Is Your Vendor Due Diligence Program Effective?
Vendor Due Diligence is an essential component of your vendor management program. That’s because it helps determine whether a supplier will:
- Provide the goods and services they are promising, and
- Fit soundly into your organization’s risk appetite.
If mishandled, or skipped altogether, it exposes your organization to risks that you may not be able to manage once the contract is signed. Here are a few things to keep in mind when building a vendor due diligence process.
What is Vendor Due Diligence?
Before you create a vendor due diligence process, you first need to understand what it is. Due diligence refers to the work performed before entering into a relationship with a vendor, while no contract is yet in place and you still have the leverage to walk away or negotiate terms.
There are two fundamental things you need to determine during this stage:
- Whether this partnership can support the business and operational needs of your organization
- If your organization can safely and cost-effectively control the risk associated with this partnership.
Answering these questions during the vendor due diligence process allows you to get assurances that protect you and your organization in the long run.
Look for evidence that the potential vendor has delivered what they promised in the past; that makes it far easier to sign the contract with confidence. Also look for insight into their internal structure and operations, including which subcontractors they rely on. With this information you can understand the weaknesses that could affect your business if you work together.
What to look for during your vendor due diligence efforts:
Vendor due diligence should be exhaustive for the highest-risk relationships and lighter for lower-risk ones. Remember, the difference between your landscaping company and your core processing provider is significant. Where a potential new vendor lands on that spectrum should also drive the ongoing monitoring activities and policies you put in place once the relationship begins.
This strategy will help ensure you don’t have something come out of the woodwork in 6 months or a year after you’ve signed and will keep you from creating a vendor program that’s too big to manage effectively.
There are several areas to address that cover the different facets of a potential vendor's viability and vulnerability:
Financial stability:
Financial stability is a no-brainer. Can the vendor afford to deliver the products, services, and people you are paying for? If not, that is a fundamental issue. A solid financial history implies that they are successful enough at what they do to provide what they are promising. Ask for several years of financial statements (audited where available) rather than a single snapshot, and watch for trends such as shrinking margins or growing debt that a single good year can hide.
Experience and expertise:
You want to partner with a vendor that knows what they are doing so you get the best quality product or service possible. It is a must to see that they have robust training, knowledgeable staff, and the background experience to support you. A little time spent verifying this beforehand can save you a lot of frustration later.
Protection of sensitive information:
If you don't know how your potential vendor treats sensitive information, you can't be sure that you and your clients are safe. Third parties are involved in a significant share of data breaches, so it is essential to understand how they handle data security: what data they will hold, where it is stored and processed, how it is encrypted and who can access it, which subcontractors touch it, and what they are obligated to tell you, and how quickly, when an incident occurs.
Infrastructure for product/service delivery:
Infrastructure is the bread and butter of ensuring you receive the products and services you expect:
- Can they produce what you are asking for?
- What happens if something goes wrong at one of their facilities?
- What is their disaster recovery plan, and what recovery time and recovery point objectives does it actually commit to?
- Can they handle added needs as you grow?
Risk to the organization:
All of these questions determine whether the vendor will be able to stick with your organization, come hell or high water. Finding a potential vendor's real risk to your organization means looking at it holistically.
- Will you be trusting them with sensitive information?
- Will their product or service support a significant operational aspect of your business?
- How long can your organization function if they go offline?
Vendor Due Diligence: Where to find key information
During your vendor due diligence process, you and your team must find answers to the questions posed above. Start by looking deeply into the vendor's organization to find what you need to know. To get a sense of their stability, for instance, you will want to look at their financials.
Reference checks will give you and your team a sense of:
- Whether they are stable, and
- What specific areas of concern warrant a closer look.
Having an attorney review the contract to confirm what the vendor is legally bound to provide will give you assurance that you receive the solution you expect. Client testimonials can speak to the experience and expertise of an organization while giving you a sense of how they do business. It is also essential to gather information about disaster recovery and security controls through cybersecurity assessments, business continuity plans, and independent audit reports such as SOC reports. When you review a SOC report, confirm that it is the right type (a Type 2 report covers operating effectiveness over a period, a Type 1 only design at a point in time), that the period is recent and matches the services you are buying, whether any subservice organizations are carved out of scope, and which complementary user entity controls the report expects you to implement on your side.
There are always risks associated with depending on a new vendor. Fortunately, if you have created a robust due diligence process, you can be more confident that your chosen vendor will be a good fit and that your organization will continue to be safe and sound.
Need help building a modern vendor management and vendor due diligence program that keeps your organization safe and propels it forward?
- WolfPAC has a team of 3rd party risk management experts that are eager to assist.
- We also have one of the most robust third-party risk management software offerings available.
Contact us today to learn more!
Not ready to adopt a new third-party risk software offering but need to conduct vendor due diligence on your Rolodex of third-party providers? Our team of expert vendor management advisors is available to conduct end-to-end assessments on any vendor. We perform SOC report reviews, check adherence to FFIEC guidance, examine financial statements and controls, perform vendor website security testing, and review subcontractors.