Vendor Due Diligence Strategy Guide and Checklist

Your third-party management footprint is exploding, and the term “business resilience” is echoing in Zoom meetings … but your vendor due diligence processes are still being ironed out. Rest assured that you’re not alone. In this post, we’ll introduce three approaches to get you on the right track.

What Is Vendor Due Diligence?

Before working with a new vendor, supplier or other third party, you’ll want to conduct due diligence prior to onboarding. The due diligence process should not only assess a vendor’s financial and operational stability, but also gauge any potential risks they could introduce to your organization.

Third-party vendors pose numerous risks including information cybersecurity concerns, operational risk, supply chain disruptions, and compliance concerns. Having a thorough vendor due diligence process that enables vendor selection based on risk can dramatically speed up vendor onboarding while mitigating the chance of a major disruption or data breach.

The due diligence process usually involves a combination of contract review, vendor-completed assessments, and external intelligence gathering on the target company and their subcontractors. All of this is ultimately weighed against your organization’s level of risk tolerance.

Why Vendor Due Diligence Requirements Are Expanding

Recently, vendor due diligence to-do lists have been getting a lot longer for procurement, risk management, and security teams. Given COVID-19's impact on third-party operations – combined with other health, environmental and geopolitical challenges – many organizations are expanding their vendor due diligence efforts beyond simple IT security assessments. This includes gathering information related to manufacturing, business continuity, transportation, non-IT products, and other domain areas that comprise today’s complex supply chains.

Information security and data privacy compliance requirements are also driving organizations to conduct additional due diligence on potential vendors. Regulations such as GDPR, HIPAA, and CCPA require organizations to ensure that PHI and PII are adequately protected and not misused. A data breach can be devastating in this environment, particularly if financial information or protected company information is compromised. Building an effective vendor due diligence program can help reduce your organization’s cyber risk while strengthening your business relationships.

Three Approaches to Vendor Due Diligence

Whether you’re formalizing a vendor due diligence program for the first time, or need to evolve your existing program, it’s important to take a step back and consider your overall strategy. At Prevalent, our customers typically take one or more of the following approaches to due diligence: In-house, Shared or Outsourced.

1. In-house Vendor Due Diligence: The DIY Approach

Many companies seek to internally manage vendor data collection and analysis. However, even if your organization is well-staffed and funded, DIY due diligence can be a burden if you use disparate, manual tools (e.g., spreadsheets) to manage the process. Bringing in an automated third-party risk management platform can help. Here are some capabilities you’ll want to look for:

• Normalized risk intelligence from inside-out assessments and external risk monitoring
• Configurable risk impact and likelihood scoring
• Automated workflow and task management
• Centralized document and evidence management
• Customizable vendor communications
• Configurable risk remediation guidance for vendors
• Risk remediation management tracking and reporting

One key to success with an internal approach is you have to make it as easy and painless as possible for vendors to respond to assessment questionnaires. The solution should also include a vendor-facing portal for viewing survey completion status, threat intelligence reports, and suggested remediations. It should also maintain a complete audit trail for future assessment validation.

Finally, you’ll want to be sure that the solution is able to automatically trigger workflow tasks based on assessment attributes, risk scores, and recommendations. For instance, triggers can initiate activities related to vendor profiling and tiering, risk correlation across assessment responses, and normalization of assessment and monitoring intelligence. This will make it much easier for you to focus more on risk management and spend less time worrying about content collection.

2. Shared Due Diligence: The Network Approach

As due diligence requirements expand to supply chain vendors and outsourced supply chain management providers, vendor management processes can be taxing on under-resourced teams. In my experience, an assessor can juggle around 150-200 concurrent assessments before they become overloaded. What happens when your board asks for supply chain risk data to inform decisions, and you have 15,000 vendors to assess?

Communicating with vendors and collecting risk data usually accounts for the largest share of time in the due diligence process. If all you have is spreadsheets and de-coupled assessment and monitoring data to work with, then you are headed for a burn-out situation! Compounding this issue is the shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations.

Vendor risk intelligence networks can help when resource-constrained teams need to scale their programs. In this approach, network members and vendors pool their resources and share completed risk content to streamline risk analysis and mitigation. They offer on-demand access to readily available risk scores and content backed by industry-standard questionnaires. They’re perfect for SMBs that need benchmark data or larger organizations that need a quick way to tier vendors and identify those requiring more in-depth assessments.

Prevalent offers the following vendor risk intelligence networks:

• The Prevalent Exchange: a global, cross-industry library of completed standardized assessments
• The Prevalent Legal Vendor Network (LVN): used by over 50% of top U.S. law firms
• The Prevalent Healthcare Vendor Network (HVN): an exclusive network for H-ISAC members
• The Prevalent Third-Party Marketplace: a network where vendors can conduct and share self-assessments with their clients

Our customers typically find about 40% of their vendors in our networks. They also report an average time and cost savings of 44% when using a Prevalent vendor risk network vs. conducting assessments on their own with manual tools.

3. Outsourced Due Diligence: The Managed Services Approach

A popular option is to outsource third-party evidence collection and analysis to vendor risk assessment services. This approach frees your in-house team to focus on risk identification and remediation, rather than on chasing down assessment responses and verifying their accuracy.

This approach can deliver a faster time-to-value for risk reduction. It’s also a solid option for extremely resource-constrained teams – or those with limited internal skillsets. Here are a few of the ways your risk management program can leverage outsourced due diligence:

• Questionnaire distribution and response collection
• Documentation and evidence collection
• Threat intelligence verification
• Risk mitigation management
• Virtual validation testing and reporting

Managed services have become increasingly popular as Covid-19 has restricted companies from performing onsite risk validation. While you can conduct virtual due diligence using in-house resources, an established managed service provider can deliver the expertise, process and resources necessary to supplement and scale your program.

Bonus: The Hybrid Approach to Vendor Due Diligence

Many Prevalent customers opt to take advantage of two – or all three – of the above approaches to accelerate and automate their third-party risk management programs. For instance, some customers tap into our networks for initial due diligence checks and then work with our services team to conduct assessments of vendors that aren’t yet in the network or that require more in-depth analysis.

Everything is managed in our centralized vendor risk management software, which in-house teams can use to conduct periodic follow-up assessments – either on their own or with the support of Prevalent services – while continually monitoring third parties for cyber, business and financial risk.