Why Perform Due Diligence On Your Vendors?
The due diligence process ensures that your company has a consistent & reasonable approach to vetting its vendor relationships — especially if the vendor is providing a core business function or has access to non-public confidential information.
And Not Just At the Onset Of The Vendor Relationship
It's not enough to perform diligence during the initial vetting stage. We've seen it happen too often: a company goes bankrupt out of nowhere, key management leaves, or the company shifts its product or service focus. Conducting diligence throughout the relationship, especially with your critical vendors, is key to avoiding being blindsided.
Types Of Information To Collect During The Due Diligence Review
- Financial solvency — latest financial statements
- List of references
- Verification of insurance & license documentation
- Previous complaint history — BBB, FTC, etc.
- Company history — bios of management & key personnel
- Legal & regulatory compliance
- Audit reports — such as SOC 1 and SOC 2 reports issued under SSAE 18 (the successor to SSAE 16, which itself replaced SAS 70); an older SAS 70 or SSAE 16 report is a sign the vendor's audit coverage is out of date
- Ability to deliver expected level of service — security controls, technology architecture, past experience
- Contract review — terms, renewal/notification requirements, required service levels, etc.
Sounds Like A Lot Of Time, Effort & Paperwork...
No one said it was fun! The two keys to getting through it are:
Don't reinvent the wheel each time. Have a standard set of diligence review templates that your company uses. The more of the process you can automate, the quicker and smoother it will go.
Do as much diligence as is necessary to be comfortable with the vendor's ability to perform its expected role. If you are a bank seeking a vendor to handle your online banking infrastructure, the diligence review will be extensive, exhaustive and thorough, whereas a company that handles brochure printing would not be subject to the same amount of diligence.
One way of being "reasonable" with your diligence approach is to conduct diligence proportionate to the vendor's perceived risk. The greater the risk, the more diligence should be conducted.
Even Better - Have the Vendor Complete It
VendorRisk gives you the ability to email the vendor and give them a "guest page" to complete their diligence review. The vendor contact can then enter or upload the information for each diligence item and submit their response. The diligence owner is emailed a notification that the vendor replied, and can then go in and approve each response.
With this approach, you're removing the hassle of being the middleman and having to transfer information and documents from email messages with the vendor to VendorRisk — using the guest page, the vendor enters the information directly into VendorRisk.
Examples Of Due Diligence Questions...
The following are real due diligence questions used by our existing customers:
- Has the company received any correspondence from the FTC, the CFPB, any and all State Attorneys General, any and all state banking or consumer agencies, or any other state or local agency with jurisdiction (whether actual or alleged) over your activities?
- Does the company have a Data Breach Policy?
- List current state licenses held (include all licenses) regardless of whether such license is held in connection with the services offered pursuant to your agreement.
- Does the contract / file contain SLAs or other metrics to measure performance?
- Has the vendor supplied a current copy of their business license or official business certification from their local jurisdiction?
- Does the vendor have policies and/or conduct any training on Data Privacy for employees with access to our member data?
How Can VendorRisk Help?
Allows unlimited review templates
One size does not fit all. You may end up needing review forms based on:
- Risk level
- Initial vs. on-going
- Vendor category/industry — e.g. technology diligence vs. consulting diligence
- A combination of the above, such as an "initial high-risk form" vs. "on-going high-risk form"
VendorRisk lets you create as many review templates as you need, and each one can contain as many questions as you need.
Automates the scheduling of reviews
By entering a "next review date" and the review frequency, VendorRisk will notify you ahead of time that a review is due. When you complete the review, it will then automatically set the "next review date" to the appropriate date in the future.
Tracks progress of each review
Every review not yet completed has a completion percentage between 0 and 100%, based on the number of items marked as completed within the review. With the percentage clearly visible, you can quickly see all outstanding reviews and how far along each one is.
Supports the review process
If your company policy is that all completed diligence reviews must be approved by a review committee (even if it is just one person), you can set up review committees in VendorRisk. When a diligence review is marked as completed, the review committee receives an email with instructions to view the completed form, and can then approve or reject the review.
Receive automated email reminders for...
- Upcoming due diligence reviews
- Due diligence reviews that need to be approved by you
- Due diligence reviews that were just approved/rejected
Examples of reports you can run, save & export...
- All diligence reviews conducted in the past year for high-risk vendors
- All diligence reviews with a status of "In-process"
- All completed due diligence reviews conducted by the Compliance department in the past 3 months