Written by vendor management professionals
Vendor diligence reviews should be performed by the Vendor Management Office (VMO). The VMO is responsible for maintaining an unbiased view of vendors and manages the vendor relationship. The business unit should have the final sign-off on the diligence review and works with the VMO to resolve any outstanding issues.
If your company is currently not performing diligence reviews, you could be exposed to the following risks:
Vendor diligence reviews are critical not only when bringing on a new vendor but also as a routine check that the vendor has been vetted for any changes since the previous review. The goal is to validate that the vendor continues to meet the standards needed to provide their service or product without creating risk for your company, investors or customers.
Diligence reviews should be introduced to the vendors during the Request For Proposal (RFP) process. The RFP and diligence review should also be used to gauge the vendor's ability to be accurate and timely with their responses. Everything at this point should be monitored closely, as the vendor's performance at this stage will likely have a strong correlation to future performance.
If a diligence review is only performed during the initial vendor on-boarding, you could still be at risk by:
For the above reasons, I typically recommend an annual diligence review. I have found that the best time to perform the review is 180 days prior to the contract's renewal notification date. This should give you ample time to identify any changes that could affect the vendor's risk level. The same questions that appear on the initial review form can be used in subsequent review forms.
Diligence reviews could be done as frequently as quarterly or semi-annually in the following situations:
Company standards, policies and any applicable regulations should dictate how many diligence review templates you should have and how in-depth each review should be, or whether one should be done at all.
To determine how many review templates are needed, it is best to categorize your vendors by function and how tightly they integrate with your company's core business processes.
Here are three sample categories you could have:
Support vendors may have the longest diligence review, especially if the vendor handles NPI and interacts with your customer. This type of vendor most directly reflects your company's public image and needs to be vetted thoroughly.
The extent of technology-related diligence questions is dependent on the type of product. For example, if the vendor only provides desktop software, then you shouldn't need to ask if they are SSAE 16 compliant. However, you will still want to ensure their support model fits your needs.
Vendors that don't provide direct support to the team may be considered non-essential and probably won't need an in-depth review. A few examples would be your beverage, furniture or maintenance vendors. At most you would want to know how long they have been in business and if their insurance meets your expectations. To inquire about their IT infrastructure or how they handle NPI is probably excessive and a poor use of your vendor management team.
In my experience, allowing 10 business days for the vendor to complete the review form is sufficient.
Once the review is back in-house, it should only take a few hours for the VMO to review it and input the data into their vendor management software. I would also suggest you pull a Dun and Bradstreet (or similar) report to validate some of the responses. Depending on the vendor spend and risk, you may want the finance department to review the financials before the business unit provides the final sign-off on the review.
You should be on the lookout for the following "red flags" that could remove the vendor from consideration:
Below is a basic diligence review that covers a broad spectrum. Please consider it a template that you can then tweak to meet your specific business needs.
| Diligence review item |
|---|
| The business contact's name, phone number, address, and email address. |
| The technical contact's name, phone number, address, and email address. |
| Scope of the proposed solution offered. |
| How the proposed solution meets our functional and business needs. |
| Differentiators of the potential vendor's company and proposed solution. |
| Company name, address, location of headquarters, and telephone number. |
| Global presence of vendor. |
| Do you consider yourself a hardware or software company? |
| Name of parent company. |
| Name of subsidiaries or affiliates. |
| What type of services do you offer? (Provide a deck of services if applicable.) |
| What is your Dun and Bradstreet (DnB) number? |
| What is your DnB Paydex score? |
| What is your DnB Credit Score Class? |
| What is your DnB Financial Stress Class? |
| What is your Better Business Bureau rating? |
| Has your company filed for bankruptcy in the past 5 years? |
| Has your company had any suits filed against it in the past 5 years? |
| Has your company had any liens or judgments in the past 5 years? |
| How long has your company been in business? |
| What is your mission statement? |
| Name and version of the proposed solution. |
| What are your plans for future growth and company direction? |
| Please describe your company's third-party hardware and software partnerships. |
| Please provide a brief overview of your company. |
| What is your company's annual revenue? Provide a copy of the last 3 years of your company's Annual Report, including copies of the most recent audited annual and quarterly financial statements. |
| What percentage of annual revenue does your company invest in ongoing Research and Development? |
| Are you the integrator of the proposed systems described in this response? If not, please supply the name and address of the subcontractor. |
| Please provide a minimum of three customer references. |
| What is your company's forward-looking vision for your industry? |
| How many clients do you support in the [INSERT] industry? |
| **Business Continuity & Disaster Recovery** |
| Is there a documented policy for business continuity and disaster recovery? |
| If the vendor has a Business Continuity Plan, when was it last tested? |
| Has an internal group evaluated the BC/DR program within the past year? |
| Do you maintain copies of BC/DR plans at secure off-site locations? |
| Are clients notified when a BC and/or DR test is performed? |
| Are clients provided contact information for use in emergencies? |
| Is there an annual schedule of required tests? |
| Do you comply with all applicable legal, regulatory or industry requirements (e.g. GLBA, SOX, PCI)? |
| Is there a records retention policy? |
| Are you SSAE 16 or ISO 27001 certified? If yes, provide a copy of your last report. |
| Does your company have a compliance and ethics training program for all employees? |
| Provide your Certificate of Insurance. |
Paul Boone is an experienced VMO manager. Connect with Paul on LinkedIn.