What are Vendor Diligence Reviews?

Paul Boone

Vendor diligence reviews should be performed by the Vendor Management Office (VMO). The VMO is responsible for having a non-biased view of vendors and manages the vendor relationship. The business unit should have the final sign-off on the diligence review and works with the VMO to resolve any outstanding issues.

If your company is currently not performing diligence reviews, you could be exposed to the following risks:

  • Depending on the industry you're in, auditors and regulators could impose penalties, revoke licenses to practice or take legal action against your company if the vendor is not compliant with the applicable standards.
  • The press can also damage your company's reputation if a vendor's lack of compliance is exposed. This could negatively affect investor ratings, rating agency scores, shareholders and more.

When To Perform Diligence Reviews

Vendor diligence reviews are critical not only when bringing on a new vendor but also as a routine check that the vendor has been vetted for any changes since the previous review. The goal is to validate that the vendor continues to meet the standards needed to provide their service or product without creating risk for your company, investors or customers.

Initial Diligence Review

Diligence reviews should be introduced to the vendors during the Request For Proposal (RFP) process. The RFP and diligence review should also be used to gauge the vendor's ability to be accurate and timely with their responses. Everything at this point should be monitored closely, as the vendor's performance at this stage will likely have a strong correlation to future performance.

Subsequent Diligence Reviews

If a diligence review is only performed during the initial vendor on-boarding, you could still be exposed to risk in the following ways:

  • Changes in the vendor's management team could lead to practices that are no longer compliant with your expectations.
  • If the vendor files for bankruptcy, the availability (or lack thereof) of the vendor's product/service could impact the end-user and/or your core services.
  • If the vendor has had legal actions against them that did not directly impact your company, there is still a chance of risk exposure.

For the above reasons, I typically recommend an annual diligence review — I have found that the best time to perform the review is 180 days prior to the renewal notification. This should give you ample time to identify any changes that could affect the vendor's risk level. The same questions that appear on the initial review form can be used in subsequent review forms.

When to Change the Review Frequency

Diligence reviews could be done as frequently as quarterly or semi-annually in the following situations:

  • The vendor has been classified as a high/critical risk
  • The vendor has been in business less than 3 years
  • Items discovered in the last review need to be monitored
  • External sources identify risks, such as bankruptcy, vendor layoffs, lawsuits, etc.

Base the Review on the Type of Vendor & Service

Company standards, policies & any regulatory requirements should dictate how many diligence review templates you should have and how in-depth each review should be — if one should even be done at all.

To determine how many review templates are needed, it is best to categorize your vendors by function and how tightly they integrate with your company's core business processes.

Here are three sample categories you could have:

Support Vendors

Support vendors may have the longest diligence review, especially if the vendor handles NPI and interacts with your customers. This type of vendor most directly reflects your company's public image and needs to be vetted thoroughly.

Focus on:

  • Handling of Non-Public Information (NPI)
  • Compliance with the Consumer Financial Protection Bureau (CFPB) and other agencies
  • Financial review
  • Legal review
  • Corporate structure & stability
  • The vendor's annual spend

Technology Vendors

The extent of technology-related diligence questions is dependent on the type of product. For example, if the vendor only provides desktop software, then you shouldn't need to ask if they are SSAE 16 compliant. However, you will still want to ensure their support model fits your needs.

Focus on:

  • Handling of NPI
  • Security of systems (SSAE 16 or similar audit)
  • Financial review
  • Legal review
  • Corporate structure & stability
  • The vendor's annual spend

Non-Essential Vendors

Vendors that don't provide direct support to the team may be considered non-essential and probably won't need an in-depth review. A few examples would be your beverage, furniture or maintenance vendors. At most you would want to know how long they have been in business and if their insurance meets your expectations. To inquire about their IT infrastructure or how they handle NPI is probably excessive and a poor use of your vendor management team.

Focus on:

  • Financial review
  • Legal review
  • Corporate structure & stability

How Long Should the Review Process Take?

In my experience, allow 10 business days for the vendor to complete the review form.

Once the review is back in-house, it should only take a few hours for the VMO to review it and input the data into their vendor management software. I would also suggest you pull a Dun and Bradstreet (or similar) report to validate some of the responses. Depending on the vendor spend/risk, you may want the finance department to review the financials before having the business unit provide the final sign-off on the review.

You should be on the lookout for the following "red flags" that could remove the vendor from consideration:

  • Failure to complete the review
  • The lack of an SSAE 16 audit when customer information is being handled
  • Currently in bankruptcy or posting poor financial results
  • Previous or current lawsuits not in the vendor's favor
  • Poor agency ratings (BBB, SEC, FCC, etc.)

An Example Vendor Diligence Form

Below is a basic diligence review that covers a broad spectrum. Please consider it a template that you can then tweak to meet your specific business needs.

Contact Information

  • The business contact's name, phone number, address, and email address.
  • The technical contact's name, phone number, address, and email address.

Executive Summary

  • Scope of the proposed solution offered.
  • How the proposed solution meets our functional and business needs.
  • Differentiators of the potential vendor's company and proposed solution.

Vendor Profile

  • Company name, address, location of headquarters, and telephone number.
  • Global presence of vendor.
  • Do you consider yourself a hardware or software company?
  • Name of parent company.
  • Name of subsidiaries or affiliates.
  • What type of services do you offer? (Provide a deck of services if applicable.)
  • What is your Dun and Bradstreet (DnB) number?
  • What is your DnB Paydex score?
  • What is your DnB Credit Score Class?
  • What is your DnB Financial Stress Class?
  • What is your Better Business Bureau rating?
  • Has your company filed for bankruptcy in the past 5 years?
  • Has your company had any suits filed against it in the past 5 years?
  • Has your company had any liens or judgments in the past 5 years?
  • How long has your company been in business?
  • What is your mission statement?
  • Name and version of the proposed solution.
  • What are your plans for future growth & company direction?
  • Please describe your company's third-party hardware and software partnerships.
  • Please provide a brief overview of your company.
  • What is your company's annual revenue? Provide a copy of the last 3 years of your company's Annual Report, including copies of the most recent audited annual and quarterly financial statements.
  • What percentage of annual revenue does your company invest in ongoing Research and Development?
  • Are you the integrator of the proposed systems described in this response? If not, please supply the name and address of the subcontractor.
  • Please provide a minimum of three customer references.
  • What is your company's forward-looking vision for your industry?
  • How many clients do you support in the [INSERT] industry?

Business Continuity & Disaster Recovery

  • Is there a documented policy for business continuity and disaster recovery?
  • If you have a Business Continuity Plan, when was it last tested?
  • Has an internal group evaluated the BC/DR program within the past year?
  • Do you maintain copies of BC/DR plans at secure off-site locations?
  • Are clients notified when a BC and/or DR test is performed?
  • Are clients provided contact information for use in emergencies?
  • Is there an annual schedule of required tests?
  • Do you comply with all applicable legal, regulatory or industry requirements (e.g. GLBA, SOX, PCI)?
  • Is there a records retention policy?
  • Is there an organizational data protection and privacy policy?
  • Are you SSAE 16 or ISO 27001 certified? If yes, provide a copy of your last report.
  • Does your company have a compliance and ethics training program for all employees?
  • Provide your Certificate of Insurance.

Paul Boone is an experienced VMO manager. Connect with Paul on LinkedIn.
