Getting Started With Vendor Due Diligence Reviews

  • June 5, 2019
  • Quantivate

Why is due diligence important?

Businesses of all sizes are increasingly relying on vendors to provide critical products and services. However, outsourcing operations to third parties can pose significant risks, compounded by the fact that many organizations struggle to establish an effective due diligence review process that increases oversight and reduces risk exposure.

In its guide for managing third-party risk, the FDIC defines comprehensive due diligence as “a review of all available information about a potential third party, focusing on the entity’s financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.”

This process helps management decide whether establishing a relationship with a particular vendor would contribute to the organization’s strategic and financial goals.

When should a due diligence review happen?

While due diligence provides essential information when selecting and evaluating new vendors, reviews should also be performed periodically as part of your ongoing third-party relationship management. Existing vendors should be reevaluated when the contract renews or when changes to your own business processes may impact your partnership with the vendor.

Getting Started: 25+ Vendor Due Diligence Questions

Any due diligence review should involve a thorough investigation into the provider’s ability to meet the requirements of the proposed contract. Here are several due diligence areas to consider that will help your organization perform a comprehensive review, along with example questions that demonstrate the type of information that might be collected in a due diligence questionnaire:

1. Business Overview & Operations

Example due diligence questions:

  • Has the vendor’s market share for the product/service remained stable or grown over the past 12 months? If possible, estimate market share and describe changes during this period.
  • Have there been any material changes to industry technology or vendor product/service delivery in the past 12 months?

2. Financial Health

Example due diligence questions:

  • Has the vendor been profitable in each of the last two years?
  • Have there been any material changes to the vendor’s financial statements over the last two years?
  • Is the vendor financially stable without the business of [your organization] or the vendor’s largest customer?

3. Legal Issues

Example due diligence questions:

  • Has the vendor’s active legal status changed? If yes, describe changes.
  • Is the vendor subject to pending lawsuits materially affecting its legal existence or product/service?
  • Will the contract be governed by U.S. law? (for foreign-based vendors)

4. Compliance

Example due diligence questions:

  • Has the vendor’s compliance plan and compliance program documentation remained current over the 12 months?
  • Is the vendor subject to any pending regulatory actions? If yes, provide summary of current status.
  • Has the vendor addressed all new or proposed federal and state regulations impacting the product/service?

5. Fourth Parties

Example due diligence questions:

  • Have the vendor’s critical third parties been stable during the last 12 months? Describe any changes during this period.
  • Are the vendor’s third parties contractually obligated to safeguard organization data?
  • Have the third parties’ information security and data disposal programs been verified?

6. Human Resources

Example due diligence questions:

  • Do vendor employees receive initial and regular training?
  • Has vendor staffing been stable in the last 12 months?
  • Will the vendor provide [your organization] with initial and ongoing training resources on its products/services?

7. Information Security

Example due diligence questions:

  • Has the vendor experienced any data security incidents in the last 12 months?
  • Has the vendor conducted an information security risk assessment in the last 12 months?
  • Is the vendor’s security incident response plan adequate to inform [your organization] of a security breach? If yes, provide details (communication process, response time).

8. Reputation

Example due diligence questions:

  • Are references, user groups, and other entities satisfied with the vendor’s products/services?
  • Are news articles and social media positive about the vendor and its products/services?
  • What is the number of consumer complaints over the last 12 months as compared to the previous year?

9. Business Continuity & Recovery

Example due diligence questions:

  • Does the vendor have a business continuity program that provides adequate recovery capacity for its products/services without adverse disruption?
  • Do the vendor’s business continuity and disaster recovery plans address interdependencies for mission-critical systems and processes?
  • Has a business continuity exercise been performed in the last 12 months? If yes, provide test results, remediation plans, and completion reports.

Advanced Due Diligence: Identifying Hidden Risks in Third-Party Products & Services

Many organizations acknowledge the importance of performing due diligence on their vendors, but may overlook individual third-party products and services.

This is a risky omission. Why?

1. Every product or service has different connections to its parent company.

Comprehensive due diligence examines that relationship to determine how a product or service aligns with or differs from its parent company.

Questions to ask:

  • Is the product or service development consistent with the parent company’s business strategy?
  • Does the vendor use appropriate controls in the application of the product or service?
  • How much is the vendor spending to develop the product or service, and would the company be stable without it?
  • What is the market share for the product or service?

2. Not all risks are equal.

The risks associated with each product or service will differ, and consolidating them within the parent company provides an inaccurate representation of risk exposure.

Risk tiering—including identifying risk categories, likelihood, and impact—is a best practice for vendor management, which can also be applied to risks associated with individual products and services to help determine where more due diligence may be needed.

The Takeaway

It’s essential to perform appropriate, consistent due diligence on both your vendors and their products and services. However, recent research found that a majority of organizations (60%) feel underprepared to evaluate and verify their third parties.

Furthermore, many companies lack visibility into the security practices of their third parties, even as they continue to share data. According to a third-party risk study, 57% of don’t have an inventory of all the vendors with which they share sensitive information; that number increases to 82% for fourth-party relationships.

These vendor management shortcomings highlight the necessity of not only establishing an effective due diligence process, but also developing a complete vendor management program.

Streamline your next due diligence review

Quantivate Vendor Management Software features guided processes for comprehensive third-party due diligence, including the ability to send vendor questionnaires within the software, where answers are automatically uploaded and stored in a digital file library. Our platform can help you quickly set up a complete vendor management program, providing access to tools and resources you need for vendor classification and risk scoring, contract and performance reviews, incident tracking, and more, plus built-in content and templates.

Users can also take advantage of our vendor due diligence consulting services, which offer different service packages to help you jumpstart the process, including due diligence data collection, vendor monitoring, insurance tracking, cybersecurity reviews, and other management activities.

Further Reading & Resources

Interested in taking your vendor management program to the next level? Get started with these learning resources and tools:

→ Vendor Management Essentials: 5 Steps for Success

→ Vendor Management Software Buyer’s Guide

→ Vendor Management Audit Readiness Checklist