Vendor due diligence is the process of assessing and evaluating third parties against a set of specific criteria. Thorough vendor due diligence provides a platform for success when working with third parties.
You can outsource a process, but you can never outsource the risk. Many of the scandals dominating the news today stem from failures in supplier and vendor due diligence: a breakdown in the supply chain, contaminated ingredients, unpatched software.
Many of these failures are preventable with proper vendor due diligence. Better still, apply a vendor due diligence checklist so that you have a repeatable process.
Vendor due diligence is always important, but it’s critical when a vendor services a core business process or accesses confidential, sensitive information. Breaches by these third parties can often be the most costly to an organization.
See Also: What is Vendor Management?
Vendor Due Diligence Checklist: Key Consideration Criteria
Vendor due diligence must be both comprehensive and efficient, which in practice often means countless hours spent on paperwork and spreadsheet management. Consistent evaluation of your third parties is nonetheless vital for effective vendor risk management: evaluate all third parties on a regular basis, benchmarking them against the same specific criteria each time.
Below is a checklist for the areas you should focus on completing due diligence for when vetting potential new vendors or assessing existing vendors:
Vendor Due Diligence Checklist Item #1: Conditions of Facilities
- Does the staff have effective cleaning measures in place?
- Is the location exposed to hazardous matter?
- Is the internal environment properly climate controlled?
Vendor Due Diligence Checklist Item #2: Staff Training Policies
- How comprehensive is their worker training program?
- How are their employee retention rates?
- Is there a clear and skilled leader?
Vendor Due Diligence Checklist Item #3: Cybersecurity Practices
- How do they manage and protect the data you share with them?
- Is access to sensitive information controlled and limited to the specific users who need it?
- What is their patch and maintenance schedule, and how quickly are known vulnerabilities remediated?
Vendor Due Diligence Checklist Item #4: Business Continuity Processes
- How easily can they identify key operational personnel?
- What is their recovery point objective (RPO) and recovery time objective (RTO)?
- Have they prioritized an off-site backup?
It’s standard procedure to maintain robust, sustainable evaluations for vendors. Many organizations, however, fall short by failing to evaluate on a regular basis. Producing a periodic supplier due diligence report for each prospective and existing vendor lets you confirm that all third parties are adapting to the changing risk environment.