Enterprise risk management professionals worldwide confirm that enterprise risk has risen over the past year. But what’s even more concerning is that 34% of those who experience risk are attributing it to their increased reliance on third parties.
Since it is almost impossible today to do business without contracting with vendors or third parties, you must learn to manage the risk by performing due diligence on each of your third parties. One helpful tool for enterprises to use in this process is a vendor due diligence checklist.
The Vendor Due Diligence Checklist
A vendor due diligence checklist is the process or steps your organization takes to perform due diligence on its third parties. Vendor due diligence is a thorough investigation or assessment to vet the vendor you are contemplating taking on. You approve the vendor only when you are satisfied that the vendor meets, or can make improvements to meet your requirements and expectations. And after the vendor is onboard you should continue to monitor its cybersecurity posture.
What are the Different Types of Third-Party Risk?
Vendor due diligence is dependent on an organization’s ability to tolerate risk. Despite this, procurement and risk professionals can manage cybersecurity risks by categorizing them into different “buckets.”
These include:
- Operational risk. This type of risk is caused by operational processes, system failures, or an internal data breach. Operational risk assessments should include examining the company’s disaster preparedness plan, business continuity plan, any company code of ethics and past litigations.
- Financial risk. Due diligence should include an assessment of whether your vendors have met their financial information tax obligations. Companies can evaluate this by assessing the vendor’s financial loans, assets, compensation structure, balance and load payments and important tax documents.
- Political risk. Vendors may pose a political risk to your organization if they have PEPs (politically exposed persons) on their staff or board, are named on key watch lists, or are located in countries included in any global sanctions lists.
- Reputational risk. Negative public relations, violations of regulations or laws, security incidents or data breaches, customer complaints and negative reviews of third-party vendors can all harm your company’s reputation.
3 Main Approaches to Vendor Due Diligence
Your vendor due diligence process with each vendor will depend on the nature of your vendor relationships.
- In-house vendor – Larger companies or those with more resources may decide to invest in DIY due diligence in-house. But manual tools can be cumbersome, especially as the company scales. Third-party risk management platforms can help automate the process.
- Outsourced third-party vendors – Resource-constrained teams take a managed services approach to vendor due diligence so that the in-house team is free to focus on risk identification and risk reduction, rather than on assessing whether third parties are meeting the vendor due diligence requirements.
- Shared due diligence – Companies can share the due diligence process between them and an outsourced third party. Vendor risk intelligence networks allow companies to work together with their third parties to facilitate risk analysis and mitigation.
4 Steps to Developing a Vendor Due Diligence Checklist
A due diligence checklist is an organized approach to performing the investigation. The specific components of the checklist and the specific details included for each depend on your organization. But the checklist typically addresses these areas:
- General business information
- Financial review
- Reputation and reports
- Insurance
- Operational policies
- Cyber security
Performing many of these assessments can be very complex and time-consuming. Performing the same level of due diligence on every vendor can be a waste of time and resources. A cursory background check may be good enough for someone who delivers stationery to the office, but an IT contractor or financial services provider would warrant a more detailed assessment. So the first step in establishing a due diligence process is to categorize or prioritize potential vendors by business context and inherent risk. Then you can apply the appropriate amount of resources for each prospective vendor.
1) Prioritize Vendors by Risk
One way to prioritize vendors is by the amount of risk they pose to your organization. You can ask yourself, “If a security breach takes place, to what extent does financial risk affect me?”
You might categorize them as:
- General vendors – those that don’t have access to your network or data
- Confidential/sensitive data vendors – those that can access sensitive or confidential data
- Strategic vendors – those that you cannot do business without.
2) Analyze Vendor Attack Surface
Examine the vendor’s public-facing digital footprint and look for any cybersecurity gaps in their assets. Assessment should include their IT and network, the applications they use and how they use them. You should also evaluate the human aspects of their operation including their social posture and the effectiveness of their information security and team. Solutions like Panorays can perform these assessments in minutes and are non-intrusive to the vendor being assessed.
3) Automate the Questionnaire Process
The security questionnaire is a key component of the due diligence process. These detailed questionnaires help identify potential threats to the prospect’s assets, financial stability, business continuity, reputation and cybersecurity. They can be very time-consuming, both to create and to complete. So you want to customize the questionnaire according to the prospect being evaluated and your business relationship with them. Automated solutions can rapidly generate and scale customized questionnaires, saving time for both you and the prospective vendor.
4) Continuously Monitor Vendor Risk
The due diligence vendor selection process should not end once a vendor is onboard. Vendor networks and assets change and the threat landscape evolves continuously over time. You need a process for ongoing monitoring of your vendors’ security posture to mitigate any cybersecurity threats that can affect your organization. Beyond that, when you terminate your vendor relationship, a comprehensive off-boarding process is required to remove access and privileges which are no longer appropriate.
Streamline the Due Diligence Process with Panorays
Vendor risk management is ongoing and requires commitment from your security team to stay on top of evolving risks and changes in your vendor’s attack surface. Automating the process will help you not only manage the process but make it more efficient to reduce the potential of a data breach or cybersecurity incident originating from your third parties.
Want to learn more? Get started with a Free Account today to help build cybersecurity trust with your third parties.
FAQs
A vendor due diligence checklist has four main components:
1. Prioritize Vendors by Risk. Categorize vendors into groups depending on the amount of risk they pose to your organization.
2. Analyze Vendor Attack Surface. Assess their IT infrastructure, network, applications and the effectiveness of their information security.
3. Automate the Questionnaire Process. These questionnaires can be detailed and time-consuming to complete; automated solutions can save time and resources for everyone involved.
4. Continuously monitor risk. Ongoing monitoring is essential in a threat landscape of evolving risk.
A vendor due diligence process is the organized approach your organization takes to perform a thorough investigation of the vendor you are considering to start doing business with. While the vendor due diligence process varies according to each organization and its industry, region and type of vendor assessed, some standardized processes do exist.
Vendor due diligence should include an assessment of a vendor’s financial, operational, political and reputational risks to your organization. The approach taken in completing vendor due diligence depends on the nature of your vendor relationship.
