Vendor due diligence – it’s a favorite topic of a few people, but in today’s risky environment, it’s one of the most important ways to protect your organization. Vendor due diligence is how an organization examines a current or potential vendor’s risk to its business operations. Vendor due diligence is a key component of vendor management required by the Federal Banking Agencies.
However, knowing your vendors and understanding the risks they pose to your institution is far more than just a compliance requirement: it’s necessary for running a successful operation.
The third-party risk management guidelines – issued by the OCC and the FFIEC – are still causing ripples in the financial services community. And many organizations are still feeling the pressure. With increased reliance on third parties for these services, as well as increased scrutiny from examiners, auditors and even leadership teams and boards of directors, this pressure is more significant than it’s ever been.
Five Steps to Creating a Vendor Due Diligence Checklist
Whether vendor management is an outsourced service or still performed in-house, it’s time to rethink and mature your vendor due diligence process, starting with these five tips:
1. Prioritize Vendors by Risk
Due diligence should be performed on all vendors, but not to the same degree. Far too many organizations perform the same amount of due diligence on every vendor, likely resulting in inadequate due diligence on higher-risk vendors and excessive due diligence on lower-risk vendors. That’s a lose-lose proposition of inefficiency and inadequacy.
Using a risk-based vendor due diligence approach solves this problem. It focuses your effort where it’s most beneficial, which happens to coincide with the areas emphasized by regulatory guidance. Here are the four key steps to a risk-based vendor due diligence checklist:
- Pull the most recent list of all your vendors.
- Classify them by definitive “risk-based” categories: general vendors, confidential/sensitive data vendors and strategic vendors.
- Perform the appropriate level of due diligence as described below for those risk categories.
- Repeat the due diligence at appropriate intervals (for strategic vendors, no less than annually).
2. General Vendor Due Diligence: Quick and Painless
Any time you contract with an outside vendor, investigate the following factors and ensure all corresponding documentation is stored in a safe place, like a dedicated vendor management repository:
- Business Impact Analysis: Ask yourself: what happens to your organization if something happens to this vendor, i.e., they go out of business or lose a key subcontractor?
- Business Type and Status: Determine if the vendor is a legal entity and type: corporation, LLC or sole proprietorship.
- Insurance: Confirm the vendor has general liability insurance, and if any specialty insurance is needed.
- Contract: Develop a written, enforceable agreement.
- Service Level Agreements: Ensure that both parties have agreed on how performance will be measured.
- Relationship Owner: Identify the employee who will own this relationship and monitor performance.
- Confidentiality Statements: This typically occurs when proprietary information will be shared with the vendor, i.e., details about an upcoming product launch shared with a graphic designer or freelance writer.
This level of due diligence is sufficient for vendors in the General category, which likely make up most of your vendor list.
3. Confidential/Sensitive Data Vendor Due Diligence: Extra Cautious
Vendors that have access to your confidential or sensitive data should be placed in the Confidential/Sensitive Data category. In addition to completing the tasks for General vendors, you must conduct enough additional due diligence on these vendors to understand whether they can protect your data to the level required by the Gramm-Leach Bliley Act, including:
- Third-party Audit
- Additional Insurance
- Specific Contract Language
- Confidentiality Agreements
- Information Security
- Business Continuity and Disaster Recovery
- Employee Background Checks
- Additional Questions
- Vendor’s Due Diligence
While these additional tasks will require more time, remember that this level of vendor due diligence is only needed for a finite group.
4. Strategic Vendor Due Diligence: Ensure Your Business Viability and Continuity
These vendors are those without whom your institution could not operate. They perform a critical product, channel, operational or technological function. The strategic category usually consists of the fewest vendors, providing an inverse equation: the least number of vendors require the most due diligence. In addition to the Confidential/Sensitive Data and General information collected above, you should collect the following:
- Financial Soundness
- Ownership of the Company
- Contract Protections
- Continuous Relationship Monitoring
- Legal and Compliance Issues
- Mergers or Acquisitions
- Corporate Image, News and Social Media
- Alternative Vendor on Deck
That’s a lot of work, but for most organizations, this only needs to be completed on one or two vendors, and rarely more than five.
5. Don’t Go Overboard with Vendor Due Diligence Policies
One of the most common mistakes in vendor management is making the program unmanageable. This often stems from a misunderstanding about what is expected, resulting in unrealistic, unsustainable expectations, reducing the effectiveness of a vendor management program. Understand the “why” behind every document requested and every question asked. Rather than using cookie-cutter lists of hundreds of questions, only ask those relevant to your due diligence procedures.
Comprehensive Vendor Management is Achievable – and Necessary
While time-consuming, it’s in your institution’s best interest to ensure that general vendors have been appropriately vetted, that Confidential/Sensitive Data vendors can protect your sensitive data, and that Strategic vendors can perform their critical functions. Otherwise, the penalty could come in the form of both lost business and compliance violations – a double whammy no business wants to face.
Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program, and chairs the company’s Information Security Committee. He also oversees vulnerability monitoring and awareness programs and information security training. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain command of cyber-risk oversight.