Managing risk through pre-contract vendor due diligence in a digitally connected world
Thanks to increasing globalization, today’s companies are increasingly exposed to risk, particularly through outsourcing to third party vendors. With a complex network of vendors to manage, you want to ensure that your organization is abreast of potential vulnerabilities by conducting pre-contract vendor due diligence. Even still, organizations struggle to gain a true sense of risk with ineffective vendor due diligence questionnaires. PWC found that out of the 71% of companies who are confident of their security activities, only 32% of require third parties to comply with their policies.
To develop true confidence in security practices throughout the extended enterprise, the process must begin with pre-contract vendor due diligence prior to onboarding. IT Security company SecurityScorecard recommends conducting vendor due diligence prior to entering a third-party relationship so that any problem areas can be addressed, or prices and contracts can be renegotiated as needed.
Our white paper, Conducting Pre-Contract Vendor Due Diligence, outlines how to modernize your due diligence process through automation. For a comprehensive risk picture, the white paper also details how to create a Vendor Risk Management program that is documented and repeatable. This can be followed by a two-stage pre-contract vendor due diligence process – both internally and externally:
Internal Due Diligence
- Identity – Are they who they say they are?
- Financial – Do they have outstanding debts or weak revenue streams?
- Reputation – Are they regarded well enough for the trust of your customers?
- Geographic – Where does your data go and is the vendor located in a potentially vulnerable area?
External Due Diligence
- Information Security – Is the data shared with them secure, and what controls are in place to ensure security?
- Business Continuity – In event of a disaster, does the vendor have resources and facilities to restore operations?
- Compliance – Do they have formal policies and processes to ensure compliance?
- Fourth-Party – What is the risk coming from your vendors’ vendors?
- Conflict of Interest – Is there potential for corruption? If so, are there restrictions put in place?
A comprehensive and consistent review of vendors evaluating the above requires large-scale questionnaires. A small to medium-size firm with a 400-question questionnaire and 70 critical vendors to assess needs to review answers to 28,000 questions. As you may imagine, using manual processes (spreadsheets) is not manageable. Automation is essential to implement and scale the vendor due diligence process.
The best way to manage vendor risk is by intercepting it at the start. Download our white paper and build a plan to formalize your pre-contract vendor due diligence process, and to automate it for efficiency, transparency, and consistency.