Vendor Centric Blog

Third-Party Due Diligence - One Size Does Not Fit All
I was in a meeting with a client a few weeks ago talking about third-party due diligence. We were discussing the types of due diligence they were considering on a few of their consulting vendors and a question came up that I hear pretty often: “Does a one size fits all approach make sense when it comes to performing due diligence on your third parties?”

When you think about third-party risk, data privacy and cyber security are the two areas getting the most attention right now. But those are only two of the risks we highlighted in our recent post titled Six Important Risks to Manage with Your Vendors.

The bottom line is that third-party due diligence is no longer optional - it's required for every company regardless of size or industry. But does that mean you need to treat every third party the same when performing due diligence?
From both a best-practice and a practical standpoint, we believe firmly that the answer to this question is NO. Not every vendor relationship is created equal, and your due diligence needs to take that into account.
To frame the issue, let's look at two entirely different types of vendor relationships.
Vendor #1 provides a SaaS-based software solution that is one of the core platforms used in your business operations. Personally Identifiable Information (PII) is processed and stored in the system, and if something goes wrong with the application it will seriously disrupt the services you provide to your customers.
Vendor #2 is a consulting firm providing independent research for your organization. The outcome of their work will be incorporated into a major study you are releasing, but they are gathering all of the information independently. They have no access to confidential information and they do not perform or support any operational functions.
There is clearly a significant gap in the complexity and risk of the two relationships, and your due diligence should be aligned accordingly. Information and IT security will be critical areas to evaluate for Vendor #1 (for example, how the PII is protected, who at the vendor can access it, and how the vendor would notify you of a breach or an outage), while expertise, research methodology and use of subcontractors (i.e. fourth parties) will be important for Vendor #2, along with confirming that they really do have no access to your confidential information.

So when you perform due diligence on your third parties, don't use a one-size-fits-all approach. Take a practical, risk-based approach, and align your due diligence activities with the identified areas of risk.

Copyright © 2018 Vendor Centric. All rights reserved.