Vendor due diligence refers to the thorough investigation and evaluation of the risk exposure your business might face from using a specific vendor. It is a standard risk management best practice and a legal requirement in many industries such as Financial Services, Healthcare and Pharmaceuticals.
The purpose of vendor due diligence is to obtain specific information to inform decisions about:
- Starting or restarting a relationship with a vendor, through a thorough initial assessment of its suitability as part of the qualification process, or
- Continuing or terminating an ongoing relationship with a vendor, through regular ongoing tracking of its performance in various areas over time.
The key factor in such a decision is the vendor’s ability and willingness to remediate or mitigate any identified risks to your business.
This article discusses an approach commonly used to create vendor due diligence questionnaires, covering:
Why use a Vendor Due questionnaire?
Benefits for your business:
- Clarity and consistency: Provides a clear and structured outline of the information required from a vendor, minimising ambiguity and uncertainty. It ensures that the same set of data is collected from all vendors, enabling consistent evaluation and comparison.
- Comprehensive data collection: Ensures all critical areas are covered, reducing the risk of missing important information.
- Documentation and record-keeping: Creates a documented record of the process, which can be referred to later if needed.
- Ease of use: Simple to use and readily understood by employees at various levels, simplifying training and onboarding processes.
- Flexibility and adaptability: Can be customised to fit the specific needs of different industries, businesses or regulatory environments.
- Improved decision-making: Organises information in a structured manner, helping your decision-makers review and analyse the data collected.
- Risk mitigation: Ensures all potential vendor risks are systematically identified, reviewed and addressed.
- Transparency and communication: Provides clear criteria for vendor evaluation to your stakeholders and the target vendors.
Benefits for your vendors
- Competitive advantage: Well-prepared vendors with comprehensive and organised information can stand out from competitors.
- Efficiency and time-savings: Simplifies the process for vendors to respond to due diligence requests.
- Guidance and clarity: Provides clear guidance on what information is needed, reducing uncertainty.
- Opportunity for improvement: Offers feedback on areas where the vendor may need to improve or provide additional information.
- Professionalism and credibility: Demonstrates the vendor’s professionalism and preparedness in providing the required information.
How much due diligence is necessary and how often?
You should perform some level of due diligence on every vendor you contract with.
The extent of that effort should be based on:
- Delivery criticality: How important is the vendor to your business? Consider the impact on your operations, finances, or reputation if the vendor fails to deliver.
- Risk potential: What are the actual or potential risks associated with using this vendor? Examples include data security risks (e.g., data theft or corruption), financial instability risks (e.g., potential for vendor bankruptcy), and operational disruption risks (e.g., vendor service outages).
- Switching difficulty: How easy would it be to switch to another vendor if necessary? Factors to consider include switching costs, availability of qualified alternatives, and the time required to transition.
Minimal due diligence might be enough for a low-cost office supplies vendor. However, a thorough assessment is crucial for a vendor managing your sensitive data, providing critical infrastructure services, or accessing your internal technology infrastructure to install or administer software.
A simple low-medium-high scale can rank a vendor’s position for each factor. Most of your vendors will require minimal due diligence, a few will need moderate effort, and strategic vendors will need thorough and more frequent reviews.
It's advisable to have a basic vendor due diligence questionnaire that describes the essential data to be obtained from and any that might need to be provided to, your existing and potential vendors.
This can be supplemented with extensions for more in-depth data collection when needed for the few essential vendors you rely on.
Timing for due diligence activities can be:
- Fixed: at least annually for critical and high-risk vendors, every 18-24 months for moderate-risk vendors, and every 2-3 years for low-risk vendors
- Occasional: regardless of a vendor’s risk level, the process should always be conducted on the occurrence of the following situations:
- Contract midpoint: for critical vendors
- Contract renewals: as part of the general review to determine if renewal is desirable
- Performance issues: if vendor performance is exhibiting a clear and persistent downward trend significant enough to reconsider the relationship
- Regulatory change: when new or updated regulations that apply to your vendors are released.
Ensure your vendor contracts include an obligation to comply with reasonable requests for their participation in the due diligence process.
How to Build Your Due Diligence Questionnaire
Building an effective and productive questionnaire can take a lot of insight. To inform your decision to begin or continue using a vendor, you need certainty that the requested data will provide a sufficient understanding of the vendor’s risk management approach and outcomes.
This can be achieved by involving subject matter experts from departments like Finance, IT and Legal, who have deep knowledge of the different types of risk facing their specific areas.
These people are best suited to assess returned vendor data for red flags. It's smart to use their expertise to determine the data needed from vendors and set up red flag indicators.
These experts can also assess available vendor due diligence questionnaires or those from industry bodies and associations, and propose any useful elements for inclusion.
Vendor Due Diligence Questionnaire Items
For both existing and potential vendors, common essential due diligence areas include:
Financial Health
Requires detailed financial documents and transparency:
- Annual Revenue
- Auditor’s Reports
- Cash Flow
- Credit Rating
- Debt Levels
- Insurance Coverage
- Profit Margins
- Recent Financial Statements
Operational Capability
Relies on vendor processes and documentation:
- Customer Service Standards
- Disaster Recovery Plans
- Performance Metrics
- Production Capacity
- Quality Control Processes
- Risk Management
- Scalability
- Supply Chain Management
- Technology Infrastructure
Legal Compliance
Requires comprehensive documentation:
- Anti-Corruption Policies
- Data Protection Policies
- Environmental Obligations
- Export Controls
- Health and Safety Standards
- Licenses and Permits
- Tax Compliance
Cybersecurity
Requires technical documentation and policies:
- Access Controls
- Breach Notification
- Compliance with Standards
- Date Last Updated
- Data Encryption Practices
- Incident Response Plans
- Network Security
- Security Policies
- SOC Reports
- Third-Party Security
- Vulnerability Assessments
Regulatory Compliance
Requires comprehensive documentation:
- Applicable Regulations
- Compliance with Regulations
- Applicable Standards
- Compliance with Standards
- Blacklists
How to Maintain Your Questionnaire
Your questionnaire must be kept relevant in the face of change drivers such as:
- Cybersecurity Threats: The evolving cyber threat landscape requires updated security practices.
- Emerging Technologies: Newer technologies like artificial intelligence and blockchain are introducing a range of new risks.
- Evolving Regulatory Landscape: Existing laws are being strengthened and new laws are introduced to cover more and more aspects of business operations that need to be added to your questionnaire.
- Industry Best Practices: Evolving best practices require regular updates to your questionnaire.
Schedule periodic reviews of your vendor due diligence questionnaire to ensure it remains relevant and addresses current risks. Incorporate changes based on regulatory updates, industry trends, and lessons learned from past vendor assessments.
How Gatekeeper Helps with Vendor Due Diligence
Vendor and Contract Lifecycle Management software like Gatekeeper can significantly streamline and enhance the vendor due diligence process, including questionnaire setup and monitoring. Here’s how:
Vendor Due Diligence Questionnaire Setup
- Centralised Repository: Gatekeeper offers a central location for storing and managing questionnaires. This ensures consistency and accessibility across your business.
- Collaboration: Multiple stakeholders can contribute to questionnaire development, ensuring that all necessary perspectives are considered.
- Conditional Logic: Gatekeeper can use conditional logic in questionnaires, where the answers given to earlier questions determine which questions will be raised next. This ensures the process focuses on relevant information.
Questionnaire Distribution and Monitoring
- Automated Distribution: Gatekeeper can automate the distribution ofquestionnaires to vendors, saving time and reducing errors
- Deadline Management: the software can set reminders and deadlines for vendor responses, ensuring timely completion of the due diligence data collection process
- Document Management: vendors can upload requested documents directly to the Gatekeeper platform, simplifying the process and increasing its manageability
- Tracking and reporting: the software can track the progress of checklist submissions, generate reports on completion rates, and identify any bottlenecks in the process
- Vendor Portal: vendors can access the questionnaire through a secure portal streamlining the information-gathering process
- Workflow Automation: Gatekeeper can automate the routing of completed checklists to the appropriate people for review and approval, ensuring efficient workflow management.
Additional benefits for the due diligence process
- Contract Management Integration: Vendor and Contract records in Gatekeeper are linked. This means your legal team can assess the due diligence responses before their contract review to ensure they’ve covered any risks identified throughout that process.
- Performance Monitoring: Gatekeeper can track vendor performance over time, comparing actual performance against contractual obligations and KPIs.
- Vendor Information Management: Gatekeeper can store and manage all vendor-related information, including financial data, insurance certificates, and compliance documentation, making it easily accessible for review at any time.
By leveraging Gatekeeper's capabilities, your business can significantly improve the efficiency, accuracy, and consistency of its vendor due diligence processes. The software empowers you to make informed decisions about vendor selection and management while reducing the risk of disruptions and financial losses.
Wrap-up
An effective vendor due diligence questionnaire is crucial for managing vendor-related risks and ensuring compliance with regulatory and industry standards. It provides clarity, consistency, and comprehensive data collection, benefitting both your business and its vendors.
Regular reviews and updates keep the questionnaire relevant in an evolving risk landscape. By using it, you can make informed decisions about starting or restarting, continuing, or terminating relationships with vendors, ultimately supporting your business’s risk management and operational resilience.
To get more information about how Gatekeeper can help with your Vendor Due Diligence activities, don't hesitate to get in touch with us.