Understanding the full scope of vendor risks is crucial to supply chain-related decision-making—but it may not be the easiest of tasks. According to Optiv’s research, 74% of companies do not have a list of all the vendors that have access to their data and personally identifiable information (PII), while 23% don’t evaluate third parties at all.

This is a major oversight as it can leave an organization vulnerable to numerous unidentified risks. To prevent this issue and understand vendor risks more deeply, you need to implement a comprehensive vendor due diligence (VDD) process.

Our guide will teach you everything you should know about VDD, including:

  • Common VDD use cases and benefits
  • The three approaches to VDD
  • Steps to conducting VDD (with a documentation checklist)

What is vendor due diligence?

Vendor due diligence is the process of gathering and assessing data from a vendor, supplier, or a similar third party to determine whether their business and security practices are acceptable for you to proceed with a partnership. It’s a crucial aspect of vendor risk management (VRM) because it lets you proactively address threats and vulnerabilities that can be exploited during the vendor lifecycle.

Specifically, VDD lets you address various types of vendor risks, such as:

{{cta_withimage20="/cta-modules"}}

Vendor due diligence use cases

Organizations typically conduct due diligence before onboarding a new vendor—but this isn’t the only scenario where it can be useful. It’s also worth performing vendor due diligence in the following situations:

  • Contract renewals
  • Major regulatory changes
  • Service additions, changes, or updates
  • Service issues

There are two main categories of vendor due diligence:

  1. Initial: A traditional type of procurement-related due diligence performed after a vendor responds to a request for proposal (RFP).
  2. Ongoing: Conducted periodically to remediate specific issues, uncover new risk points, and shape future vendor relationships.

Risk managers should combine both types of due diligence to fine-tune their VRM program and prioritize relevant risks as they emerge.

Benefits of vendor due diligence

Thorough due diligence might seem like a considerable endeavor—but it’s well worth the effort and resources you invest in it. In today’s complex supply chain environment with multiple interrelated parties, VDD offers the following concrete benefits:

  • Increased confidence in vendor decisions: Vendor due diligence gives you critical security and performance information to make data-driven partnership decisions.
  • Risk identification and mitigation: VDD facilitates a clear understanding of the vendor's risk profile, which you can then compare to your organization’s risk appetite and determine whether the detected risk level is acceptable. This assists in the development of proactive response plans for high-tier risk events.
  • Better visibility of vendor risks: If each vendor goes through a thorough VDD process, there’s a much lower chance of associated risks going undetected.
  • Regulatory compliance: VDD outlines risk assessments and similar processes required to ensure compliance with different standards and regulations.
  • Negotiation leverage with vetted vendors: A VDD report paints a risk-aware vendor profile, which can prevent overpriced bids and help you negotiate the best services on favorable terms.

Three approaches to vendor due diligence

Depending on the size and complexity of your vendor network, as well as your available resources and staff, you can choose between the following three approaches to VDD:

  1. In-house
  2. Shared
  3. Outsourced

1. In-house VDD

In-house VDD suggests you take care of the entire process internally, which enables complete control over every activity. For some organizations, this can mean they save a sizable amount of money they’d otherwise spend on outsourced procedures.

The downside of in-house VDD is that it can be time-consuming and potentially burden your team with additional work, especially if you rely on disparate systems and manual processes. The best way around this is to use a capable vendor risk management platform that can automate and streamline VDD and other activities to simplify your team's workflows.

{{cta_webinar4="/cta-modules"}} | Webinar: Vendor risk management

2. Shared VDD

Shared VDD refers to networks and data pools where you can find completed risk assessments and other relevant content maintained by vendors. The idea is for vendors to share resources like audit reports and compliance certificates on an accessible platform. This provides prospective organizations with up-to-date information during their diligence process.

While this approach takes most of the data-gathering work off your hands, it may not be as comprehensive as internal VDD. Every vendor has a unique risk profile, so you may still want to conduct a more tailored due diligence internally.

3. Outsourced VDD

The third option is to outsource VDD entirely to a provider offering managed services. This might be a good idea if your organization is severely understaffed and doesn’t have the necessary know-how or software resources.

Still, outsourced VDD can be quite costly, so it might not be the best solution for organizations on a limited risk management budget.

How to perform vendor due diligence

The VDD process involves the following four steps:

  1. Planning a baseline
  2. Gathering documents and analyzing various risks
  3. Reporting to promote decision-making
  4. Establishing continuous monitoring procedures

Step 1: Planning a baseline

The first step of VDD is about preparation—start by setting the main objective of the process to inform all the following steps. For example, if the objective is to explore a compliance issue or concern with an existing vendor, you’ll need to request a specific set of documentation, such as evidence of recurring activities, policies, procedures, or even a third-party attestation or certification.

At this stage, you should assess your organization’s risk appetite to determine acceptable risk levels for different vulnerabilities a vendor might bring (financial, operational, etc.). Once you establish a baseline, you’ll have a clear reference point to which you’ll compare VDD reports and make decisions.

Finally, make sure to check any regulations and standards, industry- or location-specific, that can affect your relationships with vendors. The goal is to identify whether you need to report specific information to regulatory bodies if you’re in a heavily regulated industry.

Step 2: Gathering documents and analyzing various risks

The scope of VDD paperwork may typically cover the following six types of analyses:

  1. Financial analysis
  2. Cybersecurity assessment
  3. Market assessment
  4. Legal and compliance assessment
  5. Operational review
  6. HR evaluation

Each of these analyses requires you to collect specific documents and data. The following table provides a condensed checklist of some of the key items you should gather:

Analysis Documents and data points
Financial analysis
  • Annual report
  • Tax documents
  • Loans and liabilities
Cybersecurity assessment
  • Internal or third-party cybersecurity audit reports
  • Data breach history
  • Incident response plan
  • Penetration testing report
  • Disaster recovery plan
Market assessment
  • Business plans
  • Main competitors
  • Industry trends
Legal and compliance assessment
  • Relevant regulatory and compliance attestations
  • Litigation history reports
  • Ongoing legal liabilities
Operational review
  • Business licenses
  • Corporate structure reports
  • List of subcontractors
HR evaluation
  • Hiring policies
  • Biographical data of key executives
  • Corporate culture statements

Organizations using vendor management platforms typically gather and store these documents within their software, which enables collective visibility for risk teams. 

{{cta_withimage5="/cta-modules"}}

Step 3: Reporting to promote decision-making

After gathering and assessing all of the above data, you need to turn it into actionable insights via a VDD report. While there’s no fixed structure the report should follow, it should encompass the following:

  • The scope of VDD
  • Key findings and risks
  • Suggestions for the path forward

Share the report with all the relevant stakeholders, which include legal and financial teams, to gather department-specific input you’ll use to make the final decision.

Step 4: Establishing continuous monitoring procedures

VDD isn’t only done pre-emptively or on a one-time basis. Risks don’t disappear after you’ve onboarded a vendor—if anything, many risks surface later (e.g., data privacy risks). That’s why you need to have a continuous monitoring process and system in place to track interconnected vendors and perform periodic assessments throughout your partnerships with them.

For such a continuous system to work, set clear monitoring parameters and controls against which you’ll compare a vendor’s performance and risk profile. Another great practice is to configure a unified overview of your relevant vendor risk data on a dashboard so that potential threats aren’t overlooked.

Develop in-depth VDD processes with Vanta

Vanta is an end-to-end trust management platform that helps organizations of all sizes automate compliance, manage risk, and prove trust. With Vanta's Vendor Risk Management solution, you can automate VDD and other VRM processes. The platform comes with built-in content—like risk scenarios and checklists— to help you design a tailored VDD workflow. Here are some features loved by VRM teams:

  • Automated vendor discovery (which also helps you uncover shadow IT)
  • Centralized vendor inventory with risk-tier categorizations
  • Customizable vendor risk auto-scoring and visualizations for easy comparison
  • Continuous monitoring of vendor status and risk profile
  • Over 300 integrations with various platforms, including procurement solutions
  • Vanta AI for fast review of vendor documents

Vanta also lets you (and any vendor using the platform) showcase your security and compliance posture through a dedicated Trust Center.

If you want to see the above features live, schedule a custom demo or or watch our free webinar to get started.

{{cta_simple5="/cta-modules"}}

Vendor lifecycle management

Vendor due diligence (VDD): A step-by-step guide

Understanding the full scope of vendor risks is crucial to supply chain-related decision-making—but it may not be the easiest of tasks. According to Optiv’s research, 74% of companies do not have a list of all the vendors that have access to their data and personally identifiable information (PII), while 23% don’t evaluate third parties at all.

This is a major oversight as it can leave an organization vulnerable to numerous unidentified risks. To prevent this issue and understand vendor risks more deeply, you need to implement a comprehensive vendor due diligence (VDD) process.

Our guide will teach you everything you should know about VDD, including:

  • Common VDD use cases and benefits
  • The three approaches to VDD
  • Steps to conducting VDD (with a documentation checklist)

What is vendor due diligence?

Vendor due diligence is the process of gathering and assessing data from a vendor, supplier, or a similar third party to determine whether their business and security practices are acceptable for you to proceed with a partnership. It’s a crucial aspect of vendor risk management (VRM) because it lets you proactively address threats and vulnerabilities that can be exploited during the vendor lifecycle.

Specifically, VDD lets you address various types of vendor risks, such as:

{{cta_withimage20="/cta-modules"}}

Vendor due diligence use cases

Organizations typically conduct due diligence before onboarding a new vendor—but this isn’t the only scenario where it can be useful. It’s also worth performing vendor due diligence in the following situations:

  • Contract renewals
  • Major regulatory changes
  • Service additions, changes, or updates
  • Service issues

There are two main categories of vendor due diligence:

  1. Initial: A traditional type of procurement-related due diligence performed after a vendor responds to a request for proposal (RFP).
  2. Ongoing: Conducted periodically to remediate specific issues, uncover new risk points, and shape future vendor relationships.

Risk managers should combine both types of due diligence to fine-tune their VRM program and prioritize relevant risks as they emerge.

Benefits of vendor due diligence

Thorough due diligence might seem like a considerable endeavor—but it’s well worth the effort and resources you invest in it. In today’s complex supply chain environment with multiple interrelated parties, VDD offers the following concrete benefits:

  • Increased confidence in vendor decisions: Vendor due diligence gives you critical security and performance information to make data-driven partnership decisions.
  • Risk identification and mitigation: VDD facilitates a clear understanding of the vendor's risk profile, which you can then compare to your organization’s risk appetite and determine whether the detected risk level is acceptable. This assists in the development of proactive response plans for high-tier risk events.
  • Better visibility of vendor risks: If each vendor goes through a thorough VDD process, there’s a much lower chance of associated risks going undetected.
  • Regulatory compliance: VDD outlines risk assessments and similar processes required to ensure compliance with different standards and regulations.
  • Negotiation leverage with vetted vendors: A VDD report paints a risk-aware vendor profile, which can prevent overpriced bids and help you negotiate the best services on favorable terms.

Three approaches to vendor due diligence

Depending on the size and complexity of your vendor network, as well as your available resources and staff, you can choose between the following three approaches to VDD:

  1. In-house
  2. Shared
  3. Outsourced

1. In-house VDD

In-house VDD suggests you take care of the entire process internally, which enables complete control over every activity. For some organizations, this can mean they save a sizable amount of money they’d otherwise spend on outsourced procedures.

The downside of in-house VDD is that it can be time-consuming and potentially burden your team with additional work, especially if you rely on disparate systems and manual processes. The best way around this is to use a capable vendor risk management platform that can automate and streamline VDD and other activities to simplify your team's workflows.

{{cta_webinar4="/cta-modules"}} | Webinar: Vendor risk management

2. Shared VDD

Shared VDD refers to networks and data pools where you can find completed risk assessments and other relevant content maintained by vendors. The idea is for vendors to share resources like audit reports and compliance certificates on an accessible platform. This provides prospective organizations with up-to-date information during their diligence process.

While this approach takes most of the data-gathering work off your hands, it may not be as comprehensive as internal VDD. Every vendor has a unique risk profile, so you may still want to conduct a more tailored due diligence internally.

3. Outsourced VDD

The third option is to outsource VDD entirely to a provider offering managed services. This might be a good idea if your organization is severely understaffed and doesn’t have the necessary know-how or software resources.

Still, outsourced VDD can be quite costly, so it might not be the best solution for organizations on a limited risk management budget.

How to perform vendor due diligence

The VDD process involves the following four steps:

  1. Planning a baseline
  2. Gathering documents and analyzing various risks
  3. Reporting to promote decision-making
  4. Establishing continuous monitoring procedures

Step 1: Planning a baseline

The first step of VDD is about preparation—start by setting the main objective of the process to inform all the following steps. For example, if the objective is to explore a compliance issue or concern with an existing vendor, you’ll need to request a specific set of documentation, such as evidence of recurring activities, policies, procedures, or even a third-party attestation or certification.

At this stage, you should assess your organization’s risk appetite to determine acceptable risk levels for different vulnerabilities a vendor might bring (financial, operational, etc.). Once you establish a baseline, you’ll have a clear reference point to which you’ll compare VDD reports and make decisions.

Finally, make sure to check any regulations and standards, industry- or location-specific, that can affect your relationships with vendors. The goal is to identify whether you need to report specific information to regulatory bodies if you’re in a heavily regulated industry.

Step 2: Gathering documents and analyzing various risks

The scope of VDD paperwork may typically cover the following six types of analyses:

  1. Financial analysis
  2. Cybersecurity assessment
  3. Market assessment
  4. Legal and compliance assessment
  5. Operational review
  6. HR evaluation

Each of these analyses requires you to collect specific documents and data. The following table provides a condensed checklist of some of the key items you should gather:

Analysis Documents and data points
Financial analysis
  • Annual report
  • Tax documents
  • Loans and liabilities
Cybersecurity assessment
  • Internal or third-party cybersecurity audit reports
  • Data breach history
  • Incident response plan
  • Penetration testing report
  • Disaster recovery plan
Market assessment
  • Business plans
  • Main competitors
  • Industry trends
Legal and compliance assessment
  • Relevant regulatory and compliance attestations
  • Litigation history reports
  • Ongoing legal liabilities
Operational review
  • Business licenses
  • Corporate structure reports
  • List of subcontractors
HR evaluation
  • Hiring policies
  • Biographical data of key executives
  • Corporate culture statements

Organizations using vendor management platforms typically gather and store these documents within their software, which enables collective visibility for risk teams. 

{{cta_withimage5="/cta-modules"}}

Step 3: Reporting to promote decision-making

After gathering and assessing all of the above data, you need to turn it into actionable insights via a VDD report. While there’s no fixed structure the report should follow, it should encompass the following:

  • The scope of VDD
  • Key findings and risks
  • Suggestions for the path forward

Share the report with all the relevant stakeholders, which include legal and financial teams, to gather department-specific input you’ll use to make the final decision.

Step 4: Establishing continuous monitoring procedures

VDD isn’t only done pre-emptively or on a one-time basis. Risks don’t disappear after you’ve onboarded a vendor—if anything, many risks surface later (e.g., data privacy risks). That’s why you need to have a continuous monitoring process and system in place to track interconnected vendors and perform periodic assessments throughout your partnerships with them.

For such a continuous system to work, set clear monitoring parameters and controls against which you’ll compare a vendor’s performance and risk profile. Another great practice is to configure a unified overview of your relevant vendor risk data on a dashboard so that potential threats aren’t overlooked.

Develop in-depth VDD processes with Vanta

Vanta is an end-to-end trust management platform that helps organizations of all sizes automate compliance, manage risk, and prove trust. With Vanta's Vendor Risk Management solution, you can automate VDD and other VRM processes. The platform comes with built-in content—like risk scenarios and checklists— to help you design a tailored VDD workflow. Here are some features loved by VRM teams:

  • Automated vendor discovery (which also helps you uncover shadow IT)
  • Centralized vendor inventory with risk-tier categorizations
  • Customizable vendor risk auto-scoring and visualizations for easy comparison
  • Continuous monitoring of vendor status and risk profile
  • Over 300 integrations with various platforms, including procurement solutions
  • Vanta AI for fast review of vendor documents

Vanta also lets you (and any vendor using the platform) showcase your security and compliance posture through a dedicated Trust Center.

If you want to see the above features live, schedule a custom demo or or watch our free webinar to get started.

{{cta_simple5="/cta-modules"}}

See how VRM automation works

Let's walk through an interactive tour of Vanta's Vendor Risk Management solution.

Explore more TPRM articles

Get started with TPRM

Start your TPRM journey with these related resources.

Security

How to minimize third-party risk with vendor management

Get insights and best practices from security & compliance experts on how to manage third-party vendor risk in this free guide.

This is some text inside of a div block.
This is some text inside of a div block.
Security

Vanta in Action: Vendor Risk Management

Vendor security reviews can be manual and time-consuming, draining security teams of precious hours. Vanta’s Vendor Risk Management solution changes that, automating and streamlining security reviews so that you can spend less time on repetitive work and more time strengthening your security posture. Curious to see what it looks like?

This is some text inside of a div block.
This is some text inside of a div block.
Security

10 important questions to add to your security questionnaire

We’ve identified 10 critical questions to include in your security questionnaire and why each answer is vital for informed decision-making.

This is some text inside of a div block.
This is some text inside of a div block.