Getting started with third-party due diligence

98% of companies have third-party relationships with at least one vendor who has experienced a breach in the last year. Given that the average company works with many third-party partners, the prevalence of breaches across the supply chain only underscores the importance of third-party due diligence: a process that empowers organizations to vet third parties before and throughout the business relationship.

As a result, third-party due diligence is not only an important part of an organization's compliance program but also a possible focus for regulators. To help you strengthen your approach, this article will explore: 

• What third-party due diligence is
• Why businesses need third-party due diligence
• An effective eight-step due diligence process
• Due diligence best practices to keep in mind

What is third-party due diligence? 

Third-party due diligence is the process of reviewing and monitoring your third-party partners for potential conflicts of interest or other legal, ethical and compliance issues. The need will typically arise when considering a new vendor or preparing for a merger or acquisition.

Though due diligence is typically associated with the beginning of a business relationship, third-party due diligence should be ongoing, meaning businesses should have a system in place to identify and mitigate potential third-party risks.

An effective third-party due diligence strategy may include: 

• Checking third-party vendor names against global databases and watch lists.
• Reviewing mentions of your third-party partner in press releases, media, web searches and more for possible signs of corruption.
• Verifying whether the third party or its leadership appears in country databases or government records.
• Crosscheck self-reported information from your due diligence questionnaire against information from your own investigation.
• Enhanced due diligence involves asking all vendors to complete a third-party due diligence checklist that discloses any relevant information about the company, the scope of the relationship, the third party’s owner and more. 

Why do we need third-party due diligence? 

Businesses need third-party due diligence because it helps them decide who to entrust with their sensitive information, assets and systems. This is critical, given that Gartner estimates 60% of businesses work with over 1,000 third parties — a number that will only increase as dispersed workplaces become the norm. 

At the same time, 82% of organizations give their third parties access to all cloud data when the cost of data breaches is rising. 

But the solution isn’t to restrict your third-party relationships. It’s to implement a third-party due diligence process that reduces risk and puts your organization's security first. 

8-step third-party due diligence process

Due diligence isn’t a set-it-and-forget-it approach. It’s an iterative process of implementing safeguards, monitoring those safeguards, then improving them as the industry and third-party landscape evolve. 

Here are some steps you can take to embed due diligence in all of your third-party relationships. 

1. Map the compliance landscape: Your risk exposure will significantly depend on the regulations you and your third parties must follow. Identifying compliance concerns will help you determine what red flags you need to look for once you vet your third parties. 
2. Define your objectives: Your due diligence process should align with any financial and strategic goals your company has and the third-party risks that might prevent your company from achieving them. 
3. Gather documentation: It is essential to make sure your third parties are who they say they are. If they’re a corporation, ask for documents like articles of incorporation and key shareholder information. If they are an individual, request proof of their identification and disclosures about any possible conflicts of interest.
4. Vet third parties: Check whether or not your third-party partner appears on any watch lists or sanction lists or appears in any negative media coverage.
5. Analyze your risk: Assess whether anything you’ve uncovered during vetting poses a risk to your business. This may vary between businesses and industries and should reflect the compliance issues and objectives you identified earlier. 
6. Document your process: Keep extensive records of any information or documentation you gather. This will help prove your regulatory compliance and validate your decisions about all third-party relationships. 
7. Monitor third parties: A third party might be in the clear at the beginning of your relationship but develop some red flags over time. Monitor them and your relationship with them to ensure you catch any risks before they threaten your reputation or bottom line. 
8. Review your process: Businesses evolve, and the third-party due diligence process you implement one year may be less effective the next. Review your process to ensure your due diligence meets your business’s needs. 

Third-party due diligence best practices

Even with an effective process, third-party due diligence practices can fall short. Massive amounts of data, complicated onboarding and even human error can all inhibit effective third-party due diligence. Strengthen your process with these best practices: 

1. Centralize third-party data: The more third parties you work with, the more data you’ll need to manage. Without a centralized database, it’s all too easy to overlook critical third-party risk information. Implementing a system for managing third-party information makes that data more accessible, useful, and defensible.
2. Verify self-reported information: If you've implemented a due diligence questionnaire, it's a good idea to crosscheck the data from your investigation with the information reported by the third party. Discrepancies could raise red flags that are worth further consideration.
3. Create risk tiers: Some vendors may introduce more risk than others, which means that some vendors may need extra attention during the due diligence process. Establishing tiers creates efficiencies because you can tailor your approach to the specific third party and the relationship you’ll have with them.
4. Assess their employees: Anyone the third-party employs can pose a risk of a breach — whether that’s accidental or intentional. Ensure your due diligence process extends to the third party’s employees to ensure they will all act in the best interest of your company.  
5. Implement controls: Controls safeguard your system. Ensure that you have a specific process for how third parties access your systems and that any third party you work with will follow them.
6. Automate your approach: Third-party due diligence should be always-on. If it’s not, risks may arise before you can mitigate them. Automation makes due diligence easier by delivering more third-party information without adding to risk and compliance teams’ workloads. 

Build a due diligence program that allows you to manage and continuously monitor risks

Effective third-party due diligence lays the groundwork for the rest of your risk management program. Anti-bribery and anti-corruption programs — among others — depend on comprehensive and accurate information on all of your third parties. 

But how often should you complete third-party due diligence, and how can you turn that process into a stronger risk-based due diligence program?

Download our white paper to learn the five-step process for implementing risk-based due diligence.