Due Diligence

Third-Party Risk Management:

Frequently Asked Questions


What is due diligence?

Due diligence involves conducting a review of a potential third party to determine the suitability of the vendor to provide the required products or services, the risks that the relationship may bring, and the controls that they have to mitigate risks. Due diligence helps ensure the organization selects an appropriate third party to partner with, and that the organization understands both the inherent and residual risks posed by the relationship.

What is involved in third-party due diligence?

Due diligence of third parties and vendors involves developing a deeper understanding of the third party’s:

  • Ownership
  • Operations
  • Resources
  • Financial status
  • Relevant employees
  • Risk and control framework
  • Business continuity program
  • Own third-party risk management program
  • Other factors important to the third-party relationship

There are two types of vendor due diligence that should be conducted as a part of any third-party risk management (TPRM) program. These include:

  • Initial Due Diligence: This occurs prior to entering an engagement with a vendor. An analysis of the vendor and verification that they will meet the company’s needs is conducted. This helps identify any potential risks and whether the vendor is suitable to meet the financial and strategic goals of the organization.
  • Ongoing Due Diligence: This type of due diligence is performed continuously and monitors vendor relationships in which an organization is already engaged. This is critical, as issues can arise from the actions of a third party at any time, and risk profiles can change on an ongoing basis.

Why is it important for companies to implement vendor due diligence into their TPRM program?

By not performing adequate initial and ongoing due diligence, companies can expose themselves to risks from third parties that can put their operations and finances in jeopardy. Through due diligence processes, potential risks can be discovered early, leaving plenty of time to mitigate the issue or, if necessary, offboard the third-party relationship.

In addition, third-party due diligence is a regulatory expectation for most major regulators. Regulators expect risk-based due diligence to be performed on all third parties (this means that due diligence should be commensurate with the risk the third-party engagement will bring to the organization). They also expect some form of ongoing monitoring; in other words, due diligence is not a one-and-done activity at the start of the relationship. Some regulators also require due diligence for critical fourth parties.

How can Aravo help companies with vendor due diligence?

Aravo helps companies embed best practice principles for vendor due diligence processes into their TPRM program. This includes scoping third parties (understanding the landscape of third parties and which ones should be subject to due diligence), third-party assessments (assessing the level of risk associated with third parties and their engagements across multiple domains), conducting risk-based due diligence, managing the approval process, and mitigating identified risks.

All processes are automated to collect essential information from internal stakeholders and third parties, as well as information pulled from external content sources such as Refinitiv, Dow Jones, RapidRatings, SecurityScorecard, BitSight, and more. In addition, ongoing due diligence is automated according to the level and type of risk and to changes in risk profiles.
