Stepping out of the Dark Ages of Vendor Due Diligence

February 8th, 2024 Eric Hensley Reading Time: 3 minutes

After years of working with organizations of all sizes, complexities, and industries one thing I have noticed is that many companies are still performing their vendor due diligence with long, drawn out yes/no questionnaires.

Maybe you’re using questionnaires and wondering why you would change. Maybe you’re part of a very mature program and wondering why in the world anyone still uses this methodology. Both situations definitely exist, and of course every shade in between. In particular, I see this the most in IT due diligence.

Historic Vendor Due Diligence

The simplest explanation is that IT departments were the first to perform due diligence on their suppliers. The other risk domains were not yet on anyone’s radar. The first people who had to deal with this, usually IT people (like me) or CIOs, had to work with what was available at the time. They put together a series of what were, at the time, best practices.

This meant a big questionnaire where you lay out all of the possible controls that might apply to a vendor based on an understanding of risk in the marketplace. They handed these over to their vendors and said, “I need you, as a vendor, to answer every single one of these questions.” In the absence of enabling technologies or data, it was really the only way to do it.

The Need to Evolve

Unfortunately, as a technology vendor, I still see these cases often. We have many relationships, and some of them send us these questionnaires to complete. While it may seem to work in the short term, it won’t work at scale. Five years ago, you could possibly get away with sending a 500-question questionnaire to your top five IT vendors. You could review every single answer on that questionnaire, create an issue out of any “wrong” answer, and then chase those vendors to come up with corrective actions for those issues.

However, today, every company has dozens, or hundreds, or even thousands of third parties. Even medium-sized companies might have 200-300 IT vendors alone. This traditional methodology of sending everybody this massive audit-like questionnaire, reviewing every single answer in there, and then making a risk decision based on that, just doesn’t work with those kinds of numbers. This isn’t a trend that’s going to change, so you need to be able to scale.

The Modern, Automated Approach to Vendor Due Diligence

The modern approach to due diligence means leveraging automation and third-party sources of information so that you can scale up. As other risk domains became important in third-party risk management (TPRM), such as ABAC (anti-bribery and anti-corruption) risk, financial due diligence risk, ESG risk, and data privacy risk, we found that the people running those risk domain programs were risk managers who were already used to operating at scale inside their business. They knew they needed to assess massive risks inside their business, so they applied a lot of these automation best practices to their TPRM.

Using automation means having models. Having models means having analytical tools that can automatically make decisions for you, so you don’t have to review 500 answers, turn the 12 that are “wrong” into issues, and then require corrective actions.

If you continue to try to run due diligence the manual (big questionnaire) way, the problem is not so much that you’ll be doing all of this extra work; what’s going to happen is that you simply won’t assess that risk for most of those vendors. You will never get the effectively infinite resources this approach requires. If you don’t leverage modern techniques like automation and third-party data to scale your risk management process, your overall risk profile will go up, because effectively you’ll only be able to assess, with any accuracy, your top 10% riskiest or most strategic suppliers.

Finding the Right Solution

The solution is a system that, based on risk models, can automatically evaluate all inputs and, in an exception-based manner, reveal what should be looked at with rare and valuable human insight.

In such a system, you scale by taking advantage of sources of third-party risk intelligence data, but the challenge is that without the model and the associated automation and exception-based processing, that data can make your program (and your problem) worse.

For your riskiest or most strategic IT suppliers, absolutely run them through a full, questionnaire-based diligence program and review all of their answers. The important part is to realize that this approach doesn’t scale. Using automation, model-based risk assessment and third-party data allows you to assess all of your IT suppliers and reserve your manual assessment effort for only the riskiest or most strategic ones, lowering your overall risk profile.

To learn more about optimizing your vendor due diligence program, speak with one of Aravo’s experts today!

Eric Hensley

Eric is responsible for technical delivery of Aravo’s product offerings, including Engineering, QA and Hosting Operations. He has over 15 years’ experience in the development and delivery of enterprise SaaS offerings with a special focus on supply chain management and intelligence solutions.

Before joining Aravo, Eric served as Sr. Director of Technical Operations at Instill Corporation, where he developed infrastructure and integration solutions for supply chain intelligence systems in the foodservice industry. Eric joined Instill in 2002 and was instrumental in the development and deployment of highly scalable SaaS solutions responsible for processing the majority of daily foodservice transactions in North America. Prior to that, Eric served as Director of Technical Operations at ShipServ Ltd., where he was responsible for the development and deployment of one of the earliest SaaS transactional business exchanges, focused on the maritime shipping industry. While at ShipServ, Eric led the development and adoption of MTML, an XML-based transactional document standard now widely deployed in the shipping industry.

Eric holds a BA in Astrophysics with a specialization in Computer Science from the University of California, Berkeley.

