What is the vendor management definition of due diligence? It's certainly a pillar of vendor relationship management. If you are going to outsource, from bits of processes to entire services, due diligence is the practice that allows you to see trouble coming. You gather vendor due diligence documents when soliciting vendors to make sure you don't get yourself into a bad situation. You gather due diligence documents throughout the vendor contract to ensure the vendor is meeting their obligations and services are provided as expected.
This is one reason why vendor management is important. So we know why we need the due diligence, but sometimes it seems like we're just doing it to check off a list. Other times, the vendor doesn't even offer certain due diligence items we might feel we need. How can something so necessary be so convoluted?
Let's clear this up by looking at four steps you can follow to streamline your vendor due diligence process. These steps should be the foundation of your vendor due diligence checklist.
Step 1: Gather the right documents using "trigger questions."
Asking for 20 documents from each vendor is not going to work for you, or for them. You're probably familiar with these two experiences.
(1) You ask for a document but the vendor has nothing of the sort. You understand why, so you officially document some kind of "exception" for this scenario.
(2) You didn't ask for a document because the vendor isn't designated as critical. But you come to find out the document would have warned you of an issue that could affect you. How is it that both of these scenarios happen from the same document-gathering method?
These scenarios are the result of a "bucket" method. You ask a few questions about a vendor and they end up in a certain "bucket," which requires a specific set of documents. It seems like an easy method, but the result is often an inaccurate and unspecific evaluation, which produces the issues above.
Instead, use an "if-then" method to gather all the right documents and only the right documents. With "if-then" you can ask a trigger question, like "Would the company be significantly affected if the vendor's services were temporarily unavailable?" A "yes" answer would trigger you to gather their Business Continuity Plan. Why BCP? It is the document that will show you if the vendor is prepared to promptly recover service to you after a business disruption. Prompt return of service is exactly what you need if a temporary outage of the vendor would be significantly damaging to you.
Trigger questions are designed to guide you through establishing exactly what documents you need to review and why. This is important because you do not want to spend time gathering and reviewing documents that have no purpose for you. But you certainly don't want to miss the ones that do matter.
Step 2: Review the document to answer the "stability question."
Continuing with the BCP example, a BCP will help you see if the vendor has operational stability. A great way to pose the question to yourself is, "Is the vendor prepared to promptly recover our service from any business disruption?" This is the question you are looking to answer when reviewing the contents of the document.
(Side note: some vendors may cover this information as part of their Service Level Agreement. Just because the name on the document is not the same, do not dismiss it. It's all about the right content being there.)
Your stability question can be answered with: "yes", "no", or "not sure." If you answer "not sure", then it is time to get more information so you can be sure.
Step 3: Create an Action Plan
Action plans can sound very official and somewhat overwhelming. But your action plan could be as simple as continuing service with a vendor because no issues were found. In some cases, however, your action plan may be a bit more complex if the required action is to request changes to the vendor's service or contract. In some cases, an action plan may even be to replace the vendor.
Step 4: Report to Management
The final step is informing management. What do they need to know to feel confident in your choices without knowing every time-consuming detail? Give management a summary of the first three steps using this formula.
Since [Trigger Statement], we needed to confirm [type] stability by answering the question [Stability Question]. Based on our review of the vendor's [documents reviewed], we believe [Answer to Stability Question]. As such, we will [Action Plan].
Using our BCP example, your management summary could look something like this:
Since the company would be significantly affected if the vendor's services were temporarily unavailable, we needed to confirm operational stability by answering the question "Is the vendor prepared to promptly recover our service from any business disruption?" Based on our review of the vendor's Business Continuity Plan, we believe the vendor has little to no controls in place to recover from a business disruption. As such, we will begin searching for a replacement vendor.
This summary tells them what they need to know, why they need to know it, how you came to have this information, your opinion, and your intended next steps.
Follow this four-step process to reduce the workload of vendor due diligence and maintain a clear process.