Vendors may promise to solve your problems, but you need to verify they can actually do so. The allure of generating business benefits from the arrangement might cause executives to pressure staff involved in the contracting and engagement process to skimp on due diligence. This may backfire if those vendors can’t deliver in the long run, or if they expose the organisation to significant risk.
In this blog we will cover:
- Due diligence in vendor risk management
- The consequence of skimping
- Good practice due diligence
Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:
Due diligence in vendor risk management
A basic part of due diligence is understanding who you are dealing with. We covered in a previous blog the initial triaging and tiering process. This helps inform the level of due diligence you should conduct to obtain reasonable assurance the vendor can deliver. This can include:
- Are they genuine? Who am I really dealing with?
- Are they capable of delivering what they promise?
- Are they authorized to provide the offered services?
- What risks might undermine the engagement?
The first may be a simple check of government records regarding company registrations and ownership, but may involve some additional steps if you are dealing with multi-entity groups. You may need to make sure the individual you are dealing with has the appropriate authority to act on behalf of the company. If your organisation (or your regulators) are sensitive to dealing with overseas vendors, you may need to dig deeper into ownership structures.
Of course, they also need to deliver. Beyond simply verifying they are legitimate, you need to know that they are capable. This can include reviewing their leadership, appropriately qualified and skilled people, their capacity, and how they can scale if needed.
This assessment may need to be supported by obtaining specific evidence of policies, training programs, or on-site visits to observe their demonstrated capability. Dealing with start-ups or new players in the market carry additional risk, and may require additional rigour that appropriate leadership and business processes are in place.
While it seems a bit Business 101, verify any licences or memberships they might require in order to provide their services. You may want to consider any conditions that apply to that licence, and that these are also being met. For example, it might require minimum levels of insurance, or having key staff with minimum levels of qualifications. If these are not being met, it reduces confidence that other obligations are not being met.
And finally, you need to consider risks that might undermine the benefits of the agreement, beyond their capability to deliver. These could include risks like modern slavery in the supply chain, or increased cyber risk exposures due to integration.
The consequences of skimping
There can be major consequences if due diligence is not conducted properly (beyond making your vendor risk management specialists sad). Consider this quick pre-mortem before signing away: if the phrase “If only we’d known before we signed the contract…” could validly be responded to with “If only we’d checked…”, it sounds like due diligence you shouldn’t skip.
Malaysia is home to two-thirds of the worlds latex glove production. One of those producers is Supermax. Allegations of forced labour had been prominent in Supermax since at least 2019. In October 2021, United States Customs banned imports from Supermax, citing 10 out of 11 of the International Labour Organization’s indicators of forced labour.
Despite these long term allegations and the US ban – information that was readily available – the UK government approved Supermax as a supplier to its National Health Service in December 2021. The UK government was subsequently sued for its use of Supermax despite these alleged labour abuses.
One potential rebuttal to spending effort on due diligence is to rely on contractual clauses to enforce breaches by the vendor. You might be able to recover some of your loss, but rarely all of it. The opportunity cost alone as you change vendors or make business changes can be significant enough, but if the vendor simply absconds, goes bankrupt, or challenges the validity of contract clauses, you may be left out of pocket.
Good practice due diligence
Your efforts in due diligence should move you towards a decision – obtaining reasonable assurance that you can safely move forward (at least within the risks you are willing to accept). Depending on your industry or regulators, there may be some minimum due diligence requirements that are a must. Beyond that, here are some tips for effective and efficient due diligence:
- Take a risk-based approach. Which due diligence questions will ultimately help you make a decision?
- Do some basic news searches or sentiment analysis. For more material engagements, you may want to conduct more thorough searches for active legal cases or enforcement by regulators.
- Define what you want to act on, and how. When you get back a response or search results, you need to know how to interpret them, and next steps to resolve any anomalies
- Don’t ask questions or conduct due diligence that have no material effect on outcomes
- Tailor due diligence to the vendor at hand. If you are asking the same questions of every vendor, you are likely wasting effort or overlooking key issues
- Leverage technology to streamline processes and automate tasks
Conclusions and next steps
Vendor due diligence should not just be about ticking boxes. Develop a due diligence process that aligns with your business strategy and addresses the risks that vendors may pose to your organisation.
If you want to know more about building an effective vendor due diligence process, download our Vendor Risk Management eBook for a detailed step-by-step guide of to build an effective vendor risk management program.
Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series: