Vendor Vetting, Explained

Blog
March 13, 2024

Ascertain Potential Risk

The first step in vendor vetting is understanding your risk. What could go wrong if you work with this vendor? What are the potential consequences? Once you have a good idea of the risks, you can start developing criteria for how to assess those risks. Some factors to consider include:

  • the vendor's size and financial stability
  • their track record and reputation
  • the quality of their products or services
  • how well they meet your specific needs

Assess Financial Risk

One of the biggest risks associated with working with a vendor is financial risk. If the vendor goes out of business, files for bankruptcy, or otherwise fails to deliver on their contract with you, it can have serious consequences for your business. To assess a vendor's financial health, ask them to provide:

  • financial statements
  • credit reports
  • audit reports (if available)

If possible, get these documents from multiple sources and compare the vendor's financial statements to those of other vendors in their industry.

Assess Regulatory Risk

Before working with a vendor, you need to verify that they comply with the regulatory rules and standards that apply to your organization and to the data or services involved. Write the compliance obligations into the contract itself; an NDA on its own only covers confidentiality and does not bind the vendor to regulatory requirements.

Make sure all vendor agreements include:

  • a description of the vendor's obligations under law and regulation
  • an explanation as to how those obligations will be met
  • a vendor certification that they are compliant with all applicable laws and regulations

Run a Background Check on the Vendor

Before signing any agreements with a vendor, it's a good idea to run a background check on them. This will help you identify any potential red flags, such as criminal convictions or past lawsuits.

There are several ways to run a background check on a vendor:

  • conduct a search of the vendor's name in online databases
  • contact the vendor's current and former clients to see if they have any negative comments or complaints
  • review the vendor's public filings with government agencies (e.g., SEC filings) and commercial credit reports (e.g., Dun & Bradstreet)
  • speak with industry experts who may have experience working with this vendor

Ask for a Copy of the Vendor's Insurance Policy

When working with a vendor, it's important to know what type of insurance they have and how much coverage is provided. You may want to ask for a copy of the vendor's current policy so you can evaluate its terms and conditions before signing any agreements with them.

Conduct Internal Due Diligence

Once you've completed a vendor risk assessment and identified your top vendor candidates, it's time for due diligence. This involves evaluating the vendor internally, as well as externally with customers and third parties. The purpose is to get an accurate picture of the vendor's capabilities and reputation.

During due diligence, ask vendors to provide:

  • a list of current clients (preferably with contact information)
  • references you can speak with about their experiences working with this vendor
  • information on any recent legal disputes or other negative incidents involving this vendor

Conduct a Site Visit

If possible, conduct a site visit to the vendor's offices. This will allow you to get an idea of their workplace environment and culture, as well as assess any security risks associated with doing business with them.

During a vendor site visit, be sure to:

  • meet the vendor's employees in person so you can get an idea of their capabilities and experience level
  • check that the vendor takes security seriously by observing how employees and visitors gain access to the facilities (e.g., badges or biometric scanners) and whether guards are on duty around the clock
  • review the vendor's business continuity plan and disaster recovery procedures
  • evaluate the quality of the vendor's products or services

If you're not able to visit the vendor's offices, ask them to send you a sample product or service so you can evaluate it yourself.

Create a Vendor Questionnaire

Once you have an idea of the general risks associated with a vendor, it's time to create a questionnaire. This questionnaire should cover all aspects of the vendor relationship, from business basics like contact information and company ownership to vendor-specific information like business continuity plans and physical security of vendor facilities.

When creating a vendor questionnaire, be sure to consider:

  • what type of vendor they are (in terms of products or services)
  • the length and nature of the relationship you're looking for with this vendor
  • the reason you are seeking out a new vendor in the first place
  • how they will fit into your vendor ecosystem

Screen Vendors Based on Their Questionnaire Responses

Once you have a vendor questionnaire, it's time to screen vendors based on their responses. This involves creating a rubric for how to score vendor responses and then reviewing them accordingly. Some questions might require binary answers (yes or no), while others will require a more subjective evaluation.

Some factors to consider when scoring vendor responses include:

  • the completeness of the response
  • the accuracy of the response
  • the timeliness of the response
  • how well the vendor addressed your specific concerns

If the vendor scores poorly in any of these areas, it's best to move on and continue your search.
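As an added example (not part of the original post), here is one way to turn such a rubric into a repeatable score in Python. The questions, weights, rubric areas, vendor answers and thresholds are all constructed for illustration. It treats an unanswered question as scoring zero (completeness), halves the credit for any answer the reviewer could not verify against evidence (accuracy), deducts a percentage for each day the questionnaire arrived late (timeliness), and applies the "poor in any area means move on" rule as a per-area minimum, plus an assumed knockout flag for binary questions where anything short of a verified "yes" fails the vendor outright.

```python
"""Weighted scoring of vendor questionnaire responses with per-area minimums.

Constructed example; the rubric, vendors and thresholds are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Question:
    qid: str
    area: str            # rubric area, e.g. "security", "continuity", "legal"
    weight: int          # relative importance within the rubric
    binary: bool         # True: yes/no answer; False: reviewer rates 0-5
    knockout: bool = False   # True: anything short of a verified "yes" fails the vendor


@dataclass(frozen=True)
class Answer:
    value: Optional[Union[bool, int]]   # None means the vendor left it unanswered
    verified: bool = True               # reviewer confirmed it against evidence


@dataclass(frozen=True)
class Submission:
    answers: Dict[str, Answer]
    days_late: int = 0                  # days after the requested return date


# Hypothetical rubric (the question wording is illustrative only).
RUBRIC: List[Question] = [
    Question("SEC-1", "security", 3, binary=True, knockout=True),  # MFA for staff handling our data?
    Question("SEC-2", "security", 2, binary=False),                # maturity of vulnerability management
    Question("BCP-1", "continuity", 2, binary=True),               # DR plan tested in last 12 months?
    Question("BCP-2", "continuity", 1, binary=False),              # credibility of RTO/RPO commitments
    Question("LEG-1", "legal", 2, binary=True, knockout=True),     # certifies regulatory compliance?
]

# Constructed vendor submissions.
VENDOR_A = Submission({
    "SEC-1": Answer(True), "SEC-2": Answer(4),
    "BCP-1": Answer(True), "BCP-2": Answer(3),
    "LEG-1": Answer(True),
})
VENDOR_B = Submission({
    "SEC-1": Answer(True, verified=False),   # claimed MFA but provided no evidence
    "SEC-2": Answer(5),
    "BCP-1": Answer(None),                   # skipped the question
    "BCP-2": Answer(2),
    "LEG-1": Answer(True),
}, days_late=4)


def score_answer(q: Question, a: Optional[Answer]) -> float:
    """Score one answer on a 0.0-1.0 scale (completeness and accuracy)."""
    if a is None or a.value is None:
        return 0.0                                   # incomplete: no credit
    if q.binary:
        base = 1.0 if a.value else 0.0
    else:
        base = max(0, min(5, int(a.value))) / 5.0    # clamp subjective rating to 0-5
    if not a.verified:
        base *= 0.5                                  # unverified claims count half
    return base


def evaluate(rubric: List[Question], sub: Submission,
             area_minimum: float = 0.6, late_penalty_per_day: float = 0.05) -> dict:
    """Aggregate per-area and overall scores, then apply the pass/fail rules."""
    area_weight: Dict[str, float] = {}
    area_points: Dict[str, float] = {}
    knockouts_failed: List[str] = []
    total_weight = total_points = 0.0
    for q in rubric:
        s = score_answer(q, sub.answers.get(q.qid))
        if q.knockout and s < 1.0:
            knockouts_failed.append(q.qid)
        area_weight[q.area] = area_weight.get(q.area, 0.0) + q.weight
        area_points[q.area] = area_points.get(q.area, 0.0) + q.weight * s
        total_weight += q.weight
        total_points += q.weight * s
    areas = {k: round(area_points[k] / area_weight[k], 3) for k in area_weight}
    # Timeliness is a property of the whole submission, so it scales the overall score.
    timeliness = max(0.0, 1.0 - late_penalty_per_day * max(0, sub.days_late))
    overall = round((total_points / total_weight) * timeliness, 3)
    weak_areas = [k for k, v in areas.items() if v < area_minimum]
    passed = not knockouts_failed and not weak_areas and timeliness >= area_minimum
    return {"overall": overall, "areas": areas, "timeliness": timeliness,
            "knockouts_failed": knockouts_failed, "weak_areas": weak_areas, "pass": passed}


if __name__ == "__main__":
    for name, sub in (("Vendor A", VENDOR_A), ("Vendor B", VENDOR_B)):
        print(name, evaluate(RUBRIC, sub))
```

The per-area minimum is what makes a strong overall number insufficient on its own: Vendor B scores well on security questions but leaves a continuity question blank, so that area drops below the threshold and the vendor is screened out even before the unverified knockout answer and the late submission are considered.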
