Top Six Tips and Points for Attention
How to make risk assessments and due diligence more effective
In summary, the main purpose of vendor due diligence is to inform risk assessments. Specifically, firms should keep the following points in mind:
- Due diligence should be tailored to the extent of the risk. Effective due diligence is largely a matter of good training and judgment. Due diligence cannot be so thorough and expensive that it results in a business relationship or project not being cost effective.
- Not all risk can be avoided, and not all weaknesses of the organisation under examination may be uncovered. The aim of due diligence is a reasonable and proportionate level of enquiry into the specific aspect, sufficient to decide whether the risk is low enough for proceeding with or continuing a project or business relationship to be a reasonable business decision.
- Due diligence checklists and questionnaires can facilitate the process. Similarly, there are various supplier assurance standards for assessing third parties. Technology can also help streamline the due diligence and risk management processes. However, it is important for the scope and approach to be tailored to the specific vendor and situation. This is where good judgment and experience come in.
- Due diligence has often been primarily Finance or Compliance-led. However, to be effective, it is likely to require a broader range of skillsets. In-house or external specialists should be involved where required to demonstrate due process and reasonable steps. It may not be cost-effective for a firm to develop and maintain all the required expertise in-house. External consultants specialised in due diligence are trained and experienced in identifying risks rigorously and efficiently.
- In order to be effective, vendor risk assessments should be geared towards taking full ownership of the risks and should not follow a tick-box approach. This implies gaining a good understanding of the vendor itself, not just assigning a RAG or Tier rating. Effective ongoing risk management also has implications in terms of:
  - How frequently we engage with critical vendors (more frequent touchpoints).
  - The quality and content of the interactions, in order to pick up any early warning signs and leading indicators (as opposed to relying only on traditional lagging measures such as quality of service).
  - The internal organisation, dedicated resources and skillsets required to support a robust risk management process.
- In the context of Operational Resilience, firms need to focus on outcomes, think through severe but plausible scenarios with critical third parties and be able to provide evidence of reasonable steps and oversight exercised by Senior Management.
When must vendor due diligence and risk assessments be performed?
Initial vendor due diligence and risk assessment must be conducted prior to entering an agreement with an outsourcing or material third-party provider. During the course of the contractual relationship, due diligence and risk assessment must be carried out on an ongoing basis. The frequency of these ongoing assessments will be determined by the risk and materiality of the relationship as well as the nature of the products or services involved and any red flags that may come up.
Firms in scope are required to comply with the Outsourcing and Third-Party Risk Management obligations by 31 March 2022. Outsourcing arrangements entered into after 31 March 2021 should meet the expectations, including those relating to due diligence and risk assessment, by 31 March 2022. Any legacy outsourcing agreements should also be aligned to meet the expectations.