
Vendor Risk Management and Due Diligence

Operational disruptions can threaten the viability of firms, destabilising the products and services they provide. The impact on consumers and market participants can be far-reaching, as we have witnessed with the onset of the pandemic and other significant market events affecting the financial system in recent years.

As we continue to work with firms to help them prepare for and respond to such unforeseen events, we have provided you with an overview of Operational Resilience, Outsourcing and Third Party Risk Management and Identifying Important Business Services. Today, our Senior Director and Regulatory Compliance Lead, Lindsey Domingo at Xcina Consulting, highlights the requirements for firms to perform appropriate and proportionate due diligence on all potential service providers and to assess the risks of every outsourcing arrangement. We outlined the regulatory expectations and the concept of materiality in our edition on Outsourcing and Third-Party Risk Management. But what is due diligence, and how does it relate to risk management?

This week’s edition covers the following:

Risk assessment and due diligence are distinct but interrelated activities that work together. Due diligence is the evidence-gathering step that feeds the risk assessment: it establishes what a provider actually does and how, so that the risks of relying on it can be assessed.

There are different types of due diligence, each with a specific area of focus. Any significant risk that materialises can quickly have a negative impact on the firm.

Vendor due diligence and risk assessment together establish whether a firm's existing policies, procedures and controls are adequate to reduce the assessed risks to an acceptable level.

Firms retain full responsibility for the effective governance and management of any risks to which the firm is exposed as a result of reliance on third parties.

Risk assessment and due diligence are not something you conduct only at the point of onboarding; they should be repeated throughout the life of the arrangement. The materiality of the arrangement should determine the depth and frequency of the review, with more material arrangements receiving closer and more regular scrutiny.

There is sufficient evidence to support the role that effective due diligence and risk assessments can play in protecting and supporting firms. Here are some top tips to help you along.

In summary, the main purpose of vendor due diligence is to inform risk assessments. Both must be completed before entering into an agreement with an outsourcing or material third-party provider.