More and more, companies (including those in the automotive industry) outsource some of their most important functions to third-party vendors. Oftentimes, the most critical vendors have access to your systems, your confidential data and your customers’ confidential information. So while using third-party vendors brings efficiency and expertise to your organization, it also brings risk. To mitigate the risk of using a third-party vendor, it's important to engage in vendor due diligence on an ongoing basis, both before and after you engage the vendor. It is equally important to streamline your existing operational processes to manage vendor due diligence. While there is no one-size-fits-all for vendor due diligence, below are best practices to aid in avoiding risks:
- Management Support. Vendor due diligence is part of a strong corporate compliance program. Any effective compliance program starts with management support. The "tone at the top" will dictate whether your organization can initiate and sustain a successful vendor due diligence process.
- Determine the Risk Level of the Vendor. Classify each vendor based upon risk to your organization – generally firms classify vendors as low, medium and high risk. Risk factors include: 1) the type of data collected by the vendor; 2) the type of services provided by the vendor; 3) the contract amount; 4) the length of time the vendor has been in the business of providing the types of services subject to the agreement; 5) the vendor's financial wherewithal; 6) whether the vendor's services are critical to the mission of the business; and 7) whether there are other third-party competitors that could replace the vendor. Your due diligence process should align with the vendor risk. The higher the risk, the more expansive your due diligence process should be.
- Develop a Due Diligence Checklist. The due diligence checklist should be tailored to the risk of the vendor so that high-risk vendors receive the greatest scrutiny. Involve the key departments within your business, such as IT, finance, legal and procurement in developing your due diligence checklist. The checklist should elicit information about: 1) the business and its history; 2) the vendor's finances, insurance, cybersecurity policies; 3) how and where data is stored; 4) history of breaches; 5) number of terminated customers in the last 18 months; 6) the vendor's reputation (including online reviews or news reports); 7) litigation history; 8) business continuity plan; and 9) other key information relating to the services expected to be performed. If you are seeking vendors through an RFP process, include your due diligence checklist into the RFP.
- Analyze the Data Collected. Once you have collected information from the vendor, you must analyze the information in the context of your own policies, procedures and risk appetite.
- Assess and Mitigate the Risk. If you identify risk in your due diligence process, consider whether the risk is beyond acceptable for your company or whether there are ways to mitigate risk. If the risk posed by the vendor is too great, consider whether there are less risky (possibly more costly) vendors. If the risk can be mitigated, consider implementing risk mitigation strategies through contract terms or internal processes and procedures.
- Reassess Vendors on a Periodic Basis. You should update your due diligence on a periodic basis with the highest risk vendors requiring more frequent (i.e., annual) reassessment. Other events that could trigger a reassessment are a sale of the vendor, a data breach, a high number of customer complaints, financial difficulties of the vendor and any other event out of the ordinary course of business that could impact client services.
- Vendor Diligence in Acquisitions. If your organization acquires another company, you will likely inherit some or all of the vendors used by the acquired target. It is important to review the vendors used by the target and determine any overlap with the vendors your organization uses. In addition, for vendors that will continue to provide services post-acquisition, determine the level of diligence the target conducted and, if necessary, conduct your own diligence on these vendors.
- Automate the Process. To the extent possible, look to automate the due diligence process through the use of software or other technology. Automation should add consistency and efficiency to the process.
Vendor due diligence is essential to leverage the expertise of third parties while mitigating your organization’s risk. Taking the time to really understand the vendors that you propose to work with will potentially avoid costly breaches later when the vendor is providing services. If you have any questions about establishing a vendor due diligence process, please contact Linda Paullin-Hebden or your Warner Automotive Industry Group attorney.