A Checklist for Third-Party Due Diligence

Written by
RMI Team (P)

As organisations increasingly collaborate across borders to expand opportunities and grow into new markets, they also open themselves up to increased security and reputational risks.

The unsavoury behaviour of third parties, whether related to corruption, money laundering, labour exploitation, or poor cybersecurity hygiene, has a direct impact on your operations. According to Deloitte, third-party risk incidents, including supply chain failures, data breaches, and disruption to IT services, can cost organisations up to US$1 billion per incident.

That’s why third-party due diligence is essential to mitigate business risks. Gathering the right information about potential vendors, agents, suppliers, or partners before getting into business with them is critical to preventing problems from appearing unannounced down the road.  

For business leaders who are keen to strengthen third-party due diligence but unsure where to start, here's a 3-step framework to help identify, address, and mitigate third-party-related risks.

3-step framework to help identify, address, and mitigate third-party-related risks

Step 1: Identify vulnerabilities

No two organisations will have the same due diligence frameworks. Before embarking on any third-party evaluations, it's important first to review internally which vulnerabilities currently exist, to decide which risks top your organisation's priority list, and to assess the robustness of existing risk management tools.

Some questions to ask include:  

  • How often do you conduct internal audits?
  • Do you have adequate business continuity plans, including supply chain alternatives? 
  • What are some of the jurisdictional considerations that may affect your operations, especially if you’re conducting business overseas?   
  • How strong is your internal risk culture? Do you have proper internal fraud prevention procedures, such as an ethics hotline or whistle-blower policy?  

Next comes prioritising risks that are essential to address when evaluating the fitness of third-party vendors and partners. For some organisations, it may be legal and regulatory risks, whereas, for others, it may be operational and financial risks. There’s also increasing importance being placed on cyber and data security.  

It's highly improbable that your business will ever reach a zero-risk state, so focusing on attaining and sustaining minimal risk is the more useful goal.

Step 2: Conduct intelligence gathering

Once you’ve prioritised your list of third-party risks to address, you’ll need to collect intelligence that will help with your risk assessment.   

Due diligence identifies risks early so they can be better understood and managed upfront. Much like when conducting pre-employment background checks, it’s important to remember that the intelligence-gathering process isn’t meant to eliminate potential third parties – rather, it’s meant to help business leaders make better-informed decisions by enabling them to move forward with clarity and transparency.  

Here are some examples of intelligence you may choose to gather:  

  • Basic company information, including business certificates, licenses, and incorporation documents 
  • Background checks on the CEO, executives, and/or board members to identify Politically Exposed Persons (PEPs) and similar people-related risks 
  • Financial health documents, including a list of assets and liabilities, tax records, and others  
  • Cybersecurity-related information such as data breach history, compliance reports and certifications, penetration test results, and more, bearing in mind that self-reported material should be corroborated where possible
  • Past litigation and settlements records  
  • Operational information to assess the quality of processes and identify inherent risks 
  • Interviews with existing employees to screen for potential markers of negative workplace culture, discrimination, or abuse 

For organisations that do not have sufficient internal knowledge, access, or resources to conduct such comprehensive checks, experienced specialists like RMI can step in to provide intelligence gathering and research services that are in-depth, tailored and cost-effective.

Step 3: Maintain oversight over your partnerships

Due diligence is only valuable if organisations take appropriate action. Even after a decision has been made to engage a third-party agent, supplier or partner, it's important to continually manage, monitor and review partnership-related risks.

In fact, the Monetary Authority of Singapore (MAS) recently expanded its Technology Risk Management (TRM) Guidelines to require that financial institutions maintain ongoing oversight over all third parties involved in their customer value chain and not just conduct one-time assessments of their service providers. 

Risk management is not a one-and-done process. This is why third-party due diligence should be scheduled at regular intervals, so that risk levels are reviewed and kept within acceptable limits. This should be practised throughout the business relationship so that new or emerging risks don't slip in undetected.

Out of your control, but still within your responsibility

Managing third-party risk is an ongoing process that should be about prevention, not reaction. The choices of third-party partners and service providers may be out of your control, but it doesn’t change the fact that their actions directly impact your business risks. The increasing frequency of third-party incidents negatively impacting organisational reputation, earnings and value is clear and compelling enough reason for business leaders to prioritise third-party governance and due diligence. 

And the message from international regulators is clear: outsourcing doesn’t put an end to your responsibility. As your third-party footprint continues to grow, due diligence processes will become key to maintaining business resilience, especially as regulators place increasing pressure on organisations to better manage their end-to-end supply chains.