Third Party Risk Management

How Do I Perform Pre-Contract Due Diligence?

Performing pre-contract due diligence is critical to signing a contract with a vendor who is secure and respects your security. The risk assessment, along with the technical and price evaluation, gives you a complete picture from which to make a sound decision. Making the pre-contract due diligence process effective, and clearly communicating your expectations and goals, makes the due diligence analysis a key input to the decision of which vendor to award the work to.

As part of the request for proposal (RFP) process, tell the vendors that you will conduct a due diligence assessment, give them the list of documents and content you need, and state the deadline. Point out that they may already have a standard due diligence package, often held by their legal or compliance department. This gets the material to you promptly and leaves you enough time to complete the analysis and risk rating.

An objective, in-depth assessment of the third party should be performed; prior experience with the vendor or other informal knowledge should not be the sole basis for selection. Beyond the security review, there are many other topics to consider before selecting and entering into a contract with a vendor, including strategies and goals, legal and regulatory compliance, financial condition, business experience and reputation, and more. A full list with descriptions can be found in OCC Bulletin 2013-29 under the header Due Diligence and Third-Party Selection.

Once you have the documents, analyze them using your standard set of due diligence questions for a vendor and product of that inherent risk level and type of product or service. In addition to confirming that the appropriate topics are covered to the appropriate depth, make sure the documents are current: look for version tracking or review-date information showing the document was reviewed within the previous year. A policy that has not been reviewed in years is weak evidence that the control it describes is still operating.

Determine the residual risk for each question as it is answered, just as in your standard due diligence process. Once the ratings are in place, the answers and ratings are reviewed and signed off. This yields your key performance indicators (KPIs) for each vendor/product you are considering outsourcing to: an overall residual risk score as well as a score for each of the Federal Financial Institutions Examination Council's (FFIEC) rating categories, so strengths and weaknesses are visible at a glance.

You will also have a list of unmitigated risks. Assign each a probability of occurrence and a dollar value per occurrence; their product is the expected loss for that item, and the sum over all items is the total risk cost. Both the item-by-item and the total figures feed the decision whether to award the contract to each vendor, and they are useful leverage in negotiations (for example, requiring a specific control or a contractual remedy for a high-cost item).
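The steps above (checking evidence currency, rating each question, rolling ratings up by category and overall, and costing the unmitigated risks) can be kept in a small risk register rather than a spreadsheet. The following is an added example, not code from the original page: the vendor, questions, category names, ratings, probabilities and dollar values are all constructed for illustration, the category names are placeholders rather than the FFIEC's own list, and the per-category aggregation (mean rating) is an assumption, since the page does not prescribe one.

```python
"""Added example: roll up pre-contract due diligence answers into per-category
and overall residual-risk scores, flag stale evidence, and cost unmitigated
risks. All data below is constructed; category names are placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Ordinal scale for residual-risk ratings; 3 is worst.
RATING_SCALE = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Answer:
    question: str
    category: str       # rating category the question rolls up to
    residual: str       # "low", "moderate" or "high"
    doc_reviewed: date  # last review date found in the supporting document


@dataclass
class UnmitigatedRisk:
    description: str
    probability: float  # estimated probability of occurrence over the contract year
    impact_usd: float   # dollar value of one occurrence


def is_current(doc_reviewed: date, as_of: date, max_age_days: int = 365) -> bool:
    """Evidence counts as current if it was reviewed within the previous year."""
    return 0 <= (as_of - doc_reviewed).days <= max_age_days


def stale_evidence(answers, as_of):
    """Questions whose supporting document was not reviewed in the previous year."""
    return [a.question for a in answers if not is_current(a.doc_reviewed, as_of)]


def category_scores(answers):
    """Mean residual rating per category (assumed aggregation; page does not fix one)."""
    buckets = defaultdict(list)
    for a in answers:
        buckets[a.category].append(RATING_SCALE[a.residual])
    return {cat: round(mean(vals), 2) for cat, vals in buckets.items()}


def overall_score(answers):
    """Mean residual rating across every question answered."""
    return round(mean(RATING_SCALE[a.residual] for a in answers), 2)


def risk_costs(risks):
    """Expected loss per unmitigated item (probability x impact) and the total."""
    per_item = {r.description: round(r.probability * r.impact_usd, 2) for r in risks}
    return per_item, round(sum(per_item.values()), 2)


# Constructed sample assessment of one hypothetical vendor.
AS_OF = date(2024, 12, 15)
ANSWERS = [
    Answer("Encryption of data at rest", "Support and Delivery", "low", date(2024, 3, 1)),
    Answer("Vulnerability management cadence", "Support and Delivery", "high", date(2024, 9, 10)),
    Answer("Independent audit coverage", "Audit", "moderate", date(2023, 6, 1)),
    Answer("Business continuity testing", "Management", "low", date(2024, 1, 20)),
]
RISKS = [
    UnmitigatedRisk("No MFA on the vendor admin console", 0.2, 500_000),
    UnmitigatedRisk("Restore from backup never tested", 0.1, 250_000),
]

if __name__ == "__main__":
    print("stale evidence:", stale_evidence(ANSWERS, AS_OF))
    print("category scores:", category_scores(ANSWERS))
    print("overall score:", overall_score(ANSWERS))
    per_item, total = risk_costs(RISKS)
    print("risk cost per item:", per_item)
    print("total risk cost:", total)
```

Run as a script it prints the stale-evidence list, the category and overall scores, and the expected-loss figures; in practice the same functions would be called for each bidding vendor so the resulting scores and costs can be compared side by side with the technical and price evaluations.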

Pre-contract due diligence yields KPIs and unmitigated risk costs that, together with the review of technical skill, cost, schedule and so on, give the most complete picture from which to make an informed choice of vendor. Upfront preparation yields both a crisp RFP review process and a smoother onboarding.