And you don’t have any good options. We know, we can help.
Written by Josh Layne, Vice President of Vendor Management & Compliance
You don’t have time to fully review all of the due diligence documentation every year for every critical and important vendor you’re responsible for. You’re expected to, but, realistically, you don’t have the time.
You know it. We know it.
In the world of best practices for third-party vendor risk assessment, everyone expects you to make time. From examiners, auditors and risk specialists to endless articles and webinars, everyone is saying you need to make time. Vendor management experts, including us, recommend you make some time.
With that time you’re expected to:
- Deep dive into each of the different documents you have in hand, like:
  - 100+ page SOC reports full of Klingon jargon
  - Densely formatted BCPs
  - Vague security statements
  - Complex financial statements
  - Outdated insurance statements in 5-point font
- Assess every potential risk from every angle
- Make a decision about your “appetite” for risk and how you’ll “significantly reduce” and “effectively mitigate” each of the unlikely, though possible, risks you uncover
- Make detailed notes about your findings and decision so you can prove to everyone you did it and did it well…
- Then do it five, 10 or 20 more times for every vendor…
- Then do it year over year over year…
You don’t have time to do this! You know it. We know it.
Considering the list of expectations above, you’re now looking at a mountain of vendor documents and data gathered up for you to wade through. And you may believe you only have two bad options:
Bad option one: You make the time to do all steps listed above. You carefully and cautiously give it your best effort and focused attention for each vendor – sifting through all documents, reviewing the pages and checking all the boxes. You then make a detailed, considered decision about your vendors’ risks and how you can manage these risks. You want to turn over every stone that may have risk beneath it. It takes skill, endurance and a whole lot of time. You have truckloads of the first two, so you make the time.
The other, and more likely, option is…
Bad option two: You just can’t make time. Instead, you quickly move through each vendor package of documents, making sure to lightly review each doc for about 5.3 seconds, maybe a little more on the SOC reports, hoping you don’t miss anything obvious, and making sure you can prove you at least touched everything once. Really, you’re just hoping no one figures out you didn’t analyze each document thoroughly before accepting or rejecting the risk it may or may not have illuminated.
We know you really want to think of yourself as a bad option one kind of business owner who will put the work in and come out the other side with deep insights about the vendors and fully formed opinions about the potential risks you uncover. We also know you’re not willingly a bad option two due-diligence-reviewing speedster who cuts corners just to get the job done and keep examiners and auditors reasonably happy, so long as they’re not looking too hard at vendor management this cycle.
In most cases, well-meaning business owners start with bad option one and quickly fall into bad option two because of lack of time. Your time is a non-renewable resource and you’ll never get sunk time back. Without enough time, bad option one isn’t just impossible, it could be damaging. Spending your time carefully reviewing due diligence is time not spent in other areas you need to focus on.
In good conscience, Maple Street won’t recommend spending zero time or suggest you put just the minimal attention into due diligence reviews. This isn’t just because of your examiners and the risk of noncompliance. For a well-run and effective vendor management program like ours to work, you need to identify risk and proactively manage potentially big risks when you uncover them. You need to know the big risks when making the hard decisions to renew, replace or renegotiate vendor contracts.
Big risks uncovered in due diligence can be:
- Repeated failed tests in the vendor’s continuity planning
- Knowing about complex controls the vendor expects you to have in place for the vendor’s controls to work, as described in a SOC report
- Financials that suggest likely deep cost cutting (i.e. performance issues) soon or even bankruptcy may be on the horizon
We won’t say there’s a magic bullet option that gives you time back and meets all of the expectations of your examiners. But we do believe you shouldn’t have to spend more of your limited time finding the big risks than necessary. There’s a third option, the smart option.
Smart option three: You engage Maple Street to provide a Street Smart Vendor Review Kit for your critical vendors.
Included in the Street Smart Vendor Review Kit:
- Fully summarized SOC reports, including multiple SOCs from a single vendor, with important risks highlighted
- From the SOCs, any controls you need in place clearly identified
- Financial analysis including a three-year trend (if available), not just a point in time, with common ratios calculated and practical advice about what they mean
- Insurance summary and comparison
- OFAC pull to ensure the vendor isn’t on the OFAC list
This option removes the need for you to spend your time carefully reading, sifting, documenting and analyzing the documents. You instead spend your time reviewing the big risks we uncover and deciding if the risk is acceptable, and if it’s not, how you will stay in front of it.
You don’t have time to fully review all of the due diligence documentation as you’re expected to every year. You know it. We know it.
And now you know there’s a smart option that meets expectations while taking up much less of your valuable time.
To learn more or order your Street Smart Vendor Review Kits, call 800-513-6839 or email VendorCompliance@maplestreetinc.com.