There are many risks implicit in doing business, and CEO’s and risk management officers face many internal and external threats. Most organisations face preventable risks; however, the burden of identifying risks can be too much, especially when dealing with third-party providers.

Most service providers offerings are often part of organisations’ core functions (i.e. internet-related services or cloud services); they have access to sensitive information, including your clients’ client details (PII), their financial data such as credit cards (PCI), or trade secrets; that impacts your data security or privacy programs; a worrying source of risk and, often than not, they drive up your cost. 

According to Ponemon Institute’s Cost of a Data Breach Report 2020, organisations spend £2.9 million ($3.86 million) recovering from security incidents. And third-party breaches cost $370,000 more than in-house breaches. Third-party breaches do happen, and many organisations aren’t prepared. In fact, Protiviti’s 2019 Vendor Risk Management Benchmark Study found that only 4 in 10 organisations have a fully mature vendor risk management process in place. 

It’s critical to follow a well-defined and comprehensive due diligence process when it comes to service providers. Having a services provider due diligence checklist allows you to see what obligations, liabilities, or any types of risks you’re assuming. 

What Is a Due Diligence Checklist?

A due diligence checklist is an organised way to analyse a service provider you want to work with. Following this checklist, you can learn about the Service Provider liabilities, benefits, and potential problems. Due diligence checklists are usually arranged in a basic format. However, they can be changed to fit different industries and professional relationships. A due diligence checklist can also be used for:

  • Preparing an audited financial statement or annual report
  • A public or private financing transaction
  • Bank financing
  • A joint venture
  • An initial public offering (IPO)
  • General risk management.

However, we developed a complete due diligence checklist for you to use on your service providers for this article. There are six core areas to consider when doing your due diligence vetting a service provider:

  1. General company information
  2. Financial review
  3. Reputational Risk
  4. Insurance
  5. Information Security Technical Review
  6. Policy Review

The questions could change based on your requirements or the company, industry, size, or region. The more you know about potential vendors, the easier it is to assess their risk. Let’s take a look!

1. Build an inventory of your service providers:

  • List the providers of significant core functions
  • List any smaller providers who might be working with individual departments

2. Rank each service provider based on risk by asking the following questions:

  • What service does this organisation provide?
  • Who owns the relationship with this provider?
  • Is this provider tied to your organisation’s most critical business operations?
  • What data do they have access to?

3. Collect information on each service provider, including basic information:

  • A business charter or articles of incorporation (or similar corporate charter)
  • Business location, and proof of location.
  • Business license: confirm that the company is legitimate
  • Overview of company structure
  • Information about executives and board members
  • Financial information: is the service provider financially solvent? Would you want to partner with a company that may not be in business next year? 
  • Insurance: gather information on general liability insurance, cyber insurance, or insurance-specific capabilities.

4. General risk information:

  • Is the service provider on any watch lists?
  • Any Lawsuits?
  • Any negative news coverage?
  • Any significant complaints or negative reviews from consumers?
  • Is the site physically secure?
  • Policy Review

Cyber risk Information:

  • Security rating
  • Assessment questionnaire
  • Retrieve the IT system outline
  • Any assets exposed to the open Internet?
  • Any cases of data breaches?

Final risk analysis:

  • Calculate your risk: Risk = Likelihood of a Data Breach X Impact of a Data Breach/Cost
  • Set a risk rating of high, medium, or low
  • Compare the above information with your risk appetite and determine whether your organisation should pursue a relationship with the service provider

How can CRI Group help you manage and respond to risks?

Managing third-party risk can be difficult. The work isn’t done when you understand the risks associated with doing working with third-party providers. With CRI Group, organisations can make the process simpler and gain a window into their service providers’ risk. 

Due diligence on potential business partners when adding a new vendor or hiring a new employee is vital to confirm the legitimacy and reduce the risks associated with such professional relationships. 

Our global integrity DueDiligence360 investigations provide your business with the critical information it needs in making sound decisions regarding mergers and acquisitions, strategic partnerships, and the selection of vendors, suppliers, and employees. And we offer different levels of due diligence to fit your needs:

  • Level I Basic: Basic due diligence
  • Level I Essential: Essential due Diligence
  • Level II EDD Enhanced Integrity Due Diligence
  • Level II EDD Plus Enhanced Integrity Due Diligence

Our Enhanced Integrity Due Diligence services will ensure that working with an, i.e. potential trade partner will ultimately achieve your organisation’s strategic and financial goals. To find out more about each level of due diligence, contact CRI Group HERE!

Who is CRI Group?

Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk ManagementEmployee Background ScreeningBusiness IntelligenceDue DiligenceCompliance Solutions and other professional Investigative Research solutions provider.

We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

In 2016, CRI Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management SystemsISO 37301:2021 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification.

ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. Contact ABAC® for more on ISO Certification and training.

Share Insights