A guide to Vendor Due Diligence Questionnaires

The key factor in such a decision is the vendor’s ability and willingness to remediate or mitigate any identified risks to your business.

This article discusses an approach commonly used to create vendor due diligence questionnaires, covering:

FREE VRM CHECKLIST Your Vendor Risk Management Checklist 15 vendor risk management activities that your business should complete Insights into why each step matters and who should be involved Discover how a VCLM platform can help

Why use a Vendor Due questionnaire?

Benefits for your business:

Clarity and consistency: Provides a clear and structured outline of the information required from a vendor, minimising ambiguity and uncertainty. It ensures that the same set of data is collected from all vendors, enabling consistent evaluation and comparison.
Comprehensive data collection: Ensures all critical areas are covered, reducing the risk of missing important information.
Documentation and record-keeping: Creates a documented record of the process, which can be referred to later if needed.
Ease of use: Simple to use and readily understood by employees at various levels, simplifying training and onboarding processes.
Flexibility and adaptability: Can be customised to fit the specific needs of different industries, businesses or regulatory environments.
Improved decision-making: Organises information in a structured manner, helping your decision-makers review and analyse the data collected.
Risk mitigation: Ensures all potential vendor risks are systematically identified, reviewed and addressed.
Transparency and communication: Provides clear criteria for vendor evaluation to your stakeholders and the target vendors.

Benefits for your vendors

Competitive advantage: Well-prepared vendors with comprehensive and organised information can stand out from competitors.
Efficiency and time-savings: Simplifies the process for vendors to respond to due diligence requests.
Guidance and clarity: Provides clear guidance on what information is needed, reducing uncertainty.
Opportunity for improvement: Offers feedback on areas where the vendor may need to improve or provide additional information.
Professionalism and credibility: Demonstrates the vendor’s professionalism and preparedness in providing the required information.

How much due diligence is necessary and how often?

You should perform some level of due diligence on every vendor you contract with.

The extent of that effort should be based on:

Delivery criticality: How important is the vendor to your business? Consider the impact on your operations, finances, or reputation if the vendor fails to deliver.
Risk potential: What are the actual or potential risks associated with using this vendor? Examples include data security risks (e.g., data theft or corruption), financial instability risks (e.g., potential for vendor bankruptcy), and operational disruption risks (e.g., vendor service outages).
Switching difficulty: How easy would it be to switch to another vendor if necessary? Factors to consider include switching costs, availability of qualified alternatives, and the time required to transition.

Minimal due diligence might be enough for a low-cost office supplies vendor. However, a thorough assessment is crucial for a vendor managing your sensitive data, providing critical infrastructure services, or accessing your internal technology infrastructure to install or administer software.

A simple low-medium-high scale can rank a vendor’s position for each factor. Most of your vendors will require minimal due diligence, a few will need moderate effort, and strategic vendors will need thorough and more frequent reviews.

It's advisable to have a basic vendor due diligence questionnaire that describes the essential data to be obtained from and any that might need to be provided to, your existing and potential vendors.

This can be supplemented with extensions for more in-depth data collection when needed for the few essential vendors you rely on.

Timing for due diligence activities can be:

Fixed: at least annually for critical and high-risk vendors, every 18-24 months for moderate-risk vendors, and every 2-3 years for low-risk vendors
Occasional: regardless of a vendor’s risk level, the process should always be conducted on the occurrence of the following situations:

Contract midpoint: for critical vendors
Contract renewals: as part of the general review to determine if renewal is desirable
Performance issues: if vendor performance is exhibiting a clear and persistent downward trend significant enough to reconsider the relationship
Regulatory change: when new or updated regulations that apply to your vendors are released.

Ensure your vendor contracts include an obligation to comply with reasonable requests for their participation in the due diligence process.

FREE EBOOK DOWNLOAD A Guide to Vendor Management 5 chapters covering various stages of the vendor lifecycle, 8 actionable checklists to support core vendor management activities Guidance on how to manage your vendors in the face of regulation

How to Build Your Due Diligence Questionnaire

Building an effective and productive questionnaire can take a lot of insight. To inform your decision to begin or continue using a vendor, you need certainty that the requested data will provide a sufficient understanding of the vendor’s risk management approach and outcomes.

This can be achieved by involving subject matter experts from departments like Finance, IT and Legal, who have deep knowledge of the different types of risk facing their specific areas.

These people are best suited to assess returned vendor data for red flags. It's smart to use their expertise to determine the data needed from vendors and set up red flag indicators.

These experts can also assess available vendor due diligence questionnaires or those from industry bodies and associations, and propose any useful elements for inclusion.

Vendor Due Diligence Questionnaire Items

For both existing and potential vendors, common essential due diligence areas include:

Financial Health

Annual Revenue
Auditor’s Reports
Cash Flow
Credit Rating
Debt Levels
Insurance Coverage
Profit Margins
Recent Financial Statements

Operational Capability

Relies on vendor processes and documentation:

Customer Service Standards
Disaster Recovery Plans
Performance Metrics
Production Capacity
Quality Control Processes
Risk Management
Scalability
Supply Chain Management
Technology Infrastructure

Legal Compliance

Requires comprehensive documentation:

Anti-Corruption Policies
Data Protection Policies
Environmental Obligations
Export Controls
Health and Safety Standards
Licenses and Permits
Tax Compliance

Cybersecurity

Access Controls
Breach Notification
Compliance with Standards
Date Last Updated
Data Encryption Practices
Incident Response Plans
Network Security
Security Policies
SOC Reports
Third-Party Security
Vulnerability Assessments

Regulatory Compliance

Requires comprehensive documentation:

Applicable Regulations
Compliance with Regulations
Applicable Standards
Compliance with Standards
Blacklists

How to Maintain Your Questionnaire

Your questionnaire must be kept relevant in the face of change drivers such as:

Cybersecurity Threats: The evolving cyber threat landscape requires updated security practices.
Emerging Technologies: Newer technologies like artificial intelligence and blockchain are introducing a range of new risks.
Evolving Regulatory Landscape: Existing laws are being strengthened and new laws are introduced to cover more and more aspects of business operations that need to be added to your questionnaire.
Industry Best Practices: Evolving best practices require regular updates to your questionnaire.

Schedule periodic reviews of your vendor due diligence questionnaire to ensure it remains relevant and addresses current risks. Incorporate changes based on regulatory updates, industry trends, and lessons learned from past vendor assessments.

How Gatekeeper Helps with Vendor Due Diligence

Vendor and Contract Lifecycle Management software like Gatekeeper can significantly streamline and enhance the vendor due diligence process, including questionnaire setup and monitoring. Here’s how:

Vendor Due Diligence Questionnaire Setup

Centralised Repository: Gatekeeper offers a central location for storing and managing questionnaires. This ensures consistency and accessibility across your business.
Collaboration: Multiple stakeholders can contribute to questionnaire development, ensuring that all necessary perspectives are considered.
Conditional Logic: Gatekeeper can use conditional logic in questionnaires, where the answers given to earlier questions determine which questions will be raised next. This ensures the process focuses on relevant information.

Questionnaire Distribution and Monitoring

Automated Distribution: Gatekeeper can automate the distribution ofquestionnaires to vendors, saving time and reducing errors
Deadline Management: the software can set reminders and deadlines for vendor responses, ensuring timely completion of the due diligence data collection process
Document Management: vendors can upload requested documents directly to the Gatekeeper platform, simplifying the process and increasing its manageability
Tracking and reporting: the software can track the progress of checklist submissions, generate reports on completion rates, and identify any bottlenecks in the process
Vendor Portal: vendors can access the questionnaire through a secure portal streamlining the information-gathering process
Workflow Automation: Gatekeeper can automate the routing of completed checklists to the appropriate people for review and approval, ensuring efficient workflow management.

Additional benefits for the due diligence process

Contract Management Integration: Vendor and Contract records in Gatekeeper are linked. This means your legal team can assess the due diligence responses before their contract review to ensure they’ve covered any risks identified throughout that process.
Performance Monitoring: Gatekeeper can track vendor performance over time, comparing actual performance against contractual obligations and KPIs.
Vendor Information Management: Gatekeeper can store and manage all vendor-related information, including financial data, insurance certificates, and compliance documentation, making it easily accessible for review at any time.

By leveraging Gatekeeper's capabilities, your business can significantly improve the efficiency, accuracy, and consistency of its vendor due diligence processes. The software empowers you to make informed decisions about vendor selection and management while reducing the risk of disruptions and financial losses.

Wrap-up

An effective vendor due diligence questionnaire is crucial for managing vendor-related risks and ensuring compliance with regulatory and industry standards. It provides clarity, consistency, and comprehensive data collection, benefitting both your business and its vendors.

Regular reviews and updates keep the questionnaire relevant in an evolving risk landscape. By using it, you can make informed decisions about starting or restarting, continuing, or terminating relationships with vendors, ultimately supporting your business’s risk management and operational resilience.

To get more information about how Gatekeeper can help with your Vendor Due Diligence activities, don't hesitate to get in touch with us.

Rod Linsley

Rod is a seasoned Contracts Management and Procurement professional with a senior IT Management background, specialising in ICT contracts