Posted on Sep 13, 2021
Every day, organizations around the world use due diligence questionnaires (DDQs) to evaluate potential business partnerships and gain a better understanding of the way various third-party vendors conduct day-to-day operations. These questionnaires help organizations investigate potential business ventures or partnerships to confirm they are making a good investment before entering into an agreement with a third party.
Unfortunately, there is no "one size fits all" questionnaire, so it is crucial that organizations carefully consider which type of questionnaire will provide the most informative data and allow them to make the best business decisions. Below, we explore the meaning of a DDQ and the most important aspects to cover in one, and outline six examples of successful questionnaires that your business can leverage to pinpoint vendor risk.
A due diligence questionnaire is a formal assessment made up of questions designed to outline the way a business complies with industry standards, implements cybersecurity initiatives, and manages its network. In most cases, a DDQ is used before a merger between two businesses to create transparency and confidence in the venture. Due diligence questionnaires can also be used bi-annually to ensure agreed-upon business standards are continuously met by vendors.
DDQs are issued to simplify and condense the transaction of important information as well as efficiently collect data and streamline the disclosure process. They are designed to surface details and hidden information that otherwise would have been overlooked and prove to be most beneficial when addressing the following categories:
Due diligence questionnaires are an essential part of mergers and acquisitions. Before any transaction is complete, a business must confirm that the investment is beneficial and will pay off in the future. Outlining a vendor’s security, personnel, legal matters, compliance, current contract obligations, and financial history, a DDQ supplies important data that can be used to help decide between potential partners and reveal pertinent vendor security risks.
DDQs are equally as useful for investments. Typically highlighting core business credentials, these questionnaires explore topics and include details on company founders, client and supplier information, competitor analysis, and copyright. For example, a stakeholder may conduct a DDQ to ensure a potential business venture is worthy of investment. The DDQ will allow the stakeholder to better assess if the investment is worth the money, time, or even the potential risk it poses before any binding legal action is taken.
Vendor due diligence can include both proactive sell-side due diligence and third-party risk assessments.
Proactive sell-side due diligence is when a company plans to sell its business and predicts that multiple parties will be interested in buying. In this situation, they would conduct proactive vendor due diligence and also investigate risks within their own company. Then, when the company is ready to sell, this information can be provided to potential buyers without the hassle of having to complete an individual DDQ for each interested buyer. This process speeds up the sale significantly and can result in faster acquisition of the business.
A third-party risk assessment manages risk within supplier partnerships. No matter the vendor, there is always a level of risk associated with conducting business with another organization: this could include financial, operational, reputational, and cyber risks. Since vendors will likely receive access to your business network, it is important to cover all bases before granting access and permissions. The vendor due diligence questionnaire examines risk by collecting information on data security, human resource policies, financials, and references. Organizations can then use this information to set requirements that the vendor must uphold in order to meet the standards of the business relationship.
Acquiring the proper information and data from a vendor will prevent your business from signing contracts with hidden liabilities and will help to streamline the onboarding process. Below, we outline the top five most important aspects to cover during a vendor evaluation:
It is crucial to understand the ways cybersecurity is implemented in a vendor's business practices. As the world grows increasingly digital, vendors need to uphold cybersecurity best practices and network protection plans that align with industry standards. Questions concerning cybersecurity practices may include whether the vendor has participated in a vulnerability assessment, whether they have implemented an information security awareness program, and whether they have an IT team prepared to handle hacking attempts or system breaches. Answers to these questions will allow businesses to better assess a vendor's security posture and determine where cybersecurity risks may lie.
Has the vendor you're investigating developed a formal, well-documented business continuity plan? Not only does this secure longevity for the vendor's business, but it also demonstrates that the company has a plan and procedures in place in the event of a network disaster. Your due diligence questions should provide insight into their disaster recovery plan and solution. Does the vendor have a structure to identify critical IT systems, an outline of the steps needed to restart or recover networks, and employee emergency training guidelines? A disaster recovery plan ensures that critical data is protected in the event of a system failure or breach and must be a topic covered in your DDQ.
Ensure that the vendor maintains regulatory compliance by following the state, federal, and international laws and regulations that are relevant to their industry. When a business fails to comply, it exposes itself to potential lawsuits, financial liability, and reputational risk. The last thing a business wants is to be associated with a vendor who doesn't comply with industry standards. Since the regulatory environment is constantly changing, questions that review the way the vendor monitors for these changes and implements them in their compliance programs should be a top priority.
Sensitive data and information are some of the most important assets to an organization. Confidential employee data, bank account information and access to confidential files all run the risk of a breach if managed improperly. Therefore, data protection should be prioritized and managed closely. Businesses should address the systems of data management a vendor has in place to ensure the security of sensitive information.
Businesses must receive full transparency into the methods and procedures a vendor follows to maintain network security in order to avoid any surprises in the future. Your DDQ should include questions about the vendor’s level of visibility into their network, whether they are utilizing advanced monitoring and reporting tools, and the structures they have in place to ensure their network is managed in the most optimal way.
Due diligence questionnaires can easily get convoluted and cluttered with overlapping concerns and questions that could have been combined. Organizations have found it useful to create a standardized due diligence questionnaire template tailored to the kinds of investigations they perform regularly.
A questionnaire template saves businesses time and makes analysis of future vendor compliance easier since quarterly or bi-annual questionnaires use the same template. Let’s explore six DDQ examples to help inform your own DDQ development:
Principles for Responsible Investing (PRI) is an international organization that was founded by investors to promote the incorporation of environmental, social, and corporate governance factors into the decision-making process of investments. They’ve created their own DDQ checklist, along with other investment tools, and offer a clear overview of their process on how the questionnaire was developed. The checklist highlights four main categories that focus on policy, governance, investment process, and monitoring and reporting.
The MISC business relationship DDQ can be classified as the ethics questionnaire, as it ensures organizations comply with MISC's ethical standards. MISC has a zero-tolerance policy against bribery and corruption and a strong commitment to risk management. Their DDQ highlights their expectations and the documentation they require for compliance.
The in-depth INREV DDQ is committed to sharing knowledge, advocating for best practices, and establishing transparency throughout the non-listed real estate investment industry. Their template is highly organized and easy to use, focusing on how to best assist investors and consultants throughout the due diligence process. It gives insight into strategy, management, risk processes, and projected performance outcomes. With the provided information, investors can determine if the proposal is best suited for them.
The environmental and social governance DDQ focuses on the responsibility of environmental and social governance and provides assistance for general partners looking to identify risks and best policies within an investment. Businesses can use this DDQ example both before and after an investment to single out potential threats or issues to the company that will likely require further attention.
The Institutional Limited Partners Association (ILPA) DDQ is a well-thought-out and continuously updated questionnaire that covers an array of real-world issues and questions. Constructed using questions from other questionnaires in the industry, the ILPA DDQ covers fourteen critical areas, from investment strategy, to the alignment of interests, to diversity and inclusion. A complete list of the covered aspects can be found in their DDQ example.
SecurityScorecard’s concise due diligence checklist simplifies the process of developing a DDQ and allows businesses to set up a structure and outline to follow before entering into a partnership with a provider. The checklist suggests following these steps for gathering necessary data:
This checklist can be personalized to the needs of your business and can provide you with basic vendor information that can be used to inform partnership decisions. However you choose to utilize the checklist, uncovering potential risks before acquiring them is the most important outcome of a successful DDQ.
SecurityScorecard Atlas is the industry's only completely integrated security ratings and vendor assessment solution, providing businesses with vendor assessments that are faster, more accurate, and provide unparalleled security. Instead of facilitating a questionnaire process and analyzing vendor risk on your own, Atlas does it for you. A centralized platform combined with machine learning, Atlas aligns the responses from your business's questionnaire with SecurityScorecard Ratings to provide instant access and transparency into the level of cybersecurity risk that each potential partner poses. In addition, Atlas can compare service providers' questionnaire responses from past to present, streamlining your business's risk assessment process.
Constant management of third-party risk can be difficult. However, with SecurityScorecard's Atlas platform, businesses will be able to see how continuous security monitoring can give them the answers and guidance they need to make the best business decisions every time.