Vendor due diligence differs from due diligence on prospective and/or current donors, in that
typically prospect development professionals will not receive regular requests for vendor due diligence. Rather,
vendor due diligence is necessary on the buy-side of any relationship with a vendor, not only prior to purchase
but also after said purchase, as vendors change over time – either through acquisition and mergers or
through further development of their products and features. This toolkit is designed to help prospect
development professionals understand their role in vendor due diligence and is meant to offer best practices and
to augment any institutional policy regarding vendor engagement and procurement. If your organization does not
already have vendor due diligence policies and procedures in place, this toolkit will help you formulate your
own. Additionally, if your organization already has vendor due diligence policies and procedures in place, this
toolkit could suggest some improvements to your current policy and/or your current due diligence
process.
What is Vendor Due Diligence?
Prospect development professionals are tasked with mitigating risk to their nonprofit organization through a variety of activities. While typically these activities are aimed directly at prospective donors, prospect development professionals’ skills can also be employed for vendor due diligence processes. Vendor due diligence in this context is the analysis of available data to evaluate the risks of entering into an agreement or partnership with a prospective vendor or continuing an existing relationship with a current vendor. As vendors’ offerings change over time and vendors’ terms and conditions of service can update frequently over time, vendor due diligence should be conducted on a regular schedule. Prospect development professionals, as users of data products and software-as-a-service products, are uniquely positioned to perform vendor due diligence in that prospect development professionals understand the importance and confidentiality of an organization’s data as well as how that internal data can be enriched with external data and through available analytics and reporting platforms.
Vendor due diligence is the specific information analysis, through the lens of ethical, legal, security, and privacy concerns, of the risks a prospective or current vendor presents, whether through its former, current, or anticipated actions or those of connected persons. These concerns can range from criminal and legal issues to questionable sources of product development, such as, for a data vendor, the supply chain through which the vendor acquired the data it now offers as a product. While prospect development professionals may not be the final decision makers, they may make recommendations regarding whether to move forward with a prospective or current vendor.
Some reasons to perform vendor due diligence research and risks associated with partnering with a prospective vendor or continuing to partner with a current vendor are listed below:
- Legal and regulatory risk – Could advancing the relationship with a prospective or current vendor expose the organization to legal or regulatory challenge? Is the prospective or current vendor compliant with data privacy and data security regulations?
- Financial risk – Could engaging with a prospective or current vendor jeopardize your organization’s reputation or ability to raise money in the future?
- Reputational risk – Could engaging with the vendor be perceived as inappropriate or unethical by your organization’s stakeholders?
- Dependency/operational risk – If the prospective or current vendor had to suddenly shut down its services and/or product lines, how would this impact your organization?
No department should work alone when it comes to exploring new vendors. Internal colleagues with whom you should consider partnering include:
- Procurement/Sourcing (vendors)
- IT and Security/Chief Information Security Officer (CISO) (technology)
- Finance (budget)
- Project Management
- Legal Counsel (contracts)
- Chief Privacy Officer
Conversations to consider include new vendor exploration, reviewing current vendors and contracts, the ability to provide technical support and training, and data sharing concerns.
Recognizing the need to manage vendor risk in the higher education community, the Higher Education Information Security Council’s (HEISC) Shared Assessments Working Group, working with Internet2 and REN-ISAC, created the Higher Education Community Vendor Assessment Toolkit (HECVAT). Before signing an agreement with a vendor, you can have the vendor fill out the HECVAT questionnaire so you can understand how they will secure your organization’s information. Apra’s ECC suggests partnering with your IT team, who can provide expertise and insight on the technical aspects covered by the HECVAT toolkit.
Vendor responses to the HECVAT questionnaire can be accessed by any organization, which should expedite procurement processes. Additionally, the use of the HECVAT tool will create consistency in the procurement process within an organization. There are several assessment tools available for free to download at the HECVAT website. These tools provide numerous questions which can be useful in vetting vendors. More information about HECVAT can be found here: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
The actual process of performing vendor due diligence can include the following (NOTE: Please reference the Search Terms for Vendor Due Diligence Research located herein.):
- Review your organization’s current procurement policies.
- Search court records for any recent and applicable lawsuits.
- Search the sexual offender registry (C-Suite).
- Run a negative news search for the vendor and the vendor’s subsidiaries if appropriate.
- Search for any negative news via social media and read through social media posts by the vendor.
- Research environmental, social, and governance issues, such as human rights policies.
- Research the vendor’s DEI initiatives and/or C-Suite composition.
- Discover and read the terms and conditions of the vendor’s services and privacy policy. See herein Privacy Policies or Terms and Conditions for Common Vendors in Our Sector.
- If the vendor under consideration by your organization is providing data enrichment services to your organization, discover how the vendor sources its data (how and from whom). Does your institution allow you to acquire scraped data?
- Ask for details regarding the following questions: What does your vendor do with your organization’s data? How long do they keep it? Where is it stored? Who owns it? With whom do they share it to deliver the services you want? How does the vendor minimize bias in their data and models/scores?
When considering using a vendor and/or renewing services with a current vendor, one should thoroughly review the vendor’s stated terms and conditions in addition to their privacy policy to ensure these are in alignment with your organization’s data security, privacy, and sharing practices. The following chart provides links to various vendors’ terms and conditions and privacy policies; this enumeration does not imply endorsement by Apra nor endorsement by any member of the Ethics & Compliance Committee:
*This does not represent an endorsement by Apra.
| Sources | Suggested Search Focus |
| --- | --- |
| News databases like Lexis/Nexis or Factiva (see search terms for due diligence research) | Both vendor and C-Suite |
| Internet search (see search terms for due diligence research) | Both vendor and C-Suite |
| Court records databases, such as PACER | Both vendor and C-Suite |
| Website including any associated organizations | Both vendor and C-Suite of parent company |
| Corporate Watch | Both vendor and C-Suite |
| Financial Records/Annual Reports | Vendor and pertinent subsidiaries |
| SEC filings | Vendor, pertinent subsidiaries, and C-Suite of parent company |
| Companies House | Vendor and pertinent subsidiaries |
| Corporate registries & business directories, including governmental sites | |
| Foundation Sites like Candid or OSCR | |
| Business and Human Rights Resource Centre | |
| Social Media Presence | |
| Other Sources as relevant | |
In addition to the Educause HECVAT process, a risk assessment score can further guide your organization in developing a consistent, objective, and transparent approach to scoring vendor risk and aids decision making. You may also wish to assign a numeric value to each incident discovered at a given level.
| Risk Level | Financial | Legal & Regulatory | Reputational | Operational/Dependency |
| --- | --- | --- | --- | --- |
| High | Evidence of money laundering, fraud, funds misappropriation, and financial irregularities | Substantial and/or repeated evidence of flouting regulations and laws, e.g., criminal convictions and large fines, etc. | Substantial and/or repeated evidence of serious criticism from other organizations, peers and stakeholders; and/or evidence of practices and behaviors that undermine the organization’s public profile, e.g., conflicts with the organization’s donation acceptance policy | Substantial evidence that the partnership could undermine the organization’s program work, i.e., the acceptance of the partnership could lead to significant changes to your organization’s strategy |
| Medium | Not applicable | Evidence of minor flouting of regulations and laws and/or allegations of bad practice | Significant evidence of negative media coverage from other organizations, stakeholders or peers; and/or evidence of practices and behaviors that undermine the organization’s public profile | Significant evidence and/or historical evidence that the partnership could undermine the organization’s program work, i.e., the acceptance of the partnership could lead to minor changes to your organization’s strategy |
| Low | Not applicable | No evidence or allegations of legal and regulatory bad practices | No or minimal negative media coverage on the organization or individual | No or minimal evidence that the partnership could undermine the organization’s mission |
Below are suggested terms to use while conducting vendor due diligence research, whether through a general internet search or via online news sources, such as a newspaper or magazine. These terms should be combined with Boolean operators (e.g., AND, NOT, OR) and connectors (e.g., “”, W/n, etc.) for more exhaustive query results. Additionally, when appropriate and when the search engine supports it, use wildcard characters (e.g., !, ?, or *) to expand on the root of a search term (e.g., indict! would also return instances of indicting, indictment, and indictments). Boolean search tutorials can be viewed here:
SUGGESTED SEARCH TERMS
- Scandal
- Controversy
- Allegation
- Corruption
- Disgrace
- Prosecution
- Criticism
- Fraud
- Investigation
- Speculation
- Court Case
- Lawsuit
- Class Action
- Sanction
- Conspiracy
- Defendant
- Plaintiff
- Verdict
- Warrant
- Crime
- Criminal
- Fraudulent
- Liable
- Damage
- Depose
- Felony
- Malfeasance
- Guilty
- Misappropriation
- Conviction
- Indict
- Human Rights
- Child Labor
- Supply Chain
- Discrimination
- Assault
- Sexual Assault
- Racketeering
- Antitrust
The following is from LexisNexis and is shared with permission:
How do I find negative information about a company?
Intel w/10 abus! or accus! or alleg! or arraign! or arrest! or assault! or attack! or bankrupt! or beat! or breach! or brib! or ( chapter pre/1 7 or 11 ) or charg! or conspir! or co-conspir! or convict! or corrupt! or court! or crime or criminal! or critici! or deceiv! or decept! or defendant or defraud! or denied or deny or disciplin! or discrim! or distort! or embattled or fraud! or guilt! or harass! or illegal! or incriminat! or indict! or inside! info! or insolv! or investigat! or judgement or judgment or launder! or liquidat! or litigat! or manipul! or misappropriat! or misconduct or misdeme! or mismanag! or misrepresent! or negligen! or offen! or probat! or prosecut! or racketeer! or revocation or revoke* or risk! or sabotag! or sanction! or scam! or scandal! or separat! or steal! or stole* or sued or suing or suspen! or terroris! or theft or threat! or unlawful! or verdict or violat! or violen!
Credits:
This vendor due diligence toolkit was initially drafted by Apra’s Ethics and Compliance Committee’s subcommittee members Elizabeth Goodman, Lori Hood Lawson, Jennifer Schlager, and Megan Horton. This toolkit utilizes many elements of the Due Diligence Toolkit as well.