Due Diligence
Due diligence is the process of thoroughly investigating a vendor's security posture, compliance status, financial health, and operational practices before entering a contractual relationship, and on a recurring basis thereafter. It has traditionally relied on questionnaires; modern third-party cyber risk management combines questionnaire-based and outside-in technical evidence for a complete, independent picture.
What is Due Diligence in TPCRM?
Due diligence is the structured evaluation of a vendor's security, financial, and operational risk before your organization signs a contract or grants system access. It's the one point in the vendor relationship where you hold full leverage. Before a signature, you can reject a vendor, demand remediation, or renegotiate terms. After, you're managing whatever risk you already agreed to accept.
That distinction is why due diligence gets treated as a gate rather than a formality in mature third-party risk programs, even though it's often the first step to get compressed when procurement is in a hurry to close a deal.
What Does Due Diligence Cover Beyond a Security Questionnaire?
Due diligence covers more than a vendor's answers to a questionnaire. It pulls together external evidence of the vendor's actual security posture, documentation like SOC 2 reports or ISO certifications, financial stability indicators, and a check of the vendor's subcontractors and fourth parties that will also touch your data. A questionnaire alone only tells you what a vendor says about itself. External scanning and document verification tell you whether that's true.
This is also where the relationship's criticality tier gets set for the first time. A vendor that will handle regulated customer data warrants a deeper, more verified review than a vendor providing office supplies, and that distinction should be decided before either review starts, not discovered partway through.
When in the Vendor Lifecycle Does Due Diligence Happen?
Due diligence happens before the contract is signed, which makes it the only stage of the vendor relationship where the organization isn't already committed. It sits at the very start of the vendor lifecycle, ahead of vendor onboarding, ahead of system access, and ahead of any data flowing between the two organizations. Procurement teams often want to move fast at this stage because a deal is waiting to close. Risk teams want to move carefully, because this is the last moment before that vendor's risk becomes a permanent part of the organization's attack surface.
How Is Due Diligence Different From Ongoing Vendor Risk Assessment?
Due diligence is a one-time, pre-contract evaluation, while vendor risk assessment more broadly refers to the recurring evaluations that continue throughout the relationship, at renewal, after a material change, or in response to a new risk signal. Due diligence answers "should we start this relationship?" The ongoing assessment cycle that follows answers "should we continue it?" Skipping due diligence doesn't just delay a problem. It removes the one stage where rejecting a high-risk vendor was still a real option rather than a costly exit.
Why Does Manual Due Diligence Slow Down Vendor Onboarding?
Manual due diligence slows down onboarding because it depends on chasing documents, waiting on vendor responses, and reviewing evidence by hand, none of which scale when a procurement team is vetting dozens of vendors at once. A single SOC 2 report can run well past a hundred pages, and mapping its controls against an organization's required framework by hand takes hours per vendor, repeated every time. The business impact shows up as a backlog. Deals that are otherwise ready to close sit waiting on a security review that hasn't started yet, and that delay gets blamed on security long after the actual bottleneck was a manual process. Accelerating pre-contract due diligence with AI is how leading programs have closed that gap.
Black Kite's AI-powered vendor risk assessments parse vendor documentation and map it to your required frameworks automatically, cutting that review from weeks to hours.
What Regulatory Frameworks Require Documented Due Diligence?
Several regulatory regimes expect organizations to document that vendor due diligence actually happened, not just that a vendor was eventually approved. Financial services oversight bodies, healthcare regulators enforcing HIPAA, and data protection laws like GDPR all place responsibility on the contracting organization for risk introduced by vendors handling regulated data, which makes pre-contract evidence a practical necessity even where the rule itself doesn't spell out the word "due diligence."
The common thread across these regimes is the same: examiners and auditors want a paper trail showing the organization evaluated a vendor's risk before extending trust to it, not a record built after something already went wrong.
What's the Cost of Skipping Due Diligence on a Critical Vendor?
Skipping or rushing due diligence on a critical vendor means inheriting whatever risk that vendor already carries, without ever having the chance to catch it before the contract was signed. Black Kite's research shows that 67% of known third-party breaches now involve ransomware, and a meaningful share of those incidents trace back to a vendor relationship that was never properly vetted at the start. The cost isn't abstract. It's the breach notification, the regulatory inquiry, and the customer churn that follows a vendor incident your organization had no contractual leverage to prevent because it never asked the right questions before signing.
Frequently Asked Questions About Due Diligence
Who owns due diligence inside an organization?
Ownership typically sits with procurement, security, or risk teams jointly, with security or risk holding veto power over vendors that fail to meet a minimum bar. Splitting ownership without a clear veto path is one of the most common reasons high-risk vendors slip through.
How detailed should due diligence be for a low-risk vendor?
Due diligence should scale with criticality. A vendor with no access to sensitive systems or data warrants a lighter review than one handling regulated data, but every vendor should clear a documented minimum bar, even a brief one, before a contract is signed.