blog Market Intelligence /marketintelligence/en/news-insights/blog/the-four-steps-of-effective-due-diligence content esgSubNav
Discover more about S&P Global’s offerings
In This List
Blog

The Four Steps of Effective Due Diligence
Case Study

A Credit Union Enriches Its CRM System with Actionable Lending Insights

Blog

Investment Banking Essentials: August 21

Blog

Banking Essentials Newsletter: August 21st Edition

Blog

The Importance of High-Quality Data for Effective Due Diligence


The Four Steps of Effective Due Diligence

Creditworthiness, cybersecurity, reputation, and more. Risk is everywhere for financial organizations that depend on third-party suppliers, making due diligence crucial in an increasingly unpredictable ‒ and increasingly regulated ‒ world. It’s critical that financial services organizations bring greater rigor, depth, and innovation to third-party risk management (TPRM) processes, especially when faced with the growing expectations of clients, regulators, and internal stakeholders.

Initial due diligence captures key details on a third-party, but the importance and value of ongoing due diligence cannot be overlooked. A continuous process can capture inevitable changes due to new personnel, shifts in the supply chain, or external factors linked to economic or geopolitical risks and should include ongoing risk-based oversight and monitoring.

Maximizing Risk Mitigation

Effective due diligence is comprised of four stages, with multiple processes at every step. Each has a specific purpose that, when completed in order, maximizes the effectiveness and risk mitigation of an organization’s due diligence process. The four stages include:

  • Stage One: Scheduling and Outreach
  • Stage Two: Information Gathering
  • Stage Three: Assessment
  • Stage Four: Risk Scoring and Decision-Making

Stage One: Scheduling and Outreach

Every due diligence process requires engaging with third parties to develop a broader view of the risk landscape. This could include identifying whether a third party uses third- or fourth- party relationships or whether there are specific factors within their supply chain that could impact the risk profile and, therefore, the due diligence profile.

Initial Scheduling

  • Define the due diligence intake process for new third-party relationships based on the inherent risk and/or criticality.
  • Schedule the management of ongoing monitoring.

Third-party Outreach

  • Check availability of assessment control data and evidence used already. If available, leverage this information for Stage Two and Three.
  • Connect with the third party for collection of additional due diligence information.

Stage Two: Information Gathering

Based on an enterprise’s risk profile, additional information and evidence may need to be collected and validated. For example, Business Continuity Plans (BCPs) can be an essential factor for larger organizations, requiring evidence and periodic BCP scenario tests. Similarly, many organizations have increased requirements around environmental, social, and governance (ESG) policies and procedures for all third parties. Once collected, this information must be validated using external sources.

Information Collection and Evidence Validation

  • Conduct a high-level review of new due diligence information from the due diligence questionnaire (DDQ), including performance of completeness, consistency checks, and evidence validation.

Stage Three: Assessment

Next, it’s necessary to evaluate the controls. This requires understanding an enterprise’s required level of compliance across all relevant domains that are in scope for the service under due diligence, including financial, legal and compliance, and information security. Together, these paint a broad picture of how strong a firm’s processes are, and what protocols are appropriate and necessary when considering the due diligence requirements. This can be an iterative process that includes inspection of the evidence submitted by the third party and/or further inquiries with their subject matter experts.

After completion of the assessment, it needs to be applied to a firm’s risk profile to understand the inherent risks and where these may have changed. This assessment can be combined with internal risk scoring and risk management policies for a complete understanding of the residual risk. This refers to the level of risk that remains after security measures and controls have been applied to mitigate the inherent risks and is fundamental for making informed risk-based decisions. As firms incorporate the lessons learnt from this residual risk analysis, they are better able to identify and mitigate vulnerabilities, develop a robust response and recovery strategy, and become more resilient to future disruption.

Control Evaluation and Assessment

  • Assess the control design, implementation, and documentation.
  • Review if controls are in line with agreed Service Level Agreements (SLAs) and processes.
  • Verify the final due diligence assessment report when ready.
  • Move any issues to issue/remediation management.

Stage Four: Risk Scoring and Decision-Making

Decision-making is more complex than a simple “Yes/No” when onboarding a third party. A decision must be made as to which third parties to prioritize, and the extent of due diligence needed. The decision then is whether to proceed or not based on a score that summarizes the overall posture of a supplier across relevant risk domains. Such scoring can be an enabler for efficient risk-based decision-making.

It’s then important to determine if long-term oversight is needed or if existing relationships should be reassessed. This remediation process looks again at the data, or incorporates new or changed data, to provide an up-to-date assessment. Questions may arise as to whether the residual risk is in line with a firm’s risk appetite, if the terms and conditions changed, and if SLAs are still in-line with the risks being assumed.

Then frequency of review needs to be considered, noting how often a relationship needs to be reassessed and what will be involved.

Risk Scoring and Decision Making

  • Conduct internal risk scoring (if applicable) based on the due diligence assessment report.
  • Review the assessment of results and scoring.
  • Finalize the decision to onboard/proceed based on acceptance criteria/risk appetite.

Prioritized Remediation

  • Manage actions/remediation items resulting from the due diligence assessment, as needed.

Capitalizing on Efficiencies

An effective risk management program should provide full transparency for all vendors. S&P Global KY3P® (“KY3P”) helps financial institutions simplify third-party oversight processes with a centralized data hub to collect and maintain up-to-date information on vendors in one location to assist with implementing best practices and ensuring audit readiness. Standardized questionnaires allow vendor information to be requested and stored once, with updates applied as needed.

The KY3P platform helps firms collect and maintain risk information, including cybersecurity and financial ratings, sanctions data, news alerts, cyber event data, and questionnaire responses from third parties that can be used to generate risk scores. The recently released 5.0 assessment methodology enhances firms’ regulatory compliance, optimizes risk management by aligning with industry-standard risk types, increases risk transparency, and improves clarity for clearer risk communication to business teams. Users can then effectively configure workflows to engage and inform relevant decision-makers so that TPRM staff can focus on risks instead of managing spreadsheets and emails, and chasing business owners and vendors. Driven by insights from diverse banks, customers, and S&P Global cross-industry experience, the KY3P blended framework consists of control objectives critical to business.

Learn more about KY3P and how it can help with the important due diligence process
Click Here
Ready to see KY3P in action?
Request a demo