Third Party Risk: Focus on Impact, Not Questionnaires
The 47-page vendor questionnaire strikes again.
HR wants a new applicant tracking system to handle candidate personal data and sync with job boards. InfoSec sends the standard security assessment - the same one used for office supplies, marketing tools, and cloud storage.
Three weeks later: the vendor’s frustrated, procurement’s delayed, and no one knows if the system can even meet GDPR or secure candidate data.
Sound familiar? We’re doing due diligence backwards.
Most pre-engagement assessments fail because they evaluate vendor controls before understanding the business impact of vendor failure. Why are we asking for an ISO 27001 certificate before we know what happens if the vendor goes down - or requesting a penetration test before understanding the consequences of data corruption in candidate records?
The result? Vendors give generic answers to generic questions, and you’re no closer to knowing whether their controls match your real-world needs.
Good due diligence starts with your own risk context:
- What’s the impact of vendor unavailability? Is this system core to revenue, or just a convenience tool?
- What’s the impact of a data breach? Is it storing customer data or just lunch orders?
- How would their failure cascade into other critical processes?
The vendor can tell you what they do and what data they touch. Only you can assess what that means for your business.
And it’s not just impact. Certain inherent vendor traits affect likelihood and resilience:
- Financial health: Weak balance sheets increase the risk of sudden service degradation or contract termination - even if their tech stack is solid.
- Geopolitical exposure: Operating in unstable regulatory environments or sanctions-prone regions can disrupt service or raise compliance flags overnight.
- Technology dependencies: Vendors tightly coupled to specific platforms or cloud providers introduce inherited concentration risk - their single points of failure become yours.
DORA requires that pre-contractual assessment match the criticality and risk profile of the service. High-risk services get deep due diligence. Commodity services don’t. That proportionate approach avoids both over-assessing the trivial and under-assessing the critical - and even non-regulated organizations benefit from the same mindset.
You don’t need more due diligence. You need smarter due diligence - built around your business, your risks, and your dependencies. And that is what we’ll talk about next.