Requesting third-party risk due diligence
Summary of Requesting Third-party Risk Due Diligence
Requesting third-party risk due diligence is essential for evaluating the risks associated with engaging third parties or their subsidiaries, known as fourth parties. This process helps organizations make informed decisions and implement necessary controls to mitigate potential risks from external relationships.
Key Features
- Request Process: Any employee can initiate a due diligence request for a third-party engagement.
- Approval Workflow: Notifications are sent to relevant parties, including the Due Diligence Request Assignment Group, to manage the request effectively.
- Engagement Types: Options include onboarding new engagements, reassessing existing ones, and offboarding relationships, with or without conducting further due diligence.
- Tracking: Each request is assigned a unique ID for easy tracking and communication with reviewers.
Key Outcomes
By conducting due diligence, organizations can:
- Identify and understand potential risks associated with third-party interactions.
- Make informed decisions regarding onboarding, reassessing, or offboarding third-party relationships.
- Mitigate risks that could impact operations and ensure compliance with internal and external standards.
For additional information on the due diligence workflow and risk assessment, refer to the relevant documentation within the Third-party Risk Management system.
Request third-party risk due diligence to determine the level of risk for interactions with a third party, engagement, or fourth party by using Third-party Risk Management. You conduct due diligence to become aware of the associated risks so that you can make informed decisions, establish appropriate controls, and mitigate the potential negative impact when working with external parties.
- An engagement is the informal or contracted relationship that you intend to form with a third party that could potentially expose your organization to risk. The engagement outlines the services or products to be provided by the third party and other details of the relationship.
- A third party is any organization or individual that you’ve interacted with or entered into a business relationship with. Third parties can have subsidiaries and can contract with fourth parties. For example, departments are subsidiaries.
- A fourth party can contract with further parties. All downstream parties, such as the fourth through the nth parties, carry risk in the same ways as third parties.
For more information about the terms that are used in these sections or why you might conduct due diligence, see Terminology and Why you conduct due diligence.
The following infographic shows the due diligence request process.
- An employee at your organization requests due diligence for a third-party engagement.
- The system sends out an email notification to the employee who made the request.
- The system sends out an email notification to the Due diligence request assignment group.
- A member of the group can assign a Third-party risk (TPR) manager [sn_vdr_risk_asmt.vendor_risk_manager] or TPR assessor [sn_vdr_risk_asmt.vendor_assessor] to act as the owner of the request.
- The system sends out an email notification to the assigned owner of the due diligence request.
- The TPR manager reviews the request for due diligence for the engagement and approves it. If the information provided by the requester is insufficient or the engagement isn’t feasible for your organization, the TPR manager rejects it.
- The Inherent Risk Questionnaire (IRQ) process starts after the TPR manager approves the request for due diligence.
To learn more about creating or monitoring a due diligence request, see Request due diligence for a third-party engagement and Monitoring the due diligence request process.
When creating a due diligence request, the following options are available:
- Onboard a new engagement: Start the onboarding process for a new engagement with an existing third party. For more information about this type of onboarding, see Example — Onboarding a third party.
- Reassess an existing engagement: Reassess an existing engagement when the conditions change. For example, if you hear adverse news or there are changes in your third party's supply lines, you might want to reassess the risk by conducting additional due diligence.
- Reassess an existing engagement for contract renewal: Reassess the risk by conducting due diligence before your organization renews the contract with a current third party or engagement.
- Offboard an engagement with due diligence: Determine whether offboarding (terminating the relationship) with an engagement is the optimal course of action by conducting due diligence. For example, it might be too risky to switch third parties or engagements even if their current performance doesn’t meet expectations. Extenuating circumstances can contribute to the decision. For example, if the third party is sourcing materials that are difficult to obtain, switching providers might be costly and introduce additional risks. In such cases, continuing with the existing third party, with whom a long-term relationship exists, might be preferable to mitigate potential disruptions and higher risks.
- Offboard an engagement with no due diligence: Request that an engagement be permanently terminated when the engagement ends or you want to switch to a different third party for other reasons. In this case, you typically don't need to conduct additional due diligence. The process does, however, include the normal Inherent Risk Questionnaire (IRQ) process to confirm that the services provided by the engagement will no longer continue. For more information about this type of offboarding, see Offboarding an engagement without conducting due diligence.
The following example shows how a new due diligence request appears.
For more information on the different processes that make up the overall due diligence workflow, see Due diligence workflow and Assessing your third-party risk.