Third-party due diligence is how you investigate the risk a vendor, supplier, or partner brings before you engage them, and how you keep that picture current for as long as you rely on them.
It’s the foundation of any third-party risk management program, and it’s where regulators and your board look first when something goes wrong.
Most teams treat due diligence as a step to clear before onboarding. The better question is whether it would hold up. Months later, can you account for what you looked at, what you concluded, and why you accepted the risk? That’s what separates a program that files well from one that survives an audit.
- What is Third-Party Due Diligence?
- Why is Third-Party Due Diligence a Program, Not a One-Time Check?
- What Is The Third-Party Due Diligence Process?
- What Risks Does Third-Party Due Diligence Surface?
- Where Do Third-Party Due Diligence Programs Fall Short?
- Operationalizing Continuous Due Diligence
- Third-Party Due Diligence: Common Questions
What is Third-Party Due Diligence?
Third-party due diligence is the process of gathering and analyzing data on the security, financial, operational, and reputational risks a third party could pose, then weighing that risk against your organization’s tolerance for it. It’s a critical early step in third-party risk management, and it runs across the full relationship, from sourcing and selection through onboarding and ongoing oversight.
Third-party due diligence is often confused with vendor due diligence, though the two operate at different levels. Vendor due diligence is the pre-contract and onboarding evaluation of a specific vendor you are deciding whether to engage. Third-party due diligence is the broader program discipline that governs how you assess and monitor every third party across its lifecycle. Any single vendor evaluation is one instance of it.
Why is Third-Party Due Diligence a Program, Not a One-Time Check?
A third party’s risk profile changes over time. As your network of vendors and suppliers grows and becomes more interconnected, each relationship brings its own exposure, and that exposure shifts as the third party’s circumstances change. A partner that was low-risk at signing can turn high-risk after an acquisition, a breach, or a new regulation.
On the security side, Verizon’s 2026 Data Breach Investigations Report found that third-party involvement appeared in 48% of breaches, up from 30% the year before. Together, that’s a 60% year-over-year increase. On the compliance side, Stanford Law School’s Foreign Corrupt Practices Act Clearinghouse has tracked third-party intermediaries like agents, consultants, contractors in roughly 90% of FCPA enforcement matters since the statute’s 1977 enactment. In both cases, the risk that lands on your organization originates outside it, in a relationship you chose to enter.
That’s why mature programs treat due diligence as continuous. Diligence done before you sign is when you have more options: you can decline outright, require fixes first, or negotiate protections into the agreement. Diligence repeated throughout the relationship keeps the assessment accurate after conditions change. Where a third party relies on its own subcontractors, the same logic extends to those fourth and nth parties.
What Is The Third-Party Due Diligence Process?
A repeatable process is what makes diligence defensible rather than ad hoc. The same seven steps apply regardless of third-party tier, while the depth at each step changes.
-
Define scope and risk appetite
Set what level of risk you will accept, and what that means for this third party’s category, data sensitivity, and regulatory exposure.
-
Tier the third party
Not every relationship warrants the same scrutiny. Gauge how critical the third party’s goods or services are and how much access to sensitive data or systems they need. Those two factors set the third party’s profiled risk, its likely risk level based on observable signals such as industry, location, ownership, and financial standing.
Use it to right-size the work: the vendor that runs your payroll or holds customer records earns a full review and ongoing monitoring, while a landscaping contractor with no system access clears with basic checks. Scoring and tiering third parties consistently is what makes those depth decisions defensible.
-
Collect information
Gather a vendor risk assessment questionnaire scoped to the third party’s tier, financial records, and current certifications such as ISO 27001 or SOC 2.
-
Validate against external intelligence
Self-reported answers are a starting point, not proof. Confirm them against independent sources: sanction and watchlist screening, adverse media, financial data, and external monitoring of the third party’s security posture.
-
Decide and set conditions
Proceed, decline, or proceed with conditions written into the contract.
-
Document the decision
Record what you assessed, what you found, and why you accepted or mitigated each risk. This record is what makes the decision defensible later.
-
Monitor for the life of the relationship
Replace the annual questionnaire with continuous monitoring that flags new breaches, financial distress, regulatory action, or operational disruption as they occur.
What Risks Does Third-Party Due Diligence Surface?
Due diligence doesn’t introduce a new set of risk categories. It assesses the same ones that define a mature supplier risk management program: cybersecurity, compliance, financial health, operational performance, ESG and reputational exposure, and geopolitical and event risk.
What due diligence adds is verification. At onboarding, each category gets tested against outside evidence, not the third party’s own account of itself, before the relationship starts and the assessment becomes something you’re relying on rather than checking.
Where Do Third-Party Due Diligence Programs Fall Short?
Three failure points recur, and each widens the same gap between what a program documents and what it can defend.
The first is treating diligence as a one-time gate. New risk enters after onboarding, and a program that stops monitoring once the contract is signed can’t see it. The original assessment becomes a snapshot that ages by the day.
The second is stopping at the direct third party. A program that examines only the parties it contracts with leaves the fourth and Nth parties beneath them unchecked, and a single shared subprocessor there can concentrate risk across an entire portfolio. Mature programs map that extended chain and carry diligence into the relationships their third parties depend on.
The third is weak data underneath the program. In KPMG’s 2026 Global Third-Party Risk Management Survey, only 15% of leaders reported high confidence in the data underpinning their programs. A diligence decision is only as defensible as the data behind it, and most programs are working from data they can’t fully stand behind.
Operationalizing Continuous Due Diligence
The strongest programs close those gaps by design. They tier third parties consistently, combine internal assessment with external monitoring in a single view, and treat diligence as continuous rather than a point in time.
Done well, due diligence stops being a file you assemble for an audit and becomes a live picture of your third-party risk. That’s the difference between a program that holds up and a file that only looks right in the moment someone signs off on it.For teams formalizing that discipline, third-party risk management solutions bring assessment, tiering, and monitoring into one workflow.
Some third-party due diligence platforms are built for exactly that: unifying third-party risk assessment with financial, cyber, operational, ESG, and reputational monitoring into a closed-loop view from sourcing through offboarding.
See continuous third-party due diligence in practice.
Book a DemoThird-Party Due Diligence: Common Questions
What is third-party due diligence?
What is the third-party due diligence process?
What is a third-party due diligence policy?
What regulations require third-party due diligence?
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management, Prevalent. The content has been updated July 2026 to include information aligned with our product offerings, regulatory changes, and compliance.
