The Vendor Vetting Fiasco: Why Your Due Diligence Is a Joke

The postings on this site are my own and do not necessarily represent FTI Consulting’s positions, strategies or opinions.

Welcome back to the circus, folks! If you thought the opening act of Third-Party Risk Management was wild, just wait until you see this next performance. Today, we’re diving into the comedy of errors that is vendor vetting—the part of TPRM where companies think they’re being diligent, but in reality, they’re just setting themselves up for disaster.

Picture this: you’re sitting at your desk, sipping coffee, and feeling pretty good about the fact that you’re about to “vet” a new vendor. You’ve got a list of questions, a checklist that’s been approved by some committee, and maybe even a PowerPoint presentation ready to impress the bosses. You’re thinking, “What could possibly go wrong?”

Oh, where do I start?

The Checkbox Comedy

Let’s be honest—vendor vetting has become the ultimate checkbox exercise. Companies love to say they’re doing their “due diligence,” but in practice, it’s more like filling out a BuzzFeed quiz to find out which Disney villain you are. The questions are there, but are they meaningful? Not really. They’re designed to make you feel like you’re doing something important without actually digging into the messy, complicated reality of whether this vendor is going to be a liability.

Take, for example, the classic question: “Do you comply with all relevant regulations?” Well, what do you expect them to say? “No, we prefer to flirt with legal disasters?” The reality is, many vendors will check “yes” without batting an eyelid, even if they’ve got a compliance record shakier than a house of cards in a windstorm.

The “Trust Me” Trap

But wait, it gets better! Enter the “Trust Me” trap. This is where you ask your potential vendor about their cybersecurity measures, their data protection policies, or their disaster recovery plans, and they respond with something like, “Oh, we’ve got that covered.” Really? Got it covered? That’s as reassuring as a clown saying, “Don’t worry, I’ve done this stunt a thousand times” right before launching themselves out of a cannon.

Companies often take these vague reassurances at face value, filing away the vendor’s response as if it were a golden seal of approval. Meanwhile, behind the scenes, that vendor could be running on outdated systems, minimal security protocols, and a wing and a prayer.

The Hall of Mirrors: Seeing What You Want to See

Another fan-favorite in the vendor vetting fiasco is the Hall of Mirrors. This is where companies only see what they want to see. Did the vendor give a slick presentation? Was the sales pitch charming? Congratulations, you’ve just been dazzled by smoke and mirrors. The vendor might have all the right buzzwords—“innovative,” “cutting-edge,” “robust”—but when you scratch the surface, there’s often little substance beneath.

What’s worse is that companies, eager to move forward, might ignore glaring red flags because they’ve already invested time, money, or—heaven forbid—emotion into the decision. It’s the corporate equivalent of convincing yourself that the carnival ride is safe even though it’s held together by duct tape and wishful thinking.

The Punchline: When Due Diligence Fails

Here’s the punchline: when your due diligence process is a joke, the consequences are anything but funny. We’re talking data breaches, regulatory fines, operational failures—the kind of stuff that keeps CEOs up at night. And all because the vendor vetting process was more about going through the motions than actually uncovering potential risks.

But don’t despair! There’s still hope for those willing to step up their game. In the next act, we’ll explore the world of risk assessments—the art of guessing in TPRM. Because if you thought vendor vetting was tricky, wait until you try to predict the unpredictable.

So, stay tuned as I continue this journey through the circus of TPRM. The next post, “Risk Assessments: The Art of Guessing in TPRM,” will teach you how to avoid stepping on those metaphorical rakes scattered across the vendor landscape. Until then, remember: in the world of third-party risk, due diligence isn’t just a task—it’s an art.

Stay vigilant, and see you in the next post!