Best Practices for Screening and Due Diligence

Laura Hoek
July 23, 2025
5 min read

Third-party due diligence doesn’t have to be a black hole of spreadsheets and guesswork. In this blog, we break down best practices for screening and due diligence in 2025 – from risk-based tiering and regulatory checks to continuous monitoring and automation. Get practical tips to protect your business, save time, and stay compliant with frameworks like DORA and NIS-2.


Introduction

Third-party relationships are the lifeblood of modern business, from cloud providers to suppliers, but they also introduce significant risk. Robust screening and due diligence of vendors and partners have never been more critical. Why? For one, economic crime and fraud threats are rampant. Organisations worldwide lose an estimated 5% of their annual revenue to fraud, often perpetrated through external partners. Regulators are also raising the bar. New rules like the EU’s Digital Operational Resilience Act (DORA) and NIS-2 directive demand stricter oversight of third-party risks. Meanwhile, stakeholders (customers, investors, and boards) expect companies to manage vendor risk proactively; nobody wants to see their business in headlines due to a supplier’s scandal.

Effective screening and due diligence act as your first line of defence. They help you catch high-risk third parties before they wreak havoc, protecting your reputation, finances, and compliance status. In this post, we’ll break down what screening and due diligence really mean, why they matter more than ever in 2025, and a step-by-step game plan to do it right. We’ll also highlight common pitfalls (we’ve all been there) and how to avoid them.

Why Screening and Due Diligence Matter More Than Ever

Third-party risk is no longer an afterthought – it’s front and centre. Recent years have seen a spike in vendor-related incidents. Global surveys indicate that third parties are involved in most major bribery or corruption cases, underscoring the need for vigilant oversight. If a supplier engages in bribery or a contractor has weak cybersecurity or violates human rights, your organisation could pay the price.

Evolving regulations have also turned up the heat. Europe’s DORA (Digital Operational Resilience Act) requires financial entities (banks, insurers, investment firms and others) to ensure the resilience of their ICT service providers, meaning you must vet and monitor your tech vendors’ risk controls and keep a register of those contractual arrangements. The NIS-2 directive similarly expands cybersecurity requirements across sectors, including an explicit obligation to address supply chain security (Article 21). Environmental and social accountability is rising too, with frameworks like the Corporate Sustainability Due Diligence Directive (CSDDD) pushing companies to scrutinise human rights and environmental practices in their supply chains. Even anti-money laundering (AML) rules now hold companies accountable for third-party behaviour (think Know-Your-Customer, but for vendors). In short, regulators expect businesses to manage third-party risks properly, with laws like DORA and NIS-2 setting strict requirements. Non-compliance can result in hefty fines or sanctions, not to mention reputational damage.

Beyond regulations, consider the financial and reputational stakes. A single rogue third party can cause outsized damage. The World Bank has noted that roughly 70% of procurement corruption cases involve third-party agents or intermediaries, meaning if someone in your supply chain is playing dirty, it’s likely via a “middleman.” And on the fraud front, remember that 5% revenue loss stat, much of that stems from vendors overbilling, fake suppliers, kickback schemes, and so on. No wonder third-party risk is a CEO-level concern in 2025.

In summary, screening and due diligence act as your organisational immune system against external threats. They matter more than ever because the world has changed: more outsourcing and partnerships, more complex supply chains, and more scrutiny from governments and the public.

What Are Screening and Due Diligence?

These two terms often go hand-in-hand in third-party risk management, but they aren’t exactly the same thing. Let’s clarify:

Screening

Think of screening as a quick initial filter or background check. It’s the process of quickly checking a third party against certain red-flag databases or criteria. For example, running the company or its principals through sanctions lists, politically exposed persons (PEP) lists, negative news searches, or basic credit checks. Screening is typically automated and happens early, often before deeper engagement. The goal is to spot any immediate show-stoppers. (If a vendor pops up on an OFAC sanctions list or has a glaring fraud history, you want to know on Day 1, not after signing a contract!)

Due Diligence

Due diligence is more comprehensive. It’s the in-depth evaluation of a third party’s risk profile. This goes beyond a yes/no checklist and involves gathering detailed information and documentation from the third party, assessing multiple risk domains (financial, legal, cyber, operational, etc.), and analysing the findings. Due diligence often means sending questionnaires, doing risk assessments, reviewing evidence (certifications, audit reports), and possibly interviewing the vendor. It’s a combination of automation (tools and data feeds) and human judgment. If screening is a quick airport security scan, due diligence is the full inspection. It aims to verify that a vendor is who they claim to be and won’t expose you to unacceptable risk.

How they complement each other

Screening and due diligence work best as a one-two punch. You might start by screening a new vendor to ensure no obvious red flags. If they pass the screen, you then conduct due diligence appropriate to their risk tier (more on tiering soon). Screening is generally ongoing too – e.g. continuous sanctions monitoring in case a partner gets blacklisted after onboarding. Meanwhile, due diligence isn’t a one-time thing either; it should be refreshed periodically. In practice, screening feeds into due diligence. The results of initial screening can help tailor your due diligence focus (for instance, if screening finds the company is registered in a high-risk country, you’ll dig deeper into their anti-bribery controls during due diligence).

To illustrate, imagine you’re evaluating a new software vendor. Screening might immediately flag that the vendor’s CEO was named in a recent fraud case, which is a big red flag. You might stop right there. Alternatively, screening finds nothing alarming, so you get a green light to proceed. Now your due diligence kicks in: you send the vendor a detailed security questionnaire, review their financial statements, check customer references, verify they hold cyber insurance, check whether they are certified against standards like ISO 27001 (and whether the certificate’s scope actually covers the service you are buying), and scour the news for any past data breaches. In doing so, you build a holistic risk profile.

In short, screening = quick risk triage, due diligence = deep-dive risk analysis. Both are vital. Together, they help you “know your third party” before and during the relationship, much like KYC (Know Your Customer) in banking. As we often say in risk management: trust, but verify. Screening gives you initial trust signals; due diligence verifies them, and both are repeated over the life of the relationship.
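To make the screening step concrete, here is an added example (not code from the original post, and not 3rdRisk’s product) of the name-matching logic behind a sanctions or PEP screen: the vendor name and the watchlist names are normalised the same way, then scored, with a "hit" band that blocks onboarding and a "review" band that an analyst must clear. The watchlist entries are constructed and fictional, and the 0.85 and 0.70 thresholds are assumptions you would tune against your own false-positive rate; a real feed would come from a provider such as OpenSanctions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Legal-form suffixes carry no identity and are dropped before comparison,
# so "ACME Ltd." and "Acme Limited" screen as the same name.
LEGAL_SUFFIXES = {
    "ltd", "limited", "llc", "inc", "incorporated", "corp", "corporation",
    "gmbh", "ag", "bv", "nv", "sa", "sarl", "plc", "co", "company",
}

# Constructed sample watchlist (fictional names, not real sanctions data).
WATCHLIST = [
    {"name": "Nordwind Trading GmbH", "aliases": ["Nordwind Handels GmbH"],
     "source": "example-sanctions-list"},
    {"name": "Viktor Orlenko", "aliases": ["Victor Orlenko", "V. Orlenko"],
     "source": "example-pep-list"},
]


def normalise_name(name: str) -> str:
    """Strip accents, case, punctuation and legal suffixes, then sort tokens so
    'Orlenko, Viktor' and 'Viktor Orlenko' normalise to the same string."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower().replace(".", "")        # "B.V." -> "bv", "S.A." -> "sa"
    text = re.sub(r"[^\w\s]", " ", text)        # remaining punctuation -> space
    tokens = [t for t in text.split() if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def screen(query: str, watchlist=WATCHLIST, hit=0.85, review=0.70):
    """Return watchlist candidates for `query`, best score first.

    score >= hit     -> "hit": block onboarding pending compliance review
    review <= score  -> "review": an analyst must clear or confirm the match
    below review     -> not returned (treated as no match)
    """
    q = normalise_name(query)
    results = []
    for entry in watchlist:
        names = [entry["name"], *entry["aliases"]]
        score = max(SequenceMatcher(None, q, normalise_name(n)).ratio() for n in names)
        if score >= review:
            results.append({
                "entry": entry["name"],
                "source": entry["source"],
                "score": round(score, 3),
                "disposition": "hit" if score >= hit else "review",
            })
    return sorted(results, key=lambda r: r["score"], reverse=True)


def rescreen(inventory, watchlist=WATCHLIST):
    """Ongoing screening: rerun the whole third-party inventory (e.g. nightly,
    after the watchlist is refreshed) and return only vendors that now match."""
    flagged = {}
    for vendor in inventory:
        results = screen(vendor, watchlist)
        if results:
            flagged[vendor] = results
    return flagged


if __name__ == "__main__":
    for name in ["NORDWIND TRADING Ltd.", "Orlenko, Viktor", "Viktor Orlenka", "Acme Widgets Inc"]:
        print(name, "->", screen(name) or "clear")
```

The normalisation is what makes the screen useful: without suffix stripping and token sorting, "Orlenko, Viktor" scores only about 0.5 against "Viktor Orlenko" and would be missed. String similarity on its own still misses transliteration variants and produces false positives on common names, which is why the review band exists and why, where the feed provides them, you also compare date of birth, registration number or country before clearing a candidate.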

Step-by-Step Due Diligence Best Practices

Ready to level up your due diligence process? Let’s walk through best practices step by step. These steps form an integrated approach that combines structured assessments, risk-based prioritisation, real-time data feeds, and good old human judgment. The result will be a more resilient and efficient program (and far fewer sleepless nights wondering if you missed something about that vendor!).

1. Risk-Based Tiering of Third Parties


Not all third parties carry equal risk. Start by tiering your vendors and partners by risk level (often as part of third-party onboarding). Essentially, segment your third-party inventory based on inherent risk (the risk the relationship carries before any of the vendor’s controls are taken into account), for example: Tier 1 (high criticality or high risk), Tier 2 (medium risk), Tier 3 (low risk). Criteria for tiering include the nature of the service, access to sensitive data, regulatory exposure, geographic location, contract value, etc. A catering supplier might be low risk, whereas an IT cloud provider holding your customer data is high risk. This tiering drives how much due diligence you apply: higher risk, deeper due diligence. Tools can help automate this initial segmentation. For instance, platforms like 3rdRisk let you build a centralised third-party inventory and assign an inherent risk score or tier to each supplier during onboarding. The key is to allocate your due diligence efforts wisely: don’t waste time deeply vetting a low-risk office supplies vendor while giving a critical cloud provider only a cursory look. Risk-based tiering ensures a proportionate approach, so you focus resources where they truly matter.

By the way, at 3rdRisk, we're using AI to generate automatic (inherent) risk profiles of third parties. This saves a lot of time and helps to get a quick understanding of the initial risks posed by third-party relationships.

2. Define Clear Due Diligence Criteria and Scope


Next, establish what exactly you will check for each risk tier. This means defining the due diligence criteria and the scope of assessment. It helps to create a standard due diligence checklist or questionnaire template, tailored by tier. Cover the major risk domains:

Compliance checks

Verify the third party complies with relevant laws, regulations, and standards. This can include AML/KYC (for distributors or agents handling payments), sanctions screening, anti-bribery and corruption (are they on any bribery blacklists, and do they have their own ABC policies?), data privacy (GDPR compliance and a data processing agreement if they process personal data on your behalf), and any industry-specific regulations. For example, if you’re a financial institution, you’ll check whether an ICT vendor can meet the contractual and resilience requirements DORA imposes on ICT third-party service providers. If you’re evaluating a supply chain partner, you might assess ESG factors (environmental, social, governance practices) in light of frameworks like CSDDD or your own ethics code. Essentially, list the regulatory and compliance areas the vendor must adhere to and verify them one by one (licences, certifications, past violations, etc.).

Operational and Cyber Risk

Assess the third party’s operational stability and cybersecurity posture. Operational due diligence looks at their ability to deliver reliably: Are their financials sound, or are they one bad quarter away from bankruptcy? Do they have sufficient capacity, quality controls, and business continuity plans? Cyber due diligence is absolutely critical today: if a vendor has weak security, they might be the gateway for attackers into your data. So evaluate their information security controls (you can use questionnaires aligned to standards like ISO 27001 or the NIST frameworks) and ask about data encryption, access controls, incident response plans, and so on. Questionnaire answers are self-attested, so for higher tiers ask for evidence as well: an ISO 27001 certificate together with its scope statement, a SOC 2 Type II report, or a recent penetration test summary. You might also leverage external cyber risk ratings (services like BitSight or SecurityScorecard) for an independent, outside-in view of their security health; bear in mind that these ratings only see the externally observable attack surface (exposed services, certificate hygiene, leaked credentials, breach history), not the vendor’s internal controls, so they complement the questionnaire rather than replace it. Remember, over half of organisations admit they lack sufficient visibility into their supply chain’s cyber vulnerabilities, so don’t be one of those. Make cyber and operational risk a core part of due diligence.

Reputational and Ethical Indicators

A third party’s reputation can be a leading indicator of future problems. Check for any red flags in news or public records: past frauds, lawsuits, corruption cases, environmental or labour violations, etc. A quick media scan or a tool like Dow Jones Risk & Compliance (for adverse media) can surface negative news. Also consider the third party’s ESG profile: do they have a history of pollution or human rights issues? With the growing focus on ESG, reputational due diligence is key. 70% of procurement corruption cases involve third parties, and often it’s an ethical lapse like paying bribes or using forced labour that lands a company in hot water. So, ensure your due diligence criteria include reputational checks. If something concerning is found, you may require the vendor to explain or remediate it before proceeding (or decide to walk away).

By defining these criteria upfront, you create a structured due diligence process. Think of it as your risk assessment playbook. It also helps ensure consistency – every high-risk vendor gets the same thorough treatment, and nothing important slips through cracks. One pro tip: align your due diligence checklist with recognised frameworks or standards. For instance, if you’re in finance, map checks to what DORA or the Basel guidelines expect for third-party oversight. If in healthcare, include HIPAA-related queries for vendors handling PHI. This alignment makes sure your process is audit-ready and in line with evolving best practices.

3. Leverage Internal and External Data Sources


Gone are the days when due diligence meant emailing out Word questionnaires and trusting the responses blindly. In 2025, smart due diligence combines internal data (what you gather from the third party) with external data from authoritative sources. This blended approach gives you a richer, more objective view. Here are some data sources to tap:

Internal/Direct Assessments

This is info you get from the third party. Survey them about their controls, request documents (financial reports, certificates, policies), and maybe even perform an on-site visit or audit for the highest-risk partners. Modern TPRM platforms can automate a lot of this – e.g. sending an online questionnaire for the vendor to fill, which then scores their responses.

External Data Feeds

Augment the self-reported info with independent intelligence. There are many specialised data providers and integrations available. For cybersecurity, services like BitSight or SecurityScorecard provide continuous security ratings of companies (scoring things like open ports, breach history, etc.). For financial health, you might use credit ratings or services like Dun & Bradstreet. For compliance screening, databases from Dow Jones, Refinitiv World-Check, or LexisNexis can flag sanctions, watchlists, and negative news. For ESG and sustainability risk, tools like EcoVadis or supply chain monitors like Prewave can supply data on a supplier’s ESG performance and real-time risk alerts (e.g. reports of protests, environmental damage, etc.). In fact, leading platforms (including 3rdRisk) offer out-of-the-box integrations to many such data sources. For example, 3rdRisk can pull in data from BitSight, SecurityScorecard, LexisNexis, Business Radar, OpenSanctions and more to enrich a third-party’s risk profile automatically. The benefit is real-time insight: if a vendor’s cyber rating drops or if they get hit with a new lawsuit, you see it without waiting for next year’s questionnaire.

Internal Knowledge and Experience

Don’t forget your own organisation’s tribal knowledge. Maybe another department already used this vendor and had issues – tap into that. Centralise internal performance data on vendors (like incidents, past audit findings). A collaborative internal approach ensures you’re not operating in a silo. Some companies even maintain an internal “risk register” or database of all third-party issues, accessible to risk managers.

By leveraging these data sources, you move to a “trust, but verify (and verify, and verify)” model. Automation here is key: set up your system to automatically scan and update risk indicators from these feeds. It reduces manual effort and catches things humans might miss. Plus, it frees up your team’s time to analyse and act on the information rather than spend all day gathering it. As a result, your due diligence becomes continuous and dynamic, not just a static checklist completed at onboarding.

3rdRisk offers plenty of integrations with internal and external data sources. See our integration overview for examples.

4. Automate and Scale the Process


Many organisations still rely on email questionnaires and spreadsheets for due diligence. That might work when you have 5 vendors, but not when you have 500 or 5,000. One of the best practices for 2025 is to introduce automation and workflow tools to scale your due diligence process. This doesn’t mean replacing humans – it means letting technology handle repetitive tasks and record-keeping, so humans can focus on judgment calls.

How can you automate due diligence? A few ways: Use a dedicated third-party risk management (TPRM) platform or vendor risk module to manage the workflow. These platforms typically provide templated questionnaires, automated reminders to vendors (so you’re not chasing them for responses), and risk scoring engines that auto-calculate a risk rating based on the vendor’s answers and external data. Some even have AI that can flag concerning answers or summarise long documents for you. For lower-risk vendors, you might employ pre-built workflows, e.g. a simplified due diligence process that auto-approves when certain criteria are met (a vendor that does not touch critical systems or sensitive data only gets a basic check). This “low-touch” approach for low-risk vendors ensures you’re not overburdening the team, while high-risk vendors automatically trigger a deeper review (the workflow might assign tasks to InfoSec to review the vendor’s penetration test results or run an authorised external scan, and to Compliance to do an on-site audit, etc.).

Automation also helps with consistency. It’s like having a cookbook; every vendor in Tier 1 goes through the same recipe of checks and approvals. No ad hoc skipping steps because someone got busy. Many platforms let you set risk thresholds and escalation rules: for example, if a vendor’s questionnaire score is below 70% or a critical control is missing, automatically flag it and route it to a senior risk officer for review before approval. This kind of risk-based routing is far more efficient than one-size-fits-all manual processes.

Another pro tip: integrate your due diligence process with other systems. For instance, if you have a procurement system or IT ticketing system, integrate it such that no new vendor gets fully onboarded or paid until due diligence is completed and approved in the TPRM system. I’ve seen colleagues implement clever workflows like “if vendor is marked high-risk in the TPRM tool, automatically create a task for Internal Audit to schedule a review after 6 months.” The possibilities are endless, but the principle is the same: use technology to lighten the load and catch the slips. As a result, your team can manage many more third parties without sacrificing quality.

Plus, automation makes the process a lot more pleasant for your business stakeholders and even the vendors. No one likes a 500-question Excel sheet emailed with a 2-day deadline. A user-friendly portal where vendors can fill in info and see their progress makes cooperation smoother – and your team can track everything in one dashboard.

5. Continuous Monitoring After Onboarding


Due diligence is not a one-and-done activity. One of the biggest mistakes organisations make is failing to update due diligence over time – essentially, doing a thorough check at onboarding and then assuming everything is fine forever. In reality, risk is fluid. A third party that was low risk two years ago might become high risk today due to a breach, a leadership change, or geopolitical events. Over 80% of legal and compliance leaders say they have identified third-party risks after the initial onboarding and due diligence. Translation: if you’re not doing continuous monitoring, you’re likely missing the majority of issues.

Best practice is to implement a continuous monitoring program for your third parties. This involves two components: ongoing passive monitoring (via those external data sources and news alerts we discussed) and periodic active reviews. Ongoing monitoring means if there’s a new sanctions entry, an enforcement action, a cyber incident, etc., you get notified in real time. Many TPRM solutions have built-in continuous monitoring for cyber and compliance. For example, if your vendor’s security rating drops below a threshold or if negative news hits, you’ll see an alert on their profile.

Periodic reviews mean reassessing the vendor at set intervals based on risk. High-risk vendors might be reviewed (i.e. refreshed due diligence) annually or even quarterly. Moderate risk maybe every 1-2 years. Low risk, perhaps every 3 years or if a trigger event occurs. During a refresh, you’d update the questionnaire, ask for the latest documents (e.g. their newest SOC 2 report or financial statement), and see if anything material changed. This ensures that over a multi-year engagement, you aren’t relying on stale information. It also satisfies regulators who often ask, “How do you know the risk didn’t increase since you onboarded this supplier 5 years ago?” You can answer confidently that you have a schedule of periodic re-assessment and continuous monitoring in place.

To make this concrete: imagine you onboarded a marketing agency last year. All was good. But unbeknownst to you, in the past month, that agency suffered a data breach and was plastered all over the news – you’d want to know ASAP, right? Continuous monitoring would flag that immediately, so you could take action (e.g. investigate if your data was affected, perhaps pause new projects with them). Or say a vendor’s financial health starts tanking, reflected in a credit score drop – your monitoring tool catches it, you dig in and discover they lost a major client. You might decide to start sourcing an alternative in case they fail. Without continuous oversight, you’d be blindsided.

So treat due diligence as a lifecycle, not a checkpoint. The mantra is “trust continuously, but verify continuously”. This ongoing vigilance will dramatically reduce the “unknown unknowns” in your third-party landscape and prevent nasty surprises. It’s a bit like health monitoring – you don’t just get a one-time checkup and then ignore your health for a decade; you do regular check-ins to catch issues early.
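Steps 1, 4 and 5 above describe one rule set: score inherent risk, map the score to a tier, let the tier fix the depth of the review, route exceptions to the right approver, and let monitoring signals pull the next review forward. Here is an added example that puts those rules in one place (not the post’s own code and not 3rdRisk’s scoring model). The weights, tier cut-offs, 70% questionnaire threshold, 8/10 sign-off threshold, rating scale and 12/24/36-month cadences are assumptions based on the figures used in this post, and the three vendors and their feed events are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Vendor:
    name: str
    handles_customer_data: bool   # e.g. a cloud provider hosting customer records
    critical_to_operations: bool  # an outage would stop a key business process
    country_risk: str             # "low" | "medium" | "high", from your own country-risk table
    annual_spend_eur: int
    regulated_scope: bool         # falls under DORA / NIS-2 style third-party requirements


# Constructed sample inventory (fictional vendors).
CLOUD = Vendor("Example Cloud Hosting", True, True, "low", 900_000, True)
AGENCY = Vendor("Example Marketing Agency", True, False, "medium", 120_000, False)
CATERING = Vendor("Example Catering", False, False, "low", 40_000, False)

# Due diligence depth per tier; dict order matters (highest tier first).
TIER_SCOPE = {
    "Tier 1": {"min_score": 8, "questionnaire": "full (all risk domains)", "review_months": 12,
               "evidence": ["ISO 27001 certificate or SOC 2 Type II report",
                            "latest financial statements", "business continuity plan"]},
    "Tier 2": {"min_score": 4, "questionnaire": "standard", "review_months": 24,
               "evidence": ["security policy summary", "sanctions screening result"]},
    "Tier 3": {"min_score": 0, "questionnaire": "basic", "review_months": 36,
               "evidence": ["sanctions screening result"]},
}


def inherent_risk_score(v: Vendor) -> int:
    """0-10 inherent risk (before any controls) from the criteria in the post:
    data access, criticality, geography, contract value, regulatory exposure.
    The weights are illustrative assumptions, not a published scale."""
    score = 4 if v.handles_customer_data else 0
    score += 3 if v.critical_to_operations else 0
    score += {"low": 0, "medium": 1, "high": 2}[v.country_risk]
    score += 1 if v.annual_spend_eur >= 500_000 else 0
    score += 1 if v.regulated_scope else 0
    return min(score, 10)


def tier_for(score: int) -> str:
    for tier, scope in TIER_SCOPE.items():
        if score >= scope["min_score"]:
            return tier
    return "Tier 3"


def escalations(v: Vendor, score: int, questionnaire_pct: float,
                missing_critical_controls: list[str]) -> list[str]:
    """Pre-defined routing rules, applied identically to every vendor."""
    actions = []
    if score >= 8:
        actions.append("senior management sign-off (inherent risk >= 8/10)")
    if v.handles_customer_data:
        actions.append("full security assessment by InfoSec (customer data access)")
    if questionnaire_pct < 70:
        actions.append(f"senior risk officer review (questionnaire score {questionnaire_pct:.0f}% < 70%)")
    if missing_critical_controls:
        actions.append("senior risk officer review (missing: " + ", ".join(missing_critical_controls) + ")")
    return actions


def monitoring_triggers(events: dict) -> list[str]:
    """Turn continuous-monitoring signals into review triggers. `events` stands in for
    what a TPRM feed delivers; the 0-100 rating scale and the threshold are assumptions."""
    triggers = []
    rating = events.get("security_rating")
    if rating is not None and rating < 60:
        triggers.append(f"security rating {rating} below threshold 60")
    if events.get("sanctions_hit"):
        triggers.append("new sanctions or watchlist hit")
    if events.get("adverse_media"):
        triggers.append("adverse media (breach, lawsuit or enforcement action)")
    if events.get("credit_downgrade"):
        triggers.append("credit rating downgrade")
    return triggers


def add_months(d: date, months: int) -> date:
    m = d.month - 1 + months
    return date(d.year + m // 12, m % 12 + 1, min(d.day, 28))


def assess(v, questionnaire_pct, missing_controls, events, last_review: date, today: date) -> dict:
    """One vendor through tiering, scope, escalation and review scheduling."""
    score = inherent_risk_score(v)
    tier = tier_for(score)
    triggers = monitoring_triggers(events)
    # Any trigger pulls the refresh forward to today; otherwise the tier's cadence applies.
    next_review = today if triggers else add_months(last_review, TIER_SCOPE[tier]["review_months"])
    return {"vendor": v.name, "score": score, "tier": tier,
            "questionnaire": TIER_SCOPE[tier]["questionnaire"],
            "evidence": TIER_SCOPE[tier]["evidence"],
            "escalations": escalations(v, score, questionnaire_pct, missing_controls),
            "triggers": triggers, "next_review": next_review}


def demo(today: date = date(2025, 7, 23)) -> dict:
    """Run the three sample vendors with constructed questionnaire results and feed events."""
    return {
        "cloud": assess(CLOUD, 82, [], {"security_rating": 75}, date(2025, 1, 15), today),
        "agency": assess(AGENCY, 64, ["MFA on admin accounts"], {"adverse_media": True},
                         date(2024, 7, 1), today),
        "catering": assess(CATERING, 95, [], {}, date(2024, 3, 1), today),
    }


if __name__ == "__main__":
    for result in demo().values():
        print(f"{result['vendor']}: {result['tier']} (score {result['score']}), "
              f"next review {result['next_review']}, escalations: {result['escalations'] or 'none'}")
```

Running it shows the proportionality the post argues for: the cloud provider lands in Tier 1 with two escalations and an annual refresh, the catering supplier in Tier 3 with none and a three-year refresh, and the marketing agency (Tier 2 by inherent risk) still gets three escalations and an immediate review because its questionnaire scored under 70%, a critical control is missing, and the adverse-media feed fired. Keeping these rules in code rather than in people’s heads is also what makes the audit trail in step 6 reproducible.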

6. Document and Report Everything (Audit-Ready Trail)


If it isn’t documented, did it even happen? (Auditors would say no!) A crucial best practice is to maintain a solid audit trail of your due diligence activities and be able to report on third-party risk status at any time. This serves multiple purposes: it keeps leadership informed, demonstrates compliance to regulators, and provides evidence if ever something goes wrong despite your efforts.

Here’s what to document: All the artefacts of due diligence – completed questionnaires, risk scores, screenshots of screening results, meeting notes, certifications obtained, and so on. Also log the decisions made: approved, conditional approval, rejected, with dates and who approved. If you decided to onboard a high-risk vendor with mitigating controls, document what those controls are (e.g. “Vendor lacks XYZ certification but will undergo external audit within 3 months – agreed by risk committee on Jan 5, 2025”). Essentially, preserve the story of each third party’s risk evaluation. Good TPRM software will do this automatically in profiles and audit logs. If you’re using manual methods, ensure there’s a shared repository (like a SharePoint or GRC tool) where all due diligence files and forms live in an organised way.

Reporting is also important. Boards and executives increasingly want to see metrics on third-party risk. Set up structured risk profiles and reports that roll up information like: How many third parties do we have? How many high-risk vs medium vs low? How many have outstanding issues or pending remediation? Are there any concentrations (e.g. 40% of our critical vendors rely on one cloud hosting provider – concentration risk)? Automated tools can generate dashboards for this. Even simple reports like a heat map of vendors by risk tier and category can be very illuminating to management.

Moreover, if a regulator comes knocking (or as part of your annual DORA or NIS-2 compliance review), you should be able to produce documentation to show your due diligence process. For example: “Here is our Third-Party Due Diligence policy. Here’s an example of a completed assessment for a high-risk vendor. Here is evidence we screened all vendors against sanctions lists as of this quarter.” Being audit-ready not only avoids penalties but also builds internal credibility for the program. It shows that you’re running a professional, mature risk management function.

Don’t worry, this doesn’t mean drowning in paperwork. With everything digitised, you can store and retrieve records easily. The main point is to be transparent and accountable in your process. Internally, this documentation helps when there are personnel changes, too – if a new risk manager picks up the vendor portfolio, they can understand past decisions by reading the records. It’s all about creating continuity and confidence in your due diligence program.

Common Mistakes (and How to Avoid Them)

Even with the best intentions, due diligence programs can stumble. Let’s highlight a few common mistakes organisations make in third-party screening and due diligence, and some friendly advice on how to dodge these pitfalls:

Over-Reliance on Manual Processes: Maybe you’re still using Excel trackers and email threads to manage due diligence. We get it – change is hard. But manual processes don’t scale and are prone to human error. People forget to follow up, or Bob leaves the company, and his spreadsheet knowledge leaves with him.

Avoidance tip: Start introducing automation in small steps. Maybe implement a simple vendor risk questionnaire tool, or use a shared online folder with standardised forms. Gradually build toward a centralised platform. Automate routine checks (like nightly sanction screenings). Free up your humans for analysis, not copy-pasting data at 11 pm. Your team (and Bob’s eventual replacement) will thank you.

Lack of Clear Risk Thresholds: Some programs treat every vendor the same because they haven’t defined risk thresholds or tiering. The result: either overkill, where you’re grilling the janitorial services provider with a 200-question survey, or underkill, where you give a critical cloud provider only a cursory check because you’re swamped.

Avoidance tip: As discussed, tier your vendors and set clear criteria for each tier’s due diligence depth. Also define thresholds for escalation. For example, if any vendor’s inherent risk score is above, say, 8/10, that’s automatically “high risk” and triggers a senior management sign-off. If a vendor has access to customer data, that’s a non-negotiable full security assessment. Having these rules pre-defined removes guesswork and ensures consistency. It also helps other departments understand why you’re asking 50 questions of one vendor and only 5 of another – it’s because their risk profiles differ.

“One-and-Done” Syndrome (Failing to Update Due Diligence): This is extremely common – companies do a big due diligence effort when onboarding a vendor, then file it away and don’t look again for years. Meanwhile, the vendor’s situation may have changed drastically.

Avoidance tip: Implement the continuous monitoring and periodic review practices we detailed. To make it manageable, use automation and calendar reminders. Many TPRM tools can send you an alert, “It’s time to refresh Vendor X’s assessment”. If you don’t have a fancy tool, even a spreadsheet with review dates and a quarterly check can work. Also, instil a culture of “if you see something, say something” internally – e.g. if an account manager hears the vendor had a breach, they should alert risk management even if it’s mid-cycle. Keeping due diligence evergreen is work, yes, but far less work than cleaning up after an unforeseen vendor fiasco. As Gartner’s research indicates, a huge chunk of third-party risks only come to light after onboarding. So don’t let your guard down after the ink is dry on the contract. Keep listening, checking, and updating.

By sidestepping these common mistakes, you’ll greatly enhance your program’s effectiveness. In essence: embrace tools and structure (to fix manual woes), be risk-based (to fix one-size-fits-all approaches), and stay vigilant throughout the lifecycle (to fix the one-and-done issue). If you find yourself guilty of any of the above, don’t worry – many of us have been there. The good news is you can course-correct starting now using the best practices we’ve discussed.

Conclusion

In third‑party risk, a structured and proactive due diligence process is a real advantage. By adding structure, speed and consistency to how you screen and assess partners, you cut down on nasty surprises later. Rather than scrambling when a vendor lets you down, you can move forward with confidence, knowing you have done your homework and continue to monitor them.

The practices we outlined, such as risk tiering, multi‑domain checks, automation, data feeds, ongoing monitoring and clear records, all point to one theme: be prepared. Build a process that is agile with real‑time data and automation, and thorough where human expertise matters most. It takes some upfront effort and the right tools, but it pays off by avoiding regulatory issues, financial losses and sleepless nights.

We have seen how an integrated approach transforms third‑party risk management. Moving beyond static questionnaires to continuous feeds, scoring, and audit‑ready reports reduces manual effort, gives deeper insights and creates transparency across your vendors. Think of it as an extra team working quietly in the background, spotting risks and organising information.

The takeaway: whether through a platform or your processes, bring structure, data and a human touch to due diligence. It is not just about ticking boxes. Done well, it protects your business, keeps regulators at bay, and lets you pursue opportunities with confidence.

If you are curious how we bring these elements together, take a look at our other insights, such as our blog on third‑party onboarding best practices or how we approach risk profiling with AI compared to legacy methods.

Due diligence done diligently is what keeps you out of trouble and sets you up for safer partnerships and growth in 2025. Happy screening.


Laura Hoek
Head of Operations
