Supplier due diligence: Third-Party Risk Management (TPRM)

When a supplier is "urgent," Purchasing typically faces two poor options: halt the deal or proceed based on a hunch. The third (and useful) option is to move forward with minimal evidence. That's the idea behind Third-Party Risk Management (TPRM): not to complicate your life, but to help you buy with greater certainty, protect your reputation, and reduce surprises in the supply chain.

The important thing to understand is that TPRM is not synonymous with distrust, nor with filling out forms for the sake of filling them out. It's a practical way to answer a question that inevitably arises: "Why do we trust this supplier, and what did we do to validate them?" And whether that question stems from an operational issue (non-compliance, quality, fraud, penalties, negative news) or from an internal audit, the answer is built on the same foundation: clear criteria + consistent evidence.

 

Risk doesn't always come from the customer: it also comes from the supplier.

In practice, a supplier can affect more than just a contract: it can impact your business continuity, your reputation, and your exposure to non-compliance, even if you're not "the compliance department." That's why modern due diligence frameworks emphasize something simple: the review must be risk-based, not identical for everyone. OECD It presents it as a process to identify and address real or potential impacts on operations, supply chains, and business relationships.

And here's an idea that Purchasing will benefit from: if you try to "check everything the same way," all you'll achieve is bureaucracy... and people will end up skipping the process. The point isn't to check more; it's to check better, with proportionality.

 

Supplier lifecycle diagram and key moments for risk-based due diligence (marked by a “Q”).

 

TPRM in clear Spanish: deciding “yes” with conditions and evidence

In real life, almost no supplier is “perfect” or “disposable.” What you can do is make conditional decisions: “yes, but with documentation,” “yes, but with clauses,” “yes, but with monitoring,” “yes, but not for this type of service.” This logic is consistent with guidelines that describe due diligence as a process integrated into operations, not as a one-off event at the outset. For example, the DOJ (Department of Justice) emphasizes that third-party management should correspond to the level of risk and be maintained throughout the relationship, not just during onboarding.

If we apply this to Purchasing and Supply Chain, TPRM becomes a way to consistently answer three questions that really matter:

First, who is the supplier company, really? (identity and existence). Second, what relevant signs are there that you don't want to find out about late? (reputation, lists, background, conflicts). Third, what evidence should you keep so you can explain the decision without drama? (minimal and traceable documentation).

 

The checklist that actually works: three layers, one story

The word “checklist” often sounds intimidating because it implies “more steps.” But when done right, a checklist is a short, repeatable process. For business suppliers, that process begins with identity: a consistent company name, a verifiable minimum presence, consistent tax or corporate information, and clarity on exactly what they will sell and how. The goal isn't to investigate out of morbid curiosity; it's to avoid purchasing from entities you can't even pinpoint when something goes wrong.

The second layer is reading signals without overreacting. This is where list screening and context come into play. Instead of thinking "it appears/it doesn't appear," it's helpful to think "what kind of signal is it?" A restrictive list (due to sanctions) isn't handled the same way as an informational signal (public notices), and neither should be treated as an automatic judgment without identity verification. That's why it makes sense for your Purchasing process to have a bridge to reference resources like the section on ListsNot to memorize list names, but to understand what each source means and how to interpret it without falling into myths like "blacklist".

The third layer is the one most people leave until last, and then struggle with: minimal evidence. It's the difference between "we did due diligence" and "we can prove it." Interestingly, third-party guides (even in banking) emphasize that these materials aren't "recipes" or safety nets; their value lies in helping you build risk management practices that work in your specific context.

 

Informative lists: when the signal asks for context, not a verdict

Informational lists provide clues for better understanding a person or company, but they should rarely, on their own, influence a critical decision without further analysis. Think of news articles, reputation reports, public alerts, or cross-references that suggest further investigation. Ultimately, these sources are meant to help you ask the right questions, not to jump to conclusions.

This is where the cultural challenge often arises: non-specialized areas want a binary answer (“yes or no?”), but serious compliance rarely operates in black and white. The practical solution is to translate the result into a defensible conclusion: “There is a signal, I classify it as informative, I conduct further due diligence, and my decision is supported.” That statement, well-supported, reduces friction with the business and saves you from endless internal discussions.

 

 

Documentation and evidence to avoid slowing down your operation

If someone asks you tomorrow, “What did you validate?”, you don’t need a 40-page document. You need traceability: what you checked, when, what you found, and what you decided. And this is where proportionality saves you: you don’t document a local stationery supplier the same way you document a critical supplier handling payments, logistics, or sensitive information.

An easy way to standardize without becoming overly repetitive is to align the evidence to three risk levels (low, medium, high) and decide which "minimum defensible" applies. The table below is not intended as a universal rule; it is a practical guide that you can adapt to your industry and level of criticality, in the spirit of ensuring that due diligence is context-sensitive.

 

 

In everyday life, this translates to something very human: when you're under time pressure, what helps most isn't "doing it perfectly," but having a quick way to cover the essentials. That's why, for specific cases, an individual consultation can be a good starting point: you validate the company, make a more informed decision, and keep a record of the consultation. If your process is well-structured, this consultation doesn't replace your judgment; it enhances it.

And beware of a common mistake: documenting it as if it were a screenshot. What you need is a reconstructible result. Think, "If someone repeats this in three months, would they understand why we decided this way?" That question is the best filter against pointless bureaucracy.

 

Monitoring: because the supplier changes (and so does the risk)

Due diligence that only occurs at the outset is like checking the spare tire the day you buy the car: helpful, but insufficient. Suppliers change: ownership changes, operations change, partners change, reputations change. That's why international best practices emphasize that third-party management must consider the relationship's lifecycle and be sustained, especially for higher-risk third parties.

In practical terms, monitoring doesn't have to be cumbersome: it can be a periodic review for "medium" suppliers, and more frequent or event-based monitoring for "high" suppliers. The key is that your policy states it simply and that your evidence supports it.

At some point, you'll also encounter individual suppliers (freelancers, consultants, intermediaries). The same logic applies here: identity, signals, and evidence. Only the available data and the type of exposure change (for example, when they act on your behalf or manage payments). Mentioning this in your Purchasing policy usually avoids an operational loophole: "we only review companies," and then the risk is introduced through an individual.

 

A technological solution: Q-Detect

If your challenge is to make a quick decision without jeopardizing your reputation, the key is timely validation with evidence. With us, you can resolve this in two simple ways: with Q-Detect or with a individual consultation when dealing with a specific supplier. This way you move forward with greater certainty, reduce rework, and leave useful documentation for internal audits.

 

Conclusion

Supplier due diligence isn't about creating obstacles to purchasing; it's about eliminating surprises. When TPRM is designed with clear language, proportionality, and minimal evidence, procurement gains speed and control: fewer blind decisions, less rework, and better communication with audit, finance, and business.

If you're currently caught between "we don't check anything" and "we check too much," there's a middle ground, and it works: review the essentials, document what's defensible, and monitor what changes. In supply chain management, that's not theory: it's continuity.

Share this post on
Facebook
LinkedIn
X

Detect. Assess. Decide.

Connect with an advisor who will guide you step-by-step to find the best solution for your company.

Welcome!

Select the system you wish to access

Platform 1.0

Q-Detect