Due Diligence and Ongoing Monitoring

  • 1.  Proof of Concept with new Vendor

    Posted 05-24-2024 10:27 AM

    What is common practice from a TPRM perspective if doing a proof of concept with a vendor? Do you still perform the appropriate due diligence prior to entering into a POC relationship, or perform the DD prior to entering into a long-term relationship? I know what my gut is telling me, but I am curious what others' experience or thoughts are.



  • 2.  RE: Proof of Concept with new Vendor

    This message was posted by a user wishing to remain anonymous
    Posted 05-24-2024 03:34 PM

    It's a subjective situation, but viewing from the vendor perspective likely makes this question easier to resolve:

    If a company asks for a proof of concept of us, we're expecting to deliver and earn the business. To find out later that we need to produce __________________ (which we won't do) to do business with them would be an enormous waste of our time and resources. We would have thought the requestor did their research based on publicly available information before doing all that work.

    (This thought process is likely driven in part by their own experiences managing their own vendors - and the knowledge that some companies - sadly - simply don't perform due diligence at all.)

    Viewed from the "searcher perspective" - I'd rather know that - on paper - they're a company we can do business with before going through that exercise.

    Proof of concept is much more involved than a simple demo - and that, to me, can and should precede due diligence.

    Hope this helps.




  • 3.  RE: Proof of Concept with new Vendor

    Posted 05-24-2024 03:34 PM

    This is a great question, and I would be interested in hearing how others approach it. We still perform some due diligence on all POCs. We do try to streamline the process for the POC to try and make the process easier/faster for our business owners, particularly if the information shared for the POC is obfuscated data and there is no connection to our production environment. 

    I think there is validity to both a streamlined and a full review approach, as a full due diligence review will let you know what risks you will need to mitigate from the start... and at the same time the benefits of a streamlined approach ensure quicker turn time, data security for the organization, and less time invested should it not end up being the tool of choice.




  • 4.  RE: Proof of Concept with new Vendor

    Posted 05-25-2024 05:17 AM

    Let's look at this from a Knowledge-Centric perspective.

    Due diligence, among other things, should establish your expectations about the technical expertise including cyber security, domain expertise, org culture including knowledge sharing, etc.

    In order to confirm your expectations you might ask for a POC, to learn HOW the vendor would approach implementing a limited set of requirements (technical expertise including cyber security), HOW MUCH the vendor's team knows about the problem domain (domain expertise), and WHAT the communication with the vendor would look like (org culture including knowledge sharing).

    Thus, a proper due diligence is a prerequisite for a POC.