Third-party vendor risk assessment checklist
Engaging third-party vendors introduces legal, regulatory, and reputational risk. This checklist guides in-house counsel and procurement teams through a structured vendor risk assessment before contract execution.
This is a 12-step checklist for conducting a legal risk assessment of a third-party vendor before engagement. It covers due diligence, data handling, insurance, subcontracting, and ongoing monitoring obligations under Australian law.
The checklist
1. Classify the vendor risk tier: categorise the vendor as critical, high, medium, or low risk based on data access, revenue dependency, and regulatory exposure.
2. Verify corporate standing: check the vendor's ASIC registration, ABN status, and any external administration history.
3. Run sanctions and PEP screening: screen the vendor and its beneficial owners against DFAT consolidated sanctions and PEP lists.
4. Assess data handling practices: review the vendor's data collection, storage, and breach notification processes against the Australian Privacy Principles.
5. Evaluate the subcontractor chain: identify any subcontractors the vendor uses and confirm that subcontracting is permitted under the proposed terms.
6. Review insurance coverage: confirm the vendor holds adequate professional indemnity, public liability, and cyber insurance for the engagement scope.
7. Confirm modern slavery compliance: assess the vendor's modern slavery risk and confirm whether a Modern Slavery Statement has been published.
8. Check industry-specific regulation: identify any sector-specific licensing requirements (AFSL, security licence, building licence) applicable to the vendor.
9. Evaluate the business continuity plan: review the vendor's disaster recovery and business continuity arrangements, including recovery point objective (RPO) and recovery time objective (RTO) commitments.
10. Assess financial viability: review the vendor's latest financial statements or credit report to assess solvency risk.
11. Confirm conflict of interest declarations: obtain conflict of interest declarations from the vendor and cross-check them against internal registers.
12. Document risk rating and approval: record the risk assessment outcome, attach supporting documents, and obtain sign-off from the appropriate delegate.
When this checklist applies
Use this checklist before onboarding any new third-party vendor or during periodic reassessment of existing vendors.
Common pitfalls
- Treating all vendors identically without tiered risk classification
- Not screening subcontractors in the vendor supply chain
- Accepting self-assessed vendor questionnaires at face value
- Overlooking modern slavery obligations for high-risk procurement
- Failing to schedule periodic reassessment after onboarding
Run this checklist on a real matter
Quillio helps legal teams flag vendor risk factors and draft due diligence questionnaires. Start a free trial at /free-trial.
This checklist is a general guide to vendor risk assessment. Requirements vary by industry, risk tier, and applicable regulation — obtain tailored legal advice before finalising.