vendor-due-diligence-patrick-munro

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Vendor Due Diligence Framework

供应商尽职调查框架

Overview

概述

Comprehensive vendor assessment and due diligence framework for IT service providers, technology vendors, and third-party service providers. Creates structured risk assessments, evaluation reports, and ongoing monitoring frameworks across financial, operational, compliance, security, and reputational dimensions.

针对IT服务提供商、技术供应商及第三方服务提供商的全面供应商评估与尽职调查框架。可从财务、运营、合规、安全及声誉维度生成结构化风险评估、评估报告及持续监控框架。

LEGAL DISCLAIMER

法律免责声明

IMPORTANT: This skill provides general information and frameworks for vendor assessment purposes only. It does NOT constitute legal, financial, or professional advice. Users should:

Consult qualified legal counsel for specific legal requirements in their jurisdiction
Engage appropriate financial and security professionals for detailed assessments
Verify all regulatory requirements independently
Adapt all frameworks to their specific organizational needs and risk tolerance
Not rely on this skill as a substitute for professional due diligence services

The frameworks provided are templates only. Actual vendor assessments require expertise in law, finance, cybersecurity, and risk management. Neither the skill creator nor Claude/Anthropic assumes any liability for decisions made based on this skill's output.

重要提示：本Skill仅为供应商评估提供通用信息与框架，不构成法律、财务或专业建议。用户应：

就所在司法管辖区的具体法律要求咨询合格法律顾问
聘请合适的财务与安全专业人员开展详细评估
独立核实所有监管要求
根据自身组织需求与风险承受能力调整所有框架
不要将本Skill作为专业尽职调查服务的替代方案

所提供的框架仅为模板。实际供应商评估需要法律、财务、网络安全及风险管理领域的专业知识。Skill创建者及Claude/Anthropic均不对基于本Skill输出做出的决策承担任何责任。

When to Use This Skill

本Skill的适用场景

Use this skill when you need to:

Evaluate new vendors, technology providers, or service partners
Conduct third-party risk assessments for procurement decisions
Perform critical vendor due diligence for regulatory compliance (DORA, NIS2, GDPR, SOX, etc.)
Create vendor onboarding documentation and assessment frameworks
Establish ongoing vendor monitoring and review processes
Assess vendor concentration risk and business continuity implications
Generate executive-level vendor risk reports

当你需要以下服务时，可使用本Skill：

评估新供应商、技术提供商或服务合作伙伴
为采购决策开展第三方风险评估
为合规要求（DORA、NIS2、GDPR、SOX等）执行关键供应商尽职调查
制作供应商入职文档与评估框架
建立持续的供应商监控与审查流程
评估供应商集中度风险及业务连续性影响
生成高管层供应商风险报告

Core Capabilities

核心能力

1. Three-Phase Assessment Process

1. 三阶段评估流程

Phase 1: Initial Screening (Days 1-5)

Financial stability assessment (credit ratings, financial statements, market position)
Basic compliance verification (certifications, licenses, regulatory status)
Preliminary security posture review (ISO 27001, SOC 2, cyber insurance)
Reputational check (news screening, litigation history, sanctions lists)
Business continuity basics (disaster recovery, backup systems)

Phase 2: Detailed Assessment (Days 5-15)

In-depth security evaluation (penetration testing, vulnerability management, incident response)
Operational deep-dive (SLAs, performance metrics, capacity planning, change management)
Compliance audit (GDPR, industry-specific regulations, data residency, cross-border transfers)
Financial analysis (cash flow stability, debt ratios, insurance coverage, bonding capacity)
Contractual risk review (liability caps, indemnification, IP ownership, termination rights)
Subcontractor and fourth-party risk assessment

Phase 3: Final Evaluation & Decision (Days 15-20)

Comprehensive risk scoring and rating (1-5 scale across all dimensions)
Executive summary with recommendation (approve, approve with conditions, reject)
Risk mitigation plan for identified gaps
Onboarding roadmap with specific requirements
Ongoing monitoring framework and KPIs

阶段1：初步筛选（第1-5天）

财务稳定性评估（信用评级、财务报表、市场地位）
基础合规验证（认证、许可证、监管状态）
初步安全态势审查（ISO 27001、SOC 2、网络保险）
声誉核查（新闻筛查、诉讼历史、制裁名单）
业务连续性基础（灾难恢复、备份系统）

阶段2：详细评估（第5-15天）

深度安全评估（渗透测试、漏洞管理、事件响应）
运营深度调研（SLA、绩效指标、容量规划、变更管理）
合规审计（GDPR、行业特定法规、数据驻留、跨境传输）
财务分析（现金流稳定性、债务比率、保险覆盖范围、担保能力）
合同风险审查（责任限额、赔偿条款、知识产权所有权、终止权利）
分包商及第四方风险评估

阶段3：最终评估与决策（第15-20天）

全面风险评分与评级（所有维度采用1-5分制）
含建议的高管摘要（批准、附条件批准、拒绝）
针对已识别差距的风险缓解计划
含具体要求的入职路线图
持续监控框架与KPI

2. Multi-Factor Risk Scoring System

2. 多因素风险评分系统

Each vendor receives scores (1=Low Risk to 5=Critical Risk) across:

Financial Risk: Creditworthiness, revenue stability, insurance adequacy, concentration risk
Operational Risk: Service delivery capability, business continuity, dependency/single points of failure
Compliance Risk: Regulatory adherence, audit findings, data protection practices, certification status
Security Risk: Cyber resilience, access controls, incident response, data encryption, vulnerability management
Reputational Risk: Public perception, litigation history, ethical practices, ESG factors
Strategic Risk: Service criticality, exit/transition difficulty, vendor lock-in, innovation capability

Enhanced Feature: Weighted risk calculations based on service criticality. Critical services (payment processing, customer data systems) receive 2x weight on security and compliance factors.

每个供应商将在以下维度获得评分（1=低风险至5=极高风险）：

财务风险：信用度、收入稳定性、保险充足性、集中度风险
运营风险：服务交付能力、业务连续性、依赖度/单点故障
合规风险：监管合规性、审计结果、数据保护实践、认证状态
安全风险：网络韧性、访问控制、事件响应、数据加密、漏洞管理
声誉风险：公众认知、诉讼历史、道德实践、ESG因素
战略风险：服务关键性、退出/过渡难度、供应商锁定、创新能力

增强功能：基于服务关键性的加权风险计算。关键服务（支付处理、客户数据系统）的安全与合规因素权重翻倍。

3. Regulatory Compliance Checklists

3. 合规监管清单

Pre-built assessment templates for:

GDPR: Data processing agreements, sub-processor management, cross-border transfers, breach notification
DORA (Digital Operational Resilience Act): ICT third-party risk management, concentration risk, exit strategies
NIS2: Supply chain security, incident reporting, security measures for essential/important entities
SOX: Internal controls for financial reporting, audit trail requirements
PCI DSS: Payment card data security (if applicable)
ISO 27001/SOC 2: Information security management, control frameworks
Industry-specific: HIPAA (healthcare), FINMA (financial services), FedRAMP (government)

Enhanced Feature: Regulatory gap analysis that identifies which requirements the vendor currently fails to meet and severity classification (blocker, major concern, minor gap, acceptable with mitigation).

预构建的评估模板适用于：

GDPR：数据处理协议、分包商管理、跨境传输、 breach通知
DORA（数字运营韧性法案）：ICT第三方风险管理、集中度风险、退出策略
NIS2：供应链安全、事件报告、关键/重要实体的安全措施
SOX：财务报告内部控制、审计跟踪要求
PCI DSS：支付卡数据安全（如适用）
ISO 27001/SOC 2：信息安全管理、控制框架
行业特定：HIPAA（医疗保健）、FINMA（金融服务）、FedRAMP（政府）

增强功能：监管差距分析，可识别供应商当前未满足的要求及严重程度分类（阻塞项、主要问题、次要差距、可接受且可缓解）。

4. Document Request Lists

4. 文件请求清单

Comprehensive documentation requirements organized by assessment phase:

Financial: Audited financials (3 years), D&B reports, insurance certificates, bank references
Legal/Compliance: Certifications (ISO, SOC 2), audit reports, privacy policies, DPAs, sub-processor lists
Security: Penetration test results, vulnerability scan reports, incident response plans, disaster recovery documentation
Operational: SLA templates, performance metrics, customer references, org charts, escalation procedures
Contractual: Standard agreements, liability caps, indemnification terms, IP assignment provisions

按评估阶段整理的全面文档要求：

财务：经审计的财务报表（3年）、邓白氏报告、保险凭证、银行推荐信
法律/合规：认证（ISO、SOC 2）、审计报告、隐私政策、DPA、分包商名单
安全：渗透测试结果、漏洞扫描报告、事件响应计划、灾难恢复文档
运营：SLA模板、绩效指标、客户推荐信、组织架构图、升级流程
合同：标准协议、责任限额、赔偿条款、知识产权转让条款

5. Vendor Interview Frameworks

5. 供应商访谈框架

Structured interview guides for:

Executive Leadership: Strategic vision, financial outlook, growth plans, M&A activity
Security/IT Teams: Architecture reviews, access controls, encryption practices, patch management
Compliance Officers: Regulatory adherence, audit processes, remediation tracking
Operations Managers: Service delivery, incident management, change control, capacity planning
Legal/Contracts: Negotiation flexibility, standard terms, liability frameworks

Enhanced Feature: Red flag detection prompts - specific questions designed to uncover hidden risks (e.g., "Describe your three most recent security incidents and response," "What percentage of revenue comes from your top 3 clients?")

结构化访谈指南适用于：

高管层：战略愿景、财务前景、增长计划、并购活动
安全/IT团队：架构审查、访问控制、加密实践、补丁管理
合规官员：监管合规性、审计流程、整改跟踪
运营经理：服务交付、事件管理、变更控制、容量规划
法律/合同团队：谈判灵活性、标准条款、责任框架

增强功能：红旗检测提示 - 用于发现隐藏风险的特定问题（例如：“描述你方最近三起安全事件及响应情况”、“你方前三大客户贡献的收入占比是多少？”）

6. Ongoing Monitoring Frameworks

6. 持续监控框架

Post-onboarding continuous oversight:

Quarterly Reviews: Performance metrics, security updates, compliance status, financial health
Annual Assessments: Full re-evaluation of risk scores, certification renewals, contract renegotiation
Event-Triggered Reviews: M&A activity, security breaches, regulatory violations, leadership changes, service disruptions
KPI Dashboards: Uptime, response times, security metrics, compliance status, financial indicators

Enhanced Feature: Early warning indicators (EWIs) that trigger immediate re-assessment - bankruptcy filings, mass layoffs, major customer losses, data breaches, audit failures, regulatory fines.

入职后的持续监督：

季度审查：绩效指标、安全更新、合规状态、财务健康
年度评估：风险评分全面重估、认证更新、合同重新谈判
事件触发审查：并购活动、安全 breach、监管违规、领导层变动、服务中断
KPI仪表板：正常运行时间、响应时间、安全指标、合规状态、财务指标

增强功能：预警指标（EWI），触发立即重新评估 - 破产申请、大规模裁员、主要客户流失、数据 breach、审计失败、监管罚款。

Output Formats

输出格式

Vendor Risk Report

供应商风险报告

Comprehensive assessment report including:

Executive summary with risk rating and recommendation
Detailed findings by risk category with evidence
Risk score matrix (visual heat map)
Gap analysis against regulatory requirements
Mitigation recommendations with priority levels
Onboarding requirements and conditions
Monitoring and review schedule

全面评估报告包括：

含风险评级与建议的高管摘要
按风险分类的详细发现及证据
风险评分矩阵（可视化热图）
针对监管要求的差距分析
含优先级的缓解建议
入职要求与条件
监控与审查时间表

Vendor Comparison Matrix

供应商对比矩阵

Side-by-side evaluation of multiple vendors:

Risk scores across all dimensions
Compliance coverage comparison
Cost-benefit analysis
Strengths/weaknesses summary
Recommended vendor with justification

多供应商并排评估：

所有维度的风险评分
合规覆盖范围对比
成本效益分析
优势/劣势摘要
含理由的推荐供应商

Onboarding Checklist

入职清单

Structured requirements list:

Pre-contract deliverables (certifications, insurance, references)
Contract negotiation priorities (liability, SLAs, termination rights)
Integration requirements (APIs, data formats, security controls)
Ongoing obligations (reporting, audit rights, performance reviews)

Enhanced Feature: Risk-based onboarding paths - higher risk vendors face stricter requirements (more frequent reviews, additional certifications, enhanced SLAs, stronger termination rights).

结构化要求清单：

合同前交付物（认证、保险、推荐信）
合同谈判优先级（责任、SLA、终止权利）
集成要求（API、数据格式、安全控制）
持续义务（报告、审计权利、绩效审查）

增强功能：基于风险的入职路径 - 高风险供应商需满足更严格的要求（更频繁的审查、额外认证、强化SLA、更有力的终止权利）。

Best Practices

最佳实践

Proportional Assessment: Scale diligence depth to service criticality and risk exposure
- Critical/High Risk: Full Phase 1-3 assessment with external expert validation
- Medium Risk: Phase 1-2 with selective Phase 3 elements
- Low Risk: Phase 1 with streamlined Phase 2
Document Everything: Maintain audit trail of assessment decisions, risk acceptances, and mitigation measures
Involve Stakeholders: Include Legal, IT/Security, Procurement, Business Units, and Compliance in assessment process
Challenge Vendor Claims: Verify certifications independently, request evidence, conduct site visits for critical vendors
Plan for Exit: Always assess vendor replaceability, data portability, and transition complexity before signing
Continuous Monitoring: Due diligence is not one-time - reassess regularly and after triggering events
Concentrate Risk Management: Track total vendor exposure across organization to identify dangerous concentration

Enhanced Feature: Third-party validation recommendations - when to engage external auditors, security firms, or legal counsel for independent verification (critical vendors, regulated services, high-value contracts).

比例评估：根据服务关键性与风险暴露程度调整尽职调查深度
- 关键/高风险：完整的1-3阶段评估，辅以外部专家验证
- 中风险：1-2阶段评估，选择性采用第3阶段内容
- 低风险：第1阶段评估，简化第2阶段流程
全面记录：保留评估决策、风险接受及缓解措施的审计跟踪
利益相关方参与：邀请法律、IT/安全、采购、业务单元及合规部门参与评估流程
质疑供应商声明：独立核实认证，要求提供证据，对关键供应商开展现场考察
规划退出方案：签署合同前始终评估供应商可替代性、数据可移植性及过渡复杂度
持续监控：尽职调查并非一次性工作 - 定期重新评估，且在触发事件后重新评估
集中度风险管理：跟踪整个组织的供应商总暴露情况，识别危险的集中度

增强功能：第三方验证建议 - 何时聘请外部审计师、安全公司或法律顾问开展独立验证（关键供应商、受监管服务、高价值合同）。

Risk Mitigation Strategies

风险缓解策略

Common approaches to address identified gaps:

Financial: Require parent company guarantees, increase insurance requirements, shorten payment terms, implement performance bonds
Security: Mandate specific controls, require penetration testing, implement enhanced monitoring, restrict data access
Compliance: Require certification achievement within timeframe, implement audit rights, add regulatory breach termination clauses
Operational: Define stricter SLAs, require redundancy, implement escrow for critical IP/code, establish backup vendor relationships
Strategic: Limit contract term, build exit provisions, avoid proprietary lock-in, maintain dual-source options

针对已识别差距的常见解决方法：

财务：要求母公司担保、提高保险要求、缩短付款期限、实施履约保证金
安全：强制要求特定控制措施、要求渗透测试、实施强化监控、限制数据访问
合规：要求在规定时间内获得认证、落实审计权利、添加监管违规终止条款
运营：定义更严格的SLA、要求冗余、为关键知识产权/代码设立托管、建立备用供应商关系
战略：限制合同期限、制定退出条款、避免专有锁定、维持双源供应选项

Limitations and Disclaimers

局限性与免责声明

This skill does NOT:

Replace professional due diligence services (legal, financial, technical audits)
Provide legal advice on specific contracts or regulatory requirements
Guarantee vendor performance or eliminate all risks
Substitute for organization-specific risk frameworks and policies
Fulfill regulatory obligations without expert validation
Create attorney-client, fiduciary, or advisory relationships

Users must:

Adapt all frameworks to their specific industry, jurisdiction, and risk tolerance
Engage qualified professionals for regulated assessments
Verify all regulatory requirements independently
Obtain necessary internal approvals before vendor engagement
Maintain documentation for audit and compliance purposes
Update assessment criteria as regulations and threats evolve

本Skill不：

替代专业尽职调查服务（法律、财务、技术审计）
就特定合同或监管要求提供法律建议
保证供应商绩效或消除所有风险
替代组织特定的风险框架与政策
无需专家验证即可满足监管义务
建立律师-客户、受托或咨询关系

用户必须：

根据自身行业、司法管辖区及风险承受能力调整所有框架
聘请合格专业人员开展受监管的评估
独立核实所有监管要求
在供应商合作前获得必要的内部批准
保留文档用于审计与合规目的
随着法规与威胁演变更新评估标准

Regulatory Context

监管背景

While this skill references common regulations (GDPR, DORA, NIS2, etc.), users must:

Verify current regulatory requirements in their jurisdiction
Consult legal counsel for compliance obligations
Not rely on this skill for legal interpretation
Understand that regulatory landscapes change constantly
Recognize that enforcement varies by regulator and jurisdiction

Last Updated Framework Version: January 2025 (Regulatory references may become outdated)

尽管本Skill参考了常见法规（GDPR、DORA、NIS2等），但用户必须：

核实所在司法管辖区的当前监管要求
就合规义务咨询法律顾问
不要依赖本Skill进行法律解释
了解监管环境不断变化
认识到监管执行因监管机构与司法管辖区而异

框架最后更新版本：2025年1月（监管参考可能过时）

Example Use Cases

示例用例

Financial Institution under DORA: Assessing cloud service provider for critical payment systems
Healthcare Organization: Evaluating SaaS vendor handling protected health information (HIPAA)
Manufacturing Company: Third-party risk assessment for industrial control system provider
E-commerce Platform: Payment processor due diligence under PCI DSS requirements
Government Agency: FedRAMP compliance assessment for cloud infrastructure provider
Startup: Rapid vendor screening for limited-risk, non-critical services

FINAL REMINDER: This is an educational framework and starting point only. Professional due diligence requires expertise in law, finance, cybersecurity, and risk management. Always engage qualified professionals for critical vendor assessments and do not rely solely on this skill for decision-making.

受DORA监管的金融机构：评估为关键支付系统提供服务的云服务商
医疗机构：评估处理受保护健康信息的SaaS供应商（HIPAA）
制造企业：对工业控制系统提供商开展第三方风险评估
电商平台：根据PCI DSS要求开展支付处理器尽职调查
政府机构：对云基础设施提供商开展FedRAMP合规评估
初创企业：对低风险、非关键服务开展快速供应商筛选

最终提醒：本框架仅为教育性内容与起点。专业尽职调查需要法律、财务、网络安全及风险管理领域的专业知识。针对关键供应商评估，务必聘请合格专业人员，不要仅依赖本Skill做出决策。