Vendor onboarding puts conflicting pressures on procurement and supply chain professionals. You’re tasked with performing thorough due diligence, but at the same time, you need to onboard companies as quickly as possible. The incentive structure encourages you to do the minimum due diligence to cover your assets (CYA), to put it politely. There’s a strong incentive to keep things moving rather than dig deeper, even if it means accepting certain risks. Here’s why that incentive structure can harm you, and what you can do to mitigate risk AND accelerate the process.

How Perverse Incentives Creep Into Due Diligence

Due diligence is a critical part of vendor management. It protects your IP, mitigates risk, and lets you address a range of foreign influence, security, compliance, and/or ESG goals. But while companies will talk a good game about the importance of supplier reliability, due diligence isn’t seen as a profit driver, and that limits how high a priority it can be. Sure, it can prevent costly emergency orders and disruptions, but so long as the vendors are reasonably responsible (or so the conventional wisdom goes), those kinds of events are going to be rare. 

On top of that, onboarding is a long, costly pain in the neck already. It can easily take a month or longer to research and compare vendors, collect attestations, send out RFPs, do your own assessments, and handle all the details of contract negotiation. You don’t have time to verify every vendor’s attestations and dig into their reputations, or the affiliations of their board members, even if you wanted to. 

And there’s a really strong incentive to approve a vendor, even when their background is less than ideal. If you uncover a worrying risk two weeks into the process, you don’t have time to start the process over and put onboarding behind schedule. So you mitigate the risk as well as you can with controls or contract penalties, and hope for the best.

Why CYA Will Bite You in the End

CYA due diligence mitigates risk to a degree, but the only risk it adequately addresses is that posed by auditors. Even if you’ve done enough to demonstrate due diligence, there are still all kinds of opportunities for serious risks to leak through. And it can happen fast. One of the most dramatic examples was the 2025 Jaguar Land Rover (JLR) ransomware attack. By compromising third-party IT resources, the attackers shut down production for five weeks, costing the company roughly £1.9 billion, or $2.6 billion, making it the most costly cyberattack in UK history. It was so damaging that it decreased car manufacturing in the country by 27% for September, and affected 5,000 downstream businesses.

But failing to detect vendor vulnerabilities isn’t the only issue with traditional due diligence. It can also fail to detect structural supply chain vulnerabilities that can derail production. KFC’s 2018 UK supply chain disaster is a classic example of this. On February 14th, 2018, the company switched suppliers to DHL. There was nothing wrong with DHL; they were, and still are, a seasoned supplier with a solid reputation. But there was a problem that made DHL unsuitable for KFC’s use case: the company had only one warehouse in the UK, compared to the six of their previous supplier. 

On the day the company switched, a major accident closed the M6 motorway near that warehouse, bringing traffic to a standstill. With KFC’s delivery trucks stuck in traffic and no alternate warehouse, the company had no way to supply their restaurants. Just four days later, only 266 of the company’s 870 locations across the British Isles were open — less than a third of their restaurants across the UK and Ireland. And importantly, this all happened without any mistakes on the supplier’s part; the company simply failed to fully understand their supply chain risks when choosing a new partner.

How to Take Due Diligence Beyond CYA

Fortunately, although the problem is complicated, the fix is pretty simple: you need a technological solution to accelerate your supplier vetting and onboarding. A vendor intelligence platform like Craft expands your due diligence capabilities, empowering you to evaluate suppliers more completely in less time, and expanding due diligence to areas that are traditionally impractical to perform for most suppliers. 

Deeper vetting in less time

Craft empowers you to do deep supplier research in minutes. Our supplier intelligence platform provides hundreds of data points gathered from thousands of datastreams to create a complete risk profile for any vendor. An intuitive interface enables you to go from a broad view of major risk signals to the details of financial performance or compliance with a few clicks. You can investigate negative press just as easily, eliminating the reputation risk of unsavory suppliers.

Our in-built agentic AI can draft a full executive report in seconds, complete with an executive summary and section-by-section summaries of the most critical risk factors, so you can easily digest and share complex supplier information. That means you can perform almost all of your due diligence in a single session, brief stakeholders with no additional work, and get a more complete, accurate picture of prospective vendors than ever before. 

Expanded due diligence

Craft expands due diligence in two primary ways. First, it gives you access to information that would normally be prohibitively time-consuming to acquire. We provide supplier network visibility, so you can look deeper into your supply chain and spot hidden liabilities from linked suppliers. We also provide information on supplier leadership, indicating national and organizational affiliations, sanctions, and politically exposed status, so you can better protect your IP and ensure legal compliance. We can even help you prevent situations like the KFC shortage by mapping your supply chain, so you can visualize locations and potential weak points before it’s too late. 

That means you can winnow your candidates quickly, and start with a smaller list of higher quality suppliers than before — all while potentially saving weeks of time. That extra time lets you expand your due diligence further, by digging deeper into the vendors that matter most, reviewing documentation, investigating supplier attestations, or performing site visits and audits. 

That means quicker onboarding, less frustration, and lower risk across the board. Contact us to see just how quick and effective due diligence can be.