It greatly depends on the type of business and the risk level. I also base it on what other controls they have in place. For example, if they are high risk and are able to provide annual proof of a third party audit and information security certifications, I may not perform an onsite.
If the vendor (or local requirements) do not have the above, I will send a local employee there with a checklist of where to look under the hood. This is prior to contract negotiations and the formal document collection portion of our due diligence program. It saves us time.
For applicable vendors, I will do annual assessments both virtually and on site. In cases where there may be issues, I will try to send a local employee with a checklist of what to look for.
Original Message:
Sent: 09-16-2019 10:37 AM
From: Dan Graham
Subject: Do you consider onsite reviews a component of due diligence?
Looking into developing guidelines for my firm for onsite vendor visits, and this is one approach I'd like to build on:
When it Might Be Worthwhile for a Risk Team Visiting a Vendor Prior to Signing a Contract
- Signing with a critical vendor that's new to the market.
- A new critical vendor can't provide all the due diligence documents you need.
- You have learned that the vendor is having issues.
Conduct onsite vendor visits only when there is something important that can't be uncovered with some research at your desk. Otherwise you may be wasting time and money.
Your thoughts?
Original Message:
Sent: 09-11-2019 01:33 PM
From: Lola Bradley
Subject: Do you consider onsite reviews a component of due diligence?
Hi All. Pretty excited to see this community start and be so dedicated to third party risk. One question that came to mind was whether you consider onsite reviews a component of due diligence. And how do you determine which vendors should have an onsite review?