Policy, Program and Procedures

  • 1.  Filing an exception

    This message was posted by a user wishing to remain anonymous
    Posted 11-01-2021 08:12 AM

    What process does your program use when a business owner wants to seek an exception to due diligence? In particular, what types of forms do you use and who reviews the exception after it's been filed?

  • 2.  RE: Filing an exception

    Posted 11-01-2021 08:58 AM
    I can't say I've seen a business owner able to request an exception to the vendor review process. I've only seen exceptions driven by policy [there are a few threads on that out here somewhere]. 

    If it's a customer that is a government body, like Fannie Mae, for example, then I could see an exception, but that would have to be outlined in the Vendor Due Diligence policy, rather than opening up a chance for a laundry list of ad hoc exceptions that defy policy.

  • 3.  RE: Filing an exception

    Posted 11-01-2021 09:13 AM
    We try to make exceptions most difficult. We have a tool we use which is built on OpenPages. The tool is controlled and managed by our Business Controls group. (A small team of Risk Analysts with the authority to evaluate and enter these risks.) The requestor will have to identify a Director Level person to be the business focal.

    We also have a list of approved suppliers and sub-processors. Should a group or team need a product from a supplier who is not on the list, they must open a Risk in the tool. Our tool only recognizes two kinds of Risk: Exceptions, which will not be fixed, and Deviations, which will be fixed. For suppliers and sub-processors, exceptions are not allowed. Your Risk must be a deviation.

    Lately, we have excluded SolarWinds for several reasons. The business has given the teams until the end of the year to replace all components. In the meantime, these teams need to continue to run this tool until a suitable replacement can be found. The deviation is then in place to manage the Risk until the problem is solved. No exceptions.

    Hope this makes sense.