Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Construction Services and Contractors

    Posted 08-12-2020 05:16 PM
    Good afternoon, 

    We're looking at streamlining the risk assessment and due diligence process for a few categories of third parties-one being construction services. 

    Often, my vendor management team is first notified of a request when the facilities team submits a specific proposal from a specific contractor. In our current process, we are conducting due diligence at that time, but have run into issues with timing and efficiency related to responding to the request and vendors not meeting our requirements (though to be fair they are not yet well communicated) and need to make a change. Some examples are elevator maintenance and repair, asbestos removal, painting and general office build-out construction services.

    What are your processes for assessing risk, conducting due diligence and onboarding third parties that will provide construction services? How are your vendor management teams taking these types of requests and do you require the business team to verify things like licensure and insurance, or does your team pull those documents as part of the due diligence process?

    Thank you, in advance, for your time. 
    Allison


  • 2.  RE: Construction Services and Contractors

    This message was posted by a user wishing to remain anonymous
    Posted 08-14-2020 10:00 AM
    This message was posted by a user wishing to remain anonymous

    Hi Allison! 

    Good questions. I think the biggest issue here is timing. I'll assume that your team is hearing about these engagements after a bidding process has already taken place, and the facilities team (or other business team) has already reached a final selection. I also assume that once they reach their selection, they don't necessarily realize how long the risk assessment and due diligence process may take. It's not uncommon for business areas to view TPRM as a box they need to check in order to get a contract signed, as opposed to a partnering process in the vetting and selection process. 

    If you have a vendor management team that conducts risk assessments and due diligence, I don't think there is a need to push the standard vetting (license and insurance) to the business. I think a better solution would be to educate staff, and request that your team be involved earlier in the selection process. One thing that has helped me in the past is to create and disseminate flow chart or process document that briefly explains (with approximate timelines) your vendor management process. Also explain how you can assist with selection by providing insight that the business might not have otherwise discovered. 

    As far as the due diligence that should be done, that all depends on your risk assessment. Aside from the general business validation you mentioned above, stick to the fundamental risk drivers that determine inherent risk - will they have unescorted access to facilities? Is it a major financial engagement? Will they have direct or indirect access to data or systems? Etc...

    I'd be interested to hear if that sounds like a good plan to you, and of course, if anyone agrees or disagrees with my thought process - always good to hear different opinions!


  • 3.  RE: Construction Services and Contractors

    This message was posted by a user wishing to remain anonymous
    Posted 12-07-2021 12:16 PM
    This message was posted by a user wishing to remain anonymous

    Are you willing to share your disseminate flow chart? I am interested to see what that consists of. 

    Thanks


  • 4.  RE: Construction Services and Contractors

    Posted 12-08-2021 09:13 PM
    Hi Allison,
     Having experienced similar issues to you our Facilities Team has agreed to issuing a series of RFI/RFP's that will enable one to prequalify a variety of facility related contractors. Once prequalified the Facilities Team can pick anyone on the prequalified  listing. This is something I've done across multiple sectors and has been met the needs of all key stakeholders.