Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Oversight Requirements

    Posted 03-08-2022 12:41 PM
    I came from a financial institution where we categorized vendors by Critical, moderate, non essential. I am new to the inherent risk and the residual risk ratings. I got hired on at a new credit union and the oversight tasks are confusing. For critical High risk vendors there is no question in my mind that the Due Diligence needs to be ran annually and I need to review the BCP/DR, SOC, Update insurance certificate, cyber security review, info sec review, financial review and PCI compliance. Should I not review all of those for Critical vendors that are moderate or low risk as well? If that vendor went down and their product/service affected our financial institution with a huge impact I would think that despite the risk, its a critical vendor, they are one of the most important vendors to keep an eye on? I beleive the entire oversight automation requirements are not set up correctly and I want to change them for example. 
    For a Critical high risk vendor with no NPI access it is currently set to review the contract, SOC and BCP annually. 
    but for a high risk non critical vendor with NPI access it is set to review the same information as a high risk critical NPI access vendor annually. This does not make sense. Can someone help me

  • 2.  RE: Oversight Requirements

    Posted 03-10-2022 10:44 AM
    My organization reviews all third parties at least annually and more frequently based on risk rating. Criticals are every quarter, at a minimum. Moderates, bi-annually, and Low or "non-essential", annually. Any third party could be reviewed more frequently based on issues or other things that might be going on.

  • 3.  RE: Oversight Requirements

    Posted 03-10-2022 11:35 AM
    We categorize our vendors as Critical, Significant or Non-Essential. Critical vendors are reviewed annually, significant, every other year and non-essential, every 3 years. Of course, if we are aware of any possible issues, then we can review more often.

    Within those categories, we determine if the vendors are a high, medium or low risk. If the risk level goes up at the time of the review, then we discuss how we want to handle it. Do we want to review and re-negotiate the contract? Do we want to leave as is? Do we want to terminate the relationship? Communicate with the vendor, regarding our issues and request them to resolve them? Things like that.

    I hope you find this helpful. ​

    Cheryl Turner