Due Diligence and Ongoing Monitoring

  • 1.  Reporting Inquiry

    Posted 09-16-2021 09:49 AM

    Just curious what others use for reporting milestones within their respective vendor management programs. Our department is still in its infancy, but starting to look more at the reporting aspect and wanted to get an idea on what others might be reporting on. I realize every step could be measured, but I think that would be overkill.


  • 2.  RE: Reporting Inquiry

    Posted 09-16-2021 10:15 AM
    Hi John, we are currently reporting on the following metrics for TPRM:
    • Vendors by operational criticality
    • Vendors by Data Risk
    • DR critical vendors (vendor relationships that we need to ensure are included in our DR planning and resource matrix)
    • New vendors onboarded
    • Pending vendors (in onboarding process)
    • GLBA vendors
    • Annual review status (for specific level of operational criticality)
    • 4th party concentration (geographical concentration and concentration with a specific entity)
    • Foreign owned 3rd parties
    • Watchlist (vendors who have triggered a higher level of risk review)


    Shelly Chase
    Senior Risk Analyst Officer

  • 3.  RE: Reporting Inquiry

    Posted 09-16-2021 10:24 AM
    Thank you, Shelly! How are you tracking your vendors, though? My reporting is currently excel based and dependent on dates I enter as milestones. This is a small, one-person department at present, so it can be a bit of a challenge at times.

  • 4.  RE: Reporting Inquiry

    Posted 09-16-2021 10:50 AM
    Hey John, we just wrapped up development of a workflow to help us specifically with onboarding and ongoing due diligence. The milestone dates we are tracking are:
    1) Date vendor onboarding began (this ties to the date the business owner initiated the new vendor workflow)
    2) Date vendor onboarding completed and vendor approved to vendor panel
    3) Follow-up dates for action steps/deliverables (this is automated. We have identified a target completion time period for each task, and follow-ups are timed to occur weekly, or more frequently, should the workflow task not be completed within that specified time period.)
    4) Next certification date (next date we need to complete the ongoing due diligence review for approved/onboarded vendors)
    5) During the recertification process we track 14-day follow-ups through completion of the recertification review process

    Because we have automated the workflow, we can additionally slice and dice by the various onboarding steps, such as how many vendors have completed due diligence documentation gathering, how many contracts requiring attorney review have had that review completed, and how many vendors are with senior leadership for approval.

    We also include contract management in our TPRM program, so we track the following specific to the contract:
    1) Contract renewal date
    2) Notification of termination date (date by which we would need to notify the vendor should we choose to terminate the relationship)
    3) Business unit notification (a certain period of time prior to the notification of termination date, we provide a reminder to the business unit owner so they can begin their work to determine whether they want to recontract, renegotiate, or terminate. This time period is dependent on the type of relationship: for a core provider it would be 1 year, for a critical vendor 90-180 days depending on the complexity of moving services, etc.)

    Finally, we have some broader TPRM requirements that we need to complete and we track those milestones as well so we can report out completion.  The big one is annual request for ROE reports to regulators for regulated vendors.


    Shelly Chase
    Senior Risk Analyst Officer

  • 5.  RE: Reporting Inquiry

    Posted 09-17-2021 10:30 AM
    Thank you, Shelly! Those are basically the milestones I'm currently using, so I feel a bit better that I'm actually capturing good data.