Due Diligence and Ongoing Monitoring


Due Diligence Owner

  • 1.  Due Diligence Owner

    Posted 11-05-2019 04:27 PM
    Curious about people's experiences here. I manage a decentralized VM program in which my business owners are responsible for completing due diligence on their vendors. Vendor Management reviews and rates their work, but I wonder if I'd be better served by having VM do the due diligence work ourselves. I have low confidence in the quality of my business owners' work and it's perpetually late. I understand this, because conducting DD is not a core strength for any of them and they have other things to do. We've only recently expanded our VM function to the point where we would even have the resources to do this work for our business owners.

    Has anyone worked in both types of systems? If so, what worked better? Were there any cons to having the VM function manage DD?


  • 2.  RE: Due Diligence Owner

    Posted 11-05-2019 04:35 PM
    We have found that if we require it to be done and done well, we, vendor management, have to control it. We keep the business users informed and involved, but we facilitate the process and all of the due diligence gathering.


  • 3.  RE: Due Diligence Owner

    Posted 11-05-2019 04:52 PM
    We have a centralized VM Program, with a Vendor Program Manager responsible for the policies, processes, monitoring, and metrics. Individual vendor managers are the relationship managers for their own vendors and follow the centralized process, due diligence, contracts, etc.


  • 4.  RE: Due Diligence Owner

    Posted 11-05-2019 04:55 PM
    Thanks, Michele. That's the system we also have in place today. Do you have confidence in the work your business owners perform? And are they (relatively) on time?


  • 5.  RE: Due Diligence Owner

    Posted 11-05-2019 04:58 PM
    No, I do not have confidence that they are really understanding the relationship conversation, or what to review in the information they are collecting. But that is the risk that has been accepted. In the areas of big risk, such as security, our ISO reviews the SOCs; for financial, our CFO reviews financials; and contracts are reviewed by an attorney. The key concerns I have are with the new data privacy laws coming through: will the vendor managers know the right questions to ask there, and ensure the protections are put in every relationship and contract? Education will be key here, but a program needs to be put into place first.


  • 6.  RE: Due Diligence Owner

    This message was posted by a user wishing to remain anonymous
    Posted 11-06-2019 10:40 AM

    We still have it fragmented, but for our group (which has many of the critical vendors), the onboarding due diligence is done by me, along with the Infosec Manager. We do this to keep some oversight and separation of duties. The annual due diligence is done by me, but I have some periodic reviews that I require the relationship manager to do.


  • 7.  RE: Due Diligence Owner

    Posted 11-05-2019 04:53 PM
    Thank you, Tracy. I'm starting to come to the same conclusion.


  • 8.  RE: Due Diligence Owner

    Posted 11-05-2019 04:36 PM
    This is interesting. Our auditor has informed me that we should be having our business owners review the SOC reports. She thinks they are the best ones to know the systems, and typically I might agree, except I have 40 years of banking experience and have worked on every piece of software the bank has, so I'm not sure I agree. When the business owners review, do they fill out a checklist, send you a report, or what do you get back from them?


  • 9.  RE: Due Diligence Owner

    Posted 11-05-2019 04:51 PM
    We have a SOC review checklist template that they use to confirm they've reviewed it. But I agree - I have more confidence in my ability to review a SOC report than I have in my business owners.


  • 10.  RE: Due Diligence Owner

    Posted 11-07-2019 08:29 AM

    Hello,

    Would you be willing to share the SOC review checklist you mentioned in a previous Third Party post? Our ISO reviews the reports, but audit has recommended we involve business units at some level with a checklist. I took a year and couldn't sell it to the ISO, until he realized some applications are maintained by a business unit, on third party hosted servers, and can be accessed from outside our network.

    Thanks,

    Josh Courson | Financial Analyst

    Finance Department – Business Performance Unit



  • 11.  RE: Due Diligence Owner

    Posted 11-05-2019 05:14 PM
    Over the past year we have revamped our vendor due diligence process and held firm-wide trainings to get all stakeholders up to date on our process. We have Vendor Relationship Managers (VRMs) who are responsible for the vendor relationship. Our Risk & Controls team takes the lead in coordinating the actual due diligence being performed. We handle the due diligence calendar for each vendor and submit the questionnaires to each vendor. The VRMs are responsible for reviewing their specific vendor's profile annually and making Risk and Controls aware of any changes to the relationship, so we know what type of questionnaire to send vendors. Also, if we do not hear back from vendors, or have follow-up questions on information provided by the vendor, the VRM will help to coordinate requests, follow-ups, and any necessary meetings/calls. When a vendor responds to our questionnaire, the Risk and Controls team reviews the questionnaire for completeness and then submits oversight tasks to the responsible subject matter experts (BCP, Information Security, Operational including SOC Reports, and Data Privacy) to complete their review of the questionnaire responses and any provided reports/policies/procedure documents. Once each SME completes their review, the Risk and Controls team performs an inherent and residual risk assessment on the vendor that is reviewed and accepted by the VRM.


  • 12.  RE: Due Diligence Owner

    Posted 11-06-2019 07:30 AM
    My experience is that the business is more focused on the day-to-day ops and truly lacks the focus and awareness of the risks, or they aren't going to raise risks up because 1) putting controls in place will cost them time and effort, and 2) they perceive that others will think less of their ability for not having the controls in place to begin with.
    There must be independence when assessing vendor risk, to ensure not only the vendor's ability to meet requirements and perform the work to meet the needs of the company, but also that the business has proper oversight and controls in place so the company meets regulatory expectations related to risk.
    Best of Luck!

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management

    ------------------------------



  • 13.  RE: Due Diligence Owner

    Posted 11-06-2019 08:12 AM
    Thanks everyone for your feedback. You're confirming my opinions!


  • 14.  RE: Due Diligence Owner

    This message was posted by a user wishing to remain anonymous
    Posted 11-07-2019 11:19 AM

    I am a VM Specialist. Pretty much, the business unit notifies us that they want to work with a new vendor. We send them a form to complete, and after we receive that we start to gather the DD documentation. Once received, we review all documentation.


  • 15.  RE: Due Diligence Owner

    Posted 11-06-2019 10:26 AM
    As the Vendor Management Officer, I manage the due diligence. I am notified when the vendor relationship managers want to conduct business with a new vendor. The vendor relationship manager acts as a filter between myself and the new vendor. I will send the various due diligence requests and questionnaires to the vendor relationship manager to send to their vendor contact. In order for the process to move smoothly and swiftly, I have to manage the process completely.