My experience is that the business is more focused on the day-to-day ops and truly lacks the focus and awareness of the risks, or they aren't going to raise risks up because 1) putting controls in place will cost them time and effort, and 2) they perceive that others will think less of their ability for not having the controls in place to begin with.
There must be independence when assessing vendor risk, to ensure not only the vendor's ability to meet requirements and perform the work to meet the needs of the company, but also that the business has proper oversight and controls in place so the company meets regulatory expectations related to risk.
Best of Luck!
------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
------------------------------
Original Message:
Sent: 11-05-2019 04:26 PM
From: Josh Bowman
Subject: Due Diligence Owner
Curious about people's experiences here. I manage a decentralized VM program in which my business owners are responsible for completing due diligence on their vendors. Vendor Management reviews and rates their work, but I wonder if I'd be better served by having VM do the due diligence work ourselves. I have low confidence in the quality of my business owners' work and it's perpetually late. I understand this, because conducting DD is not a core strength for any of them and they have other things to do. We've only recently expanded our VM function to the point where we would even have the resources to do this work for our business owners.
Has anyone worked in both types of systems? If so, what worked better? Were there any cons to having the VM function manage DD?