Our small community bank has a Risk Management Team that meets monthly. Our vendors are currently reviewed 6 months prior to the vendor's contract renewal date (this is to ensure a timely review prior to the contract's term notice requirements). Only our Tier 1 High Risk vendors and Tier 2 High Risk vendors receive a full vendor due diligence evaluation to include COI, Financials, BCP, DR, SOCs, Security & Privacy review. Tier 2 Medium and Low, Tier 3, Tier 4, Tier 5, Tier 6 vendors are reviewed at their contract renewal date, but mostly through a risk assessment and vendor/product/service performance, their stability and controls, contract review, etc. Since they are not deemed critical, the vendor review is less. My program has a total of 109 vendors, 25 of which are considered critical-high risk, so reviewing them monthly according to their contract renewal date means we are reviewing less than 5 critical vendors a month annually.
------------------------------
Joni D
------------------------------
Original Message:
Sent: 01-02-2020 07:29 AM
From: Jennifer Wilkinson
Subject: Vendor Review Frequency
Hi Colleen and Happy New Year!
Each October we pull the calendar of Vendors in scope for the following year and we spread them out over the course of the year. The goal is to have all critical vendors completed by September (it isn't always possible). Each of my staff is assigned a portfolio of vendors that are critical, medium risk, and low risk throughout the year.
I hope that helps!
------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Original Message:
Sent: 01-01-2020 07:40 PM
From: Colleen Jewell-Suiter
Subject: Vendor Review Frequency
Hi All,
We are currently discussing the frequency of our annual vendor review project. Our current process is to review all designated critical and high risk vendors annually at a point in time, typically in the spring. As our vendor volume has grown, this is causing us to re-evaluate the frequency due to level of documentation and time it's taking to complete. I'm curious as to how others are managing this process? For the vendors you review annually, do you review a certain number of vendors monthly or quarterly, or do you review them all at once?
Appreciate your thoughts!
Colleen