Due Diligence and Ongoing Monitoring

  • 1.  Vendor hierarchy

    This message was posted by a user wishing to remain anonymous
    Posted 09-28-2021 11:37 AM
    This message was posted by a user wishing to remain anonymous

    I am working with a US based Bank could some one advise how we can maintain Vendor hierarchy in our ERP system (Parent/Child) relationship based on the entity we are paying vs the other legal entities of vendor involved as part of shared IT infra and the parent company. Just to be clear with my request I would like to explain with the help of a simple example we are having contract with Google Canada (servicing Legal entity of Vendor), Google US is the company from which Google Canada is sharing the common tech Infra ( This will be used for the purpose of risk assessment) and than we will also have the Parent company Alphabet which is the holding company for both Google US and Google Canada.

    My Question is that what are the standard practices on maintaining the Vendor Hierarchy in ERP system and how to track on ongoing basis incase of any change.


  • 2.  RE: Vendor hierarchy

    Posted 09-29-2021 09:20 AM
    We maintain a data object for Parent Company to manage this type of situation, as well as providing the ability to segregate responsible vendor owner or segregate exceptionally different risk profiles.  The Parent object provides the ability to report on the whole TP relationship while provideing sensible granularity. It also makes recording who owns what, this week much simpler.   
    Examples: 
    We use the same vendor for both in-house and hosted solutions (my CyberSec and their CyberSec respectively). 
    One line of business uses the vendor for staff tools and other uses the vendor for customer facing deliverables. 

    Contracts(Products) are linked at the "vendor" level, vendors are (optionally) linked to Parent Companies.