Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence Q&A

    Posted 09-24-2019 02:50 PM

    Hi everyone, below are due diligence-related questions - we want your thoughts. Last week, Venminder had their Third Party Risk Management Bootcamp! It was three days, six sessions and 11 presentations long, covered by nine experts. Needless to say, a lot of great information was shared. There were also a lot of great questions that came in during those live sessions. The team thought it would be helpful to share what those questions were and provide answers as well. Chime in if you have further answers for any of these or any further comments. And, if you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.

    Q: Can you provide the enforcement action website?
    A: Paymentlawadvisor.com, and you can also look at each of the prudential regulators' websites and their monthly enforcement action publications.

    Q: I have several third parties that do not provide thorough due diligence. They will only provide a table of contents to their policies or procedures. How do you overcome this barrier?
    A: It depends on what you're looking for. In some cases, you really want to make sure you're drilling down and asking for very specific items and explaining why it's needed. In that case, create some sort of dialogue between yourself, your senior management and the vendor's senior manager explaining why these items are non-negotiable. It's important in a business relationship to make sure that you're not going to have compliance issues, financial issues, information security issues and more prior to entering the relationship. The table of contents simply isn't enough to address anything more than the surface level of the issue. You need to dig deeper to get a real understanding. Therefore, I would prep a memo or letter that lays out exactly what you're looking for. If they aren't willing to provide it, follow an escalation chain where you say what you asked for, when and why they wouldn't provide it, the creative solutions you offered to them to obtain the information, etc. This way senior management can decide if they're willing to accept this exception.


    Q: How do you recommend vendor risk management assess/monitor vendors where we do not have a contract? Some are fourth parties.
    A: In some cases, you need to rely on your third party and ensure that they're upholding the same standards that you'd be putting on your own third parties. In other cases, you want them to provide evidence of that and be transparent in the process. Ultimately, you're the one on the hook to be accountable for your customers' data so you want to make sure you're going as far as you possibly can to make sure all is well.


    Q: Is there somewhere an organization can go to obtain vendor complaints similar to BBB regarding the services they offer?
    A: There are several. Other areas are ripoffreport.com, the CFPB complaint database, state attorney general websites (as some have their own complaint database), Google News searches, social media searches, and you can contractually obligate the vendor to provide a list.


    Q: Any comments on situations where "Risk" owns Vendor Management, unless "it plugs in", and then IT owns that Vendor Risk Management?
    A: I always believe that Risk should be independent of any business unit function, including IT – gives you autonomy and an equal vote, rather than being drowned out by business issues.

    Q: It's great to see that the role of vendor manager has been elevated to a professional risk focused role. Do you foresee that there will be more regulatory requirements around vendor management education and certifications going forward?
    A: Yes, there will – particularly given the heightened focus on cybersecurity and breaches.


    Q: Where can we find resources for exact oversight and reporting standards for each industry to help us customize our due diligence for each business?
    A: There is no single source – it will depend largely on how your company uses that particular service or function. However, there are many resources available in the community libraries.


    Q: What level of due diligence do you recommend for fourth party vendors?
    A: Precisely the same as your third party.


    Q: Do you vet prior to a contract and do you have documented standards?
    A: Yes, definitely prior to the contract and yes, I always had documented guidelines on what I planned to reasonably obtain.


    Q: Why would we not require them to provide all the due diligence documentation in advance? This would be part of why we do or do not sign a contract. As long as we sign an NDA.
    A: We always try but sometimes they simply will not provide prior to a contract.


    Q: Where in the third party risk management (TPRM) critical path (initial due diligence and risk assessment, contract, onboarding, monitoring, etc.) is onboarding performed?
    A: Onboarding should be done as early as possible – definitely pre-contract.


    Q: What is the difference between a centralized vs decentralized vendor risk management (VRM) program?
    A: A centralized vendor risk management program means there is one person or group of people, typically in the second line of defense, who owns the responsibility of vendor management. For example, they will vet the vendors, assess due diligence, participate in contract negotiation, etc. This core team ensures your vendor management program is being executed properly. A decentralized vendor risk management program is when the job of vendor management has been spread across the organization, which becomes extremely difficult to manage.


    Q: Would this group consider a bank that holds company money, or a rating agency such as Standard & Poor, a third party vendor?
    A: Yes, definitely – it provides a service to the financial institution – thus it is a third party provider.


    Q: Can Dana (Dana Bowers, Founder and Chief Solution Architect at Venminder) touch on her thoughts on where vendor risk management sits within the lines of defense? Our program is currently with the second line, but we've gotten critiques that our activities should really be performed by the first line.
    A: Definitely second line – happy to discuss in more detail for specifics.


    Q: How far into fourth parties do you need to dig? i.e. if your third is considered very diligent can you use that, or must you vet the fourth as detailed as your third party?
    A: If they are handling any sort of proprietary or confidential information, dig as deeply as though they are in the office next to you.


    Q: Do you have a preferred resource you use to stay on top of regulation and actions taken?
    A: Ballard Spahr, JD Supra, Bryan Cave and all of the regulators' websites.


    Q: When starting the vendor due diligence on high-risk vendors who originally turned in their documentation 9 months previously, would you use their information and start from there? Or would you send out the SIG questionnaire and request documentation now?
    A: If it was complete 9 months ago, I'd be ok starting from there, otherwise, start fresh.

    Brittany Padgett
    Community Manager
    Third Party ThinkTank



  • 2.  RE: Due Diligence Q&A

    Posted 10-02-2019 05:55 PM
    Response to: I have several third parties that do not provide thorough due diligence.
    As a vendor and third party risk management, there is a fine line on what is shared and how. As a vendor, it is a common practice to provide summary or high-level sanitized data as an artifact; you protect that information internally, but once it is in the client's domain you've lost control of how that document is protected (and used). As a second thought, as the client, you also do not want to go back to your vendor and explain the loss of control of their documents. That does not mean that you do not have the requirement to know if there are sufficient controls such as policies. There are several other ways diligence can be viewed, such as read in depth over a WebEx, temporarily available in an authorized environment, onsite, or by an independent firm (is the scope noted in a SOC 2 Type 2 report). Be sure to document the assessment of the review. If these will not be shared in any form - and there are no independent attestations - the risk needs to be accepted by the business line(s) impacted at the appropriate level. Example - no information security policy may need to be approved by the business wanting to use the provider, the CISO, the CIO and, depending on your business, legal, as this could impact existing contractual agreements (e.g. PCI).

    What level of due diligence do you recommend for fourth party vendors?
    Requires some thought; if the 3rd party doesn't contractually have the right to the fourth party, what you may be able to perform can be inhibited. I suggest starting contractually to have fourth parties aware of the following requirements set forth, including right to audit. Generally, it is also a better practice to audit the 3rd party's vendor management program. The level of assessment is dependent on the criticality and sensitivity of the work efforts; a data center generally has independent attestations (SOC, ISO, SOX). Some do them every 6 mos, others 18-24 mos, so ensure you obtain recent information and there are no deficiencies. With the interconnectivity of company services, the level of diligence at 4th parties should rely more on the 3rd party, as the work effort can be enormous if you find that the 4th parties are really 5th and 6th in line of the processing.


  • 3.  RE: Due Diligence Q&A

    Posted 10-03-2019 10:19 AM
    Great answer! Thanks for the information!