Due Diligence and Ongoing Monitoring

  • 1.  Are Site Visits Necessary?

    Posted 12-01-2021 04:34 PM

    I want to solicit feedback from the group.  This is a current hot-topic discussion at our institution.  Our TPRM program conducts site visits of our critical vendors, and even some of our high-risk vendors, but no one here really knows why.  I researched whether there is a regulatory requirement for site visits, and none of the banking regulatory agencies requires site visits.  In fact, only the OCC even mentions site visits (i.e., companies "may" consider site visits).

    So questions came up:  (1) why do we even do site visits?  (2) what have we ever found from site visits in the past?  (3) do we think we would ever find anything of significance from a critical vendor that is publicly traded, that has an SSAE 16, that is regulated?  For the past 10 years, the only thing we'd ever found was that the data center door was propped open as IT was moving out obsolete servers.

    I think there may be situations where site visits are warranted: a company that is new to the industry, a company that can't readily provide requested documents, a company that has too many control weaknesses on their SSAE 16 report that we want to decide whether to continue doing business with (i.e., meet with management to do a gut-check to see if they realize the severity of their control weaknesses).

    We are thinking of conducting site visits of vendors that may be small but may have customer impact, or may require our SME to do an assessment of their program (e.g., compliance, BSA, etc.).  So our site visits will be focused on business purposes vs. regulatory expectations or what everyone considers TPRM best practices.  We plan on continuing our normal monitoring processes (e.g., monthly/quarterly meetings with our vendor representatives, review of their public regulatory reports or risk assessment reports, ad hoc calls on any significant SSAE 16 weaknesses, etc.).

    Thoughts?  All comments welcomed.

    Thanks in advance.

    Albert Lau
    Deputy Chief Risk Officer
    East West Bank




  • 2.  RE: Are Site Visits Necessary?

    Posted 12-02-2021 08:30 AM
    I agree with your assessment: site visits are not required by regulation, and we do not require them to be completed as part of our standard risk assessment process.

    That being said, we treat them as one tool in our tool kit, the same as any other risk assessment tool.  At contracting we do build in the contractual obligation to allow site visits should we choose to complete one; however, we will only complete one if we think there is useful information or insights we can gather from physically being onsite.  Some of the primary reasons we might choose to go onsite are: relationship building that we think we can accomplish by an onsite visit, specific issues or problems that we want to ensure have been addressed, or a very specific and significant risk that we are taking on that warrants that extra level of due diligence.

    Personally speaking, I have never found something that surprised me (or shocked me) as part of an onsite visit.  Generally speaking, you need to arrange the visit in advance, so the vendor is going to be putting their best foot forward; if they didn't, that would certainly be a red flag, but probably not the first.  The takeaway from onsite visits I have found is to raise our level of comfort that identified risks are appropriately mitigated, with policies and procedures implemented and in use.

    I think your proposed policy for site visits makes a lot of sense.  From a regulatory standpoint you have a consistent, repeatable policy for onsite visits that mitigates specific identified risk, and I think that is what our regulators are looking for.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 3.  RE: Are Site Visits Necessary?

    This message was posted by a user wishing to remain anonymous
    Posted 12-02-2021 08:40 AM

    One way to filter on-site due diligence is to focus on your critical vendors. Another is by periodicity. But thinking that you'll never learn anything by going on-site is a mistake. You can learn about corporate culture. You will learn about who to trust and rely upon. You will learn who gets things done, and who is simply a poser. These things are hard to gain via email, traditional conference call or Zoom. There is no substitute for a face-to-face discussion. And never will be.


  • 4.  RE: Are Site Visits Necessary?

    Posted 12-02-2021 09:26 AM
    Hello Albert-

    Our institution is OCC regulated. Pre-pandemic, we did go on site to the majority of our critical vendors to conduct on-site reviews and found value in doing so. It is also a client confidence boosting best practice.  Site visits let you have insight into the vendors' shops to see how things operate and the ability to test their physical controls, as well as take notice of things that you could not validate with confidence unless on site. We (as you mentioned) also include non-critical customer-facing providers in the site visit calendar. We also may decide a site visit will not provide much value if the vendor is more technology-aligned. We may visit a data center or technology vendor based on their SOC review or if there are other concerns, but if the vendor's documentation is satisfactory and they are performing well without issue or incidents, we may agree that a site visit isn't necessary and conduct our review remotely.
    Off the top of my head, via a site visit we have identified these kinds of things:
    • Piggyback entries into the building without validating credentials
    • lack of security cameras (or cameras that don't work as reported)
    • Secure rooms that are not secure
    • 4th party vendors on site unattended
    • Violations of clean desk policies and sharing of passwords to applications that contain confidential information
    • Policies/procedures provided not accurately reflecting the process the way it is being executed.
    • Face to Face discussions with heads of departments vendor SMEs (Vendor Management, Compliance, InfoSec etc.) 
    In some cases we have also found that, while our primary goal is to ensure the vendor is performing well and is not causing undue or unknown risks to the organization, on these site reviews we also get a chance to understand some pain points the vendor may be experiencing with our line of business, to ensure that the vendor's concerns are addressed appropriately and timely.  In the end, your program should indicate to your regulators and clients that vendor-related oversight has the right level of engagement from the first, second and third line, and that these decisions (going vs. not going onsite) have a risk-based decision tied to them, so one person is not making a decision to go or not go. I send a list of vendors in scope for a review and have the list approved by my Compliance, InfoSec, Procurement and TPRM teams for review and approval, so they know who is in scope and who is going.
    Good Luck to you!

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    Cenlar FSB
    ------------------------------