Due Diligence and Ongoing Monitoring

  • 1.  Interagency Exams of Service Providers

    This message was posted by a user wishing to remain anonymous
    Posted 04-12-2022 11:56 AM

    I am only posting anonymously as I am new to my company and do not know their policy on these types of forums. 

    We have a precedent of requesting Interagency Exams of Service Providers for our critical vendors.  Many times these reports are dated and over 18 months old.  

    • Do any of you request these and, if so, what do you do, if anything, to mitigate any MRA, MRIA type findings?
      • Do you report the findings to the Enterprise Risk Committee?
      • Do you report the existence of these to the Board?
    • Do you report if the vendor has a response memo saying they have remediated the issues and are awaiting validation?
    My opinion is these are old findings and do not really have a lot of risk weight if they have been remediated. Would love to hear other opinions as well.

    Thanks!


  • 2.  RE: Interagency Exams of Service Providers

    Posted 04-13-2022 10:11 AM
    We request any available reports for critical and significant/high risk vendors roughly twice a year.  It's rare, but we have seen serious issues identified with some of our significant vendors - serious enough to at least question whether we would want to continue doing business with them.

    In response to reported MRAs and MRIAs, I document the issues and notify the vendor owner.  Although it is their responsibility to follow up on these issues, I do assist with this process.  All issues not resolved/remediated are reported to the vendor owner and the Executive Team quarterly (a process we just started).  Not sure if this information will be reported to the Board.  Currently, we are only reporting information about the overall program annually to the Board.

    My experience with vendors is that some are very tight-lipped about remediation efforts.  I mentioned this recently to our lead examiner (OCC) and he stated that he was a little surprised, but to make sure and document the requests and responses.  Most will at least provide some form of response to issues identified.