Due Diligence and Ongoing Monitoring

We understand that an effective Vendor Management program includes monitoring and managing third party relationships. A key element in the process is conducting a risk assessment. The risk assessment is a component to assigning a risk ranking to the vendor. Once you have conducted the risk and identified the areas of concern, where do you capture/document the risk mitigation strategies?

If you capture the risk mitigation strategies in your vendor management tool, are the strategies specific to the vendor or more general, selected from a drop-down list, for example?

If you have examples to share, please do.

Thanks,

------------------------------
Mark Ewert, CPCU, CIC
Director Vendor Management
Penn National Insurance
------------------------------

Hi Mark,

We capture our risk mitigation strategies in our ERM tool which we also utilize for TPRM.  Our TPRM risk mitigations are not usually vendor specific but broader.  For example, if a vendor is providing a model we would capture that vendor specific model risk at the individual vendor level but the mitigations for that model risk would be covered by the enterprise Model Risk Policy and associated mitigations.  Similarly, for data confidentiality risk for a specific vendor the mitigations would be in the enterprise Information Security and IT policies and associated mitigations.  

That being said we are trying to draw a cleared line to the identified vendor risks and associated mitigations within our ERM solution.  Because our TPRM program is contained within our ERM solution, there is internal functionality to make those explicit links.  Currently, when we board a new vendor, we map the CUEC's explicitly to our existing controls/mitigations.  This is a manual review that we store within our ERM system at the vendor level however its not easily reportable data.  In the coming year the plan is to build off the functionality of our ERM system to automate this process and increase data collection and reportability.

Its its helpful to see how we map our mitigations and controls to vendor risk manually, let me know.  I am happy to share what our current mapping looks like.

Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------

Original Message:
Sent: 12-09-2021 05:41 PM
From: Mark Ewert
Subject: Capturing Vendor Specific Risk Mitigation

We understand that an effective Vendor Management program includes monitoring and managing third party relationships. A key element in the process is conducting a risk assessment. The risk assessment is a component to assigning a risk ranking to the vendor. Once you have conducted the risk and identified the areas of concern, where do you capture/document the risk mitigation strategies?

If you capture the risk mitigation strategies in your vendor management tool, are the strategies specific to the vendor or more general, selected from a drop-down list, for example?

If you have examples to share, please do.

Thanks,

------------------------------
Mark Ewert, CPCU, CIC
Director Vendor Management
Penn National Insurance
------------------------------