Due Diligence and Ongoing Monitoring


Asking the community at large

  • 1.  Asking the community at large

    Posted 09-11-2019 01:03 PM
    Curious - do you vary the frequency of your due diligence based on the level of risk (e.g., high risk = annual due diligence updates; moderate = every other year; low = every 3 years or contract renewal time)?


  • 2.  RE: Asking the community at large

    Posted 09-11-2019 01:06 PM
    At our bank we complete an annual due diligence for all levels of criticality.


  • 3.  RE: Asking the community at large

    Posted 09-11-2019 01:16 PM
    Yes. We do it based on level of risk.


  • 4.  RE: Asking the community at large

    Posted 09-11-2019 01:25 PM
    We do utilize this model. We've found it to be much more efficient, since very rarely do policies / procedures / processes get overhauled with a full change to regulation within a year's time. Also, just gathering the data/info, reviewing it, sending it back for clarifications, and then sorting through the document submissions can take up to 2 months' time on our end, even with the efficiency enhancements of the Venminder platform.

    That becomes more hassle than helpful if we're chasing docs that don't justify the end game of a full review of a non-critical / replaceable service that won't affect revenue if they're suddenly offline.


  • 5.  RE: Asking the community at large

    Posted 09-11-2019 01:32 PM
    Yes, it really does depend both on the frequency of review you feel is required, predicated on the level of risk presented by the particular third party, as well as, very practically, the workload that you can handle. Obviously, you can throttle both from a timing standpoint or by spreading across the calendar a bit. The challenge of getting the information back and adequately reviewing it is always a big sticking point. But, ultimately, I do think there is real value in making sure that the frequency of due diligence is firmly tied to the level of risk presented by the product or service being outsourced.


  • 6.  RE: Asking the community at large

    Posted 09-24-2019 07:34 AM
    High (Tier 1): annual
    Medium (Tier 2): every 12-18 months
    Low (Tier 3): every 36 months

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    ------------------------------



  • 7.  RE: Asking the community at large

    Posted 10-04-2019 08:33 AM
    We currently complete a risk assessment and significance questionnaire annually for all vendors. We also have set a life cycle for each type of vendor due diligence document. We request these documents as they expire, which helps us to have contact with each vendor throughout the year. However, in terms of relationship review, these are completed 6-12 months prior to contract renewal/expiration, depending on criticality/risk/time to replace the vendor.


  • 8.  RE: Asking the community at large

    Posted 10-09-2019 06:04 PM
    We do this based on classification/criticality. A question for you/the group: do you schedule the next due diligence a year after the due diligence was complete, the contract was signed, or the project (if applicable) was implemented? For example, we completed a vendor due diligence in August 2018 and determined due diligence should be done yearly; however, the contract wasn't signed until February 2019 and the product is still being implemented. It is time for due diligence (if we base it off the due diligence completion date of August 2018), but it doesn't necessarily make sense to do it now if the product isn't even fully implemented. Thoughts?


  • 9.  RE: Asking the community at large

    Posted 10-10-2019 07:37 AM
    We do stagger it. Tier 1 annually, Tier 2 every 12-18 months, Tier 3 every 36 months. We track insurance expirations and contract expirations by date, but the full review happens according to the frequency by tier.

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    ------------------------------



  • 10.  RE: Asking the community at large

    Posted 10-10-2019 07:45 AM
    We do all annual reviews in the 4th quarter; that way that year's pentest and SOC 2 reports are usually done. It's also easier to manage all at once, in my opinion.


  • 11.  RE: Asking the community at large

    Posted 10-10-2019 09:15 AM
    It depends on how the contract is worded, but I annually review my vendors based on the contract date, even if the actual implementation of the product/service was a few months later. The reason I do it this way is because of the term requirements within the contract (the part where it states you are required to give 30, 60, or 90 days' written notice of non-renewal). I review the vendor 6 months prior to the 30/60/90-day requirement in the contract, so if there is consideration of terminating our relationship with that vendor, we can meet the term requirement and have time to find a replacement if necessary. On critical vendors, my annual review date is at least 2 years prior to the term requirement.

    This has worked well for me. However, following a recent IT audit, the auditor has now pointed out that, on the vendors for which I am required to review SOC/SSAE 16/SSAE 18 reports, I should be scheduling my annual reviews based on those report dates so that I am always reviewing the most current SOC/SSAE 16/SSAE 18 reports for those vendors. So now I'm trying to figure out how to transition my vendor management program to keep in line with my contract term review while making sure I am reviewing the most current reports. This is challenging!

    Anyone else have thoughts or suggestions?

    ------------------------------
    Joni D
    ------------------------------