Due Diligence and Ongoing Monitoring

  • 1.  KRI/KPI Reporting

    This message was posted by a user wishing to remain anonymous
    Posted 08-16-2021 03:16 PM

    I'm looking to expand KRI/KPI Reporting and I'm curious what other programs are reporting on. Appreciate the feedback in advance.


  • 2.  RE: KRI/KPI Reporting

    This message was posted by a user wishing to remain anonymous
    Posted 08-18-2021 06:14 PM

    These are some of the things I report on within my program:

    Operational metrics:

    • % of SLA met to complete due diligence
    • % of SLA met to provide a formal report, including any findings/risks, to the business
    • Timely escalations, based on expected due dates for the questionnaire, evidence, etc. (keeping the business apprised of roadblocks that may impact the SLA)

    Governance metrics:

    • # of contracts signed without due diligence
    • # of critical and high-risk vendors where internal risk assessment not updated at least yearly
    • # of critical and high-risk vendors not having undergone due diligence (either onboarding or ongoing)
    • # of critical or high-risk vendors with high risks


    Board metrics:

    • # of open audit and regulatory matters, status, and trends
    • # of critical vendors, based on key risk categories (business, spend, PII, concentration, etc.) trends
    • # of concentrated vendors and trends, by business and functional areas 
    • # of critical and high-risk vendors on watchlist (did not meet SLA, financial concerns, didn't remediate high risks as scheduled, etc.) and trends
    • # of top risks identified within the vendor portfolio and potential impact (customer, regulatory, strategic, etc.)

    Hope this helps.