Risk Assessments

  • 1.  Ongoing Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 02-04-2020 08:08 AM

    I work for a $2.5 Billion Credit Union; we have over 300 employees and 19 branches.  I'm looking for guidance from places similar in size.

    I am new to Vendor Management and my department is in the beginning stages of development.

    We have decided to use the Category column to group our vendors in order to make a checklist to determine what ongoing due diligence information we will collect.  This left us with a couple of vendors for which we are unsure what to collect.

    1.  What ongoing due diligence is everyone collecting for Utility Vendors?  Or are you just checking the box in Venminder that states "Exempt from oversight requirements" (when you added your category of phone company, etc.)?

    2.  Security Vendors (i.e., Pelmac for cameras)?

    3.  Companies like Ascensus (platform for IRAs & HSAs)?

    Any and all feedback is greatly appreciated.


  • 2.  RE: Ongoing Due Diligence

    Posted 02-04-2020 08:29 AM
    1.  What ongoing due diligence is everyone collecting for Utility Vendors?  Or are you just checking the box in Venminder that states "Exempt from oversight requirements" (when you added your category of phone company, etc.)?
    I treat utility companies as "commodity" items, exempt from review.

    2.  Security Vendors (i.e., Pelmac for cameras)?
    While not expecting the same level of detail I would from an organization supplying IT support, I complete reviews of companies such as security vendors through review of available documentation as well as questions about privacy and security training, confidentiality agreements between the company and their employees, use of the cloud, how they deal with security incidents, secure portal technology, background checks, etc.  You can learn a lot about a company simply by the way they respond to your questions.  Are they professional?  Do they understand why you're asking for information about their business and security practices?

    3.  Companies like Ascensus (platform for IRAs & HSAs)?
    It appears Ascensus is a Bank.  As such, they would be subject to government oversight, SEC, etc.  While I exempt these organizations from our vendor review process, you could reach out to your regulators and/or look online to see if you can access reports that may be available (ex:  FFIEC IT-ROE).

    Rosalie Stremple


  • 3.  RE: Ongoing Due Diligence

    Posted 02-04-2020 10:15 AM
    We do our due diligence based on risk rating, but we count utility as "nonessential" so we aren't re-assessing something that we can't really shop around for anyway. But security, Ascensus, etc. are reviewed based on the category we place them in. Ascensus is moderate risk for us, so we have a list of documents to collect on a bi-annual basis to review them (baseline documents like privacy policy, COI, plus SOC 2/SSAE 18, record retention policy, internal/external audit reports, financials (if willing to provide), etc.).

    I started overseeing vendor management last Spring, so I am still fairly new as well and it's definitely a work in progress! We are a slightly smaller institution, but not by much. We have around 240 vendors in our system currently.


  • 4.  RE: Ongoing Due Diligence

    Posted 02-05-2020 12:29 PM
    1.  What ongoing due diligence is everyone collecting for Utility Vendors?  Or are you just checking the box in Venminder that states "Exempt from oversight requirements" (when you added your category of phone company, etc.)? We actually classify our Electric Utility providers as critical with annual reviews, especially the one that supplies our Operations/Data Center. Due diligence requirements are limited since they do not access confidential information and do not have access to our premises. All we collect are financials and OFAC checks on principal management. You may be able to get some regulatory certifications, but realistically, there is little point since we have no choice of providers. The same is true of our Gas company since our Ops Center backup generator runs on natural gas. All other utilities are classed as non-critical and on a 5 year review cycle. We built an abbreviated Inherent Risk questionnaire in Venminder to accommodate these providers.

    2.  Security Vendors (i.e., Pelmac for cameras)? We treat our Security vendors as full due diligence providers since they do have access to sensitive and confidential information. We review them on cycle based on risk rating. All of them that we have used have been for the most part cooperative in providing ample documentation.

    3.  Companies like Ascensus (platform for IRAs & HSAs)? We have just entered into a relationship with one such provider (a Bank) and were able to get a full set of due diligence documentation including external audit reports. They are treated as a full due diligence provider on a review cycle based on risk rating. To get a financial institution's financial report, go to the FFIEC website and search for their Call Report.