Due Diligence and Ongoing Monitoring


Vendors excluded from vendor management

  • 1.  Vendors excluded from vendor management

    Posted 12-14-2020 11:06 AM
    Are there specific industries or vendors that you exclude from your vendor list or vendor management program, such as utilities, appraisers, FED, etc.?


  • 2.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 12:00 PM
    Here comes the dreaded "it depends." In my world, my vendors are organized by internal consumption or as part of a sales program. I have several "lists" of vendors that I am responsible for, so this gets murky. Every vendor who is part of the vendor management program is on the "Vendor List".

    There can be valid reasons for omitting a vendor name from a specific vendor list. This must be a business decision and not a program decision. If you are managing a vendor then they are on your list. If the business does not want to disclose this information, then this is a different thing.

    Is this what you are looking for? Or are you thinking of something else/some other reason?


  • 3.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 12:16 PM
    Thank you Mark. This helps.
    I was wondering if there are types of vendors (utilities, title companies, appraisers, etc.) that I don't have to include on my vendor list and therefore don't have to risk rate or perform due diligence. For example, appraisers are on a board approved list, but not on our vendor list because we don't have a contract with them and their service is a one time event (i.e. one appraisal at a time). Also, utilities are not on our list since we have no control over which utility services we can use and they wouldn't provide any due diligence documents anyway.


  • 4.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 12:01 PM
    We exclude the following:
    • Entities receiving charitable contributions
    • Entities from which travel, meals and entertainment are purchased.
    • Dues paid to an association.
    • Providers of magazines or periodicals.
    • Federal, state or local governments or entities engaged by the government for the collection of taxes and fees
    We also have a number of insurance company related exceptions.

    Finally, the US Postal Service and public utilities are exempt from our oversight and monitoring process.


  • 5.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 12:20 PM
    Thank you Mark. That's what I was looking for.


  • 6.  RE: Vendors excluded from vendor management

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2021 03:29 PM

    Hi Mark,  

    Can you please elaborate on the insurance companies that are included and excluded from your program?   Since the terms and conditions are set forth in the policy, what would you evaluate?  Solvency and data privacy perhaps?


  • 7.  RE: Vendors excluded from vendor management

    Posted 06-08-2021 02:15 PM
    We don't exclude insurance companies from our program. As an insurance company, our claims operation pays lots of third parties which, on the surface, one might identify as vendors.

    We exclude the following entities that receive payment because of a Company issued insurance policy:
    • Policyholders
    • Claimants
    • Appraisers
    • Contractors
    • Court Reporters
    • Experts
    • Medical Providers
    • Police and Fire Departments
    • Attorneys hired for reasons other than direct representation of the policyholder or the Company

    For example, you are in an automobile collision and choose XYZ Auto Body to repair your vehicle. The insurance company issues a payment to XYZ Auto Body to pay for the amount of the repairs in excess of the policy deductible. The insurance company didn't select XYZ Auto Body, you did. Should XYZ Auto Body be subject to a vendor management program? We don't think so.


  • 8.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 12:01 PM
    Yes, there are a handful.  For example, provisioning of external legal services, leasing/real estate, mergers/acquisitions.


  • 9.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 12:22 PM
    Thank you Aaron. This helps me define our exemptions from our vendor list.


  • 10.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 01:02 PM
    This is a constantly changing section of our program.  After I last reviewed the topic, this was the list I came up with:
    • Utility Companies/ISPs
    • Financial Institutions
    • Government Agencies
    • Lawyers and Auditors (professional services)
    Does anyone currently handle Credit Bureaus (TU/Ex/Ef) or Card Networks (Visa/MC) differently?  I have trouble with these categories as there are limited alternatives in the space for comparison purposes.


  • 11.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 01:13 PM
    Our CU submits a Risk Acceptance Request for the credit bureaus to our senior leadership for review. They recognize that our CU is not the only source of the data and that reputational risk falls on the credit bureau. This is reviewed annually.
    Our vendor inventory does not include utilities, charitable organizations, or supply vendors. If we have any documentation it is saved in our contract repository for a single source of information.


  • 12.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 04:48 PM
    Why are some of you excluding Lawyers and Auditors (professional services)? Those vendors use the same internet. They probably get some of the same phishing emails.

    I agree with excluding vendors your organization had no choice in selecting. However, I cannot see excluding the CPA firm that audits our books or our external firm that supplements our internal audit team.


  • 13.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 05:53 PM
    I've made a case to reduce the diligence on attorneys, but not to exclude them altogether.

    We have determined a few categories could be looked at lightly and less often – utilities certainly, but also retailers where there is no exchange of NPPI. We might pay an office supply place money out of AP, but I don't really see them as worthy of much time for risk assessment. Government agencies can make the list also, though we still try to get what we can from them, if only for peace of mind.

    The core question for me is whether the vendor needs or uses non-public information.

    Thanks,
    Dave

    David Howe
    Chief Information Officer


  • 14.  RE: Vendors excluded from vendor management

    Posted 12-14-2020 06:28 PM
    I think the type of access is incredibly important in determining the level of diligence on professional services.

    I want to note: attorneys are extremely likely to be targeted for scams/phishing/etc. I do not know about other professional industries, but the legal industry as a whole has a bullseye on its back from fraudsters. As a whole, it is generally behind the curve when it comes to data security. I personally know a law firm that has had a full ransomware attack on more than one occasion. This is especially true when it comes to legal services which involve the movement of money (real estate, for example).

    So to me it comes to back to the nature of the relationship and the information being shared. 


    Loriann Ouimet
    Corporate Counsel


  • 15.  RE: Vendors excluded from vendor management

    Posted 12-15-2020 08:25 AM
    Thank you Loriann.

    Do you risk rate attorneys and do they provide you with due diligence documentation?

    Also, do you include title companies on your vendor list?


  • 16.  RE: Vendors excluded from vendor management

    Posted 12-15-2020 08:56 AM
    We do risk rate attorneys and appraisers as well as any external legal counsel. The volume of NPPI that they might have access to determines the amount of due diligence documentation that we require. For a single-use real estate closing attorney, as an example, we would require confidentiality/non-disclosure, proof of professional insurance and verification of license in good standing.

    Interested in how/if others may risk rate marshals and constables hired individually to secure collateral, serve summons etc. That is an internal discussion we are having currently.


  • 17.  RE: Vendors excluded from vendor management

    Posted 12-15-2020 08:29 AM
    We have credit bureaus on our list but not Visa or MasterCard. We do include our ATM processor and debit card provider on our vendor list.


  • 18.  RE: Vendors excluded from vendor management

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2021 11:37 AM

    Do you evaluate resellers of software?  If so, do you perform due diligence for both the reseller and/or the underlying vendor software company?  If you evaluate the reseller, what due diligence do you perform?  Since there is no direct relationship with the vendor that produces the software, how do you evaluate them?   Do you categorize them as a 4th party?


  • 19.  RE: Vendors excluded from vendor management

    Posted 06-02-2021 12:58 PM
    I am very interested to hear what others are doing, I feel like there is no clear cut "right" answer.

    What we are doing is tracking the reseller as the vendor (3rd party) and the actual software provider as 4th party (downstream). A couple of different reasons we ended up here: the first was spending a lot of time talking to InfoSec and IT and getting their thoughts on who we go to for support, who the actual contract is with, etc. The second was the realities of obtaining due diligence and creating a productive relationship; it's much easier with the reseller and next to impossible with a Microsoft.

    I am mostly happy with how it is working and it's consistent with our existing policy. Where I struggle a bit is in how to assess the risk. Based on our risk metrics, a reseller would not be a critical vendor; they are easily replaceable etc. The software/services provided by the 4th party through the reseller however may be operationally critical. For this reason we have started to build out risk metrics for 4th parties to include concentration risk to get a better look in.

    Shelly


  • 20.  RE: Vendors excluded from vendor management

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2021 02:55 PM

    We do the same thing....started performing due diligence on the provider as a 4th party last year. The amount and type of due diligence needs to be catered to the situation. For example, if the reseller is critical to the implementation and maintenance of the 4th party software, then it may be considered high-risk or critical; if the reseller is just a middleman, then maybe not so critical since there may be multiple resellers in the marketplace for us to access the 4th party. However, if the 4th party software is critical to our operations, then it may be considered critical, with related heightened due diligence, even though the reseller may be of lower risk. One good thing about the reseller relationship is that often they perform their own 3rd party due diligence on the 4th party, on which we may rely, or the reseller may act as the intermediary in requesting the due diligence documentation from the 4th party on our behalf.