Due Diligence and Ongoing Monitoring

  • 1.  Capturing Vendor Risk Mitigation

    Posted 07-28-2022 09:20 AM
    Our relationship managers go through a risk assessment and risk ranking process for each vendor. Our risk ranking matrix includes eight risk factors:
    1. Personal or Health Information
    2. Business Information
    3. Access to Internal Environment
    4. Business Criticality
    5. Materiality to Operation
    6. Materiality to Financials
    7. Regulatory Noncompliance
    8. Replacement Difficulty
    Each risk factor can be assigned a degree of risk of No Impact, Moderate or Critical. The relationship manager answers a series of questions that determine the degree of risk for each risk factor and the overall risk level.

    Currently we do not capture the risk mitigation for each risk factor ranked moderate or critical in our vendor management system. I am thinking of starting that. Do you capture the risk mitigation strategy for your vendors? If yes, do you capture at the risk factor level or at the overall vendor level? If you capture that information, will you share the general categories with me?

    I am thinking about providing a multi-select list in our vendor management system, LogicManager. The multi-select list could include options such as: encryption, contractual terms, access restrictions managed internally, and lastly an "other" option that will permit free-form text. 

    Thank you for sharing.

    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance

  • 2.  RE: Capturing Vendor Risk Mitigation

    Posted 08-11-2022 11:17 AM

    I wanted to answer your question about capturing the risk mitigation for each moderate or critical factor or at the vendor level. Regarding any risk or mitigation strategy, you should evaluate at the engagement level (product or service) vs. just the vendor. When a vendor has multiple engagements, their risk rating should default to the highest rated engagement.

    As for capturing the risk mitigation, I am unclear if you are referring to specific controls that the vendor must have or other internal strategies. Generally, a vendor's control environment should be documented in their risk assessment or due diligence questionnaire, the documentation provided by the vendor, and the documented risk review provided by your SME.

    If I misunderstood your question, please let me know. I want to help you get the right answer. I would also love to hear from other members.

  • 3.  RE: Capturing Vendor Risk Mitigation

    Posted 08-11-2022 11:20 AM

    The level of effort and the specific actions required to manage vendor risk effectively can vary depending on the number of vendors and the risk level presented by each. However, the number of vendors is a significant factor when determining the number of staff.

    When it comes down to it, every vendor engagement must undergo at least seven activities: planning, inherent risk assessment, due diligence, contracting, risk reassessment, ongoing monitoring, and offboarding. So to get the most basic idea of how many significant actions would be required, you could multiply the number of vendors you have by those seven activities. If you have 500 vendors, that would be around 3500 individual actions to be performed by the TPRM team – each requiring various levels of in-depth work. And that doesn't even include the other TPRM activities like reporting, policy and program updates, issues tracking, and management or training vendor owners.

  • 4.  RE: Capturing Vendor Risk Mitigation

    Posted 08-24-2022 01:49 PM
    I think you might want to consider capturing the Control Effectiveness instead of looking to capture each risk mitigation. 
    Lean on Subject Matter Experts to review the Controls on an engagement basis. So you're not necessarily looking at the Vendor; you're reviewing the Risk of the particular engagement with that particular Vendor. You can then ask the vendor a set of questions where the risk is higher, along with requesting supporting documentation to demonstrate they have Controls to mitigate the risk. The SMEs can review the responses and supporting documents to rate the effectiveness of the control. This is the Inherent Risk (risk absent controls); the Control Effectiveness is then used to calculate the Residual Risk (risk with controls). If you've set a Risk Appetite, is the Residual Risk within your Risk Appetite?

    Keep in mind that, of your 8 Risk Categories, depending on the engagement you might only have a few you want to dig into deeper.
    And the scale of the risk (Likelihood and Impact) will determine what additional information you need to assess their Controls. That is, you might have a lite questionnaire for Medium Risk on Business Criticality but a deeper review if the Inherent Risk is High.

    Hope that helps. 

    Bradley Martin
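The scoring model described in the two replies above (engagement-level inherent risk, SME-rated control effectiveness, residual risk checked against a risk appetite, and the vendor rating defaulting to the highest-rated engagement from reply 2) as a worked example. This is added code, not anything from the thread or from LogicManager. The eight factors and the No Impact / Moderate / Critical scale come from the original post; the numeric ordering of that scale, the three-level control-effectiveness scale, the rule that an SME-verified control lowers a factor by one level, the risk appetite, and the vendor and engagement data are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum

# The eight risk factors from the original post.
FACTORS = (
    "Personal or Health Information",
    "Business Information",
    "Access to Internal Environment",
    "Business Criticality",
    "Materiality to Operation",
    "Materiality to Financials",
    "Regulatory Noncompliance",
    "Replacement Difficulty",
)


class Impact(IntEnum):
    """Degree of risk per factor, as in the post. Numeric order is assumed."""
    NO_IMPACT = 0
    MODERATE = 1
    CRITICAL = 2


class Effectiveness(IntEnum):
    """SME rating of the vendor's control for one factor (assumed scale)."""
    NONE = 0       # no control evidenced
    PARTIAL = 1    # control described, but evidence or testing has gaps
    EFFECTIVE = 2  # control evidenced and verified by the SME


@dataclass
class Engagement:
    """One product or service with one vendor, rated at the engagement level."""
    vendor: str
    name: str
    inherent: dict[str, Impact]                                    # factor -> degree of risk
    controls: dict[str, Effectiveness] = field(default_factory=dict)  # factor -> SME rating

    def inherent_for(self, factor: str) -> Impact:
        return self.inherent.get(factor, Impact.NO_IMPACT)

    def effectiveness_for(self, factor: str) -> Effectiveness:
        return self.controls.get(factor, Effectiveness.NONE)


def inherent_risk(e: Engagement) -> Impact:
    """Engagement inherent risk (risk absent controls): the highest-rated factor."""
    return max(e.inherent_for(f) for f in FACTORS)


def residual_factor(impact: Impact, eff: Effectiveness) -> Impact:
    """Assumed rule: an SME-verified control lowers a factor by one level;
    a partial or absent control leaves the inherent rating unchanged."""
    if eff == Effectiveness.EFFECTIVE and impact > Impact.NO_IMPACT:
        return Impact(impact - 1)
    return impact


def residual_risk(e: Engagement) -> Impact:
    """Engagement residual risk (risk with controls): highest residual factor."""
    return max(residual_factor(e.inherent_for(f), e.effectiveness_for(f)) for f in FACTORS)


def factors_to_review(e: Engagement) -> list[str]:
    """Factors ranked Moderate or Critical: the ones to question the vendor on
    and to record a control against (the original post's proposal)."""
    return [f for f in FACTORS if e.inherent_for(f) >= Impact.MODERATE]


def factors_above_appetite(e: Engagement, appetite: Impact) -> list[str]:
    """Factors whose residual risk still exceeds the risk appetite after controls."""
    return [f for f in FACTORS
            if residual_factor(e.inherent_for(f), e.effectiveness_for(f)) > appetite]


def within_appetite(e: Engagement, appetite: Impact) -> bool:
    return residual_risk(e) <= appetite


def vendor_rating(engagements: list[Engagement]) -> tuple[Impact, Impact]:
    """Vendor-level (inherent, residual) rating: defaults to the highest-rated engagement."""
    return (max(inherent_risk(e) for e in engagements),
            max(residual_risk(e) for e in engagements))


# Constructed sample data (not from the thread): one vendor, two engagements.
CLAIMS_HOSTING = Engagement(
    vendor="Example Claims Processor",
    name="Claims data hosting",
    inherent={"Personal or Health Information": Impact.CRITICAL,
              "Access to Internal Environment": Impact.CRITICAL,
              "Business Criticality": Impact.MODERATE},
    controls={"Personal or Health Information": Effectiveness.EFFECTIVE,  # encryption, evidenced
              "Access to Internal Environment": Effectiveness.PARTIAL},   # access restrictions, untested
)
PRINT_SERVICES = Engagement(
    vendor="Example Claims Processor",
    name="Policy document printing",
    inherent={"Business Information": Impact.MODERATE},
    controls={"Business Information": Effectiveness.EFFECTIVE},  # contractual terms, evidenced
)
VENDOR_ENGAGEMENTS = [CLAIMS_HOSTING, PRINT_SERVICES]
RISK_APPETITE = Impact.MODERATE  # assumed appetite for the example

if __name__ == "__main__":
    for e in VENDOR_ENGAGEMENTS:
        print(f"{e.name}: inherent={inherent_risk(e).name} residual={residual_risk(e).name} "
              f"in_appetite={within_appetite(e, RISK_APPETITE)} "
              f"above_appetite={factors_above_appetite(e, RISK_APPETITE)}")
    print("vendor rating (inherent, residual):", [r.name for r in vendor_rating(VENDOR_ENGAGEMENTS)])
```

Two things the numbers make visible that the prose only implies: a control recorded as "partial" does nothing for the residual score, so the claims-hosting engagement stays Critical and outside appetite on Access to Internal Environment alone, even though its other two Moderate-or-Critical factors are mitigated; and the vendor roll-up inherits that Critical rating regardless of how clean the printing engagement looks.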


  • 5.  RE: Capturing Vendor Risk Mitigation

    Posted 08-24-2022 02:47 PM
    Thank you, very helpful. My mind couldn't come up with the word controls. That is exactly what I meant.

    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance