Due Diligence and Ongoing Monitoring

  • 1.  Capturing Vendor Risk Mitigation

    Posted 19 days ago
    Our relationship managers go through a risk assessment and risk ranking process for each vendor. Our risk ranking matrix includes eight risk factors:
    1. Personal or Health Information
    2. Business Information
    3. Access to Internal Environment
    4. Business Criticality
    5. Materiality to Operation
    6. Materiality to Financials
    7. Regulatory Noncompliance
    8. Replacement Difficulty
    Each risk factor can be assigned a degree of risk of No Impact, Moderate or Critical. The relationship manager answers a series of questions that determines the degree of risk for each risk factor and the overall risk level.

    Currently we do not capture the risk mitigation for each risk factor ranked moderate or critical in our vendor management system. I am thinking of starting that. Do you capture the risk mitigation strategy for your vendors? If yes, do you capture at the risk factor level or at the overall vendor level? If you capture that information, will you share the general categories with me?

    I am thinking about providing a multi-select list in our vendor management system, LogicManager. The multi-select list could include options such as: encryption, contractual terms, access restrictions managed internally, and lastly an "other" option that will permit free-form text. 

    Thank you for sharing.

    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance

  • 2.  RE: Capturing Vendor Risk Mitigation

    Posted 5 days ago

    I wanted to answer your question about capturing the risk mitigation for each moderate or critical factor or at the vendor level. Regarding any risk or mitigation strategy, you should evaluate at the engagement level (product or service) vs. just the vendor. When a vendor has multiple engagements, their risk rating should default to the highest rated engagement.

    As for capturing the risk mitigation, I am unclear if you are referring to specific controls that the vendor must have or other internal strategies. Generally, a vendor's control environment should be documented in their risk assessment or due diligence questionnaire, the documentation provided by the vendor, and the documented risk review provided by your SME.

    If I misunderstood your question, please let me know. I want to help you get the right answer. I would also love to hear from other members.

  • 3.  RE: Capturing Vendor Risk Mitigation

    Posted 5 days ago

    The level of effort and the specific actions required to manage vendor risk effectively can vary depending on the number of vendors and the risk level presented by each. However, the number of vendors is a significant factor when determining the number of staff.

    When it comes down to it, every vendor engagement must undergo at least seven activities: planning, inherent risk assessment, due diligence, contracting, risk reassessment, ongoing monitoring, and offboarding. So to get the most basic idea of how many significant actions would be required, you could multiply the number of vendors you have by those seven activities. If you have 500 vendors, that would be around 3500 individual actions to be performed by the TPRM team, each requiring various levels of in-depth work. And that doesn't even include the other TPRM activities like reporting, policy and program updates, issues tracking, and management or training of vendor owners.