This is where having an Intake process that lives above your risk assessment becomes handy.
And you can use Categories to cycle certain Third Parties down a separate path... Not all things need Enhanced Due Diligence... and in some cases you want to pre-screen to determine if other processes need to be invoked.
For instance, Attorneys can be vetted differently, depending on how they are going to be used. We don't need to do a full-blown Inherent risk assessment if we're using an Attorney to help us write up one customer deal (prep of loan docs, for instance). So I'd not drop them in the Venminder process as the starting point, but prescreen to determine if there's any evidence we need to do a deeper assessment.
And we should have other pre-screening activities, prior to a Venminder scrub... Is the business unit attempting to bring in Technology? If we do a quick assessment with IT and InfoSec... we can determine if we should be spending any time at all on on-boarding or risk assessments... If IT says, no, that's not going to work in our environment, or InfoSec says that's not going to be safe in our environment, we can put a stop to wasted expenses...
Further, is this an activity that needs to go through Venminder at all? Donations we give to community groups for our CRA program. We just need to know who is getting the money; do a quick OFAC screen... don't need a PO, don't need a contract... just need A/P to cut a check... so minimum review only...
The vendors used under the legacy Reg Q program; vendors paid from a commercial customer's account analysis credits; part of the Bank's Treasury Management Services (TMS) program. You still need to vet the Third Party, but the risk assessment is unnecessary. Basic Due Diligence and Know Your Vendor (KYV) process. Your form Tri-Party Agreement...
And Affiliates... you have Reg W requirements... and there needs to be a clearly defined accounting for expenses. But you're not going to do a risk assessment on an Affiliate...
Pre-screening also allows you to help the business determine if they need to run through a formal program management process, or if they need to run through a Sourcing process (formal RFP) when the expected spend is going to trip other oversight and approval processes. And you may want to use pre-screening to determine if you'll trip over Exclusivity clauses with other vendors (and avoid a potential breach).
So, I do recommend using Categories and assigning specific due diligence activities that are appropriate for the risk related to that specific category; and the pre-screen process is a better way of managing resources and only spending time on those Third Parties that need your extra attention...
For me, I only really care about 300-400 of the 3000+ third parties in my inventory... and then only 80 to 120 of those I care about get a lot more attention... It allows me to focus resources on those third parties that need deeper Due Diligence reviews, better contracting efforts and On-going monitoring and reporting...
Sent: 08-08-2022 02:10 PM
From: Anonymous Member
Subject: Consulting and audit firm due diligence
This message was posted by a user wishing to remain anonymous
Just wanted to verify with everybody what type of documentation you request for your due diligence on the vendors below:
Thank you for the input.