This is a wonderful question, and I just want to commend your obvious commitment to maturing your TPRM program through automation. Your current processes seem very well-developed, and I think your program will become even more efficient over time as you continue to implement new strategies.
Before I get into your question about baseline due diligence, I first want to clarify your criticality definition. I noticed that your first and last questions are open-ended, and I wasn't sure if you already had defined thresholds for those answers. In my experience, criticality is easier to define if you're using yes/no questions. In other words, that first question might be slightly revised to something like, "In the event of a vendor failure, would it take less than 24 hours before we face significant material impact?" If you already have a threshold, then I think you're on the right track. Also, it's best to use a simple "critical or non-critical" classification. It looks like you may be using the terms "minor" and "material" for criticality, but this can create a lot of nuances when it comes to classifying your vendors as critical.
Moving on to baseline due diligence documents, you might want to consider using a combined approach where you're first looking at risk rating and criticality, then looking at the type of inherent risk. Here are some questions that might help create your document requirements:
1. Is the vendor a legitimate business entity with a good reputation? This question can help you determine which foundational/baseline documents to collect from all vendors, regardless of risk level or criticality. Collecting the vendor's W-9 is a good way to verify the vendor's legal name, address, tax ID, etc. It's also good to verify the vendor's ownership structure, any affiliated companies, and potentially the biographies of key managers and owners. Ensuring the vendor has a good reputation might involve an OFAC check, negative news search, credit report, or certificate of good standing. These baseline documents might be adequate to use for all of your low-risk, non-critical vendors.
2. What do we need to collect if there's elevated risk in the relationship? With any type of elevated risk (cyber, reputational, operational, financial, etc.), it may help to think of some additional documents to collect, such as confidentiality agreements and a list of the vendor's subcontractors/fourth parties. Some organizations might want to collect other information like insurance certificates, applicable compliance policies, the vendor's TPRM practices, SOC reports, and 3 years of audited financials. These documents, along with the baseline documents, may be appropriate for moderate-risk, non-critical vendors.
Beyond these two questions, your due diligence requirements will likely be more dependent on the type of inherent risk involved in the vendor relationship. From your criticality question, it looks like any vendor with access to PII is considered critical. Here are a few more questions that can help determine document requirements from critical and high-risk vendors:
3. Is the vendor capable and qualified to safeguard our data? Consider what documents can show evidence of the vendor's abilities to protect your data. This might include various policies and procedures, security testing results, data flow diagrams, and a potential on-site visit.
4. Can the vendor continue to serve our organization during and after a business-disrupting event? Documents like business continuity and disaster recovery plans and testing results can help reveal issues with your vendor's operational resilience. Incident management policies may also be helpful to review, as they show how your vendor will detect, respond to, and resolve information security incidents.
I hope these questions can give you a good starting point as you determine your own due diligence requirements. Other organizations may have their own strategies, and I'd love to see how others are developing their documentation requirements.