Due Diligence and Ongoing Monitoring

How are others documenting ongoing monitoring activities for third parties? Today our team has a template and asks the business leader responsible for the vendor to populate which includes the types of ongoing monitoring they are conducting and frequency. 

Any suggestions or tips to enhance our current process?

Hi there, here are a number of tips regarding documenting ongoing monitoring:

First, an ongoing monitoring plan should be both well documented and actively supported by the board and senior management. In order to carry out the objectives of the Third-Party Risk Management Program, there needs to be sufficient bandwidth (resources) because an Ongoing Monitoring plan necessitates being engaged with your organization's vendors routinely. This also means that it is your main objective to ensure your vendors are complying with regulatory expectations.

Additionally, there are three main ways you can continuously measure vendor performance: Using scorecards, collaborating with vendor owners (aka Engagement owners or LOBs), and communicating regularly with your vendors.

• Performance Scorecards contain service level agreements tied to metrics, and are not subjective, but objective, which means that they should contain definite and measurable terms. A fail or a meet are unambiguous and recorded for every performance period. The scorecards are retained for internal and external regulators, used as evidence of conforming or non-conforming vendor health, and used as leverage for retaining a healthy vendor relationship where the vendor meets or exceeds SLAs or a vendor breach or failure is used both to track and monitor or ultimately terminate the relationship.
• Performance review meetings with your organization's vendors are important, too. Hold joint calls to discuss performance, formalize meeting minutes captured for historical reference and regulators, document any issues that require escalation and remediation plans both for your management and the vendors, and use such documentation to develop and track for historical reference, particularly contract termination or renewal.

Here is my cadence recommendation for vendor performance review meetings.

Contingent on risk ratings as follows: Critical – quarterly, High – semi annually, Mod/Low- annually

If your organization has the bandwidth to meet more frequently, then you are free to meet more often to ensure performance in on track, meaning it's in accordance with the contractual SLAs tied to the vendor scorecard.

Ongoing Monitoring should be a constant routine for taking the temperature of the vendor relationship and fortifying strong communication about vendor performance.

I look forward to what others are doing!