Policy, Program and Procedures

  • 1.  Frequency of performance reviews for non-critical vendors

    Posted 08-28-2024 01:53 PM

    Hello,

    We are a regional P&C insurance company with about 400 in-scope vendors for our vendor management program. We currently have 40 critical vendors. I have a question about the frequency of performance reviews (separate from determining criticality and vendor risk assessments).

    We have determined performance reviews for our critical vendors will be required bi-annually unless they are identified as a status of "On Watch" (quarterly) or "Unsatisfactory" (monthly). I am wondering what frequency other companies have set for non-critical vendors? 

    Since the KPIs for performance reviews are specific to each vendor, this process is fairly complex for 400 vendors so I want to make sure we right size this requirement for our company and our vendors.

    Looking forward to hearing what others are doing or plan to do.

    Thanks,

    Christi Osburn

    PEMCO Mutual Insurance Company



  • 2.  RE: Frequency of performance reviews for non-critical vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-28-2024 08:17 PM

    We have 4 levels of vendor, critical, high, medium and low.

    • Critical are reviewed annually
    • High are reviewed every 2 years
    • Medium are reviewed every 3-4 years
    • Low are generally not reviewed

    All of that being said, all vendors are reviewed:

    • As part of our due diligence process prior to an agreement being signed
    • When a service is added or an existing one is changed
    • At every renewal
    • When we are made aware of a material change in the vendor organization

    Additional reviews may be done if a vendor is acquired, makes an acquisition that may impact our service, or fails to meet defined requirements, e.g. providing an unqualified SOC report, retaining PCI certification, etc.

    I hope this helps.

    CK


  • 3.  RE: Frequency of performance reviews for non-critical vendors

    Posted 08-29-2024 12:13 PM
    CK,
    Thanks for the information. I want to confirm that your reviews are performance reviews versus risk assessments, or maybe you do them at the same time.
    Also, are the high, medium, and low levels of vendors related to risk? Or how do you identify each level?
    Thank you,
    Christi 
    Christi Osburn
    Vendor Management Program Manager


  • 4.  RE: Frequency of performance reviews for non-critical vendors

    This message was posted by a user wishing to remain anonymous
    Posted 08-29-2024 01:43 PM

    Christi,

    The assessments are all risk based. Ensuring performance is being met belongs to the business until contract provisions are not met, which is considered a change in risk.

    All vendor levels are based on risk.

    • Critical
      • Immediate impact on the ability to carry on business
    • High
      • Impact across the organization
      • Would require significant change to maintain operations e.g. find a replacement vendor, shift to manual processes, etc.
      • Some services unavailable beyond DR RTO
    • Medium
      • Limited impact
      • Some changes to process would be required
      • Some services unavailable for times within the DR RTO
    • Low
      • Minimal impact
      • Process changes may be required

    I hope this helps.

    CK