Due Diligence and Ongoing Monitoring

  • 1.  Frequency of Vendor Risk & Due Diligence Questionnaires

    Posted 02-06-2025 06:30 PM
    We have designed our vendor management program and vendor risk management policy by risk rating. So, we have 10 risk areas and give an inherent risk rating to each in-scope vendor for each of the 10 risk areas. For example, Vendor A is high inherent risk in customer interactions AND low inherent risk in Geopolitical (and so on for all 10 risk areas).
    We ask the Vendor Relationship Owner for a vendor to complete our Inherent Risk Questionnaire when a vendor is onboarded and then again on a schedule based on the inherent risk outcome. For high inherent risk in a risk area, we send the Inherent Risk Questionnaire annually. For moderate inherent risk, we send the Inherent Risk Questionnaire every 3 years. For low inherent risk in a risk area, we send the Inherent Risk Questionnaire every 5 years. We also ask vendor relationship owners to ask for a new Inherent Risk Questionnaire for all 10 risk areas if the scope of the product/service the vendor provides us changes.
    As I understand it, the frequency of assessing for inherent risk is based on the inherent risk rating and the date completed. For example, if we assessed Vendor A for inherent risk in customer interactions in January 2025 AND their risk rating = high inherent risk, the next time we will assess Vendor A's inherent risk for customer interactions is January 2026, since our frequency = annual for high inherent risk.
    Now to my question and where I need feedback... Continuing my example of Vendor A: because they were high inherent risk in customer interactions when we assessed Vendor A in January 2025, we followed up with a vendor risk/due diligence questionnaire to determine the residual risk. Let's say that was completed in April 2025. If we assess again for inherent risk in January 2026 (see paragraph above), and they remain high inherent risk in customer interactions, do we need to complete the vendor risk/due diligence questionnaire annually too, so we would do it again in January/February 2026, which is less than a year since we completed it last? Or is there a best practice frequency for determining residual risk (i.e., if we have gathered due diligence for a vendor less than 12 months ago, do we do it again)?
    How do some of you handle it and why? We want to make sure we are assessing internal controls and supplier controls properly but also don't want to ask our vendors to complete questionnaires every 10 months. Any help, input, feedback, and ideas you can provide are appreciated.
    Thank you,
    Christi Osburn
    (PEMCO Mutual Insurance Company)


  • 2.  RE: Frequency of Vendor Risk & Due Diligence Questionnaires

    Posted 02-09-2025 09:17 AM

    When we determine inherent risk, it triggers, according to score, a questionnaire (or not) by risk domain. When answers are received, this results in a residual risk depending on the replies received. This residual risk would trigger the frequency. In order to avoid that, we decided on a yearly frequency for Very High and High, while Medium and Low would be every 3 years or at contract renewal. But we are really reviewing whether to not send the questionnaires fully automatically. The trigger would come with a grace period, meaning we would inform the SME of the upcoming reassessment but not send it out for a month, allowing the SME to review whether to allow it to go through, to delay it, or to cancel it altogether (the last option mainly if there is intel that we would offboard the supplier soon anyway). Hope this makes sense.