Original Message:
Sent: 05-04-2023 11:51 AM
From: Veralyn Hensley
Subject: Ongoing monitoring cycles
You have to balance the Risk Appetite of your institution and the overall criticality of your outsourced relationship and build a balanced, risk-based approach to your oversight. I would not say that just because they have a "clean" review you should lengthen oversight across the board. However, if you can demonstrate your rationale behind risk-based oversight (i.e. Critical and High risk have one frequency of review, and Moderate risk has a longer timeline for some types of controls reviews), then you would have a balanced approach. For example, maintain continued oversight of financials, performance, customer complaints, regulatory complaints, insurance, etc., but lengthen the time between your reviews of policies, procedures, SOC reports, etc. However, if you see financials, performance or complaints increase in risk, then conduct more frequent control oversight. (When you see risk rise, take action.) In this approach, it's not a "blanket" extension of the time between all oversight activity.
------------------------------
Veralyn Hensley
Original Message:
Sent: 05-04-2023 11:38 AM
From: Martin Wilson
Subject: Ongoing monitoring cycles
Correct - Always inherent risk. You can get a supplier who looks to have excellent controls in place and you may be tempted to trust them to maintain this in force. But companies change over time so you always have to assume the worst!!
------------------------------
Martin
Original Message:
Sent: 05-04-2023 11:15 AM
From: Cheryl Turner
Subject: Ongoing monitoring cycles
I agree with Hilary. In all the training I've taken, they highly suggest always using inherent risk. Things can change quickly.
Sincerely,
Cheryl Turner
Original Message:
Sent: 5/4/2023 10:12:00 AM
From: Hilary Jewhurst
Subject: RE: Ongoing monitoring cycles
I haven't attended the webinar in question, but I think it is safe to say that this advice is a bit misguided. When identifying your vendors' risk management and monitoring routines, they should always be based on the inherent risk, every time. And when it comes to effective TPRM, consistency is key.
Beyond the regulatory expectations, the most compelling rationale for this practice is that the inherent risk doesn't dissipate or disappear because of a vendor's controls. Remember, the controls are only reviewed at a point in time and can and do change or fail. Ensuring you align your risk management and monitoring cadence to inherent risk means you perform your risk management activities at the right frequency and rigor to be consistent with the level of risk presented. Residual risk should only be used to determine the following:
· If the existing controls are enough, or if more mitigation is necessary
· If the residual risk is beyond your organization's risk appetite
· Which of your vendors requires the most rigorous risk monitoring (an engagement where the inherent risk = high and residual risk = high may need even more frequent risk assessment and monitoring)
· The amount of residual risk collectively across your vendor portfolio, which can help demonstrate the effectiveness of your process
In conclusion, please ensure your TPRM risk management and monitoring activities are always aligned with inherent risk ratings only. I hope that is helpful, but I would love to hear from other group members.
Original Message:
Sent: 04-25-2023 09:35 AM
From: John Peck
Subject: Ongoing monitoring cycles
GM, I was in a webinar a while back, and they were talking about a process to extend ongoing monitoring cycles based on how well a vendor scored re ongoing due diligence. For example, extending a High Inherent Risk vendor's annual ongoing monitoring due diligence cycle from 12 months to, say, 18 months BASED on how well they scored re Residual Risk. I am trying to gather more information on this topic. Sounds like a unicorn, and the Regulators may never buy into this; however, I would like to know more.
Did anyone hear of this?
Regards