Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Ongoing Monitoring - Next Review Date

    This message was posted by a user wishing to remain anonymous
    Posted 04-10-2024 01:53 PM
    This message was posted by a user wishing to remain anonymous

    Hello! Does ongoing monitoring need to be completed within the same calendar year of the next scheduled review date or by the actual date of the next scheduled review? For example, I have a high risk vendor who needs to be reviewed annually. We started their annual review April 2023, but it took quite awhile to get the required / proper documentation from them, so the 2023 reviews were just finalized in Feb 2024. Should their next review date be April 2024 or should I just try to have those completed by year end since high risk vendors are on an annual cadence? 

    Thanks in advance for your help!



  • 2.  RE: Ongoing Monitoring - Next Review Date

    This message was posted by a user wishing to remain anonymous
    Posted 04-10-2024 05:09 PM
    This message was posted by a user wishing to remain anonymous

    We have a schedule set for 10 months out of the year for every department. For a department that only has a couple of vendors to be reviewed, and we find that maybe one vendor is late with sending us their due diligence we move the whole department to a different month. For other departments, like IT that have so many vendors to review, I complete the vendors we have docs for and report them to the board along with a list of which vendors could not be completed and why. Once they are completed, I send the same list to the board again but this time with a part 2 showing the vendors that previously weren't completed. 

    Knowing how long it takes to gather financials for some vendors we have made sure they are scheduled towards the end of the year in Oct or Nov.




  • 3.  RE: Ongoing Monitoring - Next Review Date

    Posted 04-10-2024 05:15 PM

    We just recently changed our Policy to state "once per calendar year" vs. annually to deal with the issue of how long it takes to get docs from some vendors.  We also have a vendor do the ongoing due diligence reviews for most of our higher risk vendors and they start those reviews in April of each year. So, this policy change was also made to accommodate this schedule. If we find that we won't be able to complete a DD review on time, we would notify the Board.


    Original Message


  • 4.  RE: Ongoing Monitoring - Next Review Date

    Posted 04-11-2024 06:28 AM

    Hello,

     

    I have mine set to every 12 months unless there are changes then it is completed earlier.  I do not change the timeframe when it takes longer to get the documents.  I keep my reviews within the contract termination timeline as well.  This way if there are drastic issues, they can be addressed prior to contract renewals.  This allows for enough time to cancel as well.

     

    Thanks,
    Kelli Shoup | Technology Support Lead/Information Security Specialist

    The Farmers Bank

    This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.




    Original Message


  • 5.  RE: Ongoing Monitoring - Next Review Date

    This message was posted by a user wishing to remain anonymous
    Posted 04-10-2024 05:11 PM
    This message was posted by a user wishing to remain anonymous

    We have a critical vendor review "season" per say. We start around April and typically wrap up reviews and board presentations by the end of the summer. Vendors that take longer to respond get reported later in the season. I'll review the dates of the documents that I have when we start to see if they would still be applicable to the time period of the current review season that we're in or if the vendor likely has a newer document available.