This is a great question and highlights a really important issue about document expiration. I would say the best approach is to have a system in place to make sure you're tracking any documents like insurance certificates or SOC reports that have expiration dates. This can help serve as a reminder to request these documents as they expire.
As far as periodic due diligence reviews go, it's generally recommended to follow this cadence:
· Critical and High-Risk: At least annually, but reviews may be more frequent if there have been issues such as declining performance or a security incident
· Moderate: Every 18-24 months, depending on the product or service type
· Low: Every three years, or at contract renewal
So, here's an example of what that might look like. Let's say you've scheduled a due diligence review for your critical vendor on July 1. However, their insurance certificate expires on December 31. You could still keep that July 1 review date to review other due diligence documents and make sure they're current and valid. You would just need to set a reminder and reach out to the vendor closer to the December 31 expiration date to request a new insurance certificate. This could be as simple as an email or calendar notification, although you may need to consider another solution if you need to track dozens or hundreds of dates.
I hope my answer is helpful and I'm interested to see if other members have suggestions on how to set reminders for document collection.