Due Diligence and Ongoing Monitoring

  • 1.  Queries on Risk monitoring & residual risk

    Posted 07-26-2023 08:24 AM

    Dear Forum Members,

    I am a beginner in this domain, hence I may ask very simple questions. Please help me to understand and progress:

    1. During the onboarding and ongoing stages, is it suggested to use the same vendor risk questionnaire during inherent risk assessment, vendor due diligence, contract review and further risk re-assessments? Or is a different questionnaire supposed to be used for each of these vital events?
    2. After obtaining the residual risk rating, what are the succeeding activities that we, as TPRM managers, are supposed to carry out?


  • 2.  RE: Queries on Risk monitoring & residual risk

    Posted 07-26-2023 09:18 AM
    1. For us, it comes down to how our technology scores the risks - we have to have one questionnaire with conditional questions based upon the services that are provided to ultimately derive the total risk score. But, to answer the question, there should be question sets that are based specifically on the third-party, the services it provides (technology, cloud, fair lending, consulting, legal, etc.) and how they will complete the services (US based employees, US contractors, off-shore resources, etc.).
    2. Once the residual risk is ascertained, you should be monitoring for emerging risks (market, interest rates, social unrest, political, legislative, etc.), events (cyber, disaster, etc.), third-party specific risks (poor financial reports, being acquired, regulatory actions, complaints, etc.), contract monitoring, insurance expiration monitoring, new services that are added without going through a new due-diligence/risk assessment - just to name the most important.



  • 3.  RE: Queries on Risk monitoring & residual risk

    Posted 07-27-2023 08:22 AM

    Thanks for your response. But the query was different.

    To elaborate, for a specific vendor, do we have to use the same set of questionnaires during inherent risk assessment, due diligence and further risk re-assessment and due diligence in the monitoring phase?

    Thanks

    Aiswarya




  • 4.  RE: Queries on Risk monitoring & residual risk

    Posted 07-27-2023 01:07 PM

    Aiswarya,

    If I understand your question, it sounds like you're asking if the same questionnaire should be used for all of these stages/events for a single vendor.  The answer is no.  Your inherent risk questionnaire is meant to determine the risks associated with outsourcing a specific service and the specifics of how that service is performed.  This questionnaire should ask about what data the vendor has access to, how they access said data, whether they are storing/hosting the data, how much data they have, etc.  It should also confirm where the data is being accessed or hosted, any regulatory risks (privacy, fraud, red flags, etc.), any operational risks (business continuity/disaster recovery), and any other industry-specific risks you might have.

    Your due diligence questionnaires should be focused on the vendor's control environment(s) and validating if they have acceptable controls in place to reduce the inherent risk. These could vary a bit for onboarding and ongoing due diligence, but they should mostly be asking for the same information.  

    Once you have your residual risk, you'll want to make sure you've documented and are actioning on any material risks you discovered.  If the residual risk is still high, you may want to take additional action to further control/secure any of your company's data as it wouldn't seem to be well secured by your vendor.  If you have a continuous monitoring program/solution, you'll want to ensure to keep engaged there as well.  

    Hopefully, this addressed your specific questions. 




  • 5.  RE: Queries on Risk monitoring & residual risk

    Posted 07-28-2023 08:44 AM

    Dear Eric,

    Thanks for the response. Is it possible to get a sample questionnaire for both inherent risk assessment and due diligence? This will help me to get much more clarity by looking at the difference.

    Please help

    Regards,

    Aiswarya




  • 6.  RE: Queries on Risk monitoring & residual risk

    Posted 07-28-2023 10:46 AM

    Aiswarya,

    The Third-Party Risk Association (https://www.tprassociation.org/) is a great resource if you're looking to build more knowledge/understanding of the industry.  They have a template Inherent Risk Questionnaire and just released a template Information Security Questionnaire that would be used for due diligence.  This should help give you a better idea of what these each would look like and the questions asked in each.  You have to be a member to get access, but the standard membership is free and I believe it gives you access to the templates.  These questionnaires/resources are put together by the community so they are built via input from actual practitioners doing the work.  More questionnaires and resources will be released in the future as they are completed. 

    Hopefully, this helps provide even more clarity.  The TPRA is also putting on a free virtual conference in September.  You should take a look and consider registering for it.  It's focused on operational risk and resilience and should have a lot of great information to help you build on your understanding.




  • 7.  RE: Queries on Risk monitoring & residual risk

    Posted 07-31-2023 02:01 AM

    Thanks Eric for the lead. I applied for joining the TPRA community. Let me look into the resources to gain understanding.

    Regards,

    Aiswarya




  • 8.  RE: Queries on Risk monitoring & residual risk

    This message was posted by a user wishing to remain anonymous
    Posted 08-14-2023 01:35 PM

    I have subscribed to the Third-Party Risk Association standard membership; however, I cannot locate the template Inherent Risk Questionnaire and the template Information Security Questionnaire used for due diligence.  Can you please clarify how to find these template documents on the TPRA website?




  • 9.  RE: Queries on Risk monitoring & residual risk

    Posted 08-16-2023 12:00 AM

    Hi,

    You can get those templates in File Share | TPRA (tprassociation.org).

    Hope this helps!!

    Regards,

    Aiswarya






  • 10.  RE: Queries on Risk monitoring & residual risk

    This message was posted by a user wishing to remain anonymous
    Posted 08-16-2023 08:32 AM

    Thanks for this information, I will try the link you suggested.