Due Diligence and Ongoing Monitoring

  • 1.  Realistic time line for onboarding

    Posted 06-17-2024 08:50 AM

    Hello, I am looking for as many replies as possible so I can build a realistic SLA time line for my relationship owners.

    How long do you require to clear onboarding for Critical, High and even Moderate inherent-risk vendors? From intake questionnaire (after vendor is selected), meeting with relationship owners and SMEs, initial DD request, review of DD and final rating? Does not need to include legal contract review.

    Now you and I both know there are too many factors to account for, but I must set expectations, and I am counting on SMEs from InfoSec, compliance, ops and finance to review docs. I must allow them a full week (and really it is a bit longer) to do the reviews, then I have to do another review of their reviews to do the "residual" review. What do you think is a reasonable expectation to put in a standard and make available in trainings?

    Is 30 days reasonable? 

    We do intake meetings once a week as there are so many people involved (infosec, PMO, legal, compliance, IT architect) and I am still just building this program so I want to set the expectation at 45 days vs the current 30. 

    But I would love to hear from others and their time frames. Thank you so much.



  • 2.  RE: Realistic time line for onboarding

    Posted 06-17-2024 09:26 AM
    We have a "two week ball in your court" agreement with the SMEs who review assessments completed by the vendor. So the reviewer has two weeks to review, but if they send follow-up questions the clock stops and will restart when the responses are received. We have so far gotten away with not having an overall timeline as we continuously tell the business that the time it will take depends on how quickly their vendor responds and the quality of the answers.

    Good luck!





  • 3.  RE: Realistic time line for onboarding

    This message was posted by a user wishing to remain anonymous
    Posted 06-17-2024 01:07 PM

    "We have so far gotten away with not having an overall timeline as we continuously tell the business that the time it will take depends on how quickly their vendor responds and the quality of the answers."

    Exactly!

    Except... some vendors won't be very responsive at all. (The law of market power: if you are the bigger, wealthier entity, you're more likely to get your way.) For example, the basic set of cloud providers will give you what they give you... and that's all you're ever going to get.

    Back to the timing question, you'll also get it when those larger vendors decide to provide the information. Always a good time to interact with the internal requestor... "can't move along the process without getting the response".

    Most importantly, keeping the vendor owner engaged and informed is a big part of this process. If they feel like they know what's going on, even if what's going on isn't progress, they'll at least know why.