Due Diligence and Ongoing Monitoring

  • 1.  Reassessment cadence doesn't align to contract renewals

    This message was posted by a user wishing to remain anonymous
    Posted 08-23-2024 02:09 PM

    Hi. I was contemplating if I should post this topic in Program, Policies, Procedures, but I think it'll be best here.

    Our reassessment cadence for third parties doesn't align with renewals. I think the root cause is that assessments are being completed after execution of contracts. They continue to not align because we keep reassessing based on the assessment date and not on contract execution/renewal dates. I think I answered my own question here, but I'm not sure if my approach is the general consensus. It would be to identify contract renewal dates across the board and then reassess to match those dates rather than the date the assessment happened. If this is the approach you would take, how do I get leaders to align to this, since they don't want to?

    Thank you for your input!



  • 2.  RE: Reassessment cadence doesn't align to contract renewals

    Posted 08-27-2024 01:00 PM

    I think your question brings up an interesting, yet common dilemma. It might seem practical to align those re-assessment dates and contract renewal dates, but this could potentially create issues with vendors that are critical or have elevated risk.

    For example, one of your critical vendor contracts is set to be renewed on September 1. You plan to complete a re-assessment on that same day, or maybe a few days before. However, this re-assessment could identify changes to the vendor's risk, which requires additional due diligence. That wouldn't give you much time to review that due diligence and make any changes before the contract is renewed.

    Also consider if your critical vendor contract has a term of longer than one year. That would mean you're not completing a re-assessment until that contract renewal, and you could be missing important changes to the vendor's risk. If a contract is coming up for renewal, the re-assessment should be somewhat current, at least within the past 6 months.

    I'm unsure of what your current re-assessment cadence looks like, but this is what we recommend:

    • critical and high-risk vendors – at least annually
    • moderate-risk vendors – every 18 months to two years
    • low-risk vendors – every two to three years, or before contract renewal

    Keeping track of these different dates for contract renewals and re-assessments can be challenging, so it's important to figure out a system, ideally with automated reminders, that works consistently for your organization.

    I hope my reply helps clarify some best practices around this topic, and I'd love to hear how others are managing their vendor re-assessments.  




  • 3.  RE: Reassessment cadence doesn't align to contract renewals

    This message was posted by a user wishing to remain anonymous
    Posted 08-28-2024 12:52 PM

    Great question. We handle this issue by coordinating assessments based on vendor risk. Our approach aligns with the cadence Christine mentioned:

    • Critical and high-risk vendors: At least annually
    • Moderate-risk vendors: Every 18 months to two years
    • Low-risk vendors: Every two to three years, or before contract renewal

    The only difference is that our review dates are based on two factors: when their security documentation expires, and 30 days prior to contract renewal. We use a GRC tool to manage this process, which provides us with reminders and a list of upcoming renewals to ensure we stay on top of things. Additionally, in the event of security incidents (e.g., with platforms like Snowflake or MOVEit), we can send out impact questionnaires. This is another way we meet our continuous monitoring requirements.




  • 4.  RE: Reassessment cadence doesn't align to contract renewals

    This message was posted by a user wishing to remain anonymous
    Posted 08-28-2024 02:02 PM

    Thank you both. We have that same cadence.

    As an example, let's say a contract was signed in February 2024, but the assessment was missed and so was completed after contract execution, in May 2024. I'm thinking I should move the reassessment from May 2025 to February 2025.

    Most often there's no conflict between security documentation expiration and contract renewal aligning, but what if there were? Would you generally choose 30 days prior to contract renewal over security documentation expiration, or the other way around?




  • 5.  RE: Reassessment cadence doesn't align to contract renewals

    Posted 08-28-2024 04:05 PM

    Thank you for providing the example, and I just want to make sure I understand your process. It seems like your "assessment" is referring to the overall process of the inherent risk assessment + due diligence. Does this mean that the vendor contract was signed before you performed an inherent risk assessment and collected due diligence? These activities should be completed before you sign the contract, but I understand that some organizations might not follow this process if they're not heavily regulated in TPRM.

    If I understood that correctly, I would recommend re-evaluating your process to ensure that the risk assessment and due diligence are performed before contract execution on all new vendor engagements.

    In the example you provided above, it may be more effective to set that risk re-assessment date to a month or so before the contract renewal so you have enough time to review those due diligence documents and address any issues. And moving forward, you could keep that new re-assessment date.

    And as far as documents that have expiration dates, those should always be collected whenever they expire, which might be outside of the contract renewal date and risk re-assessment date.

    Here's what this whole process might look like for a new vendor:

    January 2024 – You perform an inherent risk assessment on a new vendor, which results in a high-risk rating and critical classification. During the due diligence process, one of the documents they submit is an insurance certificate that is valid through June 1, 2024.

    February 2024 – The vendor contract is negotiated and signed, with a term length of 12 months.

    Note: Make sure you're aware of any auto-renew clauses, to allow for enough time to re-review the vendor. For example, the contract might say something like: "This agreement will auto-renew for 12 months if the customer does not provide written notice of non-renewal at least 45 days in advance of the contract term expiration date." In this case, the periodic risk re-assessment should occur well before 45 days prior to the renewal date.

    Late May 2024 – You request an updated insurance certificate from this vendor.

    August 2024 – You perform a mid-term contract review.

    December 2024 – You perform a periodic risk assessment on this vendor, 2 months before the contract auto-renew date. If the vendor owner determines there are changes to the vendor engagement, you may need to collect additional due diligence. From there, you can make decisions about renewing the contract or letting it expire.
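As an added example that is not part of the thread, a small Python scheduler that applies the rules from replies 3 and 5 (the earlier of the tier cadence and a lead time before renewal, backed off further when an auto-renew clause requires notice, with expiring documents collected whenever they expire) together with reply 2's check that the assessment in hand at renewal is no more than six months old. The choice of the shorter end of each cadence range, the 30-day lead before the notice deadline and the sample vendor's dates are assumptions of this example, not figures from the thread.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Cadence by risk tier, in months. The thread gives ranges ("18 months to two years",
# "two to three years"); the shorter end is used here as a conservative default (an assumption).
CADENCE_MONTHS = {"critical": 12, "high": 12, "moderate": 18, "low": 24}

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last valid day of the target month."""
    carry, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + carry, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class Engagement:
    vendor: str
    tier: str
    last_assessment: date
    renewal_date: date
    notice_days: int = 0  # auto-renew non-renewal notice period; 0 = no auto-renew clause
    doc_expiries: dict = field(default_factory=dict)  # document name -> expiry date

def notice_deadline(e: Engagement) -> date:
    """Last day to give non-renewal notice (equals the renewal date without auto-renew)."""
    return e.renewal_date - timedelta(days=e.notice_days)

def next_reassessment(e: Engagement, lead_days: int = 30) -> date:
    """Earliest of the tier cadence date and the renewal-driven date. Renewal-driven =
    lead_days before the notice deadline: 30 days before renewal for a plain contract (reply 3),
    30 days before the notice cut-off for an auto-renewing one (reply 5). The lead is assumed."""
    cadence_due = add_months(e.last_assessment, CADENCE_MONTHS[e.tier])
    return min(cadence_due, notice_deadline(e) - timedelta(days=lead_days))

def is_current_at_renewal(e: Engagement, max_age_months: int = 6) -> bool:
    """Reply 2's rule: the assessment in hand at renewal should be at most six months old."""
    return add_months(e.last_assessment, max_age_months) >= e.renewal_date

def schedule(e: Engagement) -> list[tuple[date, str]]:
    """All dated tasks, sorted; document refreshes land wherever the document expires."""
    tasks = [(next_reassessment(e), "periodic risk re-assessment")]
    tasks += [(exp, f"collect renewed {name}") for name, exp in e.doc_expiries.items()]
    if e.notice_days:
        tasks.append((notice_deadline(e), "last day to give non-renewal notice"))
    return sorted(tasks)

# Constructed sample mirroring reply 5's timeline: assessed January 2024, critical tier, 12-month
# contract renewing 1 Feb 2025 with a 45-day notice clause, insurance certificate valid to 1 June 2024.
SAMPLE = Engagement("ExampleVendor", "critical", date(2024, 1, 15), date(2025, 2, 1), 45,
                    {"insurance certificate": date(2024, 6, 1)})
```

For the sample vendor the schedule comes out as the certificate refresh on 1 June 2024, the re-assessment on 18 November 2024 and the notice cut-off on 18 December 2024, and `is_current_at_renewal` shows why the January assessment alone would not satisfy reply 2's six-month rule at renewal.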