This message was posted by a user wishing to remain anonymous
I would be interested in that same document if made available.
Original Message:
Sent: 04-20-2023 01:30 PM
From: peter wald
Subject: Risk Override Document
Can I please get a copy of that also?
Original Message:
Sent: 04-20-2023 11:42 AM
From: Cheryl Turner
Subject: Risk Override Document
Sounds perfect. Do you have a copy you can share? My email is below.
Thanks so much!
Cheryl Turner, CRVPM II
Vendor Manager
[Email has been removed by the Community Manager due to privacy reasons. You can reach out to the community member directly by clicking on their name, which will redirect you to their member profile to view their contact information.]
Original Message:
Sent: 4/20/2023 11:01:00 AM
From: Tina O'Donnell
Subject: RE: Risk Override Document
Hello! We have a simple document that asks the following questions:
- Describe the issue that was identified with the vendor:
- Describe the risk this issue presents to the organization:
- A risk acceptance must be approved by appropriate bank personnel based on vendor criticality level:
- The Vendor Owner and ERM sign the document.
Tina O'Donnell, AAP, CCBRS
AVP Operational Risk Manager
Original Message:
Sent: 4/20/2023 10:51:00 AM
From: Cheryl Turner
Subject: Risk Override Document
We have a committee that vets our vendors. It is made up of members of IS, IT, IA, ERM, Compliance, BC, Legal and VM. We review all the documentation to assess the risk, then determine if it is OK to move forward with the vendor.
We currently have a prospective vendor that will have our employee information. It is a smaller vendor, but they're not supplying the documentation we need to determine our employees' information will be secure. As a result, the committee is not recommending the vendor.
With that being said, if executive management wants to accept the risk anyway, they can do so.
I attended a VM Webinar earlier this week and they mentioned some sort of Risk Assessment document that we could have upper management sign off on to indicate that even though we believe the relationship with a potential vendor poses a lot of risk, management is willing to accept the risk. The document would be signed and dated.
Do any of you have a document you use for this purpose that you can share? I'm thinking we could use the same document to identify when we do approve a vendor, as evidence they were indeed vetted and approved by the committee.
TIA
Cheryl