Policy, Program and Procedures

  • 1.  Vendor DD vs. Third Party Service Providers

    Posted 07-23-2025 09:05 AM

    For those in the mortgage lending or financial institution space, how do you handle due diligence for Third Party Service Providers & Leadshare Agreements? Does it roll up to Vendor Mgt team or a different team? How extensive is your due diligence? Would anyone be willing to share their best practices?



  • 2.  RE: Vendor DD vs. Third Party Service Providers

    Posted 07-23-2025 02:10 PM
    Here is a summary of our procedure:
    The business owner plays a role in initial vetting and ongoing performance monitoring. The first step in onboarding is for the business owner to complete an Inherent Risk Assessment Questionnaire. This questionnaire helps classify the vendor according to its risk level, generating a risk profile based on how critical and dependent the service is. Using that risk profile, the Third-Party Risk Management (TPRM) team determines which due diligence documents are needed to address any identified risks. TPRM then asks the Business Owner to collect these documents from the vendor.

    It is important to always remind stakeholders that no contract should be signed and no service should begin until TPRM has completed its review and given formal approval. Once documents are received, TPRM conducts an initial review and initiates a Subject Matter Expert (SME) review through the designated software platform, including a full assessment of the agreement itself. If the vendor passes due diligence, TPRM notifies the Business Owner and grants permission to proceed with executing the agreement.

    However, if gaps are found in the documentation, TPRM will either request missing materials, secure a vendor attestation, or recommend amending the agreement to include necessary clauses. At every stage, the process must follow a risk-based approach, and under no circumstances should a contract be finalised without proper due diligence and TPRM approval.




  • 3.  RE: Vendor DD vs. Third Party Service Providers

    Posted 07-24-2025 01:17 PM

    Hello Olawale,

    Your procedure is very similar to ours here at the Ohio Public Employees Retirement System. The challenge I often face, however, is being made aware of a new vendor to begin the risk and due diligence processes. What process do you use so you are informed the business is working with a new vendor before they go straight to contract review with the Legal team?

    Any information you can provide is helpful. Thank you,



  • 4.  RE: Vendor DD vs. Third Party Service Providers

    Posted 07-25-2025 01:12 PM
    Thank you for your message. At our organisation, we've established a clear process outlined in our Third Party Risk Management (TPRM) procedure, which mandates that all vendors must undergo TPRM screening prior to any engagement.
    Business owners are routinely reminded not to engage vendors until they've been assessed and onboarded by the TPRM team. However, we do understand that in practice, some business units may occasionally bypass this process, often due to urgency, oversight, or the perception that it's a one-off engagement.
    To address this challenge and reinforce compliance, we've implemented a control that requires the Finance team to verify with TPRM whether a vendor has been properly onboarded before processing any invoices. This checkpoint has proven effective in curbing unauthorized engagements and keeping our risk posture aligned with policy.
    I hope this helps!


  • 5.  RE: Vendor DD vs. Third Party Service Providers

    This message was posted by a user wishing to remain anonymous
    Posted 07-25-2025 01:12 PM

    You are not alone! It is an ongoing challenge for us at times. Larger vendors not so much but the smaller ones or the ones that do not require a contract are hard to contain. We have a very close relationship with our Legal team so anything that comes to them they check with us to make sure it has gone through DD. 




  • 6.  RE: Vendor DD vs. Third Party Service Providers

    This message was posted by a user wishing to remain anonymous
    Posted 25 days ago

    I totally agree with your process in principle. In practice it's not always so smooth to perform due diligence and obtain required documentation on certain third party services/providers (subscription services, market exchanges, clearing houses for example). How do you tend to manage the due diligence process for these service types to ensure you are comfortable to proceed?