Due Diligence and Ongoing Monitoring

  • 1.  Vendor Management Disagrees with Business Owner

    This message was posted by a user wishing to remain anonymous
    Posted 29 days ago

    Our Vendor Management typically does not make decisions about Business Owner vendor choices as long as the due diligence passes our criteria, and Technology and Project Management sign off. 

    Right now, we are reviewing a vendor that doesn't seem like a good fit for our organization, has provided two consecutive years of unaudited financials that are so different they can't be compared, has some adverse media, is too new to have complaint history, etc.  This vendor also has the potential to drive volume in customer service areas, and the Business Owner cannot explain the vendor's process without going to the vendor.

    This is the first time that Vendor Management has recommended that we pass on this one for now, and re-visit in a year or two.  The Business Owner wants to move forward with this "future facing" vendor.  VM has requested that representatives from all potentially impacted areas meet to talk about this vendor and decide as a group.  Since this approach has not been needed previously, we're getting some push back. 

    Any tips for handling this situation?


  • 2.  RE: Vendor Management Disagrees with Business Owner

    This message was posted by a user wishing to remain anonymous
    Posted 28 days ago

    We have a couple of things to address this:
    1- We have a governance group related to all things third party that includes representation from lines of business, technology, risk, vendor management, TPRM, Compliance, IA, Info Sec, Procurement and technology, in which we discuss things like Procurement's work in process, emerging and current risk, status on due diligence and findings remediation, watch list updates, etc. This group meets monthly, so as a starting point we could bring this up in this forum to engage a conversation along the lines of a credible challenge.
    2- For a vendor who does not meet our due diligence standards, the business must pursue a risk acceptance and submit a detailed document explaining the deficiency, the risks associated with the deficiency and how they will be mitigated. This process is documented in our TPRM program and there is a procedure to follow to document it.
    This RA document is then reviewed by me for my input, and then our operating committee must review and approve. If our CRO does not agree with OpCo and the business decision, then it would go through the Executive Committee and ultimately the board risk committee, who would make the final decision. All of this is archived for audit and regulatory review (should they ask for it) to demonstrate that this was escalated and reviewed appropriately for a decision.
    At the end of the day, I need to demonstrate that we disagreed and escalated for appropriate visibility to get to a final approval or denial that is documented. I look at it this way: if something goes wrong, I am not the one who allowed the exception as the head of TPRM. I am the one who called it like I saw it, and let the others make the decision and document that decision. When the regulators come in to review, it isn't me they are going to question about it, as my objection was documented. Good luck!


  • 3.  RE: Vendor Management Disagrees with Business Owner

    Posted 26 days ago
    As the other poster states, this is a governance and documentation issue.
    If policy and procedures don't have a clear "approval" process defined, you may have a harder time.

    My process is similar. TPRM approval is required for all non-critical third party engagements (so, I do have final say; to an extent).
    If it's critical, then the Board Risk Committee has to approve, and they look to me for guidance (that is, did it pass TPRM and do I recommend approval). I know the "approval" in the second line is a bit controversial, but everyone kept asking for my approval, so if they want me to have the job, I took it and put it in policy.

    That said, in procedures, they can escalate to CRO, GC and Board Risk Committee. So I can tell the list line, if you disagree with them and still want to move forward, follow this process (and I have a form) and seek approval from CRO, GC and BRC. That all gets documented.

    BTW, no one has yet sought to escalate to BRC for approval. A few went to CRO and GC; both said, "What did TPRM say?" When they responded that TPRM didn't approve, both CRO and GC said, "You might want to listen to TPRM." No one has gone to the Board to override me, yet. :-)

    That doesn't solve your problem, I know. What you may want to do is walk the business unit through the bad-day scenarios, and if they still want to move forward with management's blessing, then insist on a short-term contract (12 months or less)... when it goes sideways you want to be able to get out without too much pain.
    Good luck!

    ------------------------------
    Bradley Martin
    ------------------------------


  • 4.  RE: Vendor Management Disagrees with Business Owner

    This message was posted by a user wishing to remain anonymous
    Posted 23 days ago

    Thank you, some good ideas in both responses!