Estimating the time for due diligence or a controls review is a complex question that must consider many variables. These include the complexity of the product or service, the vendor's response to risk questionnaires, the submission of due diligence documents, and the availability of your subject matter experts. It's a challenge that requires careful planning.
However, you can implement some measures to better estimate the time it might take and meet those turnaround times.
- Standardize your due diligence requirements and vendor document requests.
- In the vendor requests, provide precise descriptions of the documents you are requesting, what you seek to verify with those documents, and whether any substitutions are permitted.
- It's crucial to inform the vendor owner or stakeholder responsible for the vendor that due diligence requests have been made. It's their responsibility to ensure the vendor fulfills those requests within the allotted time frame.
- Do not start the clock until the vendor has provided everything necessary to begin the review.
- Secure a fixed time commitment each week from your SMEs.
- Once a review has been put into the queue, provide the vendor owner or stakeholder with a fixed due date that reflects the maximum. Provide updates if anything changes.
The average turnaround time for reviews can vary from two to six weeks in most cases. But how do you calculate it? Here are a few suggestions:
If you are using internal subject matter experts, you will need to secure a weekly time commitment from them to complete the reviews - let's say 6 hours a week as a baseline. Tracking the time it takes to complete a review can help you determine how many reviews can be completed in a fixed time frame. This number will need to be reviewed often and adjusted if necessary. For instance, if it takes an average of three hours to complete a cybersecurity review, you can expect about two reviews to be completed per week.
To gauge your turnaround times using this number, you need to consider how many reviews are in the queue and set a maximum limit. For example, if you have eight reviews in the queue and a single SME committing 6 hours (or two reviews) a week, that would be your allocation for the next month. If you want to set an expectation that reviews will be completed within 20 business days (four weeks), you cannot take on any more reviews until some of those have been completed, you secure more time from the SME, or you are granted access to additional SME resources, either internally or externally.
When you reach your limit, you could start sending overflow reviews to backup SMEs or outsource them entirely to ensure that you still meet the 20-business-day time frame. Alternatively, you could add additional time, such as 25 business days.
It's important to remember that while this creates a framework, in the real world, even the best plans can be interrupted. You may be asked to reprioritize a review to move it to the front of the line, or issues may be discovered requiring remediation that creates additional back-and-forth.
I hope some of this information is useful, but I would love to hear from other think tank members, too.
Original Message:
Sent: 05-28-2024 07:34 AM
From: Anonymous Member
Subject: Vendor onboarding - time to complete oversight
This message was posted by a user wishing to remain anonymous
Are there any 'industry standards' for the amount of time a security review could take when onboarding a new vendor?
We're trying to refine our onboarding processes and are experiencing the usual complaints about how long it takes to complete internal review, especially with software vendors. I'm trying to find information against which I can benchmark our current process.