Due Diligence and Ongoing Monitoring

  • 1.  Vendor Response to Questionnaires

    Posted 27 days ago

    Hey all - we recently pulled a report to get a good idea of how many vendors respond to our due diligence questionnaire. We have close to a 50% response rate, but when we break it down to our critical vendors it is below 20% that will respond, with the rest only providing documents (or portal access) and possibly their SIG. I'm curious what is your experience and response rate? If you have higher than 50%, what do you feel makes your response rate successful? 

    TIA! 



  • 2.  RE: Vendor Response to Questionnaires

    Posted 27 days ago

    We found our response rates to be closer to 15% after initial contracts were written. We moved our critical vendors to a 3rd party vendor to improve their accountability and our record keeping. We still have a handful that take a couple of touches to accomplish the task at hand but we have increased our response rates to over 95% with our vendor's help.

     

    Misty Wilson

     

    Compliance and Quality Control Manager

     


  • 3.  RE: Vendor Response to Questionnaires

    Posted 26 days ago

    We are very selective in the vendors that are required to answer a questionnaire, provide a SOC report, and/or financials. First, we don't have the staff to read all the information contained so we limit it to our critical vendors only. Second, the information requested is based on the risk factor that made them critical. For example, if replacement difficulty is the only critical factor, we only request financials. If it is access to our environment, we don't ask for anything because that is on us. We control our security/access. We only ask for a SOC 1 when the vendor directly impacts our financials.

    When you implement controls on what you are requesting, your success rate will be much higher. A shotgun approach only makes more work for your team and may frustrate your vendors.



    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------



  • 4.  RE: Vendor Response to Questionnaires

    Posted 24 days ago

    We follow a risk-based approach, asking appropriate questions depending on what the supplier does for us and their business criticality, but we also find the response rate to be very low.

    What does everyone do when it comes to ongoing due diligence (refreshes) when their suppliers do not respond? What course of action do you take?




  • 5.  RE: Vendor Response to Questionnaires

    Posted 23 days ago

    Another option would be to perform "stacking". While a SIG (just an example) may not give you enough reasonable assurance (depending on supplier criticality, etc.), what if you were to add to your documentation that you also have a clean SOC and a verbal conversation with the supplier SME regarding the control in question? By stacking different/multiple items together, you have more of that reasonable assurance that the control is in place. Document what you verified and what the supplier would not share. Then, if possible, write up a statement noting how you reached a reasonable assurance by stacking multiple items. Thank you.



    ------------------------------
    Marlon Stone
    ------------------------------