Risk Assessments

 View Only
Expand all | Collapse all

Vetting smaller vendors

  • 1.  Vetting smaller vendors

    Posted 04-02-2024 04:30 PM

    I am in the process of vetting some smaller vendors and attorney firms that does not have all the required documentation. Does anyone have a process or questions they use to vet smaller vendors that they can share? 



  • 2.  RE: Vetting smaller vendors

    Posted 04-03-2024 08:03 AM

    Hi, if you want to provide your email I can send you the questions we send our law firms 




  • 3.  RE: Vetting smaller vendors

    Posted 04-03-2024 08:25 AM

    Good Morning!

     

    I would be interested in seeing your questionnaire. 

     

    Thanks!

    Heather

     

    Heather Flewallen

    Third Party Risk Management – VP
    Fannie Mae

     

    Ask me about Third Party Risk or check out our Third Party Risk Resources page.



    This e-mail and its attachments are confidential and solely for the intended addressee(s). Do not share or use them without Fannie Mae's approval. If received in error, delete the message and contact the sender.

     

     


    Fannie Mae Confidential






  • 4.  RE: Vetting smaller vendors

    Posted 04-03-2024 08:48 AM

    What is your email address?




  • 5.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:52 AM

    Hi – sorry, I thought it would come through!  It's [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.] Thanks!

     


    Fannie Mae Confidential

    From: Tara Murray via Third Party ThinkTank
    Sent: Wednesday, April 3, 2024 8:48 AM
    To: Flewallen, Heather
    Subject: RE: Risk Assessments : Vetting smaller vendors

     

    What is your email address?




    Original Message:
    Sent: 4/3/2024 8:48:00 AM
    From: Tara Murray
    Subject: RE: Vetting smaller vendors

    What is your email address?


    Original Message:
    Sent: 04-03-2024 08:05 AM
    From: Heather Flewallen
    Subject: Vetting smaller vendors

    Good Morning!

     

    I would be interested in seeing your questionnaire. 

     

    Thanks!

    Heather

     

    Heather Flewallen

    Third Party Risk Management – VP
    Fannie Mae

     

    Ask me about Third Party Risk or check out our Third Party Risk Resources page.



    This e-mail and its attachments are confidential and solely for the intended addressee(s). Do not share or use them without Fannie Mae's approval. If received in error, delete the message and contact the sender.

     

     


    Fannie Mae Confidential




    Original Message:
    Sent: 4/3/2024 8:03:00 AM
    From: Tara Murray
    Subject: RE: Vetting smaller vendors

    Hi, if you want to provide your email I can send you the questions we send our law firms 


    Original Message:
    Sent: 04-02-2024 04:29 PM
    From: Michael Prowell
    Subject: Vetting smaller vendors

    I am in the process of vetting some smaller vendors and attorney firms that does not have all the required documentation. Does anyone have a process or questions they use to vet smaller vendors that they can share? 



  • 6.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:52 AM

    Good morning,

     

    I would as well.  Thank you.

     

    Best,

    Paula

    ______________________________________________________

    Paula McDonough Manager, Vendor Management and Legal Operations


    A close-up of a logo  Description automatically generated

     

     

     


    Classification: Internal






  • 7.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:07 AM

    You can send it to [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.]

    Thank You 




  • 8.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:14 AM

    HI Tara, 

    Can you also send to me at [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.]

    Thank you. 




  • 9.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:17 AM

    Hi, can you please send to me also? I'd love to review! [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.]




  • 10.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:24 AM

    i wouldn't mind seeing what you have too please 

    [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.]




  • 11.  RE: Vetting smaller vendors

    Posted 04-03-2024 10:54 AM

    I would also like the information! [email has been removed by the Community Manager for privacy reasons]. Cheers! 




  • 12.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:29 AM

    Hi Tara, I'd love to review what you have for law firms as well. You can send to [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.]. Thanks for sharing!




  • 13.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:52 AM

    Hi Tara –

     

    Any chance you would be able to provide your email and folks could privately email you if they would like a copy of your questions?  This is a great forum and I very much appreciate you offering your materials as a resource – the challenge is that all our inboxes will be flooded today with folks sending you their email addresses! Just trying to offer a better solution.

     

    Thanks,

    Mike

     

     

    Michael Magone  Director of Technology Services
    P: 406-655-2495
    Stockman Bank
     |  Technology - Billings

     






  • 14.  RE: Vetting smaller vendors

    Posted 04-03-2024 11:04 AM
      |   view attached

    Sorry for the inbox overload. If anyone wants to see what I use for our attorney questionnaire I provided a screenshot for you. 

    Tara


    Attachment(s)



  • 15.  RE: Vetting smaller vendors

    Posted 04-03-2024 09:52 AM

    Hi, Tara. If you could also send it to [email has been removed by the Community Manager for privacy reasons. Please view contact information or message the member directly by clicking on their name and choosing the Send Message option.] that would be great!




  • 16.  RE: Vetting smaller vendors

    Posted 04-03-2024 08:11 AM

    Back in the day (when GLBA was still a newborn), most vendors were clueless regarding the due diligence exchange that necessary for their regulated clients.  Often there were no internal processes for handling due diligence questionnaires and the last thing you wanted was to have risk content addressed by anyone on a sales team.

    I learned that the key was to locate the right vendor resource ('thank you, LinkedIn') which was often the CIO or head of IT back then and have a phone conversation with my questionnaire in front of me.  I always explained what I was doing and that the discussion notes would be incorporated into our formal 'vendor management' documentation.  It worked in the nascent days of the discipline and can probably be used for the small vendors.

    The associated reality is that many small firms do not have the resources or the governance maturity to be effectively providing services to regulated entities.  I work for a global financial institution and encounter this dilemma in niche markets where the choice of vendors is very limited (example, a payroll vendor in a country where you only have a dozen employees).  In such cases where there is weak assurance of controls or program maturity, there should be a solid internal review process to determine if the third-party risk is within the tolerance level of the business unit itself (financially) or the organization as a whole (cyber and reputation exposures).



    ------------------------------
    L. Beachy
    ------------------------------



  • 17.  RE: Vetting smaller vendors

    Posted 04-03-2024 12:06 PM

    Something to consider about smaller vendors.    The smaller vendor is more likely to succumb to a hack that implants ransomware or other breach that uploads into the vendor's client's system because the vendor is trusted and qualified.  Consequently, more information about their approach cybersecurity and data.   When qualifying counsel, we always ask if they are listed in Martindale Hubbel and ask about any pending liability claims.  Notification about breaches/cyber incidents need to be clear with professional and small vendor relationships, particularly if the engagement terms don't provide for timely notice. 



    ------------------------------
    Tony Schweiger
    Managing Principal
    The Tomorrow Group, LLC
    ------------------------------