This message was posted by a user wishing to remain anonymous
Monthly, we report:
- Total Vendor counts by Tier (based on risk/criticality), Cloud, On-Prem, and Foreign
- The vendor name, tier, etc. for any new and/or terminated vendors since last report
- Vendors on our watch list, due to performance issues, financial stability concerns, etc.
- Vendors currently under consideration or in the initial vendor review process
- Vendors past due for their periodic review – the Board wants assurance that we're keeping up with periodic reviews
Annually, we provide a complete list of all vendors, sorted by Tier, but also showing Cloud, On-Prem, and Foreign.
Senior management and vendor owners also receive a monthly report showing all vendor services whose contracts are coming due for auto-renewal in the next 120 days.
Original Message:
Sent: 02-01-2021 03:43 PM
From: Anonymous Member
Subject: What to report to boards?
We are really struggling with reporting. We are supposed to report to an Enterprise Risk Management board (internal management) and the Risk Committee of the Board (Director level), and we're just having trouble discerning what is truly meaningful and beneficial. What type of information do you typically report at your institution and how often is that reporting taking place? Any help is GREATLY appreciated!