Due Diligence and Ongoing Monitoring

  • 1.  Oversight Requirements

    Posted 03-08-2022 12:41 PM
    I came from a financial institution where we categorized vendors as Critical, Moderate, or Non-essential. I am new to the inherent risk and residual risk ratings. I got hired on at a new credit union and the oversight tasks are confusing. For critical, high-risk vendors there is no question in my mind that the due diligence needs to be run annually and I need to review the BCP/DR, SOC, updated insurance certificate, cyber security review, info sec review, financial review and PCI compliance. Should I not review all of those for Critical vendors that are moderate or low risk as well? If that vendor went down and their product/service affected our financial institution with a huge impact, I would think that despite the risk, it's a critical vendor, and they are one of the most important vendors to keep an eye on? I believe the entire oversight automation requirements are not set up correctly and I want to change them. For example:
    For a Critical, high-risk vendor with no NPI access it is currently set to review the contract, SOC and BCP annually.
    But for a high-risk, non-critical vendor with NPI access it is set to review the same information as a high-risk, critical, NPI-access vendor annually. This does not make sense. Can someone help me?


  • 2.  RE: Oversight Requirements

    Posted 03-10-2022 10:44 AM
    My organization reviews all third parties at least annually and more frequently based on risk rating. Criticals are every quarter, at a minimum. Moderates, bi-annually, and Low or "non-essential", annually. Any third party could be reviewed more frequently based on issues or other things that might be going on.


  • 3.  RE: Oversight Requirements

    Posted 12 hours ago

    Hi All,

    How do you look at DD for Equifax and/or TransUnion? I am performing DD on both of them for the first time and when looking at the Better Business Bureau and CFPB, there are a lot of complaints on both of them. They also have low customer ratings on some of the customer review sites.

    They are both huge companies though, with hundreds of thousands of customers that they offer credit reports for. Many of them haven't complained. Do you consider the nature of the product or the number of complaints based on their overall volume?

    I haven't looked at Experian, but imagine they get a lot of complaints too.

    Thanks so much!

    Cheryl Turner




  • 4.  RE: Oversight Requirements

    This message was posted by a user wishing to remain anonymous
    Posted 12 hours ago

    I review TransUnion annually and although there are a lot of complaints, we take it as the nature of the business they provide. For them, we primarily focus on the business aspect and how it pertains to us, and if there is anything questionable on the Executive Summary reports I reach out for a further explanation.




  • 5.  RE: Oversight Requirements

    Posted 03-10-2022 11:35 AM
    We categorize our vendors as Critical, Significant or Non-Essential. Critical vendors are reviewed annually, Significant every other year, and Non-Essential every 3 years. Of course, if we are aware of any possible issues, then we can review more often.

    Within those categories, we determine if the vendors are a high, medium or low risk. If the risk level goes up at the time of the review, then we discuss how we want to handle it. Do we want to review and re-negotiate the contract? Do we want to leave it as is? Do we want to terminate the relationship? Communicate with the vendor regarding our issues and request that they resolve them? Things like that.

    I hope you find this helpful.

    ------------------------------
    Cheryl Turner
    ------------------------------