Due Diligence and Ongoing Monitoring

  • 1.  Due Diligence Audience

    This message was posted by a user wishing to remain anonymous
    Posted 07-23-2025 09:04 AM

    Who in your organization receives vendor due diligence?

    In our financial institution, due diligence summaries are sent to the department SVP, VP, and Director, and the General Counsel.  A few weeks later, the department VP must formally acknowledge that the due diligence was received, reviewed, and CUEC/UER tested (if applicable).

    Due to some risky situations uncovered recently with a couple of critical vendors, and our organizational structure (in many cases, the VP accepts AND manages the risk), I believe that others outside of the immediate department should receive due diligence summaries so that the risks are more widely known. 

    If I propose this change, the first question I will receive is "what do other organizations do?"  How is due diligence communicated in your organization and to whom?



  • 2.  RE: Due Diligence Audience

    This message was posted by a user wishing to remain anonymous
    Posted 07-23-2025 02:08 PM


    In our organisation, risk acceptance generally requires multiple approvals and acceptance. At a high level:

    • Risk Input Form is completed
      • Contains info about the risk, types of data, systems, compensating controls, remediation plans, etc.
    • Request is reviewed by a risk manager who
      • gathers any additional information
      • provides an assessment and recommendation
      • sends request to senior management who own the 'business' function that has the risk and to any others that may be impacted
        • for example if it is a finance system, both the CFO and CIO must accept the risk

    Far from perfect, it works most of the time.

    Hope it helps.