Due Diligence and Ongoing Monitoring

  • 1.  Law Firms

    This message was posted by a user wishing to remain anonymous
    Posted 10-08-2025 08:31 AM

    Curious how other TPRM groups are vetting Law Firms within their organization. We have an unintentionally large volume of Law Firms that we do business with; there is no written process for onboarding them or vetting their services. I feel like this is a big miss considering the NPI and PII they may have access to.

  • 2.  RE: Law Firms

    This message was posted by a user wishing to remain anonymous
    Posted 10-08-2025 01:28 PM

    Good question. Firms I have worked with have also had the same challenge. I think all law firms need to be assessed in some way, but it should be proportionate, depending on a firm's ongoing reliance on them and the sensitivity of any data shared with them. As a general rule:

    High Risk - Retained external counsel managing ongoing regulatory investigations

    Medium Risk - Panel law firms for contract, litigation or corporate advisory work

    Low Risk - Ad-hoc local counsel for minor employment or property matters

    Therefore, for High and Medium risk services we would perform full-scale due diligence; for Low Risk, maybe just an NDA and a background check.