Due Diligence and Ongoing Monitoring

  • 1.  Monitoring Frequency: based on inherent or residual risk?

    Posted 11-29-2022 02:03 PM
    Hi!
    Could you please share your thoughts and experience on the following:
    Do you schedule the frequency of the vendors' review based on the inherent or residual risk? And why?
    Thank you


  • 2.  RE: Monitoring Frequency: based on inherent or residual risk?

    Posted 11-29-2022 02:08 PM
    Hello,

    We schedule vendor performance reviews and due diligence reviews based on the inherent risk for that vendor.
    The reason we use inherent risk is to ensure the residual risk remains at an acceptable level and is fresh.
    Once the residual risk becomes stale we assume the vendor's residual risk is the same as its inherent risk and must be lowered with documents supporting strong security controls, financial health, and any other applicable risk domains.

    I hope this helps!


  • 3.  RE: Monitoring Frequency: based on inherent or residual risk?

    Posted 11-29-2022 02:12 PM
    Thanks, Cody.


  • 4.  RE: Monitoring Frequency: based on inherent or residual risk?

    Posted 11-29-2022 05:18 PM
    We base our ongoing monitoring on two key factors: the vendor type (also known as category and/or tier) = critical, significant, conventional; and the residual risk = low, moderate, substantial or high. A critical third-party provider with high residual risk would be monitored annually.

    ------------------------------
    Becky
    ------------------------------



  • 5.  RE: Monitoring Frequency: based on inherent or residual risk?

    Posted 11-29-2022 02:11 PM

    Hello! We were just discussing this topic this morning. We base the frequency on inherent risk. We feel that if we mitigate the residual risks with controls, then a high-risk vendor may not be reviewed at the frequency that they should be reviewed. For example, High Inherent Risk with controls is now Low Residual Risk. They would move from annual (high) to every three years (low).


    Tina O'Donnell, AAP, CCBRS    

    AVP Operational Risk Manager

  • 6.  RE: Monitoring Frequency: based on inherent or residual risk?

    Posted 11-30-2022 07:43 AM
    Hi Natalia, GM

    Ongoing monitoring (OGM) frequency is set on inherent risk. It is consistent, unless the service changes. Also, residual risk is a snapshot of control strength, and controls are dependent on people, budgets, technology and a vendor's overall strategic objectives. Therefore, a vendor's control framework is fluid.

    Also, if you use residual risk, you could overlook high-risk vendors (not have them on annual OGM), since their residual risk may end up with a low rating. In that case, high-risk vendors may be set to a 3-year OGM frequency. Certainly, this would catch the attention of regulators.

    Regards, John - happy to chat