Due Diligence and Ongoing Monitoring

  • 1.  Ongoing Monitoring - Next Review Date

    This message was posted by a user wishing to remain anonymous
    Posted 24 days ago

    Hello! Does ongoing monitoring need to be completed within the same calendar year as the next scheduled review date or by the actual date of the next scheduled review? For example, I have a high-risk vendor who needs to be reviewed annually. We started their annual review in April 2023, but it took quite a while to get the required / proper documentation from them, so the 2023 reviews were just finalized in Feb 2024. Should their next review date be April 2024, or should I just try to have those completed by year end since high-risk vendors are on an annual cadence?

    Thanks in advance for your help!



  • 2.  RE: Ongoing Monitoring - Next Review Date

    This message was posted by a user wishing to remain anonymous
    Posted 24 days ago

    We have a schedule set for 10 months out of the year for every department. For a department that only has a couple of vendors to be reviewed, if we find that maybe one vendor is late with sending us their due diligence, we move the whole department to a different month. For other departments, like IT, that have so many vendors to review, I complete the vendors we have docs for and report them to the board along with a list of which vendors could not be completed and why. Once they are completed, I send the same list to the board again, but this time with a part 2 showing the vendors that previously weren't completed.

    Knowing how long it takes to gather financials for some vendors, we have made sure they are scheduled towards the end of the year in Oct or Nov.




  • 3.  RE: Ongoing Monitoring - Next Review Date

    Posted 24 days ago

    We just recently changed our Policy to state "once per calendar year" vs. annually to deal with the issue of how long it takes to get docs from some vendors.  We also have a vendor do the ongoing due diligence reviews for most of our higher risk vendors and they start those reviews in April of each year. So, this policy change was also made to accommodate this schedule. If we find that we won't be able to complete a DD review on time, we would notify the Board.




  • 4.  RE: Ongoing Monitoring - Next Review Date

    Posted 24 days ago

    Hello,

     

    I have mine set to every 12 months unless there are changes, in which case it is completed earlier. I do not change the timeframe when it takes longer to get the documents. I keep my reviews within the contract termination timeline as well. This way, if there are drastic issues, they can be addressed prior to contract renewals. This allows for enough time to cancel as well.

     

    Thanks,



    Kelli Shoup | Technology Support Lead/Information Security Specialist

    The Farmers Bank








  • 5.  RE: Ongoing Monitoring - Next Review Date

    This message was posted by a user wishing to remain anonymous
    Posted 24 days ago

    We have a critical vendor review "season," per se. We start around April and typically wrap up reviews and board presentations by the end of the summer. Vendors that take longer to respond get reported later in the season. I'll review the dates of the documents that I have when we start to see if they would still be applicable to the time period of the current review season that we're in or if the vendor likely has a newer document available.