Due Diligence and Ongoing Monitoring

  • 1.  Procurement and RFP workflow

    This message was posted by a user wishing to remain anonymous
    Posted 02-15-2024 02:19 PM

    Hello. I have been working in risk and TPRM for a few years but have a new role and it is at a far larger Credit Union than I have history with. 

    It has grown very fast, so many processes are being reworked. There is currently no RFP process and I need to develop a full procurement workflow. I would love to have some discussion about your workflows (when you get project management or InfoSec involved, do you use more than one questionnaire, what criteria do you consider when deciding if an RFP is needed, and the list goes on :)

    We are not ready to require a business impact or benefit analysis before executive approval, but I am thinking that once they have funding and have had demos, once they narrow it down to 3 vendors and it meets a $ threshold or impact requirements, then they need to send the same RFP to all potential vendors, which has the infrastructure/regulatory questions, but they can fill out the service questions on their own.

    Once we get each questionnaire back I would maybe send it to department SMEs for their technical review and ratings. 

    I'm just kind of thinking out loud, but I need to write this ASAP, so I would appreciate any policies, questionnaires or conversation you are willing to provide.



  • 2.  RE: Procurement and RFP workflow

    Posted 02-21-2024 01:39 PM

    Music to my ears. We have found different groups that handle due diligence work within a theme for the best interest of the company, or just the business unit (i.e., within the purview they work). This includes contract review, finance, business associate agreement tracking (HIPAA), confidentiality, cybersecurity due diligence, IT feasibility review, etc., and of course the business unit's need for the product/service and how it meets their and company objectives to executives, regulators, industry requirements, best practices, etc.

    A major driver regardless of spend is the presence of nonpublic data (NPI) access, storage, processing, transfer, etc., as defined by our regulator's cybersecurity requirements for our industry. While Finance may have already done their SOC1 reviews, as the vendor selection process progresses, any presence of NPI triggers a collaboration between Contracts and IT Cyber Due Diligence. For IT, we rank the vendor by the NPI into five tiers and have the strictest review (SOC2 report, company analysis, review of controls and public security, customer interviews, research), and the top two NPI tiers have a detailed cybersecurity questionnaire which we update based on public discovery or NDA-covered analysis of their SOC2 reports, so we can present it for signature to an executive responsible for security and authorized to affirm whether they have the ability to protect the CIA of our data. We repeat this for each of the vendors that make it to the pre-contract stage. A likely outcome has us supply a confidence rating (a term a peer on this forum uses), and give feedback on SLA or contract terms to the Contracts team and business unit.

    I acknowledge the importance of business units not cutting corners and having 2-3 finalists before due diligence or contract negotiations start. In one case, there was a hard lesson learned years back, where a department had a single vendor they worked on requirements with for over 8 months only to bring it for contract review and fail the Legal and Cybersecurity due diligence due to a sizable portion of the services and their network being tied into a disallowed country per our Federal government guidance. That vendor was dropped from consideration -- but without the solution owner having two other vendors -- the business unit had to restart their entire vendor selection process to meet their goals.

    I'd be curious and interested in what you or anyone else decided on for solving your procurement workflow after the initial contract. This is helpful as we are always assessing how we look at IT spend versus budget and coming up with a rating system to drive the frequency of our vendor reviews beyond contract end dates: to drive when to start a new RFP process, to go out to competitive bid, to seek alternatives due to performance (service or payment admin issues), and to see if we can improve external services used as technical and business changes occur.