If they have just been acquired, likely they continue to work on combining operations, policies and procedures. For many of the controls, there may not yet be an impact.
I would suggest at minimum a financial review of the acquiring entity to make sure they appear stable with operations likely to continue. I would additionally add that entity to your OFAC process if you are a bank. Finally, I would do some high-level due diligence looking at reputation and any issues/complaints for the acquiring entity.
It probably makes sense to complete the next full review off cycle, in the next 12 months versus the next 24. That will allow time for any consolidation of or changes to operations, policies or procedures to be completed so you can level set your review and assessment of the risk based on the new structure.
Shelly
------------------------------
Shelly Chase
AVP Operational Risk
------------------------------
Original Message:
Sent: 10-26-2022 11:16 AM
From: Anonymous Member
Subject: Vendor acquired after assessment was completed
This message was posted by a user wishing to remain anonymous
Hello,
Recently we completed our risk assessment and due diligence on one of our vendors (Moderate vendor - RA & DD every other year). However, 3 months later they agreed to be acquired by another company.
So, my question is:
1 - Go back and complete a risk assessment and due diligence on the new company,
2 - Wait for the transaction to be completed, and then complete a risk assessment and due diligence on the new company,
3 - Wait until the next review cycle in 2 years?
Everybody's input is greatly appreciated.