Due Diligence and Ongoing Monitoring

  • 1.  Venmonitor

    Posted 02-21-2024 11:20 AM

    Hello, our financial institution recently began using Venmonitor (Daily Refresh and Point in Time) for our critical vendors. I was wondering for those of you who have used it before if you could please share some best practices. 



  • 2.  RE: Venmonitor

    Posted 02-26-2024 10:04 AM

    Hello Angelica! 

    Happy to assist! I do have a follow-up question for you, just so I can better understand your ask. Are there any best practice types you are specifically wanting to know? This could be around notification consumption, how to read/understand the data, when to use Venmonitor™, etc. Knowing this will aid me in making sure I point you in the right direction.

    In the interim, a few typical best practices I would recommend, would be: 

    1. When to use Daily Refresh vs. PIT - Typically your critical/high-risk vendors would be what you use your Daily Refresh for. PIT is a great option to use when onboarding a vendor, or maybe when one of your moderate- or low-risk vendors has an incident and you want to do a pulse check on them; the PIT option is a great way to do that.
    2. Sending a questionnaire - this could be prompted if Venmonitor™ scores drop below a certain threshold that your organization deemed acceptable.
    3. Deeper due diligence reviews - depending on the Venmonitor™ scores, you may decide that additional due diligence is needed, and could then take advantage of the Venminder Control Assessments, to perform that deeper level review or perform those internally. 
    4. Unresponsive vendors - If you have a stubborn vendor that won't provide due diligence, Venmonitor™ is a great resource to use to evaluate those unresponsive vendors. This falls in line with interagency guidelines pages 36-37.

    I'd love to hear how others are utilizing Venmonitor™, also.




  • 3.  RE: Venmonitor

    Posted 02-27-2024 09:30 AM

    Hi Ashley, 

    Yes, I was looking for more information surrounding how to go through the results and understand the data. For example, what does an increase in a rating mean for us and the vendor, etc.? Also, proactively communicating with our vendors about changes and how to dive deeper and conduct the necessary due diligence.

    Where would I go to locate the interagency guidelines that you mentioned?

    Thank you, 




  • 4.  RE: Venmonitor

    Posted 02-27-2024 12:46 PM

    Angelica,

    I have linked 2 articles for reading the data and understanding the scoring/weighting from our support center as I think you'll find these helpful:

    You can find the Interagency Guidance here.

    To determine the impact of the weighting on your organization, you need to determine the level of risk that is acceptable and the actions that need to be taken in case of non-acceptable elevated risk levels. One example of such an action could be conducting more intensive due diligence. For instance, if the Argos score indicates vulnerability, you may decide to initiate a Financial Review. Similarly, if a cyber alert is received from any of the partners due to a data breach, you may decide to send a questionnaire, open an issue to monitor the situation, conduct a contract review, and incorporate additional clauses or modify existing ones to ensure that the vendor is managing and storing data in a secure manner.

    I'd like to also note that Venminder is a reseller of the full partner solutions should you want to explore any direct login options. Hope all of this information helps! I'd love to hear from other members if anyone has additional Venmonitor™ best practices to share.




  • 5.  RE: Venmonitor

    Posted 03-04-2024 10:05 AM

    Hi Ashley, 

    Thank you so much for your assistance and all the information you provided. This is a tremendous help and will lead me in the right direction. 

    Thank you, 



    ------------------------------
    Angelica Gallegos
    ------------------------------