Third party risk management is a constant cycle of dotting the I’s and crossing the T’s. With oversight guidelines from regulators, there’s plenty of material about what vendor managers should be doing to effectively manage their vendors.
To review, here are 5 key fundamentals:
- Pre-contract due diligence
- Risk assessments
- Ongoing monitoring
- Annual assessments
- Board oversight responsibility
Review Vendor Documentation
Let’s focus on the annual assessment function. Much attention has already been paid to the importance of organizing and performing the annual assessment, but as with any discipline, the mindset of “you don’t know what you don’t know” is one to keep at the forefront. Experience has shown that by the time you do need to know what you don’t know, the proverbial horse may already have left the barn.
Here at Venminder, we specialize in reviewing all types of documentation for our clients. These include reviews of SOC reports, financial statements, business continuity, disaster recovery and regulatory compliance requirements specific to the vendor type. Each review is performed by a subject matter expert in each category. Your organization should be reviewing these same documents or outsourcing the help.
Based on the many reviews we’ve conducted, we have created a list of common red flags as items to be aware of when performing your own assessments.
12 Red Flags in Vendor Reviews
Here are several red flags to watch out for:
- SOC report is “qualified” – this means the auditor found a control objective that was not implemented or not being followed by the organization
- SOC report exceptions with no management response, or a response that doesn’t address remediation
- SOC report is for a vendor who would store, process or transmit data, yet it describes no or few data center controls and makes no mention of a subservice provider
- Business Continuity Planning (BCP), Disaster Recovery Planning (DRP) or Business Impact Analysis (BIA) – any one of them doesn’t exist
- BCP/DRP never tested in any way
- The recovery time objective (RTO) and recovery point objective (RPO) were tested, not met, and there is no remediation response
- A vendor who stores personally identifiable information (PII) and doesn’t have an executive overview of a penetration test available
- Oversharing – a vendor who provides unredacted penetration test results (this is among the most sensitive data an organization can have, as it reveals which intellectual property is at risk, which vulnerabilities are open and what information an attacker would gain)
Specifically related to regulatory compliance, here are more red flags to watch out for:
- No record of staff training
- No mention of complaint management and tracking or remediation
- No oversight of fourth party vendors
- Lacks evidence of board approval of existing vendor management activities
Remember, at the end of the day, it’s your responsibility to protect your organization and its customers.
Have you made any of these common errors before? Download this infographic to see.