Third party risk management is a constant cycle. With oversight guidelines from regulators, there’s plenty of material about what vendor managers should be doing to effectively manage their vendors.
To review, here are 5 critical elements:
- Pre-contract due diligence
- Risk assessments
- Ongoing monitoring
- Annual assessments
- Board oversight responsibility
Review Vendor Documentation
First, let’s review the annual assessment function. Much attention has already been made regarding the importance of organizing and completing annual assessments, but as with any discipline, the mindset of “you don’t know what you don’t know” is one to keep at the forefront. Experience has shown that by the time you do need to know what you don’t know it may be too late.
Here at Venminder, we specialize in reviewing all types of documentation for our clients. These include reviews of financials, contracts, SOC reports, policy and program documentation and business continuity and disaster recovery plans. Each review is performed by a subject matter expert in each category. Your organization should be reviewing these same documents or outsourcing the help to experts, if needed.
Based on the many reviews we’ve conducted, we have created a list of common red flags as items to be aware of when performing your own assessments.
12 Red Flags in Vendor Reviews
Here are several red flags to watch out for:
- SOC report is “qualified” – Meaning a control objective wasn’t implemented or being followed by the organization
- SOC report exceptions without a response by management; or it could be that the response doesn’t address remediation
- SOC report is for a vendor who would store, process or transmit data and there are no/or very few data center controls or mention of a subcontractor
- Business Continuity Planning (BCP)/Disaster Recovery Planning (DRP)/Business Impact Analysis (BIA) is missing
- BCP/DRP were never tested
- The recovery time objective (RTO) and response period objective (RPO) was tested, but not met or mitigated
- A vendor who stores personally identifiable information (PII) and doesn’t have an executive overview of a penetration test available
- Oversharing - Sharing an organization’s confidential data that shares insight regarding intellectual property, which vulnerabilities to exploit and what information you’ll get.
Specifically related to regulatory compliance, here are more red flags to watch out for:
- No training of staff
- No mention of complaint management, complaint tracking or remediating complaints
- No fourth party oversight
- No evidence of board approval of existing vendor management activities
Remember, at the end of the day, it’s your responsibility to protect your organization and its customers.
Have you made any of these common errors before? Download this infographic to see.