With all the rapid changes, and regulations becoming more stringent at the prudential regulators, there’s an expectation that your third party risk management program is evolving too. When you sit back and look at the third party risk big picture, there’s a lot to manage, right? It would be helpful if someone could give you a checklist and say, “Okay. Here is your list of due diligence requirements for every single vendor you do business with. Just always request these documents and you’re golden.” I fully understand how much easier that would make it. However, unfortunately, it can’t be that way because not all vendors are the same. They’re not all created equal.
So, with all these expectations, and with so much to review, request and manage in so little time, what can one do? I’m here to share some insight regarding why you need to treat each vendor uniquely, some helpful tips to do so and how to ensure proper due diligence is being done.
Not All Vendors Are Created Equal
Third party due diligence can’t be a check-the-box activity. This is because adequate due diligence is tailored to the product or service being provided. If it’s not, then you’re not properly addressing risk.
Here are a couple of other reasons all vendors aren’t created equal:
- Not every vendor will have the same documentation. For example, the landscaping company won’t have a business continuity plan (BCP) and disaster recovery plan (DRP), so there’s not really a point in requesting one. Conversely, it would be a poor decision not to request and review a critical vendor’s plan, such as your core processor’s.
- Vendors often offer multiple products/services. In this case, you could be using one vendor for two or three different services. For example, if you’re using Jack Henry for core processing, check imaging and card advisory services, each service needs its own set of due diligence performed, and depending on the nature of the service, the oversight will vary. Some services require increased oversight.
It Can Go South Quickly
Your organization can be put in a position of substantial risk if you choose to treat all vendors the same. Let’s keep going with the business continuity and disaster recovery example. I know of an organization that neglected to gather ALL of their network security provider’s business continuity and disaster recovery plans. It just so happens that the vendor wasn’t properly testing the plans at least annually.
When a disastrous event impacted the network security provider’s operations, it trickled down to the organization using them. The network security provider was down for more than 2 days because the plan they had in place did not work – which is a huge deal! Had the organization reviewed all of the BCP/DRPs, they’d probably have realized that the vendor had failed to test appropriately and would have requested that controls be strengthened. And, with more frequent testing, the vendor would likely have realized they had a faulty plan in place.
How You Can Make It Easier
Believe it or not, you can make the entire due diligence process slightly less daunting by creating strong processes. Here are four recommendations:
- Outline due diligence requirements in your vendor management policy and program documentation.
- Create a model due diligence checklist that includes the types of documents you must request from every vendor. We call these foundational documents. It’s items like the tax ID #, secretary of state check, OFAC check, etc.
- Also, create helpful reference checklists that list the due diligence requirements for vendors in each risk category (e.g., high, moderate, low, critical, non-critical).
- Develop and understand any unique due diligence requirements for different company types.
Implementing these best practices should help tremendously. Be sure to set up alerts or reminders to review and update due diligence. It’s so important to continuously monitor vendors in order to protect your organization.
Remember, even if you have two vendors that provide similar services, it doesn’t mean that both vendors have proper controls in place. Trust but verify!
Make sure that you are handling due diligence properly. Download the eBook.