During our recent three-day Third-Party Risk Management Bootcamp September 14-16, we had a lot of GREAT questions come in and wanted to compile and share the answers. Below you'll find third-party risk management questions and answers posed during Day 1, Day 2 and Day 3 sessions.
SESSION 1: Inherent Risk & Criticality Assessment and Due Diligence & Residual Risk Determination on Vendors
Led by Venminder’s Hilary Jewhurst, Third-Party Risk Evangelist and Advocate, where she provided an overview of the third-party risk management lifecycle and discussed the importance of understanding inherent risk and criticality. She also covered the fundamentals of vendor due diligence and residual risk.
Q1: What are the components of the exit strategy? Do you have any template for creating an exit strategy?
Answer: Your exit strategy should consider the following:
- BCP considerations should the termination not go to plan
- Contract terms
- Conditions of termination
- Notice to vendor
- Any penalties for early termination
- Replacement strategies (use another vendor, bring it in house, discontinue the product or service). If moving in house consider if resources are available, including recruiting budget, employees, equipment, managers, etc. If using another vendor is an option, note if the vendor is identified or if an RFP will be required.
- Timeline for onboarding a new vendor, transitioning to an existing vendor or bringing in house, including ramp up requirements, training, testing etc.
- Timeline for notifying existing vendor and ramp down
- Return of data or assets
- Record keeping
- Stakeholders’ roles and responsibilities
- Any upstream or downstream dependencies on the process, product or service
While we don't have a template to share at this time, the above should help you build a fairly robust exit strategy.
Q2: Do all the vendors need to sign the ethical code of conduct? If the vendor refuses to sign, then what is the necessary action? Also, can the ethical code of conduct be merged with the vendor registration form?
Answer: I recommend that every vendor signs a contract code as a condition to do business with your organization. You need to ensure that the requirements included in the code of conduct are straightforward and apply broadly to all vendors. More specific requirements should be captured in the contract.
Merging the code of conduct into the vendor registration is the best way to ensure the vendor will sign it. However, consider those prominent vendors (banks, Google, AWS, and the like) who typically don’t participate in using the portal, due diligence questionnaires, etc. Most of the time, you can only do business with them if you use their contract. In those situations, you will have to have a documented exception.
For those vendors not in the category above, I would ask for a written statement as to why they will not sign the code of conduct. You can evaluate the reasons and make an exception if there is a legitimate and acceptable rationale for refusal to sign. Be wary of vendors who do not agree to sign a code of conduct.
Q3: Who in the TPRM lifecycle is responsible for assessing inherent risk?
Answer: Typically, the vendor owner is responsible for providing the details for an inherent risk assessment that is usually automated by applying a scoring mechanism. In other cases, risk, procurement or TPRM may conduct the actual assessment.
Q4: Who should assess whether the vendor's insurance is sufficient or not? Is it finance, legal or vendor management? What do you take into consideration?
Answer: Usually, insurance minimums and types are determined through risk, legal and finance. However, each engagement has unique liability types and amounts that should be considered based on many factors, including the costs of compensating injured consumers and customers, paying legal fees or fines, and the cost of lost product, uptime, throughput or production.
When it comes to the types of insurance, a general liability policy will not cover an information security breach that requires cyber insurance. Many other considerations factor into what types and amounts of coverage are necessary. Many organizations do not understand what sufficient coverage entails and therefore are insufficiently covered.
My advice is to work with the insurance company from which your organization purchases its coverage. They should be willing to advise on types and amounts of coverage or methods to get the correct number.
Q5: Is there a suggested tiering list for the criticality of a vendor such as critical, high, medium and low?
Answer: Remember that criticality is not a risk rating. Instead, it’s a label that identifies a vendor as critical to business operations. Without critical vendors, the business comes to a standstill. You may have many high-risk vendors that are not critical. Almost without exception, your critical vendors will also be high risk. To keep things standardized and straightforward, a risk tiering system should only need high, moderate and low levels.
Q6: Do you have guidance to offer regarding the optimal way to establish "cutoff points" for low/moderate/critical tiers as part of the inherent risk assessment?
Answer: Remember that criticality is not a risk rating, but it’s a label that identifies a vendor as critical to business operations. In other words, the business comes to a standstill without its critical vendors. Risk tiers, however, speak to the specific risks inherent in the activity. While the actual cutoffs in each tier vary in each organization, I would give this piece of advice. If your vendor has connectivity to your systems, interfaces with your customers or has access to customer data, no matter what, they should be considered high risk.
Q7: Should we revise the rating after the due diligence is performed? For example, what if we do an initial classification of a vendor and the vendor is rated as high risk?
Answer: The answer is most decidedly no. Inherent risk ratings are the only risk ratings used when speaking about the risk or determining what risk management activities are necessary. After completing due diligence, you can determine residual risk, which should only be used to indicate how confident you are in the controls or if more work must be done before your organization can accept the risk.
Q8: Our company considers any vendor with access to sensitive data as a critical vendor. Is this a unique approach?
Answer: While not unique, the approach may be excessive. Let me explain why. Any vendor with access to sensitive data should be high risk and critical if any of the three questions below are answered "yes".
- Would the sudden loss of this vendor cause significant disruption to your organization?
- Would that disruption impact your customers?
- And, if the time to recover those operations exceeded 24 hours, would there be an immediate negative impact?
Your critical vendors are the ones that truly impact your ability to operate. However, many organizations also incorporate these considerations:
- Are significant financial investments, resources and time required to implement the third-party relationship and manage the risk?
- Would there be a material impact to the organization's operations or resources to engage an alternate third party or if the outsourced activity must be brought in-house?
- Could the third-party vendor failure negatively impact your reputation and brand?
- Could the third-party vendor failure attract regulatory scrutiny or result in enforcement actions, including fines?
The last bullet resonates with me as to why your organization might consider those vendors critical. Does anything change in your TPRM requirements if a vendor is deemed to be critical? You may have many high-risk vendors that are not critical. Almost without exception, your critical vendors will be high risk also. Your high-risk vendors should have the most robust due diligence, contracting standards and monitoring, no matter what. But those high-risk vendors that are also critical might have additional considerations related to operational resiliency. For example, they may need to be incorporated in BCP exercises while others may not.
Q9: How do we handle something like "lawn care service company?" Not critical, but perhaps a good idea to document and store just in case.
Answer: All vendor relationships should be documented, risk assessed and managed in proportion to their risk. That means the lawn care company will go through an inherent risk assessment and probably rate low, which is more or less the end of it. It’s really up to your organization how much monitoring to do (if any) after that.
Q10: Does vendor management need to be involved at all in the RFP process?
Answer: That is entirely up to your organization. However, I do feel like TPRM should provide a list of requirements to be included in the RFP, such as the requirement to undergo due diligence, remediate findings, participate in regular performance reviews and provide updated documentation and information on periodic basis.
Q11: Where should the third-party risk management ideally reside in the overall organization? Should it be the sourcing team where the overall vendor lifecycle resides, the enterprise risk management that’s responsible for the overall risk oversight, or someone like a cyber security team responsible for arguably the most significant risk of all?
Answer: If only there were a perfect answer to this one. This is handled differently across organizations. In my opinion, the ideal place for TPRM to sit is within the enterprise risk function. That alignment usually works exceptionally well as third-party risk is RISK, after all. The alignment to risk usually improves TPRM’s visibility while messaging to the organization that the TPRM practice is an important one.
Q12: What if the vendor can provide read-only copies of documents or reviews through WebEx only?
Answer: That situation does occur. When this is the case, there should be a person designated to document the review in writing as the subject matter experts evaluate the documents. If the vendor allows it, the review can be recorded as an audio file. Your documentation is essential when the vendor provides none.
Q13: How do you tie in vendor risk assessments to business continuity planning? Business continuity and third-party risk management are separate functions in our organization.
Answer: While they may be separate functions, vendor BCP is an element of risk that must be accounted for, especially when that vendor is critical. Those responsible for your organizational BC/DR must have visibility to the BC/DR plans, tests and results for those vendors on which your organization has material operational dependencies. The best advice is to talk to your internal BCP team.
Q14: What would you do to find out if there are litigation or judgments?
Answer: It depends entirely on the circumstances. If you do see something questionable, it is best to seek advice from your legal department.
Q15: Is a documented residual risk analysis suggested for low and insignificant risk vendors?
Answer: No, you only have to think about residual risk after due diligence. Since many relationships require no to little due diligence, residual risk won't be a factor.
Q16: How do you determine who should be the "vendor/relationship owner"? Is this usually reserved for senior management, or is this sometimes dispersed amongst department heads?
Answer: Suppose there is any question about who owns the relationship and is therefore responsible for TPRM activities. In that case, it’s best to approach the department management using the vendor. When there are multiple departments, that decision may fall to senior leadership.
Q17: How are customer and vendor screenings different?
Answer: KYC (know your customer) is the screening method used to identify the customer's identity, correct contact information, and determine if they could be on a sanctions list or involved in illegal activity.
Vendor due diligence includes those same verifications but also investigates the vendor's control environment.
Q18: It was suggested that residual risk is a measure of controls effectiveness, and that it isn’t advisable to use residual risk “scores” to determine ongoing monitoring. For my team, we use residual risk scores to determine frequency of ongoing assessments (quarterly/semi-annual/annual) to ensure the controls’ effectiveness is still valid (or improved). Any reactions to this approach?
Answer: Yes, I would advise against that approach. As an example, let's suppose you have a high-risk vendor that seems to have excellent controls, as noted during their initial due diligence. So, you move that vendor from high risk to medium risk. Let's also suppose that high-risk vendors go through a risk review annually. In contrast, medium-risk vendors are reviewed every two years. Moving to the monitoring schedule of a medium-risk vendor completely disregards the reason the vendor was high risk in the first place. Assume they were high risk because they had access to data. Now consider all the recent breaches and cyberattacks potentially affecting that vendor. But, you’re not reviewing them this year because of a point-in-time assessment from last year. The controls were satisfactory at the time, but can you be sure they still are? What happens if there is a breach? Could you justify your decisions? Some food for thought.
Q19: What is the most efficient way to initiate due diligence for existing vendors (that have been with our organization for years) that have never gone through the cycle before?
Answer: This is quite common, but the best approach is to notify the vendor owner of the requirement and provide any additional information they need to get started. Issue the due diligence questionnaire and document requests as you typically would. If something undesirable is discovered during the due diligence, you will have to address it ASAP. You may need to request a risk approval from senior leadership until the vendor is in compliance, or you may need to terminate the contract.
Q20: What is your opinion on TPRM program exclusions for entities such as state or other government agencies (Department of Motor Vehicles, Housing Agency)? No money is exchanged, no power to negotiate, but service is provided.
Answer: It depends on your relationship to those entities; if you’re exchanging sensitive data or there are regulatory requirements that must be met in the course of that relationship then I do recommend putting them in scope. However, assume it’s something like a tax collection board, or a judge. In those cases, you’re not in a business relationship but rather responding to a legal requirement. Whatever you decide, make sure you can document and defend your rationale if it should come up in an audit or exam.
SESSION 2: Vendor Selection & Contract Management and Ongoing Monitoring
Led by Venminder President Kelly Vick, where she provided details pertaining to what should be considered in vendor selection and vetting. She also gave an overview of best practices for contract management, SLA management and continued vendor due diligence and ongoing monitoring.
Q1: Can you please share a sample third party due diligence policy?
Answer: Here is a link to a sample policy. Hopefully, this will be helpful.
Q2: We usually obtain signed non-disclosure agreements (NDAs) from vendors prior to starting a relationship. Should we also provide our own NDA to vendors?
Answer: It would be a good idea to have your own standard mutual non-disclosure agreement (MNDA) that addresses the confidentiality, term and other language that’s most important to your organization. You can also lead with this MNDA knowing that sometimes it might be accepted and other times it won’t. Our experience is both – we lead with ours and we also accept many others.
Q3: Is there a benefit in placing specific service descriptions and pricing information into a statement of work following the contract, which has higher level terms? It makes sense if the vendor offers multiple services, but are there any reasons why this wouldn’t be the case?
Answer: I think there are more reasons to include the specific descriptions and pricing in the statement of work (SOW) than not. The SOW is the document that’s detailing the specific purpose of the relationship so this is the one document that should detail it out – the description of what is being purchased/delivered, the responsibilities of all parties, the pricing, the term, etc. The SOW will reference the master agreement where the legal terms are maintained. But the purpose of the relationship is not generally covered in the master agreement.
Q4: Can you define the requirement for an ethical code of conduct? Is this considered a legally vetted document?
Answer: A code of ethics sets out a company's ethical guidelines and best practices to follow for honesty, integrity, and professionalism. There isn’t a boilerplate Code of Conduct or Code of Ethics that everyone must follow. It would be up to each company to have their Code of Ethics reviewed by a legal professional that has specific experience in their line of business or their industry.
With the fairly new environmental, social, and governance (ESG) standards and other social responsibility laws, including modern slavery, there’s more and more emphasis on Code of Conduct policies being a part of contract negotiations and vendor due diligence.
Q5: Do regulators require you to have physical/soft copies of artifacts in your evidence library?
Answer: I’m not certain of actual regulatory requirements across all industries, but it’s a best practice to have hard copies of documents which are needed in times of business impacting events, even in the case of system unavailability. Examples of hard copy documents I can think of would be a business continuity plan, disaster recovery plan, emergency response plan, incident response plan, call trees and often key standard operating procedure books for operational support. So, with this, I would say, not all require hard copies, but those that are critical during business impacting events or system unavailability, should be kept as hard copies. Also, NIST is a great resource for this.
Q6: How is a service level agreement (SLA) different than a contract?
Answer: The SLA does not include the specific terms of the contract – the purpose of the contract is to define what’s being delivered, the pricing, the terms, the effective and termination dates, and any other commitments as part of that engagement. The SLA only details out the expectations of what is being delivered and what happens if the expectations are not met.
Q7: I need to do vendor screening from scratch. Where should I start?
Answer: Here are some steps to follow that will put you on the right track.
Step 1: I would suggest you start with sending a questionnaire to each of your vendors. This questionnaire should be short but have enough questions to capture the information important to you to properly vet your vendor, including basic profile information. Within the questionnaire, you should ask for artifacts or documents so that you can review the vendor’s controls and validate some of the responses. The types of documents you request would be determined by the type of data to which they will or will not have access.
Step 2: From there, you can perform a simple risk assessment to determine the inherent risk of the product/service.
Step 3: Review the questionnaire and documents provided by the vendor to determine how the risks that you identified in step 2 can be mitigated by their controls.
Step 4: Determine the next steps for each vendor (easiest when done by vendor type or category). For example, consider when to request updated documents, when to conduct the next risk assessment, when to evaluate specific controls, how often to review their performance, etc.
This can seem overwhelming, but once you have a process outlined and each step documented, it should flow well. There are tools and solutions that will help with all of this. Below are 2 links to resources in our community that might be of interest. There are many more like these.
Q8: Are there concerns if my organization (as the third-party processor) does not have clear SLAs in our contracts with our customers? Or would we wait for our customers to require formal SLAs in place?
Answer: In my opinion, you would certainly wait for your customers to ask!
Q9: What, if anything, can be done about a vendor who never responds, especially to due diligence document requests? Any tips?
Answer: There are some vendors that just won’t respond – your communications vendor (i.e. AT&T, Verizon) for example. The lack of response is not unusual for large companies due to the number of due diligence requests made; they cannot possibly service them all. There are two strategies you can use to try to obtain the necessary information.
First, your business line owner will likely have a relationship with a representative of the company. If that’s the case, instruct the business owner to work with their rep and get the documents, or at least arrange a meeting with the vendor so that you can review the necessary documents if they’re unwilling to provide a copy. Meeting your risk requirement is part of the service they should provide to your organization.
Q10: If SLAs were missing in first vendor contract, how can we include them during contract extensions?
Answer: If the vendor is asking you as the client to extend term, then you should be willing to ask for something from the vendor in return. You can also pull the "examiner card" and state that during your last exam, you were called out or cited for not having SLAs in place with your critical vendors (or some message like this). If you are in a highly regulated industry and this is a critical vendor, that’s likely to happen. I see this happen routinely. When we are working with current customers during renewal time, they often redline the renewal agreement, including asking for SLAs. So, it’s your right as a customer to ask for them.
Q11: How often should a site visit be performed on a vendor to validate the expected controls are in place?
Answer: For your most critical vendors with greatest access to NPI, this should be done on an annual basis and should likely coincide with the most current SOC audit.
Q12: Who is responsible for keeping up with the third-party insurance agreements on a yearly basis?
Answer: That will be dependent upon how third-party risk management (TPRM) is set up within each organization. Some are centralized and others are decentralized.
If centralized, then requesting certificates of insurance and monitoring the expiration dates should rest with the TPRM team. They would also likely be responsible for gathering all documents, ensuring risk assessments are completed, requesting assessments be completed on the vendor’s controls, etc.
If decentralized, then it will likely fall to the vendor owner or the person in the company who has the direct relationship with each vendor. In this scenario, each vendor owner would be responsible for all the things listed above. As you can imagine, the more successful TPRM programs are centralized because there is someone (or multiple people) shepherding the process along.
Q13: Who should be addressing deficiencies found in the due diligence report – the vendor owner or vendor management?
Answer: Both. It should ultimately rest with the vendor owner; however, there will likely be times when the vendor owner may not be a subject matter expert that can understand the findings and deficiencies so that’s where vendor management comes in. Hopefully, there are some subject matter experts with this team for this purpose.
Q14: Should you require a new contract to be signed when the vendor was acquired by another company?
Answer: That will depend on the assignment language within the contract. If the contract allows for the assignment to any successor-in-interest, whether by merger, stock or sale of assets, then a new contract is not required. The assignment language may still allow this to happen but might require prior written consent. And then some might prohibit it altogether and, in that situation, a new contract would be necessary. One point, assuming the assignment is allowed based on the language in your current contract, you should certainly request a new contract on the new company’s “paper” at renewal. And as a safeguard, when faced with this situation, it’s certainly recommended to consult with legal counsel.
SESSION 3: Vendor Cybersecurity Preparedness and Understanding Vendor SOC Reports
Led by Venminder’s Lisa-Mae Hill, Information Security Operations Manager, who shared what to review on your vendors’ cybersecurity and the different types of vendor SOC reports to be reviewing.
Q1: Do you have any recommendations for the best resources to keep up with happenings in the cybersecurity space?
Answer: Here's the list: thecyberwire.com, wired.com, cnbc.com/cybersecurity, US-CERT (which is the Department of Homeland Security’s Computer Emergency Readiness Team), FFIEC Cyber site, NIST, darkreading.com, krebsonsecurity.com, SANS, ISC2, tripwire.com, thehackernews.com, securityweekly.com, csoonline.com, infosecurity-magazine.com, nakedsecurity.sophos.com, threatpost.com, darknetdiaries.com, SANS Internet Stormcenter Daily Network, recordedfuture.com, Cyber Work, blackhillsinfosec.com, CYBER, Professor Messer's Security+ Study Group, Palo Alto Networks Unit 42 blog.
Q2: What kind of vendor services require cyber security insurance?
Answer: Cybersecurity insurance is really designed to help cover the cost to recover from a data breach, virus, or other cyberattack. So, anyone that processes, stores or transmits sensitive data should consider cyber insurance.
Q3: Is there a typical timeframe that Type 2 SOCs should cover? (i.e., quarter, year, etc.)
Answer: You should typically see 6-12 months though some companies have done quarterly; 6-12 months is what you should expect to see.
Q4: We have a few vendors whose products are critical to our business because there are few, if any, alternative suppliers of their "super widgets." Since these vendors do not access, process, transmit or store confidential data, SOC2 does not seem to apply. Should we ask them for a SOC for supply chain?
Answer: A SOC for supply chain is really designed to describe how the larger organizations and middle market organizations are evaluating and monitoring their supply chain risks. Understanding the type of product or service they are providing would help better answer, but at a minimum you would want to ensure they have practices in place that protect the integrity and availability of the resource. That helps ensure that a loss or compromise of the item is unlikely. For more specific information, I would just need to better understand what the product or service is.
Q5: Is it safe to rely solely on a SOC review to assess the cybersecurity effectiveness of a third party?
Answer: This really depends on the criticality and risk involved and what the service/product is. It also depends on resources. A SOC is a good place to start. It’s important to first define your expectations and what you would expect to see then determine if the SOC they provide covers that.
Q6: How often should you ask for an updated SOC? Should it be part of annual due diligence?
Answer: Yes, annually is the best bet, but you should also consider the cycle of the vendor’s reporting. So, if they do 2 six-month audits a year, you should request both of those SOC reports as 1 will only cover 6 months of a year.
Q7: How do companies handle subservice provided by AWS where the supplier indicates AWS reports are not available for clients?
Answer: AWS has several SOC reports that should be readily available for review. You may need to dig deeper with your vendor OR reach out to AWS directly and discuss with them as your fourth party.
Q8: When should an organization look for subservice organization SOC reports, rather than relying solely on third-party oversight?
Answer: You want to review your vendor’s subservice SOCs when that subservice performs a service to your vendor that’s critical to you or creates risk for you. For example, if your vendor processes and/or stores your information and uses a subservice as a data center, we would recommend a review of that DC subservice as they have access to you or your customers’ data.
Q9: If a technical vendor does not have their own SOC and only provides their subservice SOC report, is it acceptable or should we require the vendor to perform an independent audit?
Answer: You wouldn’t be able to rely on just your vendor’s subservice SOC report as that really only covers the controls at your fourth party. If your vendor doesn’t have a SOC, you can request their policies and procedures for review or request that they complete a questionnaire to gain insight into their practices.
Q10: Where would the CUEC's be listed? Are they only found in the SOC?
Answer: CUEC’s should be in the SOC. Unfortunately, there’s no requirement for them to be listed in any specific place. You can find them under a heading in the narrative (section three), right before the testing of controls, or sometimes right IN the testing section underneath each control they apply to. If there are no CUEC’s it’s usually notated clearly in section three.
Q11: How much detail should the management response include?
Answer: Ideally, management’s response should cover what they are doing to remediate the finding AND mitigate it from happening again, OR it should cover why they’re willing to accept the risk it presents.
Q12: Is it possible to have a complementary control listed that does not apply to us?
Answer: Absolutely, part of reviewing them should be tossing out those that don’t apply so you can focus on the ones that do!
Q13: What is your view on bridge letters?
Answer: Bridge letters add value if they are used to bridge the gap between SOC audits. In other words, it refers to the downtime between when an audit is issued, and when the next audit is issued. A bridge letter is not valuable if it’s being used in lieu of the next period’s audit. You want to make sure that the span of time covered in a bridge letter makes sense and isn’t being used to make up for the lack of consistent auditing.
Q14: How does the SOC 2 Type 2 track CUECs from the service provider’s fourth parties?
Answer: I rarely see shared responsibility covered and I have to extend the reviews.
SESSION 4: Vendor Business Continuity Management
Led by Venminder’s Aaron Kirkpatrick, CISO, where he shared the procedures your vendor needs to have in place to handle a business impacting event and what to expect during audits and exams.
Q1: Should a vendor's business continuity (BC) plan be reviewed PRIOR to beginning a new relationship, as part of due diligence?
Answer: For critical vendors, yes. You should understand their practices and the key items discussed during the webinar such as RTO, RPO and that testing is being performed. For non-critical vendors, but those with higher inherent risk around availability, I would strongly recommend knowing at least those key points as well.
Q2: We have many different vendors, and some may be regulated (e.g. financial institutions). Would you treat the critical vendor process the same or would you require less information (e.g. if a vendor was ISO 22301 certified)?
Answer: If a vendor can provide you with an ISO 22301 certificate, I would be pretty confident in that vendor’s environment. You’ll still want to know the details we addressed in the webinar such as RTO and RPO, but passing that audit should give you a good amount of reassurance that the vendor has a decent control environment around BC/DR. For those that are regulated, I would still request information from them. To use your example, we work with financial institutions of all sizes, and we’re often surprised about their level of control environment maturity.
Q3: Would you create an inherent score and a residual score framework to tier where the vendor falls? If so, can you explain how you would go about this?
Answer: Yes. You’ll need to do an inherent score framework to determine whether, and to what extent, you care about the vendor’s availability and continuity of operations. And you’ll want to do a residual score framework to know that the controls demonstrated by the vendor are sufficient for your organization’s needs, such as having their RTO and RPO fall within your own commitments.
Q4: What are some resources for staying up to date on regulatory guidance for BCM?
Q5: Apart from these excellent sessions, do you recommend any training courses on third-party risk management, that cover these topics?
Answer: I don’t really know of any outside of our own content… If you'd like to attend future webinars, you can monitor our events page here and to grab any of the hundreds of eBooks/infographics/checklists/etc. we create, you can check out our resources library here.
Q6: Can you share some basic templates for business impact analysis that could be used as a starting point?
Answer: We recommend referencing ready.gov's guidance around business impact analyses which can be found here. Through this link you'll also see a template for a BIA questionnaire with some guidance around impacts and recording those impacts. Some more mature organizations will go through a much more in-depth process outlining the types and levels of tens of scenarios and specific risk-based impacts. I don't have a specific example to share/recommend, but if you search for ("business impact analysis" filetype:xlsx), that will return many samples to use. Use caution though, as you would be downloading potentially malicious files, so you should pay attention to where the file is coming from, make sure you have anti-malware enabled, and not enable macros in the downloaded file.
SESSION 5: Red Flags in Vendor Financial Health
Led by Venminder’s CFO, Ramin Zacharia, where he provided a presentation covering the importance of vendor financial health in TPRM and red flags you should be watching for as we head into 2022.
Q1: Often private entities are hesitant (or refuse) to share their financial statements. Do you have any recommendations on how to gain comfort with the vendor from a financial health standpoint?
Answer: If a private vendor refuses to provide you any financial information, you can ask for a financial health letter from their CFO or management team that speaks to high-level metrics, such as their revenue, profitability, cash/liquidity and funding. If they don’t provide this information, you can try to put together a very short questionnaire with pointed questions on the vendor’s revenue range, liquidity range, profitability (i.e., are you profitable or unprofitable) and whether it has enough solvency to remain a going concern/in operation for at least the next 15 months. If they don’t answer this, suggest a call with their team or try to find a credit report from a public database, such as Dun & Bradstreet or Argos.
Q2: How can you manage risks arising from the vendor's financial information? What mitigation strategies are you suggesting?
Answer: If your team discovers red flags or risks after reviewing a vendor’s financial performance (i.e., the company has liquidity issues, issues with litigation, etc.), your immediate next step should be to work with the vendor and follow up to find out what remediation they have put in place to alleviate or address these red flags. Often, the vendor will work with you once you have identified these concerns, as the risks may jeopardize their business relationship with organizations such as yours. Once this is complete, you can decide on whether the details or mitigations provided by the vendor to address the risk are sufficient or insufficient. If they are sufficient, monitor the vendor and perform regular reviews (at a minimum, annually). If they are insufficient, begin to look for other vendors that perform or provide a similar service or product to replace the vendor and look to exercise any opt-out clauses or contractual terms that allow you to exit the relationship if you believe the vendor is at-risk of providing the contracted service.
Q3: How do you determine what controls to put in place to mitigate risk if a supplier is critical in poor financial health?
Answer: First, you should start by immediately addressing the red flags or financial risks you have identified following your review of the vendor. This includes having a call or set of discussions with the vendor to get your findings to them and allow them to address them as they see fit. You should document these requests or follow ups and responses you make and receive, as they can be important as your examiner looks for them or if you need to exercise an opt-out of the vendor’s contract. Depending on the responses that the vendor provides to your organization on the rationale behind the poor financial health or what they are doing to mitigate these concerns, you can determine whether your organization accepts the risks or not. If you accept the risks, you can move forward and monitor the vendor, performing a review on a regular basis (at a minimum, on an annual basis). If you do not accept the risks and explanation, you can begin to look for a new vendor to provide the same or similar service. For this new vendor, you want to make sure you put in contractual obligations, such as their team providing you financial statements or a statement on financial health you can use to monitor/review their financial health and how they may add risks to your overall organization.
Q4: What's the most efficient way to perform litigation searches?
Answer: For a public company, if the legal/litigation is material, you will be able to quickly find these details within the vendor’s 10-K annual filing or 10-Q quarterly filings. This can be as simple as searching through the financial filings and compiling any details that speak to litigation in the filings. For a private company, if you receive audited financial statements, these will typically include material disclosures on any legal or litigation matters, so reading through the footnotes of the audited financials will be the quickest way. Otherwise, the best and most efficient way is to just ask the vendor directly in your questionnaire around litigation/pending legal matters. Making this part of your diligence questionnaire process is a best practice that can help alleviate these risks and concerns on your organization.
Q5: If your critical vendor has been purchased by another large vendor, do you now need to look at the vendor who purchased, or just your direct vendor?
Answer: This entirely depends on the acquisition and the structure of the new combined entities. If the acquired company will be a subsidiary of a larger company and will still have its own financial statements (happens at times when both the target and the acquirer are private companies), you can review the vendor that was just acquired. If, however, the vendor is acquired and consolidated into the acquirer’s financial statements, it would be only possible and prudent to assess the new acquirer, as their financial health will be indicative of the overall business and your direct vendor, which is now under that company’s umbrella. The latter is more typical based on our experience, given acquired companies are folded into the companies that acquire them.
Q6: Would it be acceptable to skip 2020 financials due to the pandemic blip?
Answer: We would NOT recommend skipping 2020 financials in your financial review and diligence process, as it was a critical year for many vendors and organizations. Depending on the business and which industry they operate in, this year can indicate how severe the pandemic was and continues to be on the vendor. It can also be a good practice to see how a vendor has improved or plans to improve its operations or performance after a potentially challenging year if you properly review their 2020 financial performance.
Q7: If a company is in a lawsuit, what kind of questions should we ask them to help determine the impact that lawsuit could have on their financial health?
Answer: You can ask them if they have properly accrued or put aside the necessary funds to cover off any future losses or litigation costs. You can also ask them what the magnitude or amount of legal costs or losses they believe may arise as part of the matters. Additionally, you can ask them where the lawsuits or legal matters stand, and when they expect them to be resolved. It is also important to ask them whether they are aware of any other litigation or legal matters that are outstanding against them, and what they are doing to remediate any of them.
SESSION 6: Third-Party Risk Management Exam and Audit Prep
Led by Venminder’s Hilary Jewhurst, Third-Party Risk Evangelist and Advocate, where she shared how to prepare for an exam or audit as well as tips and tricks and wrapped up the sessions by recapping some key takeaways.
Q1: What resources do you recommend as a "must have" regarding TPRM regulations?
Answer: The actual guidance documents and supplemental documents provided by the regulator as well as the exam priorities for that year.
Those are the only must haves, but it’s always necessary to do an internet search for expert guidance or summaries.
Q2: Can you point me to a good summary document related to the proposed interagency TPRM guidance (July press release)?
Answer: I can share the blog I wrote on this very subject - Banking Agencies Proposed Risk Management Guidance for Third-Party Relationships.
Q3: We have a vendor who has multiple products. Do we need to do a full assessment on the vendor and each product? Does each product get a different kind of assessment?
Answer: Yes, you must do an assessment on each engagement with the vendor. The inherent risk assessment looks at the risk in the product or service, which sets the foundation for your TPRM activities. Due diligence determines if the proposed vendor has sufficient controls to manage the risk in the product or service. Keep in mind that if you’ve already done extensive due diligence with your vendor, you likely won’t have to re-do the whole process, but there may be a risk attribute in the product or services that was not previously considered. In that case you may have to do some additional due diligence in relationship to that product or service.