
When to Review Vendor Information


Due diligence is essential when onboarding a new vendor. After all, due diligence is the process that initially enables an organization to determine whether a vendor has the controls needed to mitigate the risks identified. But what happens after initial due diligence? How does an organization confirm that a vendor's risk controls and performance remain satisfactory throughout the relationship?

Vendor reviews are the key. The vendor review process is at the heart of ongoing monitoring. What should your organization review and how often? Read on to find out.

What Vendor Information to Review

[Graphic: When to review vendor information, 02.16.2022]

Even after you have performed initial due diligence and the vendor is onboarded, there are plenty of items that still need to be re-reviewed on a regular basis. Reviewing the following items ensures that your organization stays aware of any issues so they can be addressed quickly:

  • Inherent risks: When preparing for a vendor review, the best place to start is to confirm that the risks identified during the inherent risk assessment are unchanged. If the vendor's products, services or volumes have changed, expanded or been scaled back, factor that into the review. New or emerging risks may require controls that were not necessary before.
  • Vendor-provided documentation: Documentation and other information provided by the vendor should be reviewed to ensure it is current and complete. Items like SOC reports and insurance certificates expire, so confirm that you hold the current version and, for a SOC report, that its coverage period has not lapsed (a bridge letter should cover any gap between the report period and today). Confirm that the vendor's internal policies have been reviewed or updated within the last two years.
  • Sufficiency of controls: As in initial due diligence, subject matter experts (SMEs) should review the vendor's controls, assess whether they are satisfactory and provide written reports detailing their evaluation. SMEs should also review the evidence supplied for any previously identified issue and confirm that the issue is actually closed, not just that the vendor says it is.
  • Vendor performance: Confirm compliance with contractual service level agreements (SLAs) and key performance indicators (KPIs). Consider any proactive vendor improvements or innovations as part of the review.
  • Vendor issues or incidents: If the vendor has had any incidents (breach, outage, business interruption, negative news story, etc.), review the details of the incident, the response and the outcome. Open vendor issues, along with their remediation plans, progress toward closure and timing, should be incorporated into the review.

When to Review Vendor Information


Risk and criticality are the primary factors when determining how often to formally review your vendors. Remember, you must review both the vendor's risk and performance periodically.

Let's take a look at recommended review routines:
  • Formal risk reviews: Many regulations, as well as best practices, dictate that critical and high-risk vendors undergo a formal risk review at least annually. Moderate-risk vendor reviews can be spaced as much as two years apart. For low-risk vendors, every three years is sufficient, or there may not be enough risk to justify a formal review at all.
  • Performance-based reviews: Frequent, proactive performance reviews enable your organization to recognize emerging issues and remediate them before they become serious problems. Critical and high-risk vendors should therefore have performance reviews quarterly. Moderate-risk vendors should have performance reviews twice a year or, depending on the product or service, annually. Since most low-risk vendors are transactional, performance reviews are not always necessary and are at your organization's discretion.
  • Event- or issue-driven reviews: Certain vendor events warrant a more frequent review of the vendor's risk or performance. For example, a vendor that has experienced a data breach should be subject to expanded and more frequent risk reviews until your SME can confirm that its controls appropriately mitigate the risk. Likewise, a vendor with declining performance should be reviewed more frequently until the issues are resolved and expected service levels resume.
  • Regulatory-focused reviews: Regulatory requirements can change or expand. When this happens, identify which of your vendors are subject to the new requirement and organize a review to verify their compliance at the first possible opportunity.

What if a Vendor Problem Surfaces?

Vendor reviews can confirm that all is well and that there are no urgent risks or performance issues to resolve. In that case, you can continue to follow your regular risk and performance processes and review schedules. But what happens if the vendor review surfaces problems?

Here are some suggested actions to take when facing these situations:
  • Collaborate with your subject matter expert to determine the severity of the issue and its potential impacts: If you notice insufficient or missing controls, this is the first step. If the issue is severe and the vendor is classified as critical or high-risk, inform senior management (and possibly the board) with the details of the issue, any remediation plans and a timeline for correction. In some cases you may need to obtain a formal risk acceptance from senior leadership until the problem is fixed. Whatever the vendor's risk level or criticality, issues should be documented and tracked until they are resolved.
  • Review the vendor contract: When you discover a performance decline or failure, review your contract. It may provide specific remedies to help address the situation. In addition, make sure the vendor understands the issue and can respond with a root cause analysis (what went wrong and why) and a time-bound performance improvement plan. Track the vendor's progress until the expected performance returns.

Timely, well-planned and documented vendor reviews ensure that your ongoing monitoring processes are substantive. Not only are they a regulatory requirement for many industries and a best practice, but they are also a valuable risk management tool.
