Creating a step-by-step system to evaluate and review your vendor due diligence documentation can ease the burden of vendor oversight while ensuring all vendors are monitored appropriately and thoroughly.
Consider these five tips for performing vendor due diligence with ease.
Step 1: Determine Relationship Significance
One way to determine relationship significance is by creating a standardized list of questions designed to guide you through evaluating the importance of the vendor relationship. These questions might look something like:
- Does the vendor store, process, or transmit confidential information on behalf of the bank?
- If the vendor went out of business, would the bank be negatively affected?
- Does the vendor open or access covered accounts on behalf of the bank?
- Does the vendor pose risks that could significantly affect earnings or capital?
In this example, if the answer to any of the questions above is "yes," then you may wish to rank the vendor relationship as "Significant" or "Critical." Conversely, if the answer to every question is "no," then the vendor relationship could be "Insignificant."
Step 2: Determine Which Due Diligence Documents Should be Requested
Next, you must determine what due diligence documentation you will need to evaluate and manage the risk of the vendor relationship. You can do so by using the same set of questions you created to determine the relationship significance. For example:
- If the vendor stores confidential data on behalf of your bank, you should request the vendor's SOC Report/SSAE18.
- If the vendor going out of business could negatively affect your bank, you should request the vendor's financial statements and Business Continuity Plan.
- If the vendor opens or accesses a covered account on your behalf, you should request the vendor's identity theft prevention program.
Having a formal process to determine what due diligence documents you need will help you streamline the process and ensure all key risk areas are evaluated.
Step 3: Analyze the Due Diligence Documentation
Once you have gathered the required due diligence documents, it is critical to do a thorough review. To ensure your review is consistent and exhaustive, use predefined and tailored review templates. Templates can be found through information sharing organizations, industry peer groups, or within vendor management software. Here are downloads to three sample review templates:
Step 4: Request Follow-Up Information If Needed
After reviewing a vendor's due diligence documentation, you may need to obtain additional information for clarification. Prepare an email with questions to ask your vendor, including:
- A list of additional documentation and/or information needed.
- Contact information for where the vendor should send the additional documentation.
- The due date for when you require the documentation.
If you are not using a software tool to easily gather and request due diligence information, consider using the following features in your email client to improve the process.
- Use the "Request a Read Receipt" option to ensure the email is read.
- Use the "Save Sent Item To" option to create a folder of sent requests.
Step 5: Ongoing Oversight
Reviewing vendor due diligence documentation (vendor oversight) is not a one-time task, but an ongoing risk management process. To keep up with the various documents you gather from your vendors, consider creating a secure file location where this information can be housed. Ensure you have access to those documents, as needed, but also ensure the information is stored in a location only authorized individuals can access.
Many of the documents will require designated review timeframes, such as monthly, annually, etc. When you need to obtain the newest copy of certain documents, set reminders for yourself on your calendar at least 30 days in advance of the date you wish to receive the new version. This way, you have ample time to contact the vendor and gather the latest copy.
To take your program to the next level, consider subscribing to a vendor management software application. Visit our blog about Top Vendor Management Software Features to Consider Before You Buy.