Third Party Risk Management

Asking Appropriate TPRM Due Diligence Questions

You need to ask appropriate questions to measure residual risk for different types of vendors and for different products from a vendor. These questions cover the topics in OCC Bulletin 2013-29 and NCUA Supervisory Letter. These documents lay out the topics to be considered. Questions can easily be derived from each of the topic discussions.

As you begin to create questions, it may be useful to put “gating” questions before topical questions. For instance, a gating question for insurance might be whether you received the vendor’s Certificate of Insurance (COI). If you did receive the COI then you can ask questions about the kinds of insurance and whether the insurance amount was appropriate for the services provided and the importance (inherent risk, or criticality) of the vendor’s product to your institution. If you did not receive a COI, then asking these questions is not relevant, and other questions about how this issue is being mitigated may be relevant.

The process of creating questions naturally grouped by the topics in OCC Bulletin 2013-29 and NCUA Supervisory Letter results in your baseline questionnaire. This baseline questionnaire is the questionnaire you can use for all of your vendors and products as a starting point.

Now you will need to review your questions from three perspectives to generate your final questionnaire(s). The first perspective is inherent risk. Your due diligence should be broad and deep – covering all topics very thoroughly and in detail – for vendors with products of high inherent risk, such as your core provider. Your due diligence can be narrower and shallower – covering appropriate topics at appropriate detail – for vendors with products of lower inherent risk. This leads you to having as many baseline questionnaires as levels of inherent risk you measure.

The next perspective is validating that the questions in your baseline questionnaire are appropriate for different vendor/product types. Asking, answering, and risk rating the correct set of questions for a vendor and their product allows you to determine the correct risk and issues to mitigate through performing due diligence about the correct set of topics. Vendors that supply and service ATMs may need different questions answered than vendor that supply your core processing. The entire domain of questions may not be different; in fact, most of the questions may be the same. And there may be additional questions for the ATM vendor beyond the baseline questionnaire and additional questions for the core processing vendor beyond the baseline questionnaire. And these two sets of extra questions may be different.

The final perspective is determining which questions are specific to the vendor and which questions are specific to the product the vendor supplies. For example, financial questions are about the vendor. If you have five products from one vendor, you only need to answer financial questions once. Service Level Agreement (SLA) questions are typically product-based, as there are different SLAs for different products. You now have two baseline questionnaires, one for the vendor and one for the product, for each inherent risk.

The good news is VendorPoint handles all of these issues for you. VendorPoint comes loaded with due diligence questionnaires. These questionnaires have gating questions and are organized by topic. The questions are flagged so that vendors are asked the correct depth and breadth of questions. Additional questions can easily be added to handle different vendor and product types. And further, VendorPoint separates vendor and product questions allowing your personnel to spend exactly as much time on completing the assessments as is needed. All of these lead to greater efficiency in completing your due diligence assessments. Please let us know if you are interested in learning how VendorPoint can make your third party risk management program efficient and effective.