Third Party Risk Management

Vendors Answering Questions

Having your vendors answer due diligence questions allows you to focus your time on serving your customers. The vendor answers most questions and uploads their current due diligence package to your third party risk management system. You then quickly answer the remaining small number of questions and verify the vendor's answers using the cross-reference they have provided to their due diligence package. And you are back addressing the most important part of your business: making sure your clients have the products and services they need.

You will need to let the vendor's contact who will be answering questions know what is expected of them. You may have to add this task to your contract with the vendor on your next renewal. Let the vendor know that they will be logging in and answering questions. Provide all of the login information they need. Let them know they will be uploading their due diligence package documents to your third party risk management system.

Two important points that will really minimize your institution's time spent on due diligence are to ask the vendor to indicate, as part of the answer, the document(s) and page number(s) they used to answer the question, and to ask the vendor to indicate, for any answer they feel will yield a high risk, the mitigation options and who can undertake them (i.e., the vendor and/or the institution). These two pieces of information will minimize your answer validation time, provide insight into actions that can be taken to minimize risk, and will make audits and exams even easier.

To prepare, identify topics that vendors can answer. These might include topics such as Corporate Due Diligence, Country Risk, Financial Due Diligence, Identity Theft, Quality of Service/Service Level Agreement, Security, UDAP, and Verification and Validation. There may be others, and you may not want to include all of the topics listed above. Review your policies and evaluate where you can get objectively verifiable answers.

Note that a whole topic does not need to be answered by the vendor. There may be questions that are appropriate for the vendor to answer, while there may be other questions that you prefer to answer yourself. The questions you prefer to answer may include judgement questions. Again, review your policies and evaluate where you can get objectively verifiable answers.

Next, configure your third party risk management system to collect the vendor's answers. Ideally, this includes all of the following steps. Set up a user for the vendor in your third party risk management system with appropriate access and restrictions. Then configure the system's workflow so that the vendor can only answer questions, and only the questions you want them to answer. Provide access so that the vendor can upload their due diligence package documents. And make sure the vendor receives notifications when they have questions to answer. Include yourself on these notifications so that you know which vendors are being asked to complete due diligence and which have completed that task.

With this configuration, your vendor contact will be notified when they have work to do. They will log in and complete the work, answering questions and uploading their due diligence package documents. The appropriate personnel from your institution will then log in to answer the remaining questions, review the vendor's answers using the cross-listing provided, provide residual risk ratings for all questions, and sign off on all questions. These tasks need not all be completed by the same personnel at your institution, but all of them must be completed. During the vendor answer review, the vendor's answer can be changed directly if it is not correct or acceptable, or the third party risk management system's workflow can be triggered to send the question back to the vendor contact to be updated, with comments about what needs to be changed and why.

Asking your vendors to answer appropriate due diligence questions in, and upload their due diligence package documents to, your third party risk management system allows you to spend more time making sure you are providing your customers with the products and services they need. Having due diligence document cross-listing makes your answer validation easy. Having mitigation options allows you to define a path forward and take action to mitigate risk. All of this makes audits and exams much easier.

Fortrex can help with all of this. Please contact us so we can show you how.