Using a risk-based vendor due diligence approach solves this problem. It focuses your effort where it’s most beneficial, which happens to coincide with the areas emphasized by regulatory guidance. Here are the four key steps to a risk-based vendor due diligence checklist: 1. Pull the most recent list of all your vendors. 2. Classify them by definitive “risk-based” categories: general vendors, confidential/sensitive data vendors and strategic vendors. 3. Perform the appropriate level of due diligence as described below for those risk categories. 4. Repeat the due diligence at appropriate intervals (for strategic vendors, no less than annually). 2. General Vendor Due Diligence: Quick and Painless Any time you contract with an outside vendor, investigate the following factors and ensure all corresponding documentation is stored in a safe place, like a dedicated vendor management repository: • Business Impact Analysis: Ask yourself: what happens to your organization if something happens to this vendor, i.e., they go out of business or lose a key subcontractor? • Business Type and Status: Determine if the vendor is a legal entity and type: corporation, LLC or sole proprietorship. • Insurance: Confirm the vendor has general liability insurance, and if any specialty insurance is needed. • Contract: Develop a written, enforceable agreement. • Service Level Agreements: Ensure that both parties have agreed on how performance will be measured. • Relationship Owner: Identify the employee who will own this relationship and monitor performance. • Confidentiality Statements: This typically occurs when proprietary information will be shared with the vendor, i.e., details about an upcoming product launch shared with a graphic designer or freelance writer. This level of due diligence is sufficient for vendors in the General category, which likely make up most of your vendor list. 3. Confidential/Sensitive Data Vendor Due Diligence: Extra Cautious Vendors that have access to your confidential or sensitive data should be placed in the Confidential/ Sensitive Data category. In addition to completing the tasks for General vendors, you must conduct enough additional due diligence on these vendors to understand whether they can protect your data to the level required by the Gramm-Leach Bliley Act, including: • Third-party Audit • Additional Insurance • Bonding • Specific Contract Language • Confidentiality Agreements • Information Security • Business Continuity and Disaster Recovery • Employee Background Checks • Additional Questions • Vendor’s Due Diligence While these additional tasks will require more time, remember that this level of vendor due diligence is only needed for a finite group. 4. Strategic Vendor Due Diligence: Ensure Your Business Viability and Continuity These vendors are those without whom your institution could not operate. They perform a critical product, channel, operational or technological function. The strategic category usually consists of the fewest vendors, providing an inverse equation: the least number of vendors require the most due diligence. In addition to the Confidential/Sensitive Data and General information collected above, you should collect the following: • Financial Soundness • Ownership of the Company • Contract Protections • Continuous Relationship Monitoring • Capacity • Legal and Compliance Issues • Mergers or Acquisitions • Corporate Image, News and Social Media • Alternative Vendor on Deck continued on page 16 With increased reliance on third parties for these services, as well as increased scrutiny from examiners, auditors and even leadership teams and boards of directors, this pressure is more significant than it’s ever been. January • February 2022 15
RkJQdWJsaXNoZXIy MTIyNDg2OA==