Investment due diligence procedures for third party risk management

Recently we hosted a webinar with Robin Hodgkins, President of Castina LLC and former CISO John Rizzulo, now President at Rizzulo GRC. One of the topics they looked into was the correct investment due diligence procedures needed to effectively manage risk when engaging third party vendors. Here are a few of the highlights:


A Full Lifecycle Perspective

The most important thing to remember when creating investment due diligence procedures to manage third party vendor risk is that they need to span the full lifecycle of your involvement with that vendor.

Most organizations front load their due diligence activity, concentrating on the beginning of the relationship. Our experts argue convincingly that not only is having an investment due diligence procedure that spans the full vendor lifecycle best practice, it is in fact now a regulatory requirement.

The Vendor Lifecycle:

[Image: the vendor lifecycle, from relationship planning through termination]

Step 1: Relationship Planning

Your investment due diligence procedures start well before you talk to any particular third party vendor. You need a documented plan for managing third party relationships that outlines the steps to be taken for selection, onboarding, management and termination. It should also set out the time frames involved at each step and the respective obligations of your organization and of the third party.

Step 2: Selection and Due Diligence

You need to be organized and structured for this part of the process. There is no sense in reinventing your due diligence questionnaire each time and losing consistency between one questionnaire and the next.

You should start with a master framework of questions that will be addressed to all prospective third party relationships and build in the capability for this master structure to be tailored to different types of providers. By having a set questionnaire for a particular type of provider, you can make an accurate comparison between different providers, rate their answers and allocate a risk score to each.

Step 3: Contract Negotiations

All the expectations and responsibilities you agree with a third party vendor during your due diligence investigation must make it into the legal language of your contract in order to be enforceable. Regulators will ask to see copies of your contracts and if the due diligence responsibilities of the vendor are not included, this will count against you.

Make sure all the specifics are covered. For example, if the vendor holds sensitive data on your behalf: where will it be stored, for how long, how will it be protected, when will it be destroyed, how will you retain access to it, what is the contingency plan, and what are the time frames for notification in case of a breach?

Step 4: Ongoing Monitoring

Firstly, you need to assign someone to manage this workload. They need to have enough subject matter expertise to know if something is amiss. And their responsibilities (what to check, how often and to what degree of detail, plus what action is to be taken in case of issues being identified) need to be documented policy.

What you are looking for here is whether there has been any material change since the contract was signed. Has the data center moved? Has the team size or structure changed? Have the services the vendor provides changed or expanded in any way? Each change can be risk scored, with an appropriate degree of monitoring or action assigned based on that assessment.

Step 5: Termination

Preparation for termination begins at contract negotiation. Terms surrounding contract termination should be detailed and transparent at this stage. You then need to build the monitoring of these into your ongoing management plan, so you are prepared for the termination window and terms before the need arises.

You should have a contingency plan in place as part of the contract that allows a smooth and easy transition to a new provider where relevant. This plan should also cover how your organization will gain or retain possession of the information the vendor holds on your behalf, and when the vendor will destroy any of that information it retains.

Hopefully this brief overview of the investment due diligence procedures you need to effectively manage risk when engaging third party vendors across the full lifecycle illustrates why simply doing due diligence during vendor selection is no longer sufficient.

Want to know more about this critical area? The IMDDA webinar “What are Today’s Asset Managers Due Diligence Obligations?” reveals the full story; listen to the recording here: