Ongoing Monitoring Programs

Contents
• Monitoring Program Basics
• Monitoring Program Mechanics

Monitoring Program Basics
• Key component of a Vendor Resilience program:
  o This is the set of compensating controls that support the firm's policy
  o Each firm's program will be unique to its needs
  o It will be one of the areas reviewed regularly by auditors and regulators
  o It needs to be applied consistently to all third parties across the firm using a repeatable process
  o The firm will need to retain documentation supporting the monitoring program; that documentation will also be reviewed by auditors and regulators as part of their controls reviews.

Monitoring Program Mechanics
• Each firm will need to look at its Vendor Portfolio, as well as the risk groups that would be involved in reviews, in order to develop its monitoring program
  o No two firms will have the same program, but they share common components
  o Risk groups can include BCP/DR, Insurance, Credit, Information Security, Technology Operations, etc.
• Program design will need to factor in the needs of the risk groups in order to create a repeatable assessment process.
  o Ideally, the program should leverage the work and artifacts collected in the initial third-party assessment performed as part of onboarding.
• Spend the time to walk through the process with test cases and adjust accordingly before rolling it out.
Monitoring Program Mechanics
• A key component that drives how a third party is monitored is its aggregate risk to the firm
  o Refer to the Third Party Risk Categorization document under the due diligence folder for more information on Risk Assessment
  o Critical/Important third parties should be reviewed annually; the remaining third parties at least every two years
• As part of the monitoring program, the aggregate risk should be re-evaluated to ensure that any changes in the firm's relationship with each third party are reflected in its rating
  o For example, if services were added or dropped, or the value of a contract has changed

Monitoring Program Mechanics
• If a firm is completely new to this or isn't sure what to do, find a like firm that has a program and ask whether it will consider holding a best-practices information sharing session.
  o There are also specialized consultants in this area that you can contract with
• An automated workflow/rules-based process is recommended to standardize the reviews
  o This can be done internally using tools such as SharePoint or Lotus Notes, or externally hosted with one of a number of vendors in this space.
• Putting this process in place will require the investment of people's time and should be treated as a full project with a plan, deliverables and a project manager.

Monitoring Program Mechanics
• The program should be evaluated annually to ensure that it still meets the needs of the firm, and adjusted accordingly
• An administrative function will be needed to oversee the execution of the program to ensure things don't fall through the cracks.
  o Many firms use their Vendor Management Offices for this
• Reporting and risk identification/remediation tracking is key! Firms need to spend a lot of time in this area.