Ongoing Monitoring Programs
Contents
• Monitoring Program Basics
• Monitoring Program Mechanics
Monitoring Program Basics
• Key component of Vendor Resilience program:
o This is the set of compensating controls that support a
o
o
o
o
firm’s policy
Each firm’s program will be unique for its needs
It will be one of the areas that will be reviewed by
auditors and regulators regularly
Needs to be consistently applied for all third-parties
across the firm using a repeatable process
The firm will need to retain documentation to support
the monitoring program which are also going to be
reviewed by auditors and regulators as part of their
controls reviews.
Monitoring Program Mechanics
• Each firm will need to look at their Vendor Portfolio as well
as the risk groups that would be involved in reviews in
order to develop their monitoring program
o No two firms will have the same program but they do share
common components
o Risk groups can include BCP/DR, Insurance, Credit, Information
Security, Technology Operations, etc.
• Program design will need to factor in the needs of the risk
groups in order to create a repeatable assessment process.
o Ideally, the program should leverage the work and artifacts
collected in the initial third-party assessment that were
performed as part of onboarding.
• Spend the time to walk through the process with test cases
and adjust accordingly before rolling it out.
Monitoring Program Mechanics
• A key component that drives how a third party is monitored
is their aggregate risk to the firm
o Please refer to the Third Party Risk Categorization document
under the due diligence folder for more information on Risk
Assessment
o Critical/Important third-parties should be reviewed annually,
with the remaining third-parties at least bi-annually
• As part of the monitoring program, the aggregate risk
should be re-evaluated to ensure that any changes in the
firm’s relationship with each third-party are reflected in
their rating
o If services were added or dropped, the value of a contract has
changed, etc.
Monitoring Program Mechanics
• If a firm is completely new to this or aren’t sure what to do,
find a like firm who has a program and see if they’ll
consider doing a best practices information sharing session.
o There are also specialized consultants in this area that you can
contract with
• An automated workflow/rules based process is
recommended to standardize the reviews
o Can be done internally using tools such as SharePoint, Lotus
NOTES or can be externally hosted with a number of vendors in
this space.
• Putting this process in place will require the investment of
people’s time and should be treated as a full project with a
plan, deliverables and a project manager.
Monitoring Program Mechanics
• The program should be evaluated on an annual basis to
ensure that it meets the needs of the firm and adjust
accordingly
• An administrative function will be needed to oversee the
execution of the program to ensure things don’t fall
through the cracks.
• Many firms use their Vendor Management Offices for this
• Reporting and risk identification/remediation tracking is
key! Firms need to spend a lot of time in this area.