Are You Asking the Right Questions – Vendor Assessments

Vicky Kagler of T. Rowe Price discusses how, in a time of static budgets, the need to perform extensive assessments of vendors' BC/DR capabilities has stretched BC staffs to the limit. The typical BC due diligence questionnaire is bloated with ineffectual and redundant questions that ultimately fail to provide the information your staff needs to properly perform an assessment. Furthermore, programs need an internal mechanism to understand the context of the vendor's impact on the firm. Learn how T. Rowe Price's BC Program worked with their Vendor Management Office to institute a concise, smart set of questions that provide the basis of an effective vendor BC/DR assessment.

The Challenge
  • Increased reliance on outsourcing
  • How to assess different business models?
  • Who can you partner with to get to the facts?
  • Vendor Mgmt provides structure
  • Relationship Manager to be sure the business is engaged
  • So many vendors… so little time…
  • Regulatory requirements
What is Wrong with Today’s DDQs and RFPs?
  • Incorrect Nomenclature
  • Redundant/Compound Questions
  • Incomprehensible Questions
  • Valueless Questions
  • Inappropriate Questions
Just to name a few…
Incorrect Nomenclature
  • Please describe your firm’s business continuation plan including, but not limited to:
  • Protection and recovery of your firm’s human, information, and physical assets; Oversight structure and process
  • Maintenance of offsite facilities
  • Describe how the firm communicates the BCP to staff
  • Notification during a BC event or the plan documents?
Redundant/Compound Questions that repeat things and go on and on…
  • Do you have an incident management program, approved and overseen by management that includes incident response and data breach plans including: investigation, escalation, forensics, data gathering and reporting forms, disciplinary action, legal action, actions taken to prevent recurrence and feedback into the information security management system?
  • Does your firm maintain documentation regarding incidents and data breaches (issues, root cause, outcomes, remediation, etc.)?
  • Does your firm’s incident response plan include response to ransomware or a hacker?
  • Please describe any tests of this program. Please describe any situation where your program has been implemented. Describe the results and changes made as a result of such testing or implementation.
Incomprehensible Questions
  • Describe any changes made to the plan since the last questionnaire response.
  • How is Business Continuity Risk assessed and monitored in your firm?
  • If you were forced to leave the main location, where would you go to complete ‘today’ operations?
Valueless Questions
  • Do you have a Business Continuity/Incident Response/Disaster Recovery plan?
  • Do you involve external consultants to run your crisis management exercises?
Inappropriate Questions
  • What are the key technology systems utilized in managing the Portfolio including but not limited to: trading, compliance, risk analysis, portfolio analytics, portfolio management, personal trading monitoring, including insider trading?
  • Have there been any changes to these systems since the date of the last questionnaire response or are any contemplated?
Why does everyone keep doing it this way?
  • Not created by the company’s BC Team
  • Borrowed questions
  • We’ve always done it that way
  • It looks very thorough
  • CYA
But is it helping your business?
Where does good vendor oversight start?
  • Vendor Management Program/Office
  • Business Unit ownership
  • Executive Sponsor
  • Vendor Relationship Manager
  • Subject Matter Expert analysis
