8/2/2019 VendorDueDiligence_ComplianceChecklist.1
Vendor Due Diligence Risk Assessment - Page 1 of 5
Vendor Risk Assessment
Decision Factor | High Risk (3 points) | Medium Risk (2 points) | Low Risk (1 point)
Member/Customer Information Sharing | Non-public information shared | Only public information shared | No information shared
Information Confidentiality | No vendor contract, or contract lacks confidentiality clause | Contract includes confidentiality clause | Vendor has no confidential information
Operational Reliance | Critical: disruption would cause significant impact | Disruption of service MAY cause impact | Only provides services that would not impact or are easily replaced
Operational Replacement | Vendor services would be difficult to replace | Vendor services can easily be replaced with another vendor | Staff is easily able to take over operational functions, or functions do not need to be completed daily
Financial Institution Reputation | Potential impact on [Institution] reputation is likely | Potential impact on [Institution] reputation is moderate | No impact on [Institution] reputation
Financial Impact | Impact to [Institution] and its Members/Customers would be significant | Impact to [Institution] and its Members/Customers would be moderate | Impact to [Institution] and its Members/Customers would be minimal
Regulatory Exposure | Vendor must be in compliance with all appropriate regulations | Minimal regulatory compliance required | No regulatory compliance required
Expenditure Amount | Capital expenditure exceeds $50,000 annually | Capital expenditure less than $50,000 annually | Servicing vendor only

Total Risk Points:
17 - 24 points: Ongoing annual due diligence required
12 - 16 points: Periodic review & service assessment as needed
< 12 points: Initial due diligence sufficient

Management reserves the right to adjust a company down or up one level if management believes the company presents a greater/lesser risk than determined by the scoring matrix.
www.continuity.net
Initial Risk Assessment Form
Vendor Name:
Purpose:
Directions:
Rate this vendor on a scale of 3 (highest/greatest risk) to 1 (least/no risk) for each category listed below, then calculate the sum of the ratings. Submit this form with the Vendor Due Diligence Report.

Category | Rating | Comments
Information Sharing | |
Information Confidentiality | |
Operational Reliance | |
Operational Replacement | |
[Institution] Reputation | |
Financial Impact | |
Regulatory Exposure | |
Expenditure Amount | |
Overall Risk Level | |

Total Risk Points:
17 - 24 points: Ongoing annual due diligence required
12 - 16 points: Periodic review & service assessment as needed
< 12 points: Initial due diligence sufficient

The Vendor Oversight Committee and Management reserve the right to adjust a company down or up one level if management believes the company presents a greater/lesser risk than determined by the scoring matrix.
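The scoring matrix on page 1 and the Initial Risk Assessment Form above describe the same computation: one rating of 1, 2 or 3 per decision factor, a sum across the eight factors, the three Total Risk Points bands, and a management adjustment of at most one level. The Python below is an added example, not part of the checklist or of any continuity.net tool, that encodes that computation so the band boundaries (8 to 24 possible points) and the one-level override rule can be checked mechanically. The function names, the Assessment record and the sample vendor ratings are constructed for illustration.

```python
"""Added example: scoring a vendor with the checklist's risk matrix.

Encodes the eight decision factors, the 1/2/3 point scale, the Total Risk
Points bands and the one-level management adjustment as the checklist
states them. Function and class names are this example's own.
"""
from dataclasses import dataclass

# The eight decision factors from the Vendor Risk Assessment matrix.
CATEGORIES = (
    "Information Sharing",
    "Information Confidentiality",
    "Operational Reliance",
    "Operational Replacement",
    "[Institution] Reputation",
    "Financial Impact",
    "Regulatory Exposure",
    "Expenditure Amount",
)

# Due diligence levels, ordered from least to most oversight.
LEVELS = (
    "Initial due diligence sufficient",                  # < 12 points
    "Periodic review & service assessment as needed",    # 12 - 16 points
    "Ongoing annual due diligence required",             # 17 - 24 points
)

LOW, MEDIUM, HIGH = 1, 2, 3   # points per factor, as on the matrix


@dataclass
class Assessment:
    vendor: str
    ratings: dict
    total: int
    level: int            # index into LEVELS as set by the scoring matrix
    adjusted_level: int   # after any management override (at most one step)
    adjustment_note: str = ""

    @property
    def label(self) -> str:
        return LEVELS[self.adjusted_level]


def level_for_points(total: int) -> int:
    """Map Total Risk Points to the band the checklist prescribes."""
    if total >= 17:
        return 2
    if total >= 12:
        return 1
    return 0


def score_vendor(vendor: str, ratings: dict) -> Assessment:
    """Require exactly one rating (1, 2 or 3) per category, then sum them."""
    missing = [c for c in CATEGORIES if c not in ratings]
    unknown = [c for c in ratings if c not in CATEGORIES]
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    bad = {c: r for c, r in ratings.items() if r not in (LOW, MEDIUM, HIGH)}
    if bad:
        raise ValueError(f"ratings must be 1, 2 or 3: {bad}")
    total = sum(ratings[c] for c in CATEGORIES)
    level = level_for_points(total)
    return Assessment(vendor, dict(ratings), total, level, level)


def adjust_level(a: Assessment, direction: int, justification: str) -> Assessment:
    """Apply the one-level-up-or-down management override with a recorded reason.

    The step is always taken from the matrix result, so repeated calls cannot
    move a vendor more than one level away from what the scoring determined.
    """
    if direction not in (-1, 1):
        raise ValueError("direction must be +1 (raise) or -1 (lower)")
    if not justification.strip():
        raise ValueError("a management adjustment must be justified")
    new_level = a.level + direction
    if not 0 <= new_level < len(LEVELS):
        raise ValueError("cannot adjust beyond the highest or lowest level")
    a.adjusted_level = new_level
    a.adjustment_note = justification
    return a


# Constructed sample: a hypothetical hosted core-processing vendor.
SAMPLE_RATINGS = {
    "Information Sharing": HIGH,            # non-public member data shared
    "Information Confidentiality": MEDIUM,  # contract includes a confidentiality clause
    "Operational Reliance": HIGH,           # disruption would cause significant impact
    "Operational Replacement": HIGH,        # services would be difficult to replace
    "[Institution] Reputation": MEDIUM,
    "Financial Impact": MEDIUM,
    "Regulatory Exposure": HIGH,
    "Expenditure Amount": LOW,              # servicing vendor only
}

if __name__ == "__main__":
    a = score_vendor("Example Core Processor", SAMPLE_RATINGS)
    print(a.vendor, a.total, "points ->", a.label)
```

Because the minimum possible total is 8, the "< 12 points" band spans 8 to 11; the band checks in level_for_points are ordered from the top so that the 16/17 and 11/12 boundaries fall exactly where the checklist puts them.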
APPENDIX B: Vendor Due Diligence Report
Vendor Name:
Date:
Question | Comment

Planning
Why are we looking at this proposed activity, product or service? |
How is the activity, product or service consistent with [INSTITUTION] values, risk tolerances and business strategies? |
Address the risks of the activity, product or service as defined below (High, Moderate or Low):
Loss of capital if the activity, product or service fails? |
Loss of Member/Customer confidence if the activity, product or service fails? |
Costs associated with training existing or attracting new personnel? |
Costs associated with investing in required infrastructure? |

Return on Investments
Attach or list a projection of how the activity, product or service will affect revenue, expenses, and net income. |
Are the profit projections and assumptions provided by the vendor fully understood? List any concerns or questions. |
Attach a cost benefit analysis for any activity, product or service that does not generate income. |

Financial Review
Attach a copy of financial statements or a SAS-70 report from the vendor. |
Attach or summarize the results of a financial review of any prospective vendor that is considered mission critical. |
Based on the financial review, is the company under-capitalized or showing weak earnings? Consult a licensed CPA as necessary. |

Background Check
List or attach at least three (3) client (current and former) references provided by the vendor. List the dates these references were contacted and whether any issues mentioned need to be addressed. |
List or attach any background information gathered from listservs, the Better Business Bureau, FTC, etc. |
Legal Review
Any contract or service agreement should be considered negotiable. A vendor's refusal to negotiate any of the Legal Review items requires review by [Institution] counsel or Board of Director approval prior to acceptance.
Review the following items in the proposed contract or service agreement.

Definitions (Changes Required: Y/N/NA)
Pay special attention to how terms are defined to make sure the contract or service agreement meets expectations. For example, if customer service is required by [INSTITUTION] 7 days a week, make sure the vendor's business hours are consistent with the requirement.

Length of Term (Changes Required: Y/N/NA)
Make sure the length of term is appropriate for the product being offered. Short-term contracts and service with automatic renewals are preferred over long-term obligations.

Payment Terms (Changes Required: Y/N/NA)
Setting a payment schedule based on expectations being met is preferred. Never agree to pay a vendor in full until the product or service is fully installed and working to [INSTITUTION] expectations.

Confidentiality Agreements (Changes Required: Y/N/NA)
All contracts or service agreements with vendors that have access to any Member/Customer information will be required to protect Member/Customer confidentiality. Confidentiality agreements must extend beyond the life of the contract for at least 5 years. The contract or agreement must also include a provision that the vendor will never sell any Member/Customer information.

Warranties (Changes Required: Y/N/NA)
Warranties are vendor statements and representations about what the product, service, or activity is intended to do. Make sure the contract or service agreement states what the product, service or activity is supposed to do. If it references any documentation, make sure [INSTITUTION] has the documentation prior to signing.

Choice of Law/Venue (Changes Required: Y/N/NA)
Choice of Law refers to the state law a court will apply to any legal dispute. This is negotiable, but under no circumstances will Maryland or Virginia be acceptable for any software or technology agreements; the laws in these states are favorable to the vendor.
Choice of Venue refers to the state WHERE any court hearing will be held. Any contract or service agreement will require New York to be the Choice of Venue.
Legal Review (continued)

Limitations of Liability (Changes Required: Y/N/NA)
Defines the liability of the vendor if something goes wrong. Verify the liability is at least more than the amount [INSTITUTION] will spend during the life of the contract or service agreement. Any contract or service agreement will require no limitation of liability for willful misconduct or gross negligence.

Technology Agreements (Changes Required: Y/N/NA)
Pay close attention to when software or technology is deemed accepted by [INSTITUTION]. For example, is it accepted when it is delivered? Require a special warranty that software will not contain any illicit code or time bombs that could be used to remotely shut down a system in the event of a dispute with the vendor.

Installation and Training (Changes Required: Y/N/NA)
Check to see if training and installation of the product, service or activity will affect the cost of the original product.

Insurance Review
Determine if any changes are required to [INSTITUTION]'s insurance coverage.
Are any changes to errors and omissions coverage, property and casualty coverage, and fraud and dishonesty coverage required?
Completed by: Date:
Approved by: Date: