vendorduediligence_compliancechecklist.1

Upload: anuj-mahajan

Post on 05-Apr-2018


  • 8/2/2019 VendorDueDiligence_ComplianceChecklist.1

    1/5

    Vendor Due Diligence Risk Assessment - Page 1 of 5

    Vendor Risk Assessment

    | Decision Factors | High Risk (3 points) | Medium Risk (2 points) | Low Risk (1 point) |
    |---|---|---|---|
    | Member/Customer Information Sharing | Non-public information shared | Only public information shared | No information shared |
    | Information Confidentiality | No vendor contract, or contract lacks confidentiality clause | Contract includes confidentiality clause | Vendor has no confidential information |
    | Operational Reliance | Critical: disruption would cause significant impact | Disruption of service MAY cause impact | Only provides services that would not impact or are easily replaced |
    | Operational Replacement | Vendor services would be difficult to replace | Vendor services can easily be replaced with another vendor | Staff is easily able to take over operational functions, or functions do not need to be completed daily |
    | Financial Institution Reputation | Potential impact on [Institution] reputation is likely | Potential impact on [Institution] reputation is moderate | No impact on [Institution] reputation |
    | Financial Impact | Impact to [Institution] and its Members/Customers would be significant | Impact to [Institution] and its Members/Customers would be moderate | Impact to [Institution] and its Members/Customers would be minimal |
    | Regulatory Exposure | Vendor must be in compliance with all appropriate regulations | Minimal regulatory compliance required | No regulatory compliance required |
    | Expenditure Amount | Capital expenditure exceeds $50,000 annually | Capital expenditure less than $50,000 annually | Servicing vendor only |

    Total Risk Points:
    17 - 24 points: Ongoing annual due diligence required
    12 - 16 points: Periodic review & service assessment as needed
    < 12 points: Initial due diligence sufficient

    Management reserves the right to adjust a company down or up one level if management believes the company presents a greater/lesser risk than determined by the scoring matrix.

    www.continuity.net

  • 2/5

    Initial Risk Assessment Form

    Vendor Name:

    Purpose:

    Directions:

    Rate this vendor on a scale of 3 (highest/greatest risk) to 1 (least/no risk) for each category listed below and calculate the sum of the ratings. Submit this form with the Vendor Due Diligence Report.

    | Category | Rating | Comments |
    |---|---|---|
    | Information Sharing | | |
    | Information Confidentiality | | |
    | Operational Reliance | | |
    | Operational Replacement | | |
    | [Institution] Reputation | | |
    | Financial Impact | | |
    | Regulatory Exposure | | |
    | Expenditure Amount | | |
    | Overall Risk Level | | |

    Total Risk Points:
    17 - 24 points: Ongoing annual due diligence required
    12 - 16 points: Periodic review & service assessment as needed
    < 12 points: Initial due diligence sufficient

    The Vendor Oversight Committee and Management reserve the right to adjust a company down or up one level if management believes the company presents a greater/lesser risk than determined by the scoring matrix.
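    The scoring matrix and the form above, as an added Python example that is not part of the checklist: it validates the eight 1-3 ratings, sums them, maps the total to the three due-diligence tiers, and applies the one-level management adjustment. The category key names and the requirement that an adjustment carry a written justification are assumptions made here, not on the form.

```python
# Vendor risk scorer for the 8-category, 3/2/1-point matrix on pages 1 and 2.
# Added example; not part of the checklist. Category keys are assumed names.
CATEGORIES = (
    "information_sharing", "information_confidentiality",
    "operational_reliance", "operational_replacement",
    "institution_reputation", "financial_impact",
    "regulatory_exposure", "expenditure_amount",
)
# Tiers from the "Total Risk Points" key. Eight ratings of 1-3 total 8..24,
# so the "< 12 points" band covers 8-11.
TIERS = (
    (8, 11, "Initial due diligence sufficient"),
    (12, 16, "Periodic review & service assessment as needed"),
    (17, 24, "Ongoing annual due diligence required"),
)


def total_points(ratings):
    """Sum the ratings after checking every category is rated 1, 2 or 3."""
    missing = [c for c in CATEGORIES if c not in ratings]
    if missing:
        raise ValueError(f"unrated categories: {missing}")
    bad = {c: v for c, v in ratings.items()
           if c not in CATEGORIES or v not in (1, 2, 3)}
    if bad:
        raise ValueError(f"ratings must be 1-3 for listed categories: {bad}")
    return sum(ratings[c] for c in CATEGORIES)


def tier_index(points):
    for i, (lo, hi, _) in enumerate(TIERS):
        if lo <= points <= hi:
            return i
    raise ValueError(f"total {points} is outside 8..24")


def assess(ratings, adjustment=0, justification=""):
    """Return (total points, due-diligence tier). `adjustment` is management's
    override of -1, 0 or +1 levels; the form allows one level either way.
    Requiring a written justification for it is an assumption made here."""
    if adjustment not in (-1, 0, 1):
        raise ValueError("management may move a vendor at most one level")
    if adjustment and not justification.strip():
        raise ValueError("a one-level adjustment needs a documented reason")
    points = total_points(ratings)
    # Clamp so an adjustment cannot move past the lowest or highest tier.
    idx = min(max(tier_index(points) + adjustment, 0), len(TIERS) - 1)
    return points, TIERS[idx][2]
```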

  • 3/5

    APPENDIX B: Vendor Due Diligence Report

    Vendor Name:

    Date:

    | Question | Comment |
    |---|---|
    | Planning | |
    | Why are we looking at this proposed activity, product or service? | |
    | How is the activity, product or service consistent with [INSTITUTION] values, risk tolerances and business strategies? | |
    | Address the risks of the activity, product or service as defined below: High, Moderate or Low | |
    | Loss of capital if the activity, product or service fails? | |
    | Loss of Member/Customer confidence if the activity, product or service fails? | |
    | Costs associated with training existing or attracting new personnel? | |
    | Costs associated with investing in required infrastructure? | |
    | Return on Investments | |
    | Attach or list a projection of how the activity, product or service will affect revenue, expenses, and net income. | |
    | Are the profit projections and assumptions provided by the vendor fully understood? List any concerns or questions. | |
    | Attach a cost benefit analysis for any activity, product or service that does not generate income. | |
    | Financial Review | |
    | Attach a copy of financial statements or a SAS-70 report from the vendor. | |
    | Attach or summarize the results of a financial review of any prospective vendor that is considered mission critical. | |
    | Based on the financial review, is the company under-capitalized or showing weak earnings? Consult a licensed CPA as necessary. | |
    | Background Check | |
    | List or attach at least three (3) client (current and former) references provided by the vendor. List the dates these references were contacted and any issues mentioned that need to be addressed. | |
    | List or attach any background information gathered from listservs, the Better Business Bureau, FTC, etc. | |

  • 4/5

    Legal Review

    Any contract or service agreement should be considered negotiable. A vendor's refusal to negotiate any of the Legal Review items requires review by [Institution] counsel or Board of Director approval prior to acceptance.

    Review the following items in the proposed contract or service agreement.

    Definitions (Changes Required: Y/N/NA)
    Pay special attention to how terms are defined to make sure the contract or service agreement meets expectations, e.g. if customer service is required by [INSTITUTION] 7 days a week, make sure the vendor's business hours are consistent with the requirement.

    Length of Term (Changes Required: Y/N/NA)
    Make sure the length of term is appropriate for the product being offered. Short-term contracts and service with automatic renewals are preferred over long-term obligations.

    Payment Terms (Changes Required: Y/N/NA)
    Setting a payment schedule based on expectations being met is preferred. Never agree to pay a vendor in full until the product or service is fully installed and working to [INSTITUTION] expectations.

    Confidentiality Agreements (Changes Required: Y/N/NA)
    All contracts or service agreements with vendors that have access to any Member/Customer information will be required to protect Member/Customer confidentiality. Confidentiality agreements must extend beyond the life of the contract for at least 5 years. The contract or agreement must also include a provision that the vendor will never sell any Member/Customer information.

    Warranties (Changes Required: Y/N/NA)
    Warranties are vendor statements and representations about what the product, service, or activity is intended to do. Make sure the contract or service agreement states what the product, service or activity is supposed to do. If it references any documentation, make sure [INSTITUTION] has the documentation prior to signing.

    Choice of Law/Venue (Changes Required: Y/N/NA)
    Choice of Law refers to the state law a court will apply to any legal dispute. This is negotiable, but under no circumstances will Maryland or Virginia be acceptable for any software or technology agreements. The laws in these states are favorable to the vendor. Choice of Venue refers to the state WHERE any court hearing will be held. Any contract or service agreement will require New York to be the Choice of Venue.

  • 5/5

    Vendor Due Diligence Risk Assessment - Page 5 of 5

    Legal Review continued

    Limitations of Liability (Changes Required: Y/N/NA)
    Defines the liability of the vendor if something goes wrong. Verify the liability is at least more than the amount [INSTITUTION] will spend during the life of the contract or service agreement. Any contract or service agreement will require no limitation of liability for willful misconduct or gross negligence.

    Technology Agreements (Changes Required: Y/N/NA)
    Pay close attention to when software or technology is deemed accepted by [INSTITUTION], e.g. is it accepted when it is delivered? Require a special warranty that software will not contain any illicit code or time bombs that could be used to remotely shut down a system in the event of a dispute with the vendor.

    Installation and Training (Changes Required: Y/N/NA)
    Check to see if training and installation of the product, service or activity will affect the cost of the original product.

    Insurance Review
    Determine if any changes are required to [INSTITUTION]'s insurance coverage. Are any changes to errors and omissions coverage, property and casualty coverage, and fraud and dishonesty coverage required?

    Completed by:            Date:

    Approved by:             Date:
