
Vendor Review Process and Role of RO

First, let's understand what a vendor review is and why it should be done periodically.

Vendors perform certain activities on behalf of us (Companjon). As a regulated entity, we need to ensure that the outsourced services meet a defined standard. Vendor reviews are put in place as a control mechanism to identify deviations from that standard and correct them before any major breaches happen. For instance, if we outsource our claims processing, we need to ensure that the vendor's employees do not have access to any more customer data than they need for adjudicating claims, and that leavers' access to our systems is revoked on time.

When should the vendor review be done?

Based on the criticality of the services they perform, our vendors are grouped into 4 categories. Category 1 vendors are reviewed annually (every 12 months), Category 2 every 18 months, and Category 3 and 4 every 24 months.

You can see the next review date for your vendors on the corresponding vendor record. You will also get a reminder 60 days before the vendor review is due to kick start the process.

How do I do the vendor review?

1. Tools:

A vendor review requires a careful audit of the services performed by the vendor and completion of a vendor review questionnaire.

You can access the online form here

Or you can create a vendor review directly on Hubspot by going to the vendor record and clicking 'Add Vendor Review' on the right sidebar:

Note: If you have all the information ready, then the online form will come in handy. If you want to start the process and fill information as and when you receive it (over a few days), then creating a vendor review on Hubspot is easier as all your progress will be saved.

Once you click on 'Create Vendor Review', a blank review will be created under the vendor, which is opened automatically:

Click on the 'Questionnaire' tab in the centre pane to view all questions.

You should answer all questions as part of the review (refer to the Questionnaire Guide at the end of this page to understand the questions, with some examples). Please provide the completion date and RAG status only after completing the entire review.

2. Artifacts to be considered:

Please review the documents below during the vendor review, as they help you understand what has been contractually agreed with the vendor, along with the initial assessments done and the arrangements in place, so that breaches can be identified effectively:

  • Contract on Ironclad (if you do not have access, please reach out to the legal team)
  • Latest Due Diligence and Criticality Assessments: You can find them uploaded on the vendor record in Hubspot:
  • Any BCP/audit reports (if available)


3. Questionnaire Guide:

Please use the guide below to understand every question in the review form:

1. Vendor Name
  • Description: Select the vendor name from the dropdown. Note: If the vendor is missing from the list, contact Brinda for support.
  • Examples: "Wise", "HubSpot", "Peak3"

2. Name of Vendor Representative that provided input into the annual review form
  • Description: Write down the name(s) of the vendor SPOCs who provided any input for the review. If there are multiple persons, list their names separated by commas.
  • Example: Jane Doe, John Smith

3. Please list all relevant SLAs/KPIs and confirm whether they have been met. Highlight any instances of SLA non-compliance
  • Description: Refer to the contract and review the agreed SLAs/KPIs. Confirm whether they have been met and highlight any breaches.
  • Hints: The Relationship Owner should refer to the vendor's contract stating the key KPIs and deliverables, and summarise the vendor's performance (e.g. the vendor was contracted to do X; the vendor's performance was Y). If any of the KPIs have been missed, provide some commentary as to why and what is being done to address the issues. The Relationship Owner should also provide a high-level summary of what monitoring is in place, e.g. we have a monthly call, MI is produced by the vendor.
  • Example: SLA for 99.9% uptime met; response time SLA breached twice in Q2

4. Please list any material changes within the Service Provider that might impact the Company or its customers
  • Description: List any changes in the vendor's structure, ownership or processes that could impact Companjon or its customers.
  • Hints: The Relationship Owner should refer to the contract or summary of work. If it says the vendor is required to do XYZ… and they are doing something materially different, the Relationship Owner should describe this and confirm that the contract has been updated to reflect it.
  • Examples: Vendor acquired by a new parent company; support outsourced by the vendor to another external team (i.e. a subcontractor)

5. Please list any known risks or issues within the Service Provider that may adversely impact on the Company or its customers
  • Description: List any known operational or financial risks related to the vendor. This information may be available publicly, notified by the vendor as a press release/announcement, or disclosed to you during the audit.
  • Hints: The Relationship Owner should review the Risk Assessment in the Due Diligence file and confirm whether the risks have been mitigated or new risks identified. The Relationship Owner should also obtain a new Creditsafe report and note whether any new risks have been identified; the report should be uploaded to the vendor record.
  • Examples: Delay in regulatory reporting; financial health concerns due to a major customer loss

6. Please list any contractual changes done during the review period
  • Description: Review the contract on Ironclad to see whether any amendments have been made to the existing contract or any new contracts signed with the vendor. List any contract changes made during the review period.
  • Hints: The Relationship Owner should state that the contract has been reviewed (looking at expiry dates etc.) and is still aligned to the services the vendor is providing, or, if there has been a material change, confirm that the contract has been updated to reflect the change in services.
  • Example: Extended contract duration by 12 months; updated payment terms

7. Please provide details of any regulatory breaches by the Service Provider in the review period
  • Description: Provide details of any regulatory breaches during the review period. This information may be available publicly, notified by the vendor as a press release/announcement, or disclosed to you during the audit.
  • Template response: As of xx date, there are no publicly reported regulatory breaches involving <insert vendor> during the review period. The company has maintained compliance with applicable regulations and standards.
  • Example: Fine of £20,000 by CBI due to insufficient data protection measures

8. How does the Service Provider's Disaster Recovery or Business Continuity plan adequately cover the provision of business-critical services to Companjon Services DAC and its customers?
  • Description: Review the latest Due Diligence for information on the vendor's business continuity plans. Check with the vendor SPOC whether any DR tests have been conducted during the review period and whether any issues have been identified. Provide details on how the vendor ensures service continuity. Note: This might not be relevant for all vendors and is primarily for critical vendors who store/process our data.
  • Template response: <insert vendor> functions from <e.g. details of IT security infrastructure> and everything they require to support us is cloud based. Their platforms sit in either Microsoft or Amazon data centres, which guarantee 99.99% uptime.
  • Examples: Peak 3 - Annual DR test completed successfully, fallback site established. Ablera - DR set-up is currently in progress.

9. Please list any Data Protection concerns or control weaknesses identified within the Service Provider
  • Description: Understand how our data is protected by the vendor and list any identified data protection issues or control weaknesses. Note: This might not be relevant for all vendors and is primarily for critical vendors who store/process our data.
  • Template response: There are no significant data protection concerns or control weaknesses identified within the Service Provider. Data protection is robustly addressed through a combination of …….. <provide details of what the vendor relies on to keep data secure>.
  • Examples: Access revocation not done on time after employee departures. Google Cloud provides strong data protection controls, including encryption at rest and in transit as well as a secure multi-zone architecture; <vendor> enhances data protection by encrypting all customer data, so that data can only be decrypted by users with the appropriate access rights.

10. Please list any reviews/audits relevant to the Service Provider during the period
  • Description: If you have regular reports shared by the vendor or periodic meetings for monitoring purposes, list the outcome of such reviews. Also check with the vendor SPOC whether any audits or reviews have been completed during the review period and list their details.
  • Hints: The Relationship Owner should include details of the monitoring they have in place with the vendor; this should be appropriate for the category of the vendor and the services they provide. For example, a Category 1 vendor that provides important services may send weekly performance MI, and the Relationship Owner has monthly calls and meets their contact on at least an annual basis.
  • Examples: Sixsentics - Monthly review meetings on services performed and metrics held periodically; no major issues have been identified during these meetings. Enterprise Bot - ISO 27001 re-certification audit completed in Jan 2025.

11. Have you reviewed the Due Diligence and updated it (if necessary)?
  • Description: The Due Diligence must be reviewed during the audit and updated if necessary. If you have not reviewed it as part of the audit, you need to specify why this has not been done.
  • Hints: The Relationship Owner should mark yes or no and add some commentary to say that the DD file has been reviewed and the performance was in line with what was set out in the file, or, if there have been any changes, provide a high-level summary.
  • Example: No, as the Due Diligence was updated last month when project XXX was implemented and no changes have happened since then.

12. Have you reviewed the Risk Assessment and updated it (if necessary)?
  • Description: The Criticality Assessment must be reviewed during the audit and updated if necessary. If the criticality category has changed, follow the approval process with the EMT sponsor and Head of Compliance, update the Due Diligence and upload the updated document in HubSpot. If you have not reviewed it as part of the audit, you need to specify why this has not been done.
  • Example: Yes, no changes to the chosen criticality level.

13. Please select current RAG Status for the vendor based on completed review
  • Description: Select the current RAG (Red, Amber, Green) status based on the review.
  • Examples: Red (R): Major breach, significant impact. Amber (A): Remediation needed. Green (G): No issues, all standards met.

14. Please detail reason for choosing the above RAG status
  • Description: Provide the reason for selecting the RAG status.
  • Example: Red due to SLA breaches in Q3; requires immediate remediation.

15. How many follow-up actions have been identified during the review?
  • Description: Enter the number of follow-up actions identified during the review. These actions could be on the vendor's end or Companjon's. Once you provide a number here, you have to provide details of what each action is, who owns it and by when it will be completed.
  • Example: 1 Action: Enterprise Bot to share periodic SLA reports on the services performed, highlighting system uptime and DR activities planned. Due on 31 Mar 2025.

16. Review Completion Date
  • Description: Enter the date when the review was completed. Please fill in this field only after all questions are answered.
  • Example: 01/02/2025

Note: If you want to upload the updated DD/DPIA or Creditsafe report on Hubspot, please open the vendor record -> Actions -> View all properties -> Search for Due Diligence/DPIA/Creditsafe and upload:

I have submitted the review, what happens next?

Once you submit a review (i.e. provide a review completion date), a review task is automatically created for the EMT sponsor. If they have any questions or feedback, they will leave a comment on Hubspot tagging you. The Head of Compliance will also review it and raise any questions via Hubspot. Please turn on notifications from Hubspot to receive these emails, and answer any questions raised to get the review signed off.