Risk Assessments

  • 1.  Risk Rating

    This message was posted by a user wishing to remain anonymous
    Posted 05-05-2020 09:56 AM

    Not sure if this has been discussed before.

    Do you all do risk rating (high, med, low) for your vendors every year on all your vendors regardless of rating, or do you just do the high-risk and medium-risk vendors yearly?


  • 2.  RE: Risk Rating

    This message was posted by a user wishing to remain anonymous
    Posted 05-05-2020 10:14 AM

    Yes.

    Vendors are potentially rated as High, Medium or Low based on the inherent risk assessment, and the control posture is reviewed on a periodic basis to measure the risk posture of the supplier and control effectiveness.




  • 3.  RE: Risk Rating

    Posted 05-06-2020 12:45 PM

    We rate Vendors as Critical, High, Medium, Low, or Excluded and perform a "full review." The full review consists of a comment from the Vendor Owner, speaking to their satisfaction with the vendor and their products / services; a Review Questionnaire and a Vendor Risk Assessment; and we perform financial and information security, etc. reviews throughout the year, depending on when we onboarded the vendor or received the document. For High Risk or Critical Vendors, we perform the "Full Vendor Review" annually; Moderate – Biennial; Low – Triennial; and those that are "excluded" are not part of the Review schedule. We also have "Generic" vendor categories that we assess depending on their assigned risk level, i.e. Generic Exterior Facilities Vendors. We assign a risk rating and have the owner complete one Review for all vendors that fall into that Generic category.


    Laura Ashley Bylo, VPA

    Vendor Program Analyst, Risk Management



  • 4.  RE: Risk Rating

    This message was posted by a user wishing to remain anonymous
    Posted 05-05-2020 10:15 AM

    We review high risk every year, medium risk every other year and low risk only at contract renewal.


  • 5.  RE: Risk Rating

    Posted 05-05-2020 10:22 AM
    We conduct annual risk assessments on all of our Critical vendors, regardless of any previous risk rating. From there, we conduct risk assessments at the product level, not the vendor level. All those vendor products rated as a HIGH risk are reviewed annually, MEDIUM every two years and LOW every three years or at contract time.


  • 6.  RE: Risk Rating

    Posted 05-05-2020 10:25 AM
    We review our third party vendors as follows:

    • High - Yearly
    • Medium High - Every Two Years
    • Medium - Every Three Years
    • Medium Low & Low - Change of Scope/Services



  • 7.  RE: Risk Rating

    This message was posted by a user wishing to remain anonymous
    Posted 05-05-2020 11:06 AM

    We review based on the Inherent Risk Rating as shown below. Of course, some individual assessments could be annual, every two or three years regardless of Inherent Risk Rating (HIPAA is always annual if in scope; Country Risk is one time or if there is a change in offshore risk characteristics, etc.). Inherent Risk Assessments can be relaunched if there is any change in the scope of services.

    • High - Annually
    • Medium - Every 2 Years
    • Low - Every 3 Years



  • 8.  RE: Risk Rating

    Posted 05-06-2020 10:42 AM

    Similar to some of the others who have replied, we risk rate our vendors/products when we complete their regular risk assessment on a cycle according to criticality and/or inherent risk.

    • Critical vendors' products (regardless of inherent risk rating), High, and Moderate-High risk products - Annually
    • Moderate risk products - every 2 years
    • Low-Moderate and Low risk products - every 3 years

    If something has changed with the vendor or the product, the risk rating from the inherent risk assessment may change accordingly. For example, if we migrate an in-house system to a cloud-based solution, even if it is the same product from the same vendor, the risk rating may increase to a higher level, putting that vendor/product on a different cycle. Hopefully, we in vendor management will be made aware of that type of change before the fact and will complete an assessment as if it were a new product.