Risk Assessments

  • 1.  Completion of Third Party Risk Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 05-17-2021 09:26 AM

    We are reviewing our operational processes and are determining the best area to send out the annual third party risk assessments. Does anyone have other areas (such as a Procurement area) send their third party annual assessments, or does it primarily remain the responsibility of your VMO or IT Risk teams? If you use other areas, how did you come about that process, and would you recommend it along with the process changes?


  • 2.  RE: Completion of Third Party Risk Assessments

    Posted 05-17-2021 09:54 AM

    Separation of duties. 

    We keep roles and responsibilities separated. Finance, procurement, and compliance are all separate functional groups with a role to play in the process. Risk assessment is part of compliance and works with finance and procurement to develop an accurate picture of the risk each supplier presents to the organization. 

    It is a little extra work but it is worth it. 




  • 3.  RE: Completion of Third Party Risk Assessments

    Posted 05-17-2021 03:39 PM
    Our process starts with Vendor Management initiating a task to the Relationship Manager to review the vendor, updating demographic information and updating the risk ranking.
    When the Relationship Manager completes that step, depending upon criticality, a task goes to the vendor contact to provide requested information and reports such as SOC and financials.
    The Relationship Manager reviews the supplied items to ensure they cover the product or service provided. Internal specialists review the SOC and financials.
    When necessary, Legal is brought into the process to review the contract.
    Finally, Vendor Management does one final overall review of the process, ensuring all steps were completed sufficiently.


  • 4.  RE: Completion of Third Party Risk Assessments

    This message was posted by a user wishing to remain anonymous
    Posted 05-17-2021 07:35 PM

    We outsource the execution of our external vendor assessment process and have a small internal team dedicated to reviewing assessment results and managing the TPRM lifecycle. We are considered an arm of the overall Corporate Risk Management Team. For the day-to-day work, we are closely aligned to Procurement, but we also require our Info Sec team to review and approve all IT Security related concerns. Initially I believe our TPRM function was established in response to NYDFS. But because we want to assess vendors across multiple risk domains (not just IT), it wasn't appropriate for the entire TPRM function to reside under IT Security. Our Procurement team did not have the risk expertise or the bandwidth to implement TPRM, so we were formed under Risk Management.