Our process starts with Vendor Management initiating a task to the Relationship Manager to review the vendor, updating demographic information and updating the risk ranking.
When the Relationship Manager completes that step, depending upon criticality, a task goes to the vendor contact to provide requested information and reports such as SOC and financials.
The Relationship Manager reviews the supplied items to ensure they cover the product or service provided. Internal specialists review the SOC and financials.
When necessary, Legal is brought into the process to review the contract.
Finally, Vendor Management does one final overall review of the process ensuring all steps were completed sufficiently.
Original Message:
Sent: 05-17-2021 09:53 AM
From: Mark Eden
Subject: Completion of Third Party Risk Assessments
Original Message:
Sent: 05-17-2021 09:19 AM
From: Anonymous Member
Subject: Completion of Third Party Risk Assessments
This message was posted by a user wishing to remain anonymous
We are reviewing our operational processes and are determining the best area to send out the annual third party risk assessments. Does anyone have other areas (such as a Procurement area) send their third party annual assessments, or does it primarily remain the responsibility of your VMO or IT Risk teams? If you use other areas, how did you come about that process, and would you recommend it with process changes?
Separation of duties.
We keep roles and responsibilities separated. Finance, procurement, and compliance are all separate functional groups with a role to play in the process. Risk assessment is part of compliance and works with finance and procurement to develop an accurate picture of the risk each supplier presents to the organization.
It is a little extra work but it is worth it.