This message was posted by a user wishing to remain anonymous
We use a qualitative risk model to support our Vendor Management Program (VMP) today. There are various benefits to this but we are considering the use of a quantitative model as well to support our program as we believe presenting risk in a dollar format will better resonate with senior management.
We are struggling to identify a standard which captures all risk associated to TSP services which can be implemented to all of the TSPs in our Program (for example cost of data breach and the number of records they have, total costs for services provided, using the difference between inhouse costs and external costs to provide service, etc.). Can someone provide guidance on what cost standards they have found most beneficial to adequately capture risks for the quantitative model, and how they use both quantitative and qualitative methods to support their VMP, or how they converted from the qualitative to the quantitative methods?
Thank you in advance