Risk Assessments

  • 1.  Consultants

    This message was posted by a user wishing to remain anonymous
    Posted 04-16-2021 01:36 PM

    Are your firms performing regular vendor risk assessments on consultant relationships? If so, are you using a more streamlined version of your risk questionnaire? Any other tips or best practices would be appreciated.


  • 2.  RE: Consultants

    Posted 04-22-2021 04:08 PM
    Hi, and thanks for this question!

    Consultant relationships often go overlooked in VRM, not only because of the type of relationship it is, which can be sensitive in nature, but also because of who the business owners engaging in this relationship would be. However, I do think it is entirely appropriate to conduct due diligence for these engagements, but absolutely be sure to customize your efforts for the engagement at hand. Have a conversation with those internal personnel about the information that will be shared, how it will be shared, and, furthermore, how it will be protected appropriately. Try to keep sensitive data in house or onsite whenever possible. Also, have a conversation with the consultant company about what they'll be doing with that data, and be sure the protection and disposal of that information is considered in the contract. Also, it is entirely appropriate to verify the legitimacy of the organization, and to ensure that appropriate background checks, including a validation of credentials, have been conducted for all personnel who will be providing services to you.

    As for regularity, I would say it might be more appropriate to conduct due diligence at the onset of each particular engagement or assessment, rather than on a periodic basis.

    Hope this helps, but I would love to hear more feedback about what others have experienced in these situations.

    Thank you!
    Nicole