Original Message:
Sent: 12/3/2020 1:30:00 PM
From: Dave Howe
Subject: RE: Do you use a Financial Threshold for which vendors will be reviewed?
Ah, the group of "why am I looking at these folks" vendors.
My rule of thumb is tied to NPI.
If they don't have or use it, then they are on a 3 year cycle, and the main review is OFAC and contracts [if they exist]. Keep them simple, and not too often because they are low risk. [i.e. very similar to Michelle Chase's approach.]
That way, the most time is spent on vendors that actually have or use data that needs extra protection.
Basic categories of Low Risks would be retail or utilities, in my opinion.
There is certainly a conversation to have about utilities being Low Risk but Critical, but that's probably for a different thread.
I suspect the idea of $$ being an objective measure is appealing, but there are plenty of lower cost vendors that are pretty risky, while some high cost retailers are minimally risky.
Original Message:
Sent: 12-03-2020 01:14 PM
From: Michelle Chase
Subject: Do you use a Financial Threshold for which vendors will be reviewed?
We don't use a financial threshold but instead base vendor review on a two-factor risk analysis looking at operational risk (importance to business, ability to easily replace, etc.) and data risk (amount and scope of NPPI, etc.).
Every vendor has a risk analysis performed, and the risk rating for each factor determines the specific documentation requirements: low risk = lower requirements. We have found this to be helpful to ensure internal consistency across business units as well as for internal and external audit. It's also helpful to ensure we achieve the correct balance of time spent in review and documentation gathering with the actual risk being managed.
Original Message:
Sent: 12-03-2020 12:09 PM
From: Anonymous Member
Subject: Do you use a Financial Threshold for which vendors will be reviewed?
This message was posted by a user wishing to remain anonymous
This is a very good point David. Thanks for responding.
I know our program is in the beginning stages and I think the real question we are asking is how do we rule out all of the vendors of NO INTEREST? Right now I receive every single vendor that we pay money to and even if they are of no interest, I touch it and it's a waste of time. It's added to our vendor database and documents are requested and reviewed if any are received. I need a basic list of questions to rule out vendors like this. I think that is what they are trying to accomplish with the annual spend question.
Any suggestions would be much appreciated.
Original Message:
Sent: 12-03-2020 11:13 AM
From: Dave Howe
Subject: Do you use a Financial Threshold for which vendors will be reviewed?
The threshold that I've used in the past isn't precisely the spend number, but a pre-spend number.
If the vendor or service requires an up front cost prior to receipt of the service or product, then I think there is an argument that there is at the very least financial risk there.
I wouldn't go so far as to say it would be a determining factor for Critical versus non-Critical, but would say it can play a role in determining High/Medium/Low.
The tricky part with determining a threshold for that is that the company's fiscal strength would need to play a heavy part.
$25,000 might be a large prepayment for one, and chump change for another.
Original Message:
Sent: 11-25-2020 11:58 AM
From: Anonymous Member
Subject: Do you use a Financial Threshold for which vendors will be reviewed?
This message was posted by a user wishing to remain anonymous
We are re-evaluating our criteria for which vendors should be reviewed. Wondering if others use Annual Spend as part of the criteria, and if so, how did you determine what threshold ($$$ amount) to use?
Thanks.