Risk Assessments


Do you use a Financial Threshold for which vendors will be reviewed?

  • 1.  Do you use a Financial Threshold for which vendors will be reviewed?

    This message was posted by a user wishing to remain anonymous
    Posted 11-25-2020 12:13 PM

    We are re-evaluating our criteria for which vendors should be reviewed.  Wondering if others use Annual Spend as part of the criteria and if so, how did you determine what threshold ($$$ amount) to use.  

    Thanks.


  • 2.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-01-2020 10:14 AM

    Excellent question.  While expenditure is certainly one component of the risk assessment for any vendor, it is only one component or one question in one category.  IMHO, using a dollar amount to determine a vendor's criticality or level of risk doesn't get you where you want to go. It can actually lead you in the wrong direction. I like to use the three questions below to determine if a vendor is critical. 

    3 Questions to decide if it is a critical vendor:

    1. Would the sudden loss of this third party cause a significant disruption to our business?
    2. Would the sudden loss impact our customers/members?
    3. Would the time to restore service without this vendor be greater than one business day or greater than our organization's business continuity plan requires? Is your vendor's Recovery Time Objective (RTO), Recovery Point Objective (RPO), or Maximum Tolerable Downtime (MTD) greater than your organization's?

    Any vendor that has access to your organization's information, your customers' information or your organization's employees' information is a high-risk vendor and should be handled accordingly.

    Spend is normally dictated by the board and usually referred to as spending limits or spending authority.

    Does anyone else have thoughts on the subject?


  • 3.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-01-2020 04:04 PM
    I agree with Gordon's approach. We do not incorporate vendor spend into our evaluation of RISK. The cost to lease a large fleet of vehicles could be expensive, but what is the risk with that vendor?

    As an insurance company we look at the nature or type of the information being exchanged along with the volume and method. Does the vendor have access to our environment, physical or system? We look at the product or service being provided and its impact if altered or not provided. Does the vendor provide a product or service that directly impacts the financial statements? Is the vendor regulated, or does it provide a regulated service? Our last factor is replacement difficulty.


  • 4.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    This message was posted by a user wishing to remain anonymous
    Posted 12-02-2020 12:15 PM

    Thank you Gordon.  This was very helpful and will be useful going forward as we try to mature our process.

    Appreciate you taking the time to reply.  I've found this forum very helpful and value feedback from those with more experience than myself.  I wish others contributed more often as I haven't been able to find other forums specifically addressing TPRM.  Thanks again.


  • 5.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-03-2020 11:13 AM
    The threshold that I've used in the past isn't precisely the spend number, but a pre-spend number.
    If the vendor or service requires an up-front cost prior to receipt of the service or product, then I think there is an argument that there is at the very least financial risk there.
    I wouldn't go so far as to say it would be a determining factor for Critical versus non-Critical, but would say it can play a role in determining High/Medium/Low.

    The tricky part with determining a threshold for that is that the company's fiscal strength would need to play a heavy part.
    $25,000 might be a large prepayment for one, and chump change for another.


  • 6.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    This message was posted by a user wishing to remain anonymous
    Posted 12-03-2020 12:54 PM

    This is a very good point David.  Thanks for responding.  
    I know our program is in the beginning stages and I think the real question we are asking is how do we rule out all of the vendors of NO INTEREST? Right now I receive every single vendor that we pay money to and even if they are of no interest, I touch it and it's a waste of time.  It's added to our vendor database and documents are requested and reviewed if any are received.  I need a basic list of questions to rule out vendors like this.  I think that is what they are trying to accomplish with the annual spend question. 
    Any suggestions would be much appreciated.


  • 7.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-03-2020 01:14 PM
    We don't use a financial threshold but instead base vendor review on a two-factor risk analysis looking at operational risk (importance to business, ability to easily replace, etc.) and data risk (amount and scope of NPPI, etc.).
    Every vendor has a risk analysis performed, and the risk rating for each factor determines the specific documentation requirements: low risk = lower requirements.  We have found this to be helpful to ensure internal consistency across business units as well as for internal and external audit.  It's also helpful to ensure we achieve the correct balance of time spent in review and documentation gathering with the actual risk being managed.



  • 8.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-03-2020 01:30 PM
    Ah, the group of "why am I looking at these folks" vendors.

    My rule of thumb is tied to NPI.
    If they don't have or use it, then they are on a 3-year cycle, and the main review is OFAC and contracts [if they exist]. Keep them simple, and not too often because they are low risk. [i.e. very similar to Michelle Chase's approach.]

    That way, the most time is spent on vendors that actually have or use data that needs extra protection.

    Basic categories of Low Risks would be retail or utilities, in my opinion.
    There is certainly a conversation to have about utilities being Low Risk but Critical, but that's probably for a different thread.

    I suspect the idea of $$ being an objective measure is appealing, but there are plenty of lower cost vendors that are pretty risky, while some high cost retailers are minimally risky.


  • 9.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-03-2020 02:42 PM
    I would never base importance on financial spend. When I give presentations on this topic I often give two of my favorite examples:
    1) In the tech world, many major tech companies use a service that costs ~$50K/year to file corporate taxes. It seems trivial, but if the corporations fail to file there are financial penalties.
    2) When JP Morgan had a breach several years back (I wrote a LinkedIn article on this), it involved the third party that JPMC spent ~$50K/year on to manage their charitable donations (giving online). That vendor had no security controls. So you log into JPMC and then if you <click> to give a donation, it jumped to a third-party site that had almost no security measures. Millions of accounts were stolen in the clear for 4-5 months until the stolen data was being acted upon.

  • 10.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    This message was posted by a user wishing to remain anonymous
    Posted 12-03-2020 03:40 PM

    Hi Keith, That article you linked is pretty scary. Thanks for sharing. What would you recommend as a better approach if the financial spend isn't the route to take? Wouldn't it be potentially overwhelming to have a full security review for every single vendor (particularly in large companies where there could be hundreds of them)?


  • 11.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    This message was posted by a user wishing to remain anonymous
    Posted 12-03-2020 06:01 PM

    I would concur with Keith's input. I would never base an inherent risk scoring on spend. I would gather the information though and utilize it as a trigger for a financial review as someone else alluded to if the payment terms are pre-paid and the amount is material to your Company.


  • 12.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    This message was posted by a user wishing to remain anonymous
    Posted 12-03-2020 04:23 PM

    Been following this thread, and there is a lot of good info here.  However, if you have a policy such as no NPI/PII or proprietary company data is shared, the services are not critical to operations, and the dollar-value threshold is less than a low threshold (i.e. $5k, so as to exclude things like vendors used for bereavement gifts, business lunches, dry cleaning, etc.), would it be prudent?


  • 13.  RE: Do you use a Financial Threshold for which vendors will be reviewed?

    Posted 12-03-2020 09:52 PM
    During the onboarding process, we look at the use case and determine the Risk to the product or service as well as the impact should something go wrong. Business continuity is fine but again, it is part of the equation. Access to confidential information is important but you must look at what all information they have responsibility to manage. What makes this vendor more critical to that vendor might just be that they are an important part of your keystone product or service. And yes, spend may factor in. 

    It is more work but try to build this into that product or service. The question is not really is this a critical vendor by category but what would happen should this vendor fail, how could this vendor fail and our product or service be damaged? Keith describes the horrific endgame scenarios that really happened to some savvy risk managers. Both were tail events that frankly are extremely hard to even catch before disclosure, much less predict during the onboarding process or annual review.

    There are some great ideas here. The thing I would add is don't limit your evaluation of a vendor to a checklist. Make sure your Product Owners understand that they are responsible for the Risk introduced by their favorite partner. Expand your risk assessment to include the use case and try to expand your field of vision as to all the places your supplier will touch. Make sure that your Executives understand the Risk that is being built into a product or service. Through the use case, try and find the hidden flaw. 

    I am aware of what I am saying. No Risk Manager has this luxury of time and scope, so trade-offs are made. The best we can do is just try to anticipate as best we can. Trying to rely on a single set of parameters with the same weight to evaluate your suppliers will lead to disappointment.