Risk Assessments

 View Only

Welcome to the Risk Assessments Community. Here you will find the latest discussions and resources that can help you in this area. Use this community to discuss anything about doing vendor risk assessments. Note: You will need to Sign In to join in the discussions and access resources. 

About Third-Party Risk Assessments: The risk assessment process is a fundamental foundation of a well-managed third-party risk program. A disciplined approach and repeatable process can lay a firm basis for better informed due diligence, structured ongoing monitoring, and meaningful impact in mitigating concerns introduced by your organization's third parties. Taking it a step further, understanding how to mitigate inherent vendor risk is crucial to determining if the benefits of the outsourced product or service outweigh the risk posed.

Latest Discussion Posts

  • Hello, We also use individual risk area scores (we have 10 risk areas we assess) instead of an aggregated risk score or tiering for similar reasons. This allows us to focus on specific risks and managing them and assures they aren't tiered low or high ... More

  • Consider changing the overall risk for the assessment to be highest risk domain. Using your example, the Very High domain would be the reported risk for the vendor. This is the methodology we use to rate the overall risk in our program. This conservative ... More

  • Agree re using IRR to set cadence. Amongst other bits, if it takes 2 months to complete RR due diligence n this is a critical vendor service, you would be reassessing IR every 14 months , 2 months past a typical 12 month cycle ------------------------------ ... More

  • I welcome other thoughts, but I disagree with using residual risk to schedule reassessments. The inherent risk in doing business with whatever vendor is being evaluated, should be the foundation for frequency, almost by default of the word itself. ... More

  • Hi, we are in the process of rolling out our comprehensive program and have some internal discussions as well as with our consultants. Our consultants strongly recommend to use residual risk to trigger reassessment frequency (seems logical) but they ... More

Polls