Latest Discussions

Catch Up on the Latest Discussions
Network. Collaborate. Connect. 

This community provides a space where professionals in the industry can access third party risk management resources, and more importantly, interact with each other through discussion boards. You’re able to network, share stories, ask questions, receive feedback from others to help overcome your own challenges and more. 

Latest Discussions List

  • RE: Due Diligence for Federal Government Entities

    This message was posted by a user wishing to remain anonymous. First, I'm not sure what you mean by "level classification," but I do empathize with the struggle that comes with trying to treat contracts with government entities like any other. Unfortunately, ...

  • Yes, I'd request as much information as reasonably available. Certainly, all of the things like a reputation risk check, history of data breaches, articles of incorporation all come to mind - additionally, I'd request copies of their business continuity ...

  • We are reevaluating our vendors' level classification and I would like to know how other agencies are treating federal government entities like Fannie Mae, the VA, or your State Housing authorities. These are agencies that store and process our customers' NPI and ...

  • Posted in: Risk Assessments

    I'm curious as to what even defines "smaller vendors" in your world? Are you referring to yearly spend and if so, would you mind sharing what that amount is? We use $5,000 as our first threshold. Thanks, Bob

  • Small Vendor Security assessments

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. We use a questionnaire with close to 100 questions for our security risk assessments. It's quite an exhaustive list for our smaller vendors. Some of our critical vendors are five-man shops and don't ...

  • vendors and cloud software assessment (AWS)

    This message was posted by a user wishing to remain anonymous. I have a vendor hosting an application in the cloud and, due to the "shared cloud responsibility", I'm wondering if requiring reports (i.e. output of Trusted Advisor, is IAM used?, CloudTrail ...

  • Hello Mark and welcome to the wonderful world of Vendor Management! I'll try to answer your questions with our practices below: We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring ...

  • Hi! We have a process in place which is similar to what you describe. For document reviews, such as SOC reports, and information security items, we partnered with various stakeholders (like internal audit, information security) to identify thresholds ...

  • Hello! We do have a vendor management policy and standard which provide guidelines for when the RFI/RFP process should be used. There are a variety of factors which could trigger the RFP process, such as overall cost (select a threshold, for example ...

  • We are early in our formal Vendor Risk Management process. As we roll out our ongoing vendor oversight and monitoring tasks we will request specific reports be provided from our critical-ranked vendors. The report requests will vary based on which ...

    1 person likes this.
  • When to use an RFP?

    I am formalizing Penn National Insurance's Vendor Management policy. I was asked to add guidelines around when an RFP (Request for Proposal) should or should not be used. Does your organization have a formal vendor management policy or vendor selection ...

  • RE: Whitelisting

    This message was posted by a user wishing to remain anonymous. Following. We are also trying to develop a similar question/questions for our questionnaire.

  • Whitelisting

    This message was posted by a user wishing to remain anonymous. I'm curious if anyone has any due diligence questions regarding IP Whitelisting that they ask their third party vendors. If you do, please share your questions or any other thoughts about ...

  • RE: Resellers

    Agreed - the waters can be very murky. When working with my internal vendor owners, I often use an example of buying sneakers. I can purchase Nike sneakers from Macy's or Foot Locker. In most cases Macy's and/or Foot Locker are just delivering the ...

  • I would also like to receive your spreadsheet of the standard items to request from low risk vendors. Thank you.

  • Quantitative Risk Models

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. We use a qualitative risk model to support our Vendor Management Program (VMP) today. There are various benefits to this but we are considering the use of a quantitative model as well to ...

    2 people like this.
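As an added illustration of the "Quantitative Risk Models" post above (this is example code written for this page, not something the poster or the community published): a minimal quantitative vendor risk model that sits beside a qualitative tier. It assumes each vendor gets an analyst estimate of annual incident probability and a triangular (min, most likely, max) loss-magnitude range, in the style of FAIR-type analyses; the vendor names, tiers and dollar figures are constructed for the example.

```python
"""Added example: closed-form and Monte Carlo expected annual loss per vendor.

Assumptions (not from the thread): each vendor has an estimated annual
probability of a loss event and a triangular loss-magnitude range in USD.
All vendor names and figures below are constructed sample data.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class VendorRisk:
    name: str
    p_incident: float   # probability of at least one loss event per year
    loss_min: float     # triangular loss-magnitude estimate, USD
    loss_mode: float    # most likely loss
    loss_max: float     # worst credible loss


# Constructed sample data; not real vendors or real figures.
VENDORS = [
    VendorRisk("payroll-saas", 0.20, 50_000, 150_000, 500_000),
    VendorRisk("print-shop", 0.30, 1_000, 5_000, 20_000),
    VendorRisk("core-banking-host", 0.05, 500_000, 2_000_000, 10_000_000),
]

# The existing qualitative tiers the quantitative numbers are compared against.
QUALITATIVE_TIER = {
    "payroll-saas": "High",
    "print-shop": "Low",
    "core-banking-host": "High",
}


def expected_annual_loss(v: VendorRisk) -> float:
    """Closed form: P(event) x mean of the triangular loss distribution."""
    return v.p_incident * (v.loss_min + v.loss_mode + v.loss_max) / 3.0


def simulate_annual_loss(v: VendorRisk, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo annual loss: a Bernoulli event draw, then a triangular loss.

    Returns the simulated mean plus tail percentiles, which the closed form
    cannot give and which are what a quantitative model adds over a tier.
    """
    rng = random.Random(seed)  # seeded so results are reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < v.p_incident:
            losses.append(rng.triangular(v.loss_min, v.loss_max, v.loss_mode))
        else:
            losses.append(0.0)
    losses.sort()
    return {
        "mean": mean(losses),
        "p90": losses[int(0.90 * trials) - 1],
        "p99": losses[int(0.99 * trials) - 1],
    }


def rank_vendors(vendors) -> list:
    """Vendors ordered by expected annual loss, highest first."""
    return sorted(vendors, key=expected_annual_loss, reverse=True)


def tier_comparison(vendors) -> list:
    """(name, qualitative tier, expected annual loss) rows for a side-by-side view."""
    return [(v.name, QUALITATIVE_TIER[v.name], round(expected_annual_loss(v)))
            for v in rank_vendors(vendors)]


if __name__ == "__main__":
    for name, tier, eal in tier_comparison(VENDORS):
        sim = simulate_annual_loss(next(v for v in VENDORS if v.name == name))
        print(f"{name:18s} tier={tier:4s} EAL=${eal:>10,}  "
              f"p90=${sim['p90']:>12,.0f}  p99=${sim['p99']:>12,.0f}")
```

The useful output is the side-by-side: two vendors that share a "High" tier can differ by an order of magnitude in expected annual loss, and the p90/p99 columns show the tail the tier hides. The triangular inputs are deliberately simple; swapping in a lognormal or calibrated estimates changes only `simulate_annual_loss`.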
  • RE: Resellers

    This is a tough one, and in the various times I've encountered this issue, I think the results and outcome have all been different. The trickiest parts are figuring out if the SaaS vendors are willing to work with you directly and also how you track the ...

  • Posted in: Risk Assessments

    We are working on beefing up our enterprise level risk management. That includes working on risk assessing ACTIVITIES versus just the vendor/product. Does anybody else assess risk at an activity level with an actual answered assessment?

  • Thank you very much. This is very helpful.

  • Good question. Non-bank lenders seem to have this problem because secondary market investors, brokers, dealers, et al can all easily be replaced with one phone call. I've had some success in the past using a very short due diligence questionnaire. ...