Christine,
Thank you for your response. We have a set frequency for reassessing risk. We do not tier or rate vendors as high, moderate, low - instead we assign a risk rating of high, moderate, or low inherent (and then, residual) risk for 10 separate ...