Risk Assessments

  • 1.  Assessments

    Posted 05-08-2023 08:23 AM

    Hi all,

    We are ready with the policy, procedure, questionnaire, and vendor list. We are all set to start the assessment for the listed vendors.

    Could anyone help us with the checklist, or with how to start auditing each vendor?

    Thanks in advance

  • 2.  RE: Assessments

    Posted 05-23-2023 10:05 AM


    I recommend looking at the vendors in your organization's portfolio.

    Start by determining which vendors are critical.

    Remember: This activity requires consideration of the following 3 questions:

    • Would the sudden loss of this third-party vendor cause a significant disruption to our business?
    • Would the sudden loss impact our customers?
    • If the vendor's service were disrupted, would there be a negative impact on our operations if the time to restore service exceeded 24 hours?

    Then, look at each vendor with an eye towards inherent risk. This exercise is called a Risk Assessment. Best practice involves assigning a risk rating of Low, Moderate, or High (note that this is not the same as classifying criticality).

    Make sure to evaluate each vendor across the inherent risk domains, including Business Continuity, Compliance, Concentration, Country, Cyber, Financial, Interest, Legal, Operational, Reputational, Strategic, and Transactional Risk.

    The results of the Risk Assessment yield a risk rating that drives the Due Diligence deliverables, including the level of rigor for due diligence and the cadence of reviews.

    I look forward to what others are doing!