This message was posted by a user wishing to remain anonymous
I've recently been assigned to establish a broader RFP process and its criteria that all business units will follow every three years. So it's different from IT vendor due diligence (like Venminder's onboarding, ongoing, offboarding lifecycle), which is driven by nonpublic information that is shared, accessed or housed, and by the entire organization's support of a security posture that is similar to our own.
If anyone can share their guidance, what criteria should be established to identify the vendors of products and services that require a complete reconsideration every three years?
I really hope to hear back to get a feel for the categories, and then set up training on the obvious categories so business unit leads can self-manage this process. A longer-term goal will be to organize the registry of all vendors as we all embrace the process and make sure the products and services meeting business objectives are the best possible, best available in the market, and that we re-affirm from the best source that embraces our security posture and is willing to augment it with their own, to disclose inherent risks and work mutually to get to the lowest possible residual risks.
FYI - I've started to gather the 'pockets' of vendors and service providers outside of IT to see what natural criteria make sense and are practical (some other discussions speak to cost of monitoring vs. cost of service, etc., which is a great point of view), and some rankings are natural (what was our spend over the last three years, utilities that are sole source (power, water, etc.), who we pay by check, which corporate cards are used to pay vendor subscriptions, etc.).