Our relationship managers go through a risk assessment and risk ranking process for each vendor. Our risk ranking matrix includes eight risk factors:
- Personal or Health Information
- Business Information
- Access to Internal Environment
- Business Criticality
- Materiality to Operation
- Materiality to Financials
- Regulatory Noncompliance
- Replacement Difficulty
Each risk factor can be assigned a degree of risk of No Impact, Moderate or Critical. The relationship manager answers a series of questions which determines the degree of risk for each risk factor and the overall risk level.
Currently we do not capture the risk mitigation for each risk factor ranked moderate or critical in our vendor management system. I am thinking of starting that. Do you capture the risk mitigation strategy for your vendors? If yes, do you capture at the risk factor level or at the overall vendor level? If you capture that information, will you share the general categories with me?
I am thinking about providing a multi-select list in our vendor management system, LogicManager. The multi-select list could include options such as: encryption, contractual terms, access restrictions managed internally, and lastly an "other" option that will permit free-form text.
Thank you for sharing.
------------------------------
Mark Ewert, CPCU, CIC
Director Vendor Management
Penn National Insurance
------------------------------