Hello David,
I think you have a good method of risk rating your vendors based on NPI access and I can understand the challenge of assessing such a large volume of vendors each year. I'm curious about your statement of re-categorizing your vendors and scoring on the lower end of the spectrum. It sounds like you'll categorize some vendors as high risk and others as low or moderate risk, even though they all have the same access to NPI. I wouldn't recommend this approach because categorizing or risk rating your vendors is most effective when it's consistent.
For example, if you share NPI with "Law Firm ABC" and "Independent Agency XYZ", both of these vendors would be considered high risk and should be re-assessed at least annually. This typically involves your vendor owner reviewing the inherent risk questionnaire and updating if necessary. Risk re-assessments help ensure that nothing has changed in the relationship and can alert you to any due diligence that needs to be updated.
I don't know what your due diligence process looks like, but you mentioned that you send each of these vendors a short questionnaire every year. I'm wondering if this is something new that the vendor completes or if they can simply review their already completed questionnaire and confirm that their answers are the same. Similarly, most other due diligence documents don't need to be requested every year, unless they have expiration dates. This might help make your process a little more manageable.
Ongoing monitoring of a large vendor inventory is a very common challenge but there are many solutions and tools that can help your team handle some of these time-consuming tasks. I hope my answer provides some clarity on this situation and I'm interested to find out how other members are handling a lot of high-risk vendors.
Original Message:
Sent: 09-11-2024 11:39 AM
From: David Medina
Subject: Categories of Vendors
When we categorize our vendors, we typically base it on whether or not we share NPI data with a vendor. If we do share NPI data, they are put in a critical or high-risk category.
As an insurance company, we work with hundreds of law firms and independent agencies. Since we do share NPI data of our customers with these types of vendors, they are listed as high-risk and we send them a short questionnaire to complete each year.
I'm curious if anyone else is in this same scenario and how they handle this type of ongoing monitoring with so many vendors. We are thinking of re-categorizing them and only having those vendors that score on the lower end of the spectrum be assessed each year, while the others would be assessed on an every-other-year basis.
Thank you in advance for your input on this matter.