This message was posted by a user wishing to remain anonymous
Hi all,
I'm interested in how peer organizations are approaching two areas within their third-party risk programs:
- Critical Vendor Definition: How does your organization define a "critical" vendor? Are you using a formal set of criteria (e.g., services support a 0-48 hour business process)?
- Re-Assessment Frequency: How frequently are vendors re-assessed, particularly those deemed critical?
  - Are critical vendors reviewed annually, biennially, or based on another cadence?
  - Do you differentiate reassessment timelines by vendor tier or inherent risk (e.g., Critical = Inherently High)?
  - Are there any triggers (e.g., incidents, material changes) that drive off-cycle reassessments?
Appreciate any insights. Thank you!