Respected Forum members,
While understanding various content on due diligence(DD), this question suddenly came into my mind. Not sure if this is very basic ones or not!!
Consider a situation that there is no concept of tagging a vendor critical/non critical basis some criteria in the target operating model of TPRM, instead of that to identify severity of the relationship inherent risk score is used for entire process.
In above situation, While carrying out inherent risk assessment, if low/medium risk rating gets computed then will there be any need going for DD/ computing residual risk score?
Is there any generic guidelines available which talks about DD applicability in such cases?
I hope I have understood your question correctly. There are a couple of things here to think about.
1. As a best practice (and regulatory requirement), it is important to identify which of your third parties are critical to your operations and your customers. The label "critical" is meant to distinguish the subset of vendors on whom your organization is most dependent for normal operations, regulatory compliance, or customer support. All third parties should be labeled as critical or non-critical. These third parties require the most robust due diligence and risk and performance monitoring. They also may be subject to specific contract requirements related to their uptime, availability, data protection, breach notification, etc. Critical vendors should also be included in your organizational Business Impact Analysis (BIA) for business continuity purposes.
2. Risk ratings such as High, Moderate, and Low are used to identify the types and amounts of risks in the engagement. Those risks include things like operational, legal compliance, information security, financial, etc.
3. Due Diligence should be based on the amount of risk in the engagement; the higher the risk, the more extensive due diligence you must do. Every engagement has at least some risks, so a minimum of baseline due diligence is required for even low or moderate-risk engagements
4. It is up to your organization if you choose to utilize residual risk scores or not. Residual risk scores are used to validate whether the controls presented in due diligence are sufficient or if more or different controls or risk management techniques are necessary.
Those are the considerations I think are worth your attention, but I would love to hear from other members also.
I have provided the following resource for you as well.