Original Message:
Sent: 09-04-2024 04:43 PM
From: Christi Osburn
Subject: Frequency of determining criticality
Christine,
Thank you for your response. We have a set frequency for reassessing risk. We do not tier or rate vendors as high, moderate, low - instead we assign a risk rating of high, moderate, or low inherent (and then, residual) risk for 10 separate risk areas. For risk, we re-assess annually for high risk, every 3 years for moderate risk, and every 5 years for low risk.
What I am trying to determine is what others do in terms of criticality classification. Is this just a one-time classification that only changes if product/scope changes? Or do organizations have a process/frequency where they look at all current non-critical vendors to confirm that has not changed?
Does that make sense?
Thank you,
Christi
Christi Osburn
Vendor Management Program Manager
Original Message:
Sent: 9/4/2024 4:01:00 PM
From: Christine Kitamura
Subject: RE: Frequency of determining criticality
Hi Christi,
The frequency of risk re-assessments should align with both the inherent risk level and criticality. Here's the frequency we recommend:
- Critical and High Risk: At least annually, but reviews may be more frequent if there have been issues such as declining performance or a data breach
- Moderate: Every 18-24 months, depending on the product or service type
- Low: Every three years, or at contract renewal
So, for any non-critical vendor, consider the inherent risk level to determine when to re-assess. If that vendor is non-critical and high risk, it should still be assessed annually. If that vendor is non-critical and moderate risk, you can re-assess every 18-24 months.
I hope this helps and I'm interested to see if other members follow a similar strategy.
Original Message:
Sent: 08-28-2024 01:57 PM
From: Christi Osburn
Subject: Frequency of determining criticality
Hello,
I have taken a few of our webinars through Venminder. We have implemented a critical vendor classification. We completed it for our existing vendors and it's now part of our onboarding process for new vendors.
We ask vendor managers to ask for a new assessment if the product or service changes.
We review our critical vendors annually, and part of that is to confirm they remain critical.
Here is where I need some feedback from others: how often do you assess your non-critical vendors to determine/confirm if they are critical?
Thank you,
Christi Osburn
PEMCO Mutual Insurance Company