Due Diligence and Ongoing Monitoring

  • 1.  Frequency of determining criticality

    Posted 08-28-2024 02:05 PM
    I have taken a few of our webinars through Venminder. We have implemented a critical vendor classification. We completed it for our existing vendors and it's now part of our onboarding process for new vendors.
    We ask vendor managers to ask for a new assessment if the product or service changes.
    We review our critical vendors annually, and part of that is to confirm they remain critical.
    Here is where I need some feedback from others: how often do you assess your non-critical vendors to determine/confirm if they are critical?
    Thank you,
    Christi Osburn
    PEMCO Mutual Insurance Company

  • 2.  RE: Frequency of determining criticality

    Posted 09-04-2024 04:04 PM

    Hi Christi,

    The frequency of risk re-assessments should align with both the inherent risk level and criticality. Here's the frequency we recommend:

    • Critical and High Risk: At least annually, but reviews may be more frequent if there have been issues such as declining performance or a data breach 
    • Moderate: Every 18-24 months, depending on the product or service type
    • Low: Every three years, or at contract renewal

    So, for any non-critical vendor, consider the inherent risk level to determine when to re-assess. If that vendor is non-critical and high risk, it should still be assessed annually. If that vendor is non-critical and moderate risk, you can re-assess every 18-24 months.

    I hope this helps and I'm interested to see if other members follow a similar strategy.

  • 3.  RE: Frequency of determining criticality

    Posted 09-04-2024 04:54 PM
    Thank you for your response. We have a set frequency for reassessing risk. We do not tier or rate vendors as high, moderate, low - instead we assign a risk rating of high, moderate, or low inherent (and then, residual) risk for 10 separate risk areas. For risk, we re-assess annually for high risk, every 3 years for moderate risk, and every 5 years for low risk.
    What I am trying to determine is what others do in terms of criticality classification. Is this just a one-time classification that only changes if product/scope changes? Or do organizations have a process/frequency where they look at all current non-critical vendors to confirm that this has not changed?
    Does that make sense?
    Thank you,
    Christi Osburn
    Vendor Management Program Manager

  • 4.  RE: Frequency of determining criticality

    Posted 09-05-2024 10:31 AM

    Hi Christi,

    Thanks for the clarification. I now understand that you don't provide an overall risk rating, but rather assign each risk a separate rating.

    In that case, I would recommend re-assessing for criticality at least annually. You should also re-assess if anything changes with the product/service, and if you purchase a new product/service from that vendor.

    I hope this helps.

  • 5.  RE: Frequency of determining criticality

    Posted 09-09-2024 06:54 PM

    Hi Christi,

    Question: how often do you assess your non-critical vendors to determine/confirm if they are critical?

    Answer: We do not reassess vendor criticality unless there is some sort of change in service that would trigger such an event.

    I redo risk assessments on a set timeline based upon vendor criticality, but I wouldn't regularly re-evaluate that vendor's criticality unless some substantial change occurred.