This message was posted by a user wishing to remain anonymous
We determine third-party risk reviews based on the classification we have given to a specific third party. We have High, Medium and Low risk classifications. A classification is given based on the risk of losing them, their importance to the business, the availability of an alternative solution, etc. At a minimum:
- High Risk - reassessed annually, at a minimum
- Medium Risk - reassessed every 2 years, at a minimum
- Low Risk - may or may not be reassessed
Risk assessments are also done on contract/agreement renewal.
I hope this helps.
Original Message:
Sent: 02-21-2024 11:51 AM
From: Karmin Thompson
Subject: Frequency of risk assessments
We are a financial institution and risk-rate our in-scope vendors both initially and on an ongoing basis. We are debating what cadence we need to reperform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or assessment template change. Assuming no change to the service or the risk assessment template, I am curious how frequently others may risk-rate their in-scope vendors and on what criteria, if any.