Policy, Program and Procedures

 View Only

  • 1.  Inherent risk questionnaire/Vendor categories

    Posted 10-25-2022 09:58 AM
    Hello everyone, we're looking at expanding beyond our single Inherent Risk Questionnaire. We'd like to tailor them to vendor categories. Would anyone care to share some examples, ideas, or best practices?

    Thanks in advance,

    Amie J


  • 2.  RE: Inherent risk questionnaire/Vendor categories

    Posted 10-28-2022 02:43 PM
    Hi Amie.

    If you do want to implement this, it is best to keep the lines very basic. Where Due Diligence is risk-based and can be very tailored to,
    1. product/service
    2. the domains triggered, and
    3. risk level
    Inherent Risk should be pretty consistently assessed to ensure risk ratings/tiers are identified appropriately. Some simple lines in the sand to create 2-3 Inherent Risk Assessments could be:
    • Critical / non-critical
    • Technology / non-tech
    • Confirmed Data Involvement or not (PHI, PII, etc.)

    I hope that is helpful, but I would love to hear from other members on this topic.