At our CU, we also conduct ongoing monitoring based on the inherent risk assessment. We have tiers 1-7. Tiers 1 & 2 (critical & GLBA vendors) are reviewed annually. Tiers 3-6 (moderate/infrastructure/government/professional vendors) are reviewed biennially, and tier 7 is an annual collection of COIs and contract reviews.
Our ongoing monitoring and annual/biennial review determines how often the residual risk assessment is completed and captures any monitoring results/findings.
Original Message:
Sent: 05-27-2025 02:13 PM
From: Tara Murray
Subject: Inherent risk vs. Residual risk based ongoing monitoring frequency
Hi, at the Credit Union we do ours on the inherent risk. We have tiers 1-7, in which tiers 1-3 are reviewed annually, 4-6 biennially, and tier 7 is just an annual collection of COIs and contract reviews.
------------------------------
Tara Murray
Original Message:
Sent: 05-06-2025 12:19 PM
From: Anonymous Member
Subject: Inherent risk vs. Residual risk based ongoing monitoring frequency
This message was posted by a user wishing to remain anonymous
Hello! I know that similar questions have been posted in the past, but I wanted to gather some fresh thoughts on the subject. That is, is it better to perform ongoing monitoring based on the inherent risk of a vendor or the residual risk?
In previous positions, I always performed ongoing due diligence based on the residual risk of the vendor, though in my current position, we do it based on the inherent risk. I have operated under the idea that if we are going to go through the trouble of validating vendor controls and documenting those validations in a residual risk assessment, then we should be able to leverage that due diligence to change the frequency at which those reviews are required. I can see arguments on both sides of this but wanted to get some peer opinions on the subject to gauge if our program should be updated.
Thank you in advance for your opinions.