Dear Forum Members,
I am a beginner in this domain. Hence I may ask very simple questions. Please help me to understand and progress:
Thanks for your response. But the query was different.
To elaborate, for a specific vendor do we have to use the same set of questionnaires during inherent risk assessment, due diligence, and further risk re-assessment and due diligence in the monitoring phase?
If I understand your question, it sounds like you're asking if the same questionnaire should be used for all of these stages/events for a single vendor. The answer is no. Your inherent risk questionnaire is meant to determine the risks associated with outsourcing a specific service and the specifics of how that service is performed. This questionnaire should ask about what data the vendor has access to, how they access said data, whether they are storing/hosting the data, how much data they have, etc. It should also confirm where the data is being accessed or hosted, any regulatory risks (privacy, fraud, red flags, etc.), any operational risks (business continuity/disaster recovery), and any other industry-specific risks you might have.
Your due diligence questionnaires should be focused on the vendor's control environment(s) and validating if they have acceptable controls in place to reduce the inherent risk. These could vary a bit for onboarding and ongoing due diligence, but they should mostly be asking for the same information.
Once you have your residual risk, you'll want to make sure you've documented and are actioning any material risks you discovered. If the residual risk is still high, you may want to take additional action to further control/secure any of your company's data, as it wouldn't seem to be well secured by your vendor. If you have a continuous monitoring program/solution, you'll want to make sure you stay engaged there as well.
Hopefully, this addressed your specific questions.
Thanks for the response. Is it possible to get a sample questionnaire for both inherent risk assessment and due diligence? This will help me get much more clarity by looking at the difference.
The Third-Party Risk Association (https://www.tprassociation.org/) is a great resource if you're looking to build more knowledge/understanding of the industry. They have a template Inherent Risk Questionnaire and just released a template Information Security Questionnaire that would be used for due diligence. This should help give you a better idea of what these each would look like and the questions asked in each. You have to be a member to get access, but the standard membership is free and I believe it gives you access to the templates. These questionnaires/resources are put together by the community so they are built via input from actual practitioners doing the work. More questionnaires and resources will be released in the future as they are completed.
Hopefully, this helps provide even more clarity. The TPRA is also putting on a free virtual conference in September. You should take a look and consider registering for it. It's focused on operational risk and resilience and should have a lot of great information to help you build on your understanding.
Thanks Eric for the lead. I applied for joining the TPRA community. Let me look into the resources to gain understanding.
I have subscribed to the Third-Party Risk Association standard membership; however, I cannot locate the template Inherent Risk Questionnaire and the template Information Security Questionnaire used for due diligence. Please can you clarify how to find these template documents on the TPRA website.
You can get those templates in File Share | TPRA (tprassociation.org).
Hope this helps!!
Thanks for this information, I will try the link you suggested.