Thank you for providing the example, and I just want to make sure I understand your process. It seems like your "assessment" is referring to the overall process of the inherent risk assessment + due diligence. Does this mean that the vendor contract was signed before you performed an inherent risk assessment and collected due diligence? These activities should be completed before you sign the contract, but I understand that some organizations might not follow this process if they're not heavily regulated in TPRM.
If I understood that correctly, I would recommend re-evaluating your process to ensure that the risk assessment and due diligence are performed before contract execution on all new vendor engagements.
In the example you provided above, it may be more effective to set that risk re-assessment date to a month or so before the contract renewal so you have enough time to review those due diligence documents and address any issues. And moving forward, you could keep that new re-assessment date.
And as far as documents that have expiration dates, those should always be collected whenever they expire, which might be outside of the contract renewal date and risk re-assessment date.
Here's what this whole process might look like for a new vendor:
January 2024 – You perform an inherent risk assessment on a new vendor, which results in a high-risk rating and critical classification. During the due diligence process, one of the documents they submit is an insurance certificate that is valid through June 1, 2024.
February 2024 – The vendor contract is negotiated and signed, with a term length of 12 months.
Note: Make sure you're aware of any auto-renew clauses, to allow for enough time to re-review the vendor. For example, the contract might say something like: this agreement will auto-renew for 12 months if the customer does not provide written notice of non-renewal at least 45 days in advance of the contract term expiration date. In this case, the periodic risk re-assessment should occur well before the 45-day notice deadline ahead of the renewal date.
Late May 2024 – You request an updated insurance certificate from this vendor.
August 2024 – You perform a mid-term contract review.
December 2024 – You perform a periodic risk assessment on this vendor, 2 months before the contract auto-renew date. If the vendor owner determines there are changes to the vendor engagement, you may need to collect additional due diligence. From there, you can make decisions about renewing the contract or letting it expire.
Original Message:
Sent: 08-28-2024 01:56 PM
From: Anonymous Member
Subject: Reassessment cadence doesn't align to contract renewals
This message was posted by a user wishing to remain anonymous
Thank you both. We have that same cadence.
As an example, let's say a contract was signed in February 2024, but the assessment was missed, and so the assessment was completed after contract execution in May 2024. I'm thinking I should move the reassessment in May 2025 to February 2025.
Most often there's no conflict between security documentation expiration and contract renewal aligning, but what if there were? Would you generally choose 30 days prior to contract renewal over security documentation expiration, or the other way around?
Original Message:
Sent: 08-28-2024 12:09 PM
From: Anonymous Member
Subject: Reassessment cadence doesn't align to contract renewals
This message was posted by a user wishing to remain anonymous
Great question. We handle this issue by coordinating assessments based on vendor risk. Our approach aligns with the cadence Christine mentioned:
- Critical and high-risk vendors: At least annually
- Moderate-risk vendors: Every 18 months to two years
- Low-risk vendors: Every two to three years, or before contract renewal
The only difference is that our review dates are based on two factors: when their security documentation expires, and 30 days prior to contract renewal. We use a GRC tool to manage this process, which provides us with reminders and an upcoming renewals list to ensure we stay on top of things. Additionally, in the event of security incidents (e.g., with platforms like Snowflake or MOVEit), we can send out impact questionnaires. This is another way we meet our continuous monitoring requirements.
Original Message:
Sent: 08-23-2024 11:20 AM
From: Anonymous Member
Subject: Reassessment cadence doesn't align to contract renewals
This message was posted by a user wishing to remain anonymous
Hi. I was contemplating if I should post this topic in Program, Policies, Procedures, but I think it'll be best here.
Our reassessment cadence for third parties doesn't align with renewals. I think the root cause is that assessments are being completed after execution of contracts. These continue to not align as we continue to reassess based on the assessment date and not contract execution/renewals. I think I answered my own question here, but I'm not sure if my approach is the general consensus. It would be to identify contract renewal dates across the board and then reassess to match those dates and not the date the assessment happened. If this is the approach you would take, how do I get leaders to align to this, since they don't want to?
Thank you for your input!