We keep ours very simple. We have an initial risk assessment and an annual one based on various elements and how integrated/dependent we are on the vendor. We use the following:
1. Criticality
2. Dependence
3. Financial Commitment
4. Performance
5. Regulatory Impact
6. Business Impact
7. Supply Chain
We have just begun developing our vendor management program and are starting slow, and we thought this was a good start. I would be interested in any feedback if anyone has any.
Original Message:
Sent: 11-01-2022 08:30 AM
From: Jeremy Pelkey
Subject: Watch List
Hello,
We are exploring options on enhancing our 3rd-party watch list. As our threat intelligence monitoring identifies/communicates risk, we are curious how other organizations frame this type of monitoring.