Hello!
Some standards that we use in our current program - of course all subject to the vendor's participation and ability to meet deadlines.
We kick off assessment with a due date 30 days out
Waiting on vendor as you have described
Once assessment is submitted and deemed acceptable (no missing parts) we allow our internal team 2 weeks to review before we sync up to discuss.
If Critical/high risk the assessment is then forwarded for peer review which can take another 2 weeks
Follow ups or findings plan may take collaboration and can add another week or 2.
The goal is to turn it around within 2 to 4 weeks depending on the vendor's risk ranking.
We have had longer time frames but can also shorten timeframes as well. For example, when the contracts are being rushed for pricing or critical need we adjust to meet the business goals.
Further - the risk ranking and services provided can vary and determine the amount of scrutiny assumed during my review phase. I may spend only a few hours on a LOW risk vendor and anywhere from 1-3 days on a HIGH or CRITICAL risk vendor.
Hope this helps.
Original Message:
Sent: 04-22-2021 02:02 PM
From: Anonymous Member
Subject: How long should a risk assessment take from end to end?
This message was posted by a user wishing to remain anonymous
Thank you for your response. Looks like the bulk of the time is spent "waiting" for a response.
How much time is actually spent "touching" the assessment itself? If the waiting time were taken out of the equation, how long should it take?
Thanks
Original Message:
Sent: 04-21-2021 01:04 PM
From: Anonymous Member
Subject: How long should a risk assessment take from end to end?
This message was posted by a user wishing to remain anonymous
More than six weeks, in my experience. Internal and external questionnaires are sent at the same time with a 2-4 week deadline. More often than not, the deadlines are not met. Once the questionnaires come back, we extract data from them and input them into the risk assessment. We have multiple subject matter experts that all take different lengths of time to conduct their sections of risk analyses. The final approval from upper management may take another two weeks for them to review and submit.
Original Message:
Sent: 04-21-2021 09:59 AM
From: Anonymous Member
Subject: How long should a risk assessment take from end to end?
This message was posted by a user wishing to remain anonymous
Hello
How long should/does a vendor risk assessment take from end to end? And what should/does it cost in dollar terms?
I am just getting started so any benchmarks you can provide will be very useful.
Thank you