Risk Assessments

  • 1.  How long should a risk assessment take from end to end?

    This message was posted by a user wishing to remain anonymous
    Posted 04-21-2021 12:01 PM

    Hello

    How long should/does a vendor risk assessment take from end to end? And what should/does it cost in dollar terms?
    I am just getting started so any benchmarks you can provide will be very useful.

    Thank you


  • 2.  RE: How long should a risk assessment take from end to end?

    This message was posted by a user wishing to remain anonymous
    Posted 04-21-2021 01:18 PM

    More than six weeks, in my experience. Internal and external questionnaires are sent at the same time with a 2-4 week deadline. More often than not, the deadlines are not met. Once the questionnaires come back, we extract data from them and input them into the risk assessment. We have multiple subject matter experts that all take different lengths of time to conduct their sections of risk analyses. The final approval from upper management may take another two weeks for them to review and submit.


  • 3.  RE: How long should a risk assessment take from end to end?

    This message was posted by a user wishing to remain anonymous
    Posted 04-22-2021 02:16 PM

    Thank you for your response. Looks like the bulk of the time is spent "waiting" for a response.
    How much time is actually spent "touching" the assessment itself? If the waiting time were taken out of the equation, how long should it take?

    Thanks


  • 4.  RE: How long should a risk assessment take from end to end?

    Posted 04-22-2021 03:21 PM
    Hello! 

    Some standards that we use in our current program - of course all subject to the vendor's participation and ability to meet deadlines.

    We kick off assessment with a due date 30 days out
    Waiting on vendor as you have described
    Once assessment is submitted and deemed acceptable (no missing parts) we allow our internal team 2 weeks to review before we sync up to discuss.
    If Critical/high risk the assessment is then forwarded for peer review which can take another 2 weeks
    Follow ups or findings plan may take collaboration and can add another week or 2.

    The goal is to turn it around within 2 to 4 weeks depending on the vendor's risk ranking. 

    We have had longer time frames but can also shorten timeframes as well. For example, when the contracts are being rushed for pricing or critical need we adjust to meet the business goals.

    Further - the risk ranking and services provided can vary and determine the amount of scrutiny assumed during my review phase. I may spend only a few hours on a LOW risk vendor and anywhere from 1-3 days on a HIGH or CRITICAL risk vendor.

    Hope this helps.


  • 5.  RE: How long should a risk assessment take from end to end?

    This message was posted by a user wishing to remain anonymous
    Posted 04-22-2021 04:09 PM

    A somewhat existential question. How many assessments do you have? How many people are responsible for them? How many questions do you ask? How many are you trying to do each year? What level of detail do you expect your reviewers to use? Are you including follow-up questions developed from the first responses? Not trying to be difficult, but scope is an awfully important part of the question that you're asking. 

    If the question only is: ballpark, what do you expect? 3-4 months.


  • 6.  RE: How long should a risk assessment take from end to end?

    This message was posted by a user wishing to remain anonymous
    Posted 04-26-2021 01:16 PM

    That's a fair point. It's hard to have a one size fits all for these.
    I've seen vendor management products post numbers like 15 hrs spent per assessment (actual time spent on the assessment, not including waiting time) and I was wondering if that is a good benchmark.