Risk Assessments

  • 1.  Critical and High-Risk Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 01-05-2022 10:03 AM

    Do you treat your critical and high-risk vendors the same? I'm wondering if other organizations take a similar or same approach when requesting due diligence from these vendors. If you implement different controls or request different documents based on criticality versus high risk can you share some examples?


  • 2.  RE: Critical and High-Risk Vendors

    Posted 01-05-2022 10:44 AM

    We treat them the same as far as High or Critical, but then further that based on what they do for us. For instance, if PII is involved we ask for their SOC reports and audit results. If they are critical operations, we want to see backups and Disaster Recovery.


    Jamie Sumter

    IT Risk Management Lead

    Clarios






  • 3.  RE: Critical and High-Risk Vendors

    Posted 01-06-2022 09:10 AM
    We take a similar approach to what Jamie describes. Operational criticality is just one risk measure that we use when evaluating third party relationships. Data privacy risk (access to NPPI and volume of NPPI) is another, as are the types of services provided, location of the third party (outside US) and service delivery (on prem versus off prem).

    Our due diligence review process assigns different requirements to different risks to customize the requirements to that specific relationship using a matrix.

    Shelly

    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 4.  RE: Critical and High-Risk Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 01-06-2022 01:17 PM

    Shelly, could you share the matrix you use for due diligence review based on risk? Thanks!


  • 5.  RE: Critical and High-Risk Vendors

    Posted 01-06-2022 05:12 PM
    We use the matrix a couple of different ways: one is in the direct due diligence we request and the 2nd is in the specific questions we ask of our internal and external partners. Our TPRM is virtual and we have workflows created that govern requirements based on specific risks; this will add or omit questions/data points based on certain key risk measures: amount of annual spend, cloud based (on prem/off prem), foreign based, nature of services provided, etc.

    The due diligence required is more straightforward and is based on operational criticality and data risk. We basically went through all of our due diligence requirements and determined for what level of operational criticality and/or data risk each due diligence artifact would be required. For Operational Criticality we have 3 levels: critical, material and minor; for Data Risk we have 3 levels: high, moderate and low.

    Hope the additional detail is helpful,
    Shelly



    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------