We use the matrix a couple of different ways: one is in the direct due diligence we request, and the second is in the specific questions we ask of our internal and external partners. Our TPRM is virtual, and we have workflows created that govern requirements based on specific risks; this will add or omit questions/data points based on certain key risk measures: amount of annual spend, cloud based (on prem/off prem), foreign based, nature of services provided, etc.
The due diligence required is more straightforward and is based on operational criticality and data risk. We basically went through all of our due diligence requirements and determined for what level of operational criticality and/or data risk each due diligence artifact would be required. For operational criticality we have three levels: critical, material and minor; for data risk we have three levels: high, moderate and low.
Hope the additional detail is helpful,
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------
Original Message:
Sent: 01-06-2022 10:50 AM
From: Anonymous Member
Subject: Critical and High-Risk Vendors
This message was posted by a user wishing to remain anonymous
Shelly, could you share the matrix you use for due diligence review based on risk? Thanks!
Original Message:
Sent: 01-06-2022 09:10 AM
From: Michelle Chase
Subject: Critical and High-Risk Vendors
We take a similar approach to what Jamie describes. Operational criticality is just one risk measure that we use when evaluating third party relationships. Data privacy risk (access to NPPI and volume of NPPI) is another, as are types of services provided, location of the third party (outside US) and service delivery (on prem versus off prem).
Our due diligence review process assigns different requirements to different risks to customize the requirements to that specific relationship using a matrix.
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
Original Message:
Sent: 01-05-2022 10:02 AM
From: Anonymous Member
Subject: Critical and High-Risk Vendors
This message was posted by a user wishing to remain anonymous
Do you treat your critical and high-risk vendors the same? I'm wondering if other organizations take a similar or same approach when requesting due diligence from these vendors. If you implement different controls or request different documents based on criticality versus high risk can you share some examples?