When it comes to vendors, sometimes we can get distracted by trying to customize our TPRM approach to the product or service types. But this should not be necessary as your standardized processes for identifying, assessing, and managing risks should help you determine the right levels of due diligence, risk re-assessment, risk and performance monitoring, and contract structure for every potential vendor.
Your inherent risk assessment should be able to help your organization understand where the risks are by asking standardized questions. Your due diligence should be based on the risks present. So here are two examples.
- Does the vendor have access to sensitive or confidential information? If yes, your due diligence will need to include an evaluation of the vendor's cybersecurity controls, policies, and independent third-party audits, such as a SOC2 Type2 report.
- Will the vendor need unescorted access to our facilities? If yes,your due diligence might include evidence of background checks, the vendor's privacy policy and employee training.
Where there is a risk, there should also be control. It doesn't matter what type of vendor it is; it is all about the risks present in the product and service. And the higher the risks, the more intensive your due diligence efforts are. The caveat is that the due diligence must be relevant to the risks presented. This approach works for every type of vendor. And prevents you from second-guessing how to manage the relationship.
So for your architect and environmental site assessors, put them through an inherent risk assessment. It should be clear how to handle the relationship once you can identify the risks.
I hope that helps, but I would love to hear from other members on this topic.
Original Message:
Sent: 01-17-2023 12:10 PM
From: Lauren Sobczak
Subject: Building Architects, Environmental Phase I/II Assessments
Hi
Looking to see how others might have incorporated Building architects/environmental site assessors (phase I/II assessments) into their 3rd party framework? If they are considered in scope, how are they being managed, and what type of due diligence would be conducted on them?
Would love to hear what others have done.
Thank you!