Risk Assessments

We are a financial institution and risk rate our in scope vendors both initially and in an ongoing fashion.  We are debating on what cadence we need to reperform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or assessment template change.  Assuming no change to service or the risk assessment template, I am curious how frequent others may risk rate their in scope vendors and on what criteria, if any.  

We determine third-party risk reviews based on the classification we have given to specific third-party. We have High, Medium and Low risk classifications. A classification is given based on the risk of losing them, their importance to the business, the availability of an alternative solution, etc. At a minimum:

• High Risk - reassessed annually, at a minimum
• Medium Risk - reassessed every 2 years, at a minimum
• Low Risk - may or may not be reassessed

Risk assessments are also done on contract/agreement renewal.

I hope this helps.

We are a financial institution and risk rate our in scope vendors both initially and in an ongoing fashion.  We are debating on what cadence we need to reperform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or assessment template change.  Assuming no change to service or the risk assessment template, I am curious how frequent others may risk rate their in scope vendors and on what criteria, if any.  

We determine third-party risk reviews based on the classification we have given to specific third-party. We have High, Medium and Low risk classifications. A classification is given based on the risk of losing them, their importance to the business, the availability of an alternative solution, etc. At a minimum:

• High Risk - reassessed annually, at a minimum
• Medium Risk - reassessed every 2 years, at a minimum
• Low Risk - may or may not be reassessed

Risk assessments are also done on contract/agreement renewal.

I hope this helps.

We are a financial institution and risk rate our in scope vendors both initially and in an ongoing fashion.  We are debating on what cadence we need to reperform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or assessment template change.  Assuming no change to service or the risk assessment template, I am curious how frequent others may risk rate their in scope vendors and on what criteria, if any.  

We are a financial institution and risk rate our in scope vendors both initially and in an ongoing fashion.  We are debating on what cadence we need to reperform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or assessment template change.  Assuming no change to service or the risk assessment template, I am curious how frequent others may risk rate their in scope vendors and on what criteria, if any.  

The cadence for also depends on your risk appetite and available resources. In our organization, we have a single risk manager overseeing a growing portfolio of third parties. Risk thresholds are defined by Tiers, with Tier 3 representing moderate risk and being the largest group. Initially, we conducted due diligence during onboarding and annually for Tier 1 to Tier 3. However, last year, we adjusted this frequency of Tier 3 to every other year unless there is elevated residual risk identified through monitoring. After careful analysis, we realized that little had changed apart from updating information and completing questionnaires annually.   If you consistently encounter the same type of low risk during each review and gather identical but updated information without any substantial changes in the risk, then the risk level remains unchanged.  As a result, we obtained approval to update the cadence to every other year, allowing us to allocate more time to managing higher risk profiles.

We are a financial institution and risk rate our in scope vendors both initially and in an ongoing fashion.  We are debating on what cadence we need to reperform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or assessment template change.  Assuming no change to service or the risk assessment template, I am curious how frequent others may risk rate their in scope vendors and on what criteria, if any.