Policy, Program and Procedures

I'm new in a role and our TRPM is just getting started. The company has a tool for vendor risks and risk assessments. However, the data in that tool isn't the best. The prior system for risk assessments was spreadsheets, and that data got loaded with incomplete information so there is no vendor tiering. Then because the tool is connected to our financial system, any vendor/entity that we have paid through AP has had a record created in the tool. We are now working through it to determine which vendors actually need risk assessments on. What criteria we should use? Our policy states risk assessments will be done on vendors we are contracting with. Is that inline with best practices and what others are doing? 

My big questions are should anyone we've ever paid be considered in our inventory. If yes, then what are the typical criteria we can use to treat them differently, as it doesn't seem feasible to do risk assessments on everyone. 

Any help would be greatly appreciated or if someone would be willing to connect offline for further discussions!

Thank you! 

I too am interested in others response to this as out internal audit team feels that a complete listing of all active vendors does not exist and our efforts to derive at such a listing does not go far enough.  They believe that we should ensure that no vendor payment is made unless the vendor is through our VM process and if an invoice comes through and the vendor is not listed, the vendor-owner should be notified, and efforts immediately taken to enter the vendor in our system of record for future montioring.. We have listed in our policy an extensive list of vendors that are exempt, but they still feel every vendor we pay should be documented in our system.  What are others houghts?

Original Message:
Sent: 12-20-2023 11:40 AM
From: Anonymous Member
Subject: Inventory vs Risk Assessment

This message was posted by a user wishing to remain anonymous

I'm new in a role and our TRPM is just getting started. The company has a tool for vendor risks and risk assessments. However, the data in that tool isn't the best. The prior system for risk assessments was spreadsheets, and that data got loaded with incomplete information so there is no vendor tiering. Then because the tool is connected to our financial system, any vendor/entity that we have paid through AP has had a record created in the tool. We are now working through it to determine which vendors actually need risk assessments on. What criteria we should use? Our policy states risk assessments will be done on vendors we are contracting with. Is that inline with best practices and what others are doing? 

My big questions are should anyone we've ever paid be considered in our inventory. If yes, then what are the typical criteria we can use to treat them differently, as it doesn't seem feasible to do risk assessments on everyone. 

Any help would be greatly appreciated or if someone would be willing to connect offline for further discussions!

Thank you!