Due Diligence and Ongoing Monitoring

  • 1.  Tier 2 Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 12-27-2023 07:40 PM

    Hello!

    2024 will be my first year performing an annual audit on our Tier 2 vendors. My question is: should the following vendors be ranked Tier 2, or could they be moved to a lower tier? External Auditing Companies (10-D, AGH, etc.), Zoom, TransUnion, Western Union. Also, under the new guidance, what documents should I request for Tier 2 vendors? (Ex: Financials, BCP, COI, etc.) I have attached our current Tier Ranking Visual.

  • 2.  RE: Tier 2 Vendors

    Posted 01-02-2024 12:01 PM

    When it comes to risk rating or tiering your vendors, it is important to individually assess each product and service they provide to identify the inherent risks. Based on your question and the provided visual, it is unclear if you have a separate inherent risk assessment for all your vendors. There are two primary reasons inherent risk assessments are essential. First, they provide a systematic way to inventory all risks by category (operational, cybersecurity, compliance, financial, legal, etc.) and to determine the amount of each risk that is present. Second, the information regarding the risk types and amounts should inform the documentation you would need to collect in due diligence. For example, any vendor accessing, processing, transmitting, or storing PII (sensitive data) would require evaluating and verifying their cybersecurity and privacy, operational resilience (BCP/DR), and compliance controls.

    To effectively audit your vendors, you need to understand the risk types and amounts in the product or service types provided to your organization. For example, TransUnion is typically engaged to provide credit scores for your customers. This product or service has several associated risk categories (cybersecurity, privacy, compliance, etc.) and would typically be regarded as high-risk (or tier one). However, TransUnion provides a variety of products and services, including fraud prevention and marketing services. So, without knowing definitively what they are doing for your organization, it would be difficult to determine their actual risk level or what controls must be evaluated.

    I have included this link that will lead you to two resources that can provide additional information.

    Vendor Inherent Risk Sample Questions and Next Steps and Sample Questionnaire

    I hope this is helpful, but I would love to hear from other members on this topic.