Due Diligence and Ongoing Monitoring

  • 1.  Top 10 Vendors

    Posted 06-21-2022 07:51 AM
    Hi Team
    I would like some suggestions to identify the top 10 vendors from our existing vendors. How can we define this?
    --
    Kind regards,

    Vinod G
    Vendor Risk Manager



  • 2.  RE: Top 10 Vendors

    Posted 06-21-2022 09:35 AM

    There needs to be a little more detail than "top 10".

    You could use dollars spent with a vendor.

    You could use Criticality – there should be a handful of vendors that are deemed critical [i.e. if they went away, your business will be in a very bad way].

    Those are probably the two main options, depending on the need.

    Thanks,
    Dave

    David Howe, CCUFC
    Chief Information Officer






  • 3.  RE: Top 10 Vendors

    Posted 06-21-2022 10:07 AM
    I would agree with Dave, you need to define what you mean by Top 10. To do that you need to go back to how you are measuring risk related to third parties: spend ($) and criticality to operations, as Dave points out, are two of the most common measures of third party risk. Depending on your industry, the type or volume of customer information that is handled, processed or stored by a vendor might also be an appropriate risk measure.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 4.  RE: Top 10 Vendors

    Posted 06-21-2022 10:43 AM

    We have a fairly new Vendor Management Program (in its first year).  We established criteria to define different levels of risk for our organization (see chart below).   Each vendor is then classified into its appropriate risk tier, each of which carries different levels of due diligence.  This has been our starting point and so far the vast majority of vendors fall into Tier 3, with a minimal number classified as Tier 1.  You could call our Tier 1 vendors our "Top 10".

    I hope this helps.

    Rose Rotonda
    Business Continuity & Strategic Planning Officer
    Ohio Public Employees Retirement System









  • 5.  RE: Top 10 Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 06-21-2022 10:40 AM

    Hi - You need to categorise your supplier base from all the risk angles - spend, your dependency on them, their strategic worth to you, their cyber risk profile, their geo-political risk, their credit rating. It's a lot of work but once you've done it you'll have a good understanding of your supplier landscape and be able to implement the appropriate risk treatment measures to address the risks they present to you.


  • 6.  RE: Top 10 Vendors

    Posted 06-22-2022 08:39 AM
    Hi Vinod-

    You need to define "top ten": top ten spend? Performance? Most risk? Access to data? Venminder has a really good webinar coming up on Risk Assessments.
    At my institution we weight certain questions on our risk assessments to stratify the population and determine risk tier, from highest risk (enterprise critical, Tier 0) to High Risk Tier 1, Moderate Risk Tier 2 and Low Risk Tier 3. Our due diligence frequency is based on the risk tier, as each tier has an applicable suite of due diligence associated with it. From that process we are able to identify top ten vendors in a variety of categories, for example top ten high risk, top ten spend, top ten compliance risk, top ten difficult-to-replace vendors...
    I hope that helps!

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    Cenlar FSB

    ------------------------------
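The weighted-assessment tiering that the reply above describes, as an added Python example that is not code from any poster or product in this thread: the assessment questions, their weights, the score floors for Tier 0 to Tier 3, the due diligence cadence per tier and the vendor records are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed assessment questions and weights; a "yes" answer adds the weight to the score.
WEIGHTS = {
    "holds_customer_pii": 5,
    "network_access": 4,
    "hard_to_replace": 4,
    "no_independent_audit": 3,
    "offshore_processing": 2,
}
# Assumed score floors for the tiers named in the post (Tier 0 = enterprise critical).
TIER_FLOORS = [(14, 0), (9, 1), (5, 2), (0, 3)]
# Assumed due diligence cadence attached to each tier.
DUE_DILIGENCE = {0: "quarterly", 1: "annual", 2: "every two years", 3: "at onboarding"}


@dataclass
class Vendor:
    name: str
    annual_spend: float
    answers: dict  # question -> bool; missing questions count as "no"


def risk_score(v: Vendor) -> int:
    """Weighted sum of the "yes" answers on the vendor's assessment."""
    return sum(w for q, w in WEIGHTS.items() if v.answers.get(q, False))


def risk_tier(score: int) -> int:
    """Map a score to the first tier whose floor it reaches (0 is most critical)."""
    for floor, tier in TIER_FLOORS:
        if score >= floor:
            return tier
    return 3


def top_n(vendors, key, n=10):
    """Names of the top-N vendors for one category (spend, risk score, ...), highest first."""
    return [v.name for v in sorted(vendors, key=key, reverse=True)[:n]]


def tier_report(vendors):
    """Vendor name -> (tier, due diligence cadence for that tier)."""
    report = {}
    for v in vendors:
        tier = risk_tier(risk_score(v))
        report[v.name] = (tier, DUE_DILIGENCE[tier])
    return report


# Constructed sample records, not real vendors.
VENDORS = [
    Vendor("CoreBanking Ltd", 1_200_000, {"holds_customer_pii": True, "network_access": True,
                                          "hard_to_replace": True, "no_independent_audit": True}),
    Vendor("Payroll Co", 300_000, {"holds_customer_pii": True, "hard_to_replace": True,
                                   "offshore_processing": True}),
    Vendor("Office Supplies Inc", 900_000, {}),
    Vendor("Marketing SaaS", 50_000, {"holds_customer_pii": True, "no_independent_audit": True}),
    Vendor("Facilities Cleaners", 120_000, {"offshore_processing": True}),
]
```

Running `top_n(VENDORS, risk_score)` and `top_n(VENDORS, lambda v: v.annual_spend)` on these records gives two different orderings (the office supplier ranks second by spend but last by risk), which is exactly why the replies ask which "top ten" is meant.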