Risk Assessments

Hello fellow third party professionals,

We are laying the foundation for our third party tiering (critical, high, medium, low) and the corresponding initial assessment criteria/cadence; and subsequently the reassessment criteria as well. I have two main questions: 

1) How do other organizations manage the initial third party assessment process versus the reassessment process? Are they the same or different? If they are different, what specifically influences the differences (i.e. additional control questions?) 

2) For vendors which fall into the low tier, what does your organization do to manage the risk? 

These are great questions, but I first want to clarify what you said about third-party tiering. High, medium/moderate, and low are typically used as a tier system, but critical shouldn't be used as a risk rating. Criticality is a classification, or a way of identifying vendors that would have a significant operational impact on your organization or customers if the vendor failed. Each vendor should be given a risk rating PLUS a criticality classification:

• Vendor A is high-risk and critical
• Vendor B is high-risk and non-critical
• Vendor C is low-risk and non-critical

Now to answer the first question. The initial third-party assessment process generally includes the following activities:

• Asking the vendor owner to complete a standardized inherent risk questionnaire. This might be a questionnaire your organization develops itself, or an existing one that's appropriate for your organization. This identifies the types and amounts of inherent risk associated with a vendor's product or service.
• Asking the vendor to complete a vendor risk questionnaire. This might be something like a SIG questionnaire, SIG Lite, or NIST questionnaire if you're assessing a vendor's cybersecurity practices.
• Collecting and reviewing a vendor's due diligence documents that are commensurate to the vendor's inherent risk and criticality. This provides your organization with evidence of the vendor's risk practices and control environment.

The risk re-assessment process may involve the same activities, with a few slight variations:

• Asking the vendor owner to review the standardized inherent risk questionnaire and verify that the answers are still correct. If there are any changes, that should initiate a new round of due diligence. Some examples of changes might be that the vendor is providing a new product/service to your organization, the cost has increased or decreased, or the business need for this vendor has evolved since you first signed the contract.
• Asking the vendor to recertify or validate that the vendor risk questionnaire they already completed is still accurate.
• Reviewing the vendor's due diligence documents to verify that they're still valid and up-to-date. Certain documents like insurance certificates or testing results can expire or become invalid, so you'll want to make sure that you have the most current information.

For low-risk vendors, it's recommended to re-assess risk every three years, or at the contract renewal period. This involves doing a due diligence review of baseline documents such as the vendor's business license, tax ID, credit report, and a negative news search.

I hope this information is useful and I welcome any additional thoughts from other members.