Why You Need To Perform Vendor Risk Assessments
Even the smallest of companies will typically work with dozens of vendors, many of which play an important role in your company's success. Not all vendors are created equal — a select few will be critical in nature and those vendors should be monitored & managed throughout the relationship.
Banks & credit unions face regulatory concerns
Financial institutions must show regulators that they have a process in place for identifying, documenting & managing their third party risk exposure.
Lets you manage your time better
By knowing who your high-risk vendors are, you know where to focus your time & energy — whether it's in the form of formal diligence and performance reviews or just more communication and interactions with the vendor.
What Makes A Vendor High-Risk Or Critical?
- The vendor performs a critical business function
- Your company is highly dependent on the vendor
- The vendor cannot be easily replaced by another vendor or in-house
- The vendor has access to non-public confidential information
- The vendor has internal issues — e.g. financial, leadership, operational concerns
- The vendor is increasingly providing poor performance, support, etc.
Examples Of Vendor Risk Questions...
The following are real risk assessment questions used by our existing customers:
- Does the vendor store, access, transmit, or perform transactions on sensitive member information?
- Is there a documented policy for business continuity and disaster recovery?
- Do all employees and contractors sign agreements that pertain to non-disclosure, confidentiality, acceptable use or code of ethics upon hire?
- Does the vendor have face-to-face contact with the consumer?
- Is there potential for significant cost or financial loss?
- Does the company use an independent third party to review the information security program?
How Can VendorRisk Help?
Supports multiple ways of assessing risk
VendorRisk allows risk to be determined by several methods:
Questions & answers
Answer a series of customized questions — the total point value is then compared against your risk level point thresholds to arrive at the vendor's risk level.
Select individual risk levels in a grid format to arrive at the vendor's overall risk level.
If you use another program or method to assess risk, you can manually select the risk level in VendorRisk and you'll still be able to reap the benefits of receiving email reminders of upcoming reviews, running reports, etc.
Lets you customize your risk levels
By default VendorRisk uses "Low", "Medium" and "High", but you can easily customize those risk levels to fit your current risk approach. Current customers use other levels such as "Not critical", "Moderately critical" and "Critical" or tiers, such as "Tier 1", "Tier 2", etc.
Automates the scheduling of risk reviews
By entering a "next review date" and the review frequency, VendorRisk will notify you ahead of time that a risk review is due. When you complete the review, it will then automatically set the "next review date" to the appropriate date in the future.
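As an added illustration of the two mechanisms described above (scoring questionnaire answers against point thresholds to reach a risk level, and advancing the "next review date" by the review frequency), here is a small Python sketch. It is not VendorRisk's own code; the question keys, point values, thresholds and review frequency are constructed assumptions.

```python
import calendar
from datetime import date

# Constructed questionnaire modelled on the example questions on this page.
# Each question is phrased so that a "yes" answer adds risk points.
# Point values are assumptions, not VendorRisk's defaults.
QUESTIONS = {
    "stores_or_transmits_sensitive_member_info": 10,
    "no_documented_bcp_dr_policy": 5,
    "no_confidentiality_agreements_on_hire": 5,
    "face_to_face_consumer_contact": 3,
    "potential_significant_financial_loss": 8,
    "no_independent_infosec_review": 6,
}

# Risk-level point thresholds (assumed): a total >= the threshold lands in
# that level. Names are customizable, e.g. "Tier 1"/"Tier 2"/"Tier 3".
THRESHOLDS = [("High", 15), ("Medium", 8), ("Low", 0)]


def score_answers(answers):
    """Sum the point values of every question answered 'yes' (True)."""
    return sum(QUESTIONS[q] for q, yes in answers.items() if yes)


def risk_level(total, thresholds=THRESHOLDS):
    """Map a point total to the highest level whose threshold it meets."""
    for level, minimum in sorted(thresholds, key=lambda t: -t[1]):
        if total >= minimum:
            return level
    return min(thresholds, key=lambda t: t[1])[0]


def next_review_date(completed_on, frequency_months):
    """Advance the 'next review date' by the review frequency in months,
    clamping the day so that e.g. Jan 31 + 1 month is a valid date."""
    month_index = completed_on.month - 1 + frequency_months
    year = completed_on.year + month_index // 12
    month = month_index % 12 + 1
    day = min(completed_on.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def assess(answers, completed_on, frequency_months, thresholds=THRESHOLDS):
    """Complete one risk review: points, resulting level, next review date."""
    total = score_answers(answers)
    return {"points": total,
            "level": risk_level(total, thresholds),
            "next_review": next_review_date(completed_on, frequency_months)}
```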
Supports the review process
If your company policy requires that all completed vendor risk reviews be approved by a review committee (even if that committee is just one person), you can establish review committees in VendorRisk. When a risk review is marked as completed, the review committee receives an email with instructions to view the completed form, and can then approve or reject the review.
Receive automated email reminders for...
- Upcoming risk reviews
- Risk reviews that need to be approved by you
- Risk reviews that were just approved/rejected
Examples of reports you can run, save & export...
- All risk assessments you conducted in the past year
- All risk assessments that resulted in a "High" risk level
- All completed risk assessments conducted by the IT Department in the past 6 months