Some organizations have hundreds of vendors, and assessing the risk of every one of them can be a battle. You might not have the resources to do a full risk assessment on all of them, and frankly, you don't have to. Here are three tips for third party assessments that will help keep you on track for your organization's security and your regulatory visits.
Determine which vendors actually need to be assessed
Your gardener and your core provider aren't on the same playing field when it comes to the amount of inherent risk they pose to your organization. Whether a vendor is considered "high risk" depends on a few factors:
- Are they a new vendor for your organization?
- Do they have a material financial effect on your organization?
- Do they perform a critical function?
- Do they store, access, or transmit sensitive customer information?
- Do they market financial products or services?
- Do they perform subprime lending or card payment transactions?
- Do they increase risk to earnings or capital?
Answering yes to any of the above questions indicates that the vendor needs to be assessed. Your gardener? They don't fit the bill, so while they should be on a centralized list of vendors, they shouldn't be assessed, and certainly not annually.
Start with high risk vendors first
As you're figuring out where to start with your assessments, tighten up your scope. Starting with your highest risk vendors means you're protecting and assessing the third party providers that could do the most damage if something went wrong, which better protects your bottom line and your reputation. Once your high risk vendors are assessed, move on to your medium risk providers.
Be realistic with your monitoring and assessment frequency
The key is spending the time and budget where it's needed most, and "where it's needed" can be measured with inherent risk. Just as you determined who needs to be assessed, and how they should be prioritized, you can use their risk rating to determine how often monitoring activities should be completed, checked, and assessed.
The higher the risk a third party provider poses, the more often you'll want to check in on them to ensure they're following through with their contractual obligations. You'll also want to revisit them often because your organization's needs can change the vendor relationship, and with it the vendor's potential impact on your security. Expect to assess your high risk vendors annually, while your low risk providers probably don't need to be revisited for 2-3 years.
Do you have more questions about third party risk? Read our article, "Ways Your Current Vendor Management Program Might Be Hurting Your Organization" to learn more about how you can increase the effectiveness of your third party risk management program.