Available on
Podcast Transcript
Hi - my name is Kelly with Venminder.
In this 90-second podcast, you’re going to learn if you have to risk rate every vendor.
We help our clients on a daily basis determine the vendors that need to be included in their vendor oversight and how to best assess risk.
So, does every single vendor have to be risk rated? In short, yes, but if for some reason you choose to not risk rate a vendor you do have to identify the vendors who should be written out of your third-party risk scope and document why.
Sometimes a vendor may not pose enough risk to an organization to make it needed to actively monitor; therefore, some organizations choose to write certain third parties out of scope.
If you choose to do that, you may want to consider these sorts of questions as a determining factor:
- Are they a government agency?
- Are they a utility company?
- Based on your policy, do they fall below a certain threshold dollar amount?
- Are they an office supply or food delivery company?
- Are they a licensing company?
- Is the spend so minimal or such a limited one time use that it’s below any reasonable risk threshold?
If you answer yes to one of these questions, then it’s likely the vendor may not pose enough risk to the organization to be actively monitored.
How does one begin scanning a vendor list to determine this?
Step 1 is to reach out to Accounts Payable for a fresh vendor list to review.
Step 2 is based on the questions we mentioned earlier, go ahead and remove any of the vendors that don’t need to be actively managed.
Step 3 is to bucket the remaining vendors into categories like processors, marketing agencies, cloud storage providers, etc. Those are the ones that you’ll risk rate.
I hope you found this helpful.
Thanks for tuning in; catch you next time!
