Do I Have to Risk Rate Every Vendor?
Risk rating your vendors is important, but do you have to rate all of them?
Sometimes a vendor may not pose enough risk to an organization to need active monitoring; therefore, some organizations choose to write certain third parties out of scope. In this 90-second podcast, we will cover the steps you need to take to determine the vendors that need to be included in your vendor oversight and how to best assess risk.
Hi - my name is Kelly with Venminder.
In this 90-second podcast, you’re going to learn if you have to risk rate every vendor.
We help our clients on a daily basis determine the vendors that need to be included in their vendor oversight and how to best assess risk.
So, does every single vendor have to be risk rated? In short, yes, but if for some reason you choose to not risk rate a vendor you do have to identify the vendors who should be written out of your third-party risk scope and document why.
Sometimes a vendor may not pose enough risk to an organization to make it needed to actively monitor; therefore, some organizations choose to write certain third parties out of scope.
If you choose to do that, you may want to consider these sorts of questions as a determining factor:
- Are they a government agency?
- Are they a utility company?
- Based on your policy, do they fall below a certain threshold dollar amount?
- Are they an office supply or food delivery company?
- Are they a licensing company?
- Is the spend so minimal or such a limited one-time use that it’s below any reasonable risk threshold?
If you answer yes to one of these questions, then it’s likely the vendor may not pose enough risk to the organization to be actively monitored.
How does one begin scanning a vendor list to determine this?
Step 1 is to reach out to Accounts Payable for a fresh vendor list to review.
Step 2 is based on the questions we mentioned earlier, go ahead and remove any of the vendors that don’t need to be actively managed.
Step 3 is to bucket the remaining vendors into categories like processors, marketing agencies, cloud storage providers, etc. Those are the ones that you’ll risk rate.
I hope you found this helpful.
Thanks for tuning in; catch you next time!