Learn how to build a Third Party Risk Assessment Process

Categorise your vendors based on their importance to your business.  Think about:

• Are they are an essential part of your core business?
• Are they a nice to have?
• Do they process your sensitive data?
• Do they your sensitive data?

Once you have worked that out then tier them ideally into no more than 3 categories e.g. Tier 1, Tier 2 and Tier 3.  Each tier represents the sensitivity of data that they process for you. Based off that you can decide which vendors require a more thorough due diligence process than others. 

Sounds obvious but so many businesses do not formerly define what their risk tolerance levels are.  This is the amount or risk the business can afford to tolerate before it becomes a major problem.

This could be compliance, monetary, brand and trust related.

Create an Authority to Operate Process.  The purpose of this is to ensure that all the required internal stakeholders in the business have signed off on the use of technology and the associated risks / tolerance levels have been communicated and understood by all parties.

This should be really simple to operate and not cause roadblocks.

Monitoring your vendors should be a continual process and carried out in as near real time as possible.  Annual Third Party Risk assessments are ok but they are a snapshot in time and nothing more than a litmus test.  So invest in automation and tooling to deliver continuous monitoring of your core vendors.  These are the ones that if something critical happened could cause damage to your business.