Our bank just went through development of a Vendor Management Program that required us to complete risk assessments on our vendors; we completed them for each individual vendor. It was suggested to us that, although all vendors play an important role, some are deemed more critical than others and we need to really address the risk associated with those critical vendors. We completed a thorough risk assessment on all critical vendors and have plans to complete them for other vendors in upcoming months.
I think the third party risk assessment Jack provided is a great start in determining overall third party risk to the bank and then more steps would be taken to further assess the more “critical” vendors that may be driving the “moderate” to “high” categories.
I think the templates you have developed so far will work pretty well.
Only have two thoughts for you to consider:
In previous IT/Vendor Management training we were told that we could also classify our vendors as “regulated” and thus minimize the due diligence we were required to perform. The logic was that they are examined by regulators enforcing the GLBA. Credit bureaus, as well as other banks, would be in this category.
Also, I didn’t notice where annual expenditure was a factor in the due diligence process. You might want to factor that into the analysis (or consider establishing a $$ threshold).