Phase 2 of VRM: Classification
Now that you’ve completed your vendor inventory, it’s time to classify your vendors according to the risk they pose to your organization. Third-party classification means rating each third-party provider by the amount of inherent risk it presents. The term “inherent risk” isn’t in everyone’s vocabulary, so let’s define it: inherent risk is the risk a vendor poses to your company based strictly on how you intend to use them, before any of the vendor’s own controls are taken into account. Classifying third-party providers by inherent risk is a simple process. The point of doing it is to make sure you spend your valuable time, and the valuable time of your partners, only on the risks that really matter.
Inherent Risk Questionnaire
The classification process starts with the Inherent Risk Questionnaire. This is a simple questionnaire that is completed by the person within your organization who is responsible for the third-party relationship. This is usually the person who relies on the third party to complete certain tasks on behalf of your organization, or it’s the person who arranged for using the third party in the first place.
The questionnaire is simple and straightforward, consisting of fewer than 10 questions.
VENDFENSE is very flexible and meant for all organizations. We pre-populate the system with default inherent risk questions to include in the Inherent Risk Questionnaire; however, we can also include custom questions.
Third-party providers are classified according to the inherent risk they pose to your organization. The classification is automatic, based on objective criteria defined and built into the SecurityStudio Classification Scoring System. The responses provided in the Inherent Risk Questionnaire lead to a classification of High, Medium, or Low. You could choose different words or a different number of classifications, depending on your needs. What matters is that the classification criteria are objective and represent inherent risk, and that the classification levels you choose are simple and logical.
A very important reason for classifying vendors by inherent risk is that it justifies applying different levels of scrutiny to different vendors: not all vendors pose the same amount of inherent risk, so not all vendors should be subjected to the same level of review.
High and Medium Impact
High and Medium impact (or inherent risk) third parties require additional review. The third parties that were classified as High or Medium impact are moved into processing at Phase 3 – Third-Party Risk Assessment.
Low impact third parties are not a significant concern for most organizations. For them, processing ends with the classification itself; Low impact third parties are usually not reviewed again until the next cycle (quarterly, semi-annual, annual, etc.).
In some cases, the percentage of third parties classified as Low impact is as high as 80%. If an organization works with 1,000 third parties, as many as 800 of them need no further review beyond the initial inherent risk classification. That means 800 fewer questionnaires to keep track of and 800 fewer third parties to assess. Just as important, you have demonstrated due diligence by ensuring that every third party was classified according to objective criteria.
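The classification and routing described above, as an added example in Python that is not part of VENDFENSE or the SecurityStudio Classification Scoring System. The questions, point values, critical-answer rule, thresholds and sample vendors are all assumptions made for illustration; the point it shows is that the score depends only on how the vendor is used, that the criteria are objective enough to apply by machine, that incomplete or off-list answers are rejected rather than silently scored as zero, and that the output is both a Phase 3 queue and a record proving every vendor was classified.

```python
"""Inherent-risk classification and Phase 3 routing for a vendor inventory.

Added example, not SecurityStudio's Classification Scoring System. Every
question, point value, threshold and vendor below is a hypothetical chosen
for illustration.
"""
from enum import Enum


class Tier(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# Hypothetical questionnaire: seven questions (fewer than 10), each answer
# mapped to points. Answers describe how the organization intends to USE the
# vendor, not how secure the vendor is; the latter is Phase 3's job.
QUESTIONS = {
    "data_sensitivity": {"none": 0, "internal": 1, "confidential": 2, "regulated": 3},
    "record_volume": {"none": 0, "under_1k": 1, "1k_to_100k": 2, "over_100k": 3},
    "network_access": {"none": 0, "web_portal": 1, "vpn": 2, "privileged": 3},
    "outage_tolerance": {"weeks": 0, "days": 1, "hours": 2, "minutes": 3},
    "handles_payments": {"no": 0, "yes": 3},
    "onsite_presence": {"no": 0, "escorted": 1, "unescorted": 2},
    "uses_subcontractors": {"no": 0, "yes": 1},
}

# Hypothetical "critical answer" rule: any one of these makes the vendor High
# on its own, so a single decisive fact cannot be averaged away by low scores
# on the other questions.
CRITICAL_ANSWERS = {("data_sensitivity", "regulated"), ("network_access", "privileged")}

HIGH_THRESHOLD = 10    # assumed cut-offs on the 0..18 point range
MEDIUM_THRESHOLD = 5


def score(answers):
    """Total points for one vendor. Rejects blank or off-list answers so a
    vendor cannot land in Low because the relationship owner skipped questions."""
    missing = set(QUESTIONS) - set(answers)
    if missing:
        raise ValueError(f"unanswered questions: {sorted(missing)}")
    total = 0
    for question, answer in answers.items():
        if question not in QUESTIONS:
            raise ValueError(f"unknown question: {question}")
        if answer not in QUESTIONS[question]:
            raise ValueError(f"invalid answer {answer!r} for {question}")
        total += QUESTIONS[question][answer]
    return total


def is_complete(answers):
    """True when the questionnaire would be accepted by score()."""
    try:
        score(answers)
        return True
    except ValueError:
        return False


def classify(answers):
    """Map a completed questionnaire to High / Medium / Low."""
    total = score(answers)
    if total >= HIGH_THRESHOLD or any((q, a) in CRITICAL_ANSWERS for q, a in answers.items()):
        return Tier.HIGH
    if total >= MEDIUM_THRESHOLD:
        return Tier.MEDIUM
    return Tier.LOW


def triage(inventory):
    """inventory: {vendor_name: answers}. Returns the Phase 3 queue (High and
    Medium), the next-cycle list (Low), and the full record for due diligence."""
    record = {name: classify(answers) for name, answers in inventory.items()}
    phase3 = sorted(n for n, t in record.items() if t in (Tier.HIGH, Tier.MEDIUM))
    next_cycle = sorted(n for n, t in record.items() if t is Tier.LOW)
    return {"record": record, "phase3": phase3, "next_cycle": next_cycle}


# Constructed sample inventory (hypothetical vendors and answers).
INVENTORY = {
    "Payroll SaaS": dict(data_sensitivity="regulated", record_volume="over_100k",
                         network_access="web_portal", outage_tolerance="hours",
                         handles_payments="yes", onsite_presence="no", uses_subcontractors="yes"),
    # Scores 9 (below HIGH_THRESHOLD) but privileged access is a critical answer.
    "Managed network provider": dict(data_sensitivity="internal", record_volume="under_1k",
                                     network_access="privileged", outage_tolerance="minutes",
                                     handles_payments="no", onsite_presence="escorted",
                                     uses_subcontractors="no"),
    "Marketing analytics": dict(data_sensitivity="internal", record_volume="1k_to_100k",
                                network_access="web_portal", outage_tolerance="days",
                                handles_payments="no", onsite_presence="no", uses_subcontractors="no"),
    "Office caterer": dict(data_sensitivity="none", record_volume="none", network_access="none",
                           outage_tolerance="weeks", handles_payments="no",
                           onsite_presence="escorted", uses_subcontractors="no"),
    "Stock photo library": dict(data_sensitivity="none", record_volume="none",
                                network_access="web_portal", outage_tolerance="weeks",
                                handles_payments="no", onsite_presence="no", uses_subcontractors="no"),
}


if __name__ == "__main__":
    result = triage(INVENTORY)
    for name, tier in result["record"].items():
        print(f"{name:26s} {score(INVENTORY[name]):2d} points -> {tier.value}")
    print("Phase 3 queue:", result["phase3"])
    print("Next cycle:   ", result["next_cycle"])
```

Two design choices are worth carrying into a real implementation: the critical-answer override keeps one decisive fact (regulated data, privileged access) from being diluted by an otherwise harmless relationship, and refusing incomplete questionnaires prevents the cheapest way to game the process, which is to leave the uncomfortable questions blank.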
Once the Classification step is complete, you’re ready to start Phase 3 of VRM – Assessment.