Author: GRC Practice Director, Alex Hollis.
In this Third Party Risk Management blog series, Alex Hollis will guide you through developing effective information gathering for third parties using five key steps to the formulation of a third-party questionnaire. The third-party risk management webinar is available on-demand via BrightTALK here.
In this third installment, he discusses understanding thresholds needed to make decisions, setting the expected level and being clear on what the minimum accepted level might be…
The final part of requirements is to understand the threshold which must be achieved for each of the elements.
Again, this is often overlooked as part of the process. Without knowing the threshold you need to reach to make a decision, you risk not being specific in terms of what you need and also leave the determination to the person carrying out the third-party review. If you have more than one person doing reviews, you will then have issues of consistency.
As well as setting the expected level, also be clear on what the minimum acceptable level might be. For example, would you allow the third party a grace period to add missing controls, assuming there are compensating controls?
Here is a simple framework for putting together the requirements:
At this stage, it is more than likely that you will have gaps in knowing what information is needed and what threshold would be accepted. But having identified the decisions, we can move to research.
In March 2019 we hosted a free third-party risk management webinar taking you through the five key steps to the formulation of a third-party questionnaire. Hear from Alex Hollis, SureCloud’s GRC Practice Director, as he discusses efficient and effective information gathering from third parties.
Discover the next blog in the third-party risk management series here, where we will cover approaches for both internal and external research needed for approaching questionnaires, comparing qualitative vs quantitative routes.
To view the previous blogs in the series click here.
See you next week!
A.