Classify your vendor's risk using the Vendor Register
Knowing which third party vendors are critical to your software business is essential to preparing for potential disruptions and determining the level of oversight necessary. However, many companies lack consistency in how they profile, tier and categorise their vendors.
Risk profiling, sometimes referred to as risk classification, is calculated based on a vendor’s services to your company. Certain vendors pose a greater risk. For example, your data centre provider will have a higher profiled risk than the design app your UX team use, since it holds more sensitive data and is critical to your day to day operations.
Once you have profiled a vendor and classified the risk they pose, you can determine the level of scrutiny applied. For low risk vendors, a periodic self-assessment may be sufficient, but for high risk vendors you may wish to continuously monitor their compliance posture.
A vendor’s risk profile is initially determined as part of the procurement process. They should be reassessed on a regular basis to ensure the vendor remains in the correct tier.
Calculating a vendor’s risk profile
Key areas you can use to determine the risk profile include:
-
Services provided
-
Types and volume of data handled
-
Location (geopolitical factors)
-
Industry (compliance factors)
Vendor Profiling Questionnaire
To help build the vendor profile, try answering the following questions:
-
What service(s) does the vendor provide?
-
How essential are these services to your company’s operations?
-
Is this service likely to be used for a short or longer term?
-
Is this the only vendor that provides this service?
-
Does the vendor have access to sensitive or confidential data?
-
What volume of data will the vendor have access to?
-
What would the impact be if the vendor had a data breach?
-
Does the vendor require access to your network or any of your internal systems?
Many companies use a vendor assessment/questionnaire to help determine the criticality of service being provided. A vendor profiling questionnaire can be sent straight from Adoptech, making it quick and easy for both parties. Chat with a member of our team for assistance by clicking on the Intercom icon in the bottom right.
Risk Classifications
Your company should agree how to classify vendors and apply that consistently. Within Adoptech there are 5 risk tiers are available:
Under this approach, each vendor is assigned to a tier indicating their criticality to the business. The scale goes from 1 (lowest risk) to 5 (highest risk).
This table is provided as an example. We suggest you define your own categories and provide specific examples that will help your team to consistently classify vendors. A template is available to help you with this, please chat with a member of our team by clicking on the Intercom icon in the bottom right.
Risk |
Criticality |
Risk Factors |
5 |
Critical |
|
4 |
High |
|
3 |
Medium |
|
2 |
Low |
|
1 |
Very Low |
|