Assessing Risks for Third-Party Vendors
Through the Vendor Risk Management area, you can determine the amount of risk that a third-party vendor presents to your business. This can be achieved by using the Risk Scoring function. Let's look at the example below:

In this example, we have added a third-party vendor imaginatively called 'Example Vendor'. This vendor has no assigned value for the Total Risk Score, and no answers for the Vendor DDQ (Due Diligence Questionnaire). Selecting Risk Scoring will open a new window.
This new window will ask for the name and email address of the vendor owner (the person taking responsibility) and then ask for information such as the vendor's credit score, reputational risks, geopolitical risk, and legal/contractual risk. Once you have submitted this information and refreshed the page, a new button called Request DDQ will replace Risk Scoring.
Selecting this button will send a questionnaire to the email address associated with this vendor, prompting them to answer questions about their cybersecurity and compliance. Once the vendor answers these questions, their answers will appear in the Vendor DDQ Response Details area. See the example below:
Once you have completed the risk scoring and the due diligence questionnaire has been answered, the platform will assign a numerical value to the vendor, indicating the overall risk this vendor poses to your business. As shown in the example below, this vendor has been given the value of 68, which is high risk. Using this scoring, you can demonstrate to auditors, assessors and stakeholders that you acknowledge the risk posed by vendors to your organisation, and that you have taken the necessary steps to address or mitigate these issues.



Updated on: 01/05/2025