So you’ve done your initial INHERENT risk rating of your vendor and then conducted your due diligence to determine the RESIDUAL risk and you’re comfortable doing business with the vendor so you sign a contract. A year from now you plan to conduct the periodic review. But a number of things might have occurred from the time you signed that contract that impact the vendor’s risk rating prior to the periodic review. Are you monitoring your vendor on an ongoing basis to keep on top of significant events?

  • Data Breaches
  • Failed DR Tests
  • Failure to meet SLAs
  • Disruptions that required longer than the RTO contractually agreed to
  • Lawsuits or Enforcement Actions
  • Mergers or Acquisitions that change the vendor’s strategic direction

But not every issue affecting the risk rating is a negative one. If you expanded the services that the vendor provides to you, you must conduct another risk assessment. What if a new service now gives the vendor access to sensitive data where there previously was none? Or perhaps you discontinued services and the vendor no longer has access to sensitive data. Have you reassessed the vendor's risk and placed it on a new periodic review schedule? What if the vendor has been acquired by a foreign company and data is now being sent offshore, or those in another country have access to it? The issue of Country (Political) Risk and data privacy should be a huge concern that drives a reassessment of risk. Thus, risk ratings are not static and can be affected by multiple factors, which is why you need to monitor your vendors on an ongoing basis! Significant changes to significant vendors should be presented to your Risk Committee, if you have one, and to the Board, since the Board needs to be aware of changes to significant vendor relationships.