What department typically owns the Third Party due diligence/assessment process?

Third Party Risk Management (TPRM)

Procurement14%

Operational Risk46%

Audit18%

Vendor Risk Management 10%

Cybersecurity10%

Legal2%

83 PARTICIPANTS

1.3k views

Content you might like

Certificates of Insurance (COI): Collecting from Suppliers for Risk Mitigation • Does your company collect COIs annually from your suppliers? • What criteria do you use to determine from which suppliers to collect COIs annually? Are there industry benchmarks for this?

Does your security awareness training address files shared over communications platforms like Microsoft Teams?

Yes80%

No18%

Other (comment below)1%

View Results

What models are in place for risk partners based in Line 2? What are the jobs to be done? How do they operate? What does the structure/operating rythms look like?

Read More Comments

Have you patched the critical vulnerability in SAP Internet Communication Manager, CVE-2022-22536?

Yes47%

Patching is in progress29%

No19%

Other (please specify in the comments)2%

View Results

A common challenge in our risk-tiering framework for suppliers is that even the lowest risk tier still requires processing.
Has anyone implemented a "not relevant" risk tier in their model?
This tier would apply to vendors posing genuinely negligible security risk.