Third Parties are Threats Too

When you’re conducting a risk assessment, be sure to include your third parties, your vendors, and your partners. The supply chain you rely upon is very important to consider. If we’re too focused on the risks we hold ourselves and we forget about the third parties we rely upon, we’re missing a very big, impactful area that needs to be part of our risk assessment. When you document those risks about your third parties, think about what kind of requirements you have for them to participate in that risk assessment. You might expect to receive from them some type of report or result of their own risk assessment; you might find that contained in an audit report or some other evidence that they provide. Too often I see organizations just have a checklist or questionnaire where they ask their third parties, “Have you done an annual risk assessment?” and the third party merely says yes. But we don’t take the next step and ask for the evidence and actually review those results so that we can understand the risks they’re facing. For a critical vendor it can be very important for you to know how you’re going to deal with the risks they are facing, because you have to put measures in place to protect yourself against a threat being realized against them. Be sure to include your supply chain in your next risk assessment.

