Centrally document third parties and their risk attributes. Document the results of assessments and track issues in a risk registry.
Tracking of third-party risk, their inherent risks and business context is a pre-requisite to managing third-party risk. Tracking of issues is necessary to understand third-party residual risk and to resolve issues.
Track vendors, their risk attributes, business context, and issues in a central system. The system should support analysis and reporting.
|Maintain procurement records that can be readily analyzed.||Common||70%|
|Track third-party risk in a central database.||Common||50%|
|Track third-party issues in a risk registry.||Common||50%|
|Track third-party residual risk, factoring inherent risk rating with assessment performance.||No Data||No Data|