
Third Party Risk Management: Validating responses from vendors?

Çağlar Arlı


I am designing a 3PRM (Third-Party Risk Management) process in a FS company, and I'm curious about how other companies validate their supplier questionnaires.

The system I'm anticipating is (after I've issued supplier questionnaires, and received the responses) dividing up the responses for degrees of validation.

I'm considering three tiers:

Tier 1: Suppliers that can be assured based purely on their questionnaire responses: that is, given the level of risk to the company, we don't require anything more than the answers to the questionnaires (plus copies of any certifications that they claim to have, such as ISO 27001, etc.).

Tier 2: Suppliers from which we require additional evidence in order to be assured that they are secure: that is, we might need to see (for example) copies of the policies that they claim to be upholding, plus evidence that they are being upheld, etc.

Tier 3: Suppliers that will require a site visit to verify their responses: that is, suppliers that represent a sufficient risk that we need to be certain that they are secure, by checking it for ourselves.

My questions would be:

  1. What criteria should we use to distinguish between these three tiers? What sort of benchmarks or cut-offs would be appropriate (based on risk to the company, the kinds of service being supplied, etc)?

  2. What kinds of evidence would be reasonable to ask for in relation to Tier 2 suppliers?