How Often Should Supplier Risk Assessments Be Conducted?

Rebecca Kappel (Staff) asked 6 months ago

1 Answer
Rebecca Kappel (Staff) answered 6 months ago

Supplier Risk Assessment Frequency

The NIST Cybersecurity Framework (CSF) guidance suggests the following practices for supply chain risk assessment management:

  • Test and Assessment Period for New Suppliers:
      • New suppliers should enter a test and supplier risk assessment period to evaluate their capabilities and compliance with various requirements before actively joining the supply chain.
      • In high-risk areas, suppliers might undergo a series of pilots before fully integrating into the supply chain.
  • Survey Alignment for Tier 1 Suppliers:
      • Tier 1 suppliers are required to provide their suppliers with the same survey that the Original Equipment Manufacturer (OEM) requires of them. This implies a consistent approach to assessing and managing risks across the supply chain tiers.
  • Establishment of Approved Vendor Lists:
      • Approved vendor lists are established for manufacturing partners, indicating a pre-approved list of suppliers that meet specific criteria. This helps ensure that only vendors meeting certain standards are engaged in the supply chain.
  • Quarterly Reviews of Supplier Performance:
      • Quarterly reviews of supplier performance are conducted among a stakeholder group. This suggests a regular supplier evaluation risk rating to monitor and evaluate supplier performance risk systems on an ongoing basis.
  • Annual Supplier Meetings:
      • Annual supplier meetings are conducted to ensure that suppliers understand the customers’ business needs, concerns, and security priorities. These meetings provide a forum for communication and collaboration between customers and suppliers.

Based on the practices outlined in the guidance, the frequency of supplier risk assessments can be inferred as follows:

  • New suppliers undergo assessments during a test and assessment period.
  • Tier 1 suppliers and their downstream suppliers undergo regular assessments through surveys.
  • Quarterly reviews of supplier performance indicate ongoing, frequent assessments.

The specific frequency for each type of assessment may vary based on the organization’s risk management strategy, the nature of the supply chain, and the criticality of the goods or services provided by the suppliers. It’s important to adapt the frequency based on the organization’s risk appetite.
