How Often Should Supplier Risk Assessments Be Conducted?

How Often Should Supplier Risk Assessments Be Conducted?How Often Should Supplier Risk Assessments Be Conducted?
Rebecca Kappel Staff asked 3 months ago

1 Answers
Rebecca Kappel Staff answered 3 months ago

Supplier Risk Assessment Frequency

The NIST Cybersecurity Framework (CSF) guidance suggests the following practices for supply chain risk assessment management:

Further Reading: The Definitive Guide to Supply Chain Risk Assessments 

  • Test and Assessment Period for New Suppliers:

      • New suppliers should enter a test and supplier risk assessment period to evaluate their capabilities and compliance with various requirements before actively joining the supply chain.
      • In high-risk areas, suppliers might undergo a series of pilots before fully integrating into the supply chain.
  • Survey Alignment for Tier 1 Suppliers:

      • Tier 1 suppliers are required to provide their suppliers with the same survey that the Original Equipment Manufacturer (OEM) requires of them. This implies a consistent approach to assessing and managing risks across the supply chain tiers.
  • Establishment of Approved Vendor Lists:

      • Approved vendor lists are established for manufacturing partners, indicating a pre-approved list of suppliers that meet specific criteria. This helps ensure that only vendors meeting certain standards are engaged in the supply chain.
  • Quarterly Reviews of Supplier Performance:

      • Quarterly reviews of supplier performance are conducted among a stakeholder group. This suggests a regular supplier evaluation risk rating to monitor and evaluate supplier performance risk systems on an ongoing basis.
  • Annual Supplier Meetings:

    • Annual supplier meetings are conducted to ensure that suppliers understand the customers’ business needs, concerns, and security priorities. These meetings provide a forum for communication and collaboration between customers and suppliers.

Based on the practices outlined in the guidance, the frequency of supplier risk assessments can be inferred as follows:

  • New suppliers undergo assessments during a test and assessment period.
  • Tier 1 suppliers and their downstream suppliers undergo regular assessments through surveys.
  • Quarterly reviews of supplier performance indicate ongoing, frequent assessments.

The specific frequency for each type of assessment may vary based on the organization’s risk management strategy, the nature of the supply chain, and the criticality of the goods or services provided by the suppliers. It’s important to adapt the frequency based on the organization’s risk appetite.

Related Content

Audit Management Software

Audit Management Software

What is Audit Management Software? Audit management software is the cornerstone of organizations’ efficient audit oversight,…
Vendor Framework

Vendor Framework

What is a Vendor Framework? In today’s turbo-charged business world, we’re all about connections, which means…
AI Governance

AI Governance

What is AI Governance? AI governance refers to the comprehensive principles, policies, and practices that guide…
Skip to content