Question: Are third-party risk and compliance updates presented to leadership periodically?
Objective — Why This Matters
A large share of breaches originate with, or pass through, a supplier, so the organisation's exposure is only as good as its weakest vendor. Leadership needs regular visibility into vendor risk and into the actions being taken to cut that exposure, not a one-off review at onboarding.
Maturity Levels (0–5)
0 — Unaware
No vendor risk reporting to leadership at all.
1 — Ad Hoc
Leadership hears about vendor risk only when a major incident forces it.
2 — Defined
A quarterly list of critical vendors with a risk rating for each is presented.
3 — Managed
Reporting shows trends over time, open findings with due dates, and assurances (certifications, audit reports) that are about to expire.
4 — Integrated
Reporting drives decisions: contractual remedies are invoked and vendors are re-classified (up or down) based on the evidence presented.
5 — Optimized
Continuous monitoring feeds and the results of joint exercises with key vendors are reported alongside the register.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Build a spreadsheet of high-risk vendors, each with a named internal owner. |
| 1 → 2 | Add a risk score, last review date and next action per vendor. |
| 2 → 3 | Add assurance evidence (certifications, SOC 2 reports) with expiry dates, plus open issues and their due dates. |
| 3 → 4 | Track contract clauses (security obligations, breach-notification terms); escalate vendors with overdue actions to leadership. |
| 4 → 5 | Integrate a continuous monitoring feed and the results of joint drills with key vendors. |
People / Process / Technology Enablers
- People: a named owner per vendor; procurement; legal.
- Process: quarterly third-party risk management (TPRM) review with leadership.
- Technology: a vendor register (spreadsheet or TPRM tool) and a dashboard built from it.
Evidence Required
- Latest vendor risk register.
- Leadership deck section; actions from reviews.
- Assurance evidence store.
Metrics / KPIs
- % of high-risk vendors with current (unexpired) assurance evidence.
- Number of overdue vendor actions.
- Time to remediate critical vendor findings (days from opening to closure).
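The metrics above, and the register fields the "How to Level Up" steps add (owner, risk rating, assurance expiry, actions with due dates), can be computed from the register itself so the leadership section of the deck is generated rather than hand-assembled. The following is an added example, not part of this page's original material or any TPRM tool; the register format, the vendor names and all dates are constructed for illustration, and the fixed reporting date keeps the output deterministic.

```python
"""Build the leadership summary from a vendor risk register.

Constructed sample data; the register schema is an assumption for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fixed reporting date so the numbers are reproducible (assumption for the example).
TODAY = date(2024, 7, 1)


@dataclass
class Action:
    description: str
    severity: str               # "critical" | "high" | "medium" | "low"
    opened: date
    due: date
    closed: Optional[date] = None   # None means the action is still open


@dataclass
class Vendor:
    name: str
    owner: Optional[str]        # accountable internal owner; None is a pitfall to flag
    risk: str                   # "high" | "medium" | "low"
    assurance_type: Optional[str]      # e.g. "SOC 2 Type II", "ISO 27001"
    assurance_expiry: Optional[date]   # validity end of the latest evidence
    actions: list


def assurance_current(v: Vendor, today: date) -> bool:
    """Evidence counts only if it exists and has not lapsed."""
    return v.assurance_expiry is not None and v.assurance_expiry >= today


def leadership_summary(vendors: list, today: date, expiry_window_days: int = 90) -> dict:
    """Compute the KPIs leadership sees each quarter plus the escalation list."""
    high = [v for v in vendors if v.risk == "high"]
    high_current = [v for v in high if assurance_current(v, today)]
    pct_high_current = round(100 * len(high_current) / len(high), 1) if high else 0.0

    horizon = today + timedelta(days=expiry_window_days)
    expiring = sorted(
        v.name for v in vendors
        if v.assurance_expiry is not None and today <= v.assurance_expiry <= horizon
    )
    # Overdue = still open and past its due date.
    overdue = [(v.name, a.description) for v in vendors for a in v.actions
               if a.closed is None and a.due < today]
    # Time to remediate critical findings, over findings that have actually closed.
    closed_critical = [(a.closed - a.opened).days for v in vendors for a in v.actions
                       if a.severity == "critical" and a.closed is not None]
    mean_ttr = round(sum(closed_critical) / len(closed_critical), 1) if closed_critical else None

    return {
        "pct_high_risk_with_current_assurance": pct_high_current,
        "high_risk_without_current_assurance": sorted(v.name for v in high if v not in high_current),
        "assurance_expiring_within_window": expiring,
        "overdue_actions": len(overdue),
        "escalate": sorted({name for name, _ in overdue}),   # vendors to raise with leadership
        "mean_days_to_close_critical": mean_ttr,
        "vendors_without_owner": sorted(v.name for v in vendors if not v.owner),
    }


def sample_register() -> list:
    """Constructed register: four vendors, one lapsed assurance, one overdue action."""
    return [
        Vendor("Acme Payroll", "HR Lead", "high", "SOC 2 Type II", date(2024, 8, 15), [
            Action("Enable MFA for admin portal", "critical", date(2024, 3, 1), date(2024, 4, 1), date(2024, 3, 21)),
        ]),
        Vendor("CloudHost Ltd", "Platform Lead", "high", "ISO 27001", date(2024, 5, 31), [
            Action("Provide sub-processor list", "high", date(2024, 5, 1), date(2024, 6, 15)),
            Action("Patch exposed management interface", "critical", date(2024, 6, 1), date(2024, 6, 20), date(2024, 6, 11)),
        ]),
        Vendor("DesignStudio", None, "low", None, None, []),
        Vendor("Mailer Inc", "Marketing Lead", "medium", "SOC 2 Type II", date(2025, 1, 31), [
            Action("Confirm data retention period", "medium", date(2024, 6, 10), date(2024, 7, 31)),
        ]),
    ]


if __name__ == "__main__":
    for key, value in leadership_summary(sample_register(), TODAY).items():
        print(f"{key}: {value}")
```

Run it as-is and the summary shows one of two high-risk vendors with current assurance (CloudHost's ISO certificate lapsed at the end of May), Acme's SOC 2 report expiring inside the 90-day window, one overdue action that puts CloudHost on the escalation list, a mean of 15 days to close critical findings, and DesignStudio flagged for having no owner. Pointing the same function at the real register each quarter gives the deck section and the "actions from reviews" evidence without manual re-keying.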
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Register | Spreadsheet | Keep the columns minimal and filterable (owner, risk, assurance expiry, next action, due date). |
| Evidence | Drive/Repo | One folder per vendor holding certificates, audit reports and signed contract clauses. |
| Monitoring | RSS/Google Alerts | Catch publicly reported vendor incidents and breach disclosures between reviews. |
Common Pitfalls
- "Set and forget": the vendor is assessed at onboarding and never re-reviewed.
- No named internal owner for each vendor, so nobody chases overdue actions.
- No visibility into sub-processors (the vendor's own suppliers), so fourth-party exposure is unknown.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27036 / ISO/IEC 27701 | 27036: security in supplier relationships; 27701: privacy controls covering processor oversight |
| DPDP | Sec 8: obligations of the Data Fiduciary, including engaging Data Processors only under a valid contract |
| NIRMATA Scoring | GL-Q10 expects periodic leadership reporting + actions. |