Sample – Vendor Security and Risk Management Review Matrix

October 21, 2012

Vendor: Name of Vendor with address and contact information
Vendor Owner: Name the owner or owners of the relationship
Review Date: Date contract received
Report Date: Final report date
Applicable Vendors, Partners and Affiliates: Name any pass through vendor relationships critical to SLA, to include their services.
Service or Product Summary: Summarize service, function or product.
Risk Analysis:

Operational Risk – Operational Risk considers the impact that a vendor or service provider relationship may have on the client's ability to provide high-quality and timely services to members, to include data integrity and the confidentiality of company and member information.

Compliance – Compliance Risk considers the impact that a vendor or service provider relationship may have as it relates to contract risk, regulatory compliance or other legal liability. 

Strategic – Strategic Risk relates to the value of the service or product being considered, and evaluates the relationship in terms of its contribution to business line goals and objectives. Evaluations may consider cost/benefit, risk/reward and its ties to enterprise strategies.

Reputation – Reputation Risk relates to actions or perceived actions on the part of the client that cause member dissatisfaction, departure, or adverse media attention, ultimately diminishing consumer trust and confidence or causing a loss in market share.

Comment on Operational, Compliance, Strategic, and Reputation risk exposure caused by the relationship.
Questions: List outstanding questions for discussions and secondary analysis.
Recommended Risk Mitigation: Based on response, list recommended risk mitigation actions.
Risk Acceptance: Note any outstanding questions or risks that are identified but will not be mitigated. The contract owner is responsible for making final decisions regarding risk acceptance. However, if risks are believed to be material, risk management reserves the right to escalate this document to the Director of Risk Management for further action.
Contract Owner Signature: