Suppliers should be vetted at the pre-contract stage to ensure they meet the firm's risk appetite.
Regular re-assessment of suppliers is necessary, with the frequency and depth based on the level of risk presented.
Re-assessment should be triggered by material changes to services or significant incidents.
Due diligence should evaluate the design and operational effectiveness of suppliers’ policies and procedures, including information security, operational resilience, and data protection.
Suppliers must have adequate controls for service performance monitoring and issue management.
Firms should regularly review and update their due diligence and assurance policies to address emerging risks and new regulations.
Findings from due diligence should inform ongoing performance monitoring, particularly for critical suppliers.
Assessors should have appropriate training, risk domain expertise, and experience with relevant controls.
Third-party assessors can provide unbiased evaluations and best practice recommendations when in-house capacity is limited.
Pooled audits can be cost-effective for medium to high-risk suppliers but may lack relevance to specific services or industries.