Creating Portfolios enables you to organize the organizations you wish to monitor into customizable categories. Here are some of the ways our customers organize their Portfolios:
When deciding how to organize your third-party relationships, it’s important to consider which risks apply to which third parties. Not all vendors, partners, suppliers, etc. are created equal, and different relationships bring different types of risk. A key component of a successful third-party risk management program is tiering. Creating Portfolios that align with your vendor tiers will enable your organization to understand the risks of its various relationships and properly align due diligence activities.
Organizations typically tier their business relationships into 4 different categories:
- Tier 1 or Mission Critical Vendors
- Tier 2 or High Criticality
- Tier 3 or Medium Criticality
- Tier 4 or Low Criticality
Mission Critical Vendors
These organizations pose the greatest risk and require the most comprehensive due diligence.
High Criticality
These organizations may not require assessments as extensive as Mission Critical vendors, but they still pose a high risk to your organization, making it important to identify and understand vendors’ policies, procedures, and architecture.
Medium Criticality
These organizations receive more selective and less frequent assessments than High Criticality vendors. It’s still important to understand the controls they have in place that are designed to protect your company from risk.
Low Criticality
These organizations don’t have access to sensitive information or connectivity to your systems/networks; however, it’s useful to understand your full ecosystem and the potential risk they may pose.
Potential future vendors, partners, suppliers, etc. can be added to a Portfolio to help teams find answers to the following questions:
- When deciding between vendors, which poses the least risk?
- Do we need to find an alternative vendor?
- Do we need a vendor to improve their cybersecurity posture before we sign a contract?
- Do we need to incorporate maintaining a certain letter grade into the contract to ensure the upkeep of cybersecurity protocols?
Organizations often want to understand how they compare to other organizations in the same industry across various attributes, including cybersecurity posture. Your potential clients may be considering who poses the least risk when making buying decisions. In order to help monitor the competitive landscape, you can create a Portfolio of your competitors.
Organizations need to perform proper due diligence on M&A targets and their vendor ecosystems to understand the cyber risk that is assumed once the transaction closes. Creating a Portfolio of potential acquisition targets gives M&A teams visibility and supports the due diligence process. Additionally, you can use Portfolio Access Controls to keep this Portfolio private and give access only to the M&A team.