Vendor Risk Assessment

A risk assessment of a vendor is a common procurement/compliance exercise that CAUDIT members typically undertake individually. Risk assessments are being requested:

• to enable institutions to assess the risks of vendor offerings and solutions, protecting CAUDIT members, institutions and vendors.
• to provide efficiencies for institutions and vendors through one third party risk assessment administered and maintained by AHECS, through CAUDIT.
• to provide an external view and validation of the assessment

Is there a cost for this risk assessment?

There is no cost for the risk assessment to vendors that are providing or renewing an offer to CAUDIT members.

What sort of information should a vendor supply?

• The risk assessment tool asks a number of initial questions to direct the vendor to complete only the relevant sections of the assessment.
• Provision is made for the vendor to explain/provide detail regarding their responses.
• Where supporting documents are not available via publicly accessible website links the vendor can provide copies of these documents along with the completed risk assessment. Any supporting documents that are provided are securely stored and made available through authenticated access to CAUDIT members only.

How is the risk assessment delivered?

The risk assessment is a self-reported spreadsheet based tool that is available to download and complete.

How often should the risk assessment be completed/updated?

The risk assessment should be completed/updated using the latest version available for download. It should be completed when a vendor begins engaging with CAUDIT to provide sponsorship, partnership or value to CAUDIT members, and should be updated on an annual basis.