Third-party assessment states

Draft

An external assessment record is opened in the Draft state.

• Assessment template: A set of external questionnaires and document requests that are auto-generated based on IRQ responses. Alternatively, an administrator could manually specify the questionnaires and document requests.
• Risk rating: The overall risk rating that is auto-generated based on IRQ responses.
• Owner: The owner is the person who owns an assessment for audit purposes and monitors and manages overall assessment processes. Owners are responsible for confirming that the assessment is completed in a timely fashion by the third party, reviewing their responses, and creating and resolving issues. To drive the assessment to its completion, owners are notified when an assessment reaches a particular milestone. The owner must have the TPR manager or TPR assessor role.

Submitted to third party

The questionnaires and document requests for the assessment have been sent to the third-party contact. Internal stakeholders await responses.

Responses received

After contacts at the third party have completed all questionnaires and document requests, your internal third-party risk team reviews and analyzes the responses. The team might return particular questions for follow-up, clarification, or missing answers.

Generating observations

When all responses are completed, the system can auto-generate issues for incorrect answers.

Third-party contacts respond to issues. Your internal third-party risk team makes a final determination to accept the responses or remediate the issues.

Finalizing with a third party

Your third-party risk team reviews all assessment data. In some cases, the team resets the assessment to the Draft state to restart the assessment life cycle.

Closed

When all data is acceptable, the assessment is complete and a member of the team closes the assessment. If the engagement will be contracted, the Closed state initiates the contract risk process.