Categorizing vendors and other third parties by inherent risk scores and impact is optimal for keeping track of which companies need to be checked in on or need extra communication. One way of doing this can be by using the following tiers:


Tier 3: Low Risk & Low Criticality → (Focus Little Effort)
Tier 2: Medium Risk & Medium Criticality → (Focus Moderate Effort)
Tier 1: High Risk & High Criticality → (Focus Majority Effort)

CALCULATING INHERENT RISK SCORES
Assigning each third party an inherent risk score can be used to efficiently categorize and prioritize vendors. When giving each vendor a risk score, Vetzu can assess them by reflecting on the following:


1. Does the vendor have access to proprietary or confidential business information?
2. Does Vetzu share personal data with the vendor​?
3. Does Vetzu share sensitive personal data with the vendor​?
4. Does Vetzu share personal data across borders​?
5. Does the vendor serve a critical business function/s?

ASSESSING IMPACT
The impact is another significant factor that can be used to categorize vendors. Consider the following when assessing a vendor’s impact on Vetzu:


1. The impact of unauthorized disclosure of information​
2. The impact of unauthorized modification or destruction of information​
3. The impact of disruption of access to the vendor/information​