API Q1-9 Critical Suppliers 5.6.1.2 and Risk Assessment

Jac3LLC

Question about 5.6.1.2 and risk assessment.

We have 4 or 5 suppliers that we would classify as Critical -
There is little substitute available if they were to have a dis for whatever reason:

1. They either sell specialized material and stock for us,

2. The products we buy are proprietary to that particular company (patents in force).

3. The supplier has in their possession a set of tooling that we own such as foundries, and we do not have a second.
 

Ronen E

Problem Solver
Moderator

What is the question?
 
Jac3LLC

I guess that would help. We identified them and identified the risks associated specific to each. Must we address what we would do if we had a business interruption with them?
 

Ronen E


I don't have the wording in front of me, but Risk Assessment is about understanding how serious the various risks are; if elements of risk mitigation and risk acceptability are also included (I guess they are), then you must take action to bring down any unacceptable risks. Having alternative suppliers is a way to deal with some risks; if this is impossible or impractical then you have to find other ways.

Cheers,
Ronen.
 
Help during our API audit non-conformance regarding our Procedure is not adequate to define the criteria for re-evaluation of non critical suppliers
 
smohanarangan

Hi,

You can have the subjects below added to your process/standard document. That would provide enough of an overview of what process your company will adopt for what type of vendor.

1. Matrix for vendor classification Tier with assessment approach
2. Vendor types and definitions (e.g. Secure Disposal Vendor, Contracting/Labor Vendor, Application Provider, Infrastructure Hosting, Colocation Facility Vendor, Data Handling/Processing, Managed/Security Vendor, Data Storage Vendor, Maintenance Vendor, Human Resource Vendor, Software Vendor, Professional Services Vendor and Legal Counsel)
3. Matrix for assessments requirement (Y/N) for above vendor types like NDA, Contract/Agreement, Assessment via Questionnaire, Technical Assessment, Penetration Testing, Additional Requirement etc.

I hope the info is helpful.

Regards,

Shans
 