Doug’s pretty sure that he’s doing the right thing by following the Sourcing Process, so he takes his RFP to market. Through that process, a vendor is selected. However, as the onboarding process progresses and Doug starts to complete his risk assessments, a number of non-compliance issues with the Information Security Policy and Standards are discovered.
If Doug had engaged DPG for additional clarity on the Information Security Policy and Standards before issuing the RFP, he could have improved coverage of security considerations, which would have led to better and safer business outcomes.

Doug’s glad he contacted Jamie when he did. Even though he was adhering to CBA’s supplier governance policies and frameworks and was aware of some security considerations to include in the RFP, Jamie gave him some additional suggestions. This helped him assess the suppliers’ ability to comply with the Information Security Policy and Standards before a vendor was selected, and collect the right information to complete his risk assessments.

Yes, that is correct. Once you have confirmed this information with your supplier, engage DPG, Line 1 Risk and Enterprise Procurement and Partnerships (EPP) to ascertain if a risk assessment needs to be revised or updated. Jamie explains to Doug the importance of maintaining situational awareness to ensure good supplier governance at all times.
