If you’ve worked in third-party risk management for any period of time, you’ve certainly been asked, “Have you done a risk assessment?” It’s a question asked so many times that it has probably lost its impact, but a well-written risk assessment is essential to fulfilling one of your obligations in the regulatory guidance on effective risk management.
It can be an overwhelming task – where do you start? We’ll go through the components of risk assessments to walk you through what you need to do.
Component 1: Determining Business Impact and Regulatory Risk
First, you should determine the vendor’s business impact risk and the vendor’s regulatory risk impact on the organization.
Determining business impact risk helps you better understand if the vendor is critical or non-critical. There’s really a quite simple methodology to determining the business impact risk. All you need to do is ask yourself the following three questions. If you answer “yes” to any of the following, then the vendor is critical:
- Would the sudden loss this third-party vendor cause a disruption to our organization?
- Would such a loss have an impact on our organization’s customers?
- Would the time to recover normal operations exceed one business day or be greater than 24 hours?
Quick Tip: As a general rule of thumb, only 10-12% of an organization’s third parties are critical from a business impact standpoint, but if they’re critical, then they require special consideration. Often, that means developing a set of contingency plans and more rigorous monitoring.
Determining regulatory risk takes into consideration the primary categories of risk, plus others. These are strategic risk, reputation risk, operational risk, transaction risk, financial risk, regulatory risk and other risks like interest rate, country, price and more. Answering questions to determine if these types of risks exist will lead you to your second vendor risk rating which often consists of a low, medium or high-risk rating scale.
Now, you’ve completed the first step in the process. You’ve determined two risk ratings, which is a critical component of risk assessments. To reiterate, as it’s extremely important, the first is if the vendor is deemed critical or non-critical and the second rating is the regulatory risk rating – often low, medium or high risk.
Component 2: Inherent Risk – What Is It?
You’ve probably heard the phrase “never judge a book by it’s cover” upon first meeting someone new. This basically means that your first impression of someone may not always be accurate or could change. Well, funny enough, in vendor risk management there’s a first impression risk score known as inherent risk.
Inherent risk is the risk that immediately strikes you when you first see the third party. It’s truly kind of like your first impression that immediately strikes you when you meet someone new. So, for example, if you’re performing your vendor due diligence and immediately notice that their financials are declining year-over-year, or they’re involved in pending litigation, then there’s likely a high financial risk posed to your organization.
Component 3: Mitigating the Inherent Risk
There’s some good news regarding the first impression risk aka inherent vendor risk. Many times, you can mitigate the inherent risk which means you can take steps to reduce the risk present by implementing stronger controls and processes. Mitigating controls helps you gain comfort around the vendor and determine what steps you can take to lessen the risk to your organization.
Here are 2 tips to mitigate controls:
- Review the vendor more frequently. For example, if it’s a high financial risk vendor, then you may increase the frequency of reviews to more than annually, such as quarterly.
- Write specific requests into the contract. If possible, you can contractually obligate the vendor to commit to sending specific due diligence requests or add additional requirements into the contract.
Component 4: The Residual Risk
Now, you’ve mitigated the inherent risk by strengthening controls and requests and are comfortable with the level of risk posed to your organization by using the outsourced vendor’s product or service. You may even be able to drop their risk rating a level so, for example, from high-risk to a medium-risk vendor. This is known as your residual risk. It’s the risk that you’re left with after mitigating the risk and it should be one that makes you feel good about moving forward with the vendor.
Quick Tip: The residual risk should never be more than the inherent risk. It should always be equal to or less than the inherent risk.
Component 5: Aggregate Results and Document Everything
In the final phase of the vendor risk assessment process, be sure to document the inherent risk, mitigating controls and the residual risk for each category of risk. Then aggregate them to an overall set of scores. And, create a reader friendly risk assessment report for every third-party vendor you’re actively managing.
By including these components in your risk assessment process, you’ll build the fundamental foundation of a well-managed third-party risk program.
Use this mini guidebook to dive deeper into vendor risk assessments. Download the eBook.