Writing a risk assessment document for the first time or the thousandth time can be a daunting task. People often struggle with how much there is to consider.
So, let’s narrow the focus and go through the different types of risk.
2 Overarching Fundamental Vendor Risk Types
The first two risk types are fundamental risk categories to know. They are:
- Business Impact Risk – rated critical or non-critical: this relates to service disruption
- Regulatory Risk – rated high, moderate or low: this relates to how your company complies with regulatory guidance
Each Risk Type is Tailored to the Vendor
Beyond the first two types, there are 7 more. And, each risk type needs to be tailored to the third party you’re dealing with. For example, an outsourced call center would have different concerns associated with it than the telephone company your company uses.
As far as regulatory risk goes, these are the seven most common vendor risk types to consider in your vendor risk assessment:
- Strategic Risk. Strategic risk is the risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution's strategic goals.
Ask yourself: Is this vendor going to operate in a manner consistent with our company’s practices?
- Reputation Risk. Reputation risk is the risk arising from negative public opinion. Third party relationships that result in any of the following are examples of what could harm reputation:
- Dissatisfied customers
- Interactions not consistent with company policies
- Inappropriate recommendations
- Security breaches resulting in the disclosure of customer information
- Violations of law and regulation
Ask yourself: Does this vendor have a history of unresolved complaints? Are they in the news in a bad way often?
- Operational Risk. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Third party relationships often integrate the internal processes of other companies with your company's processes and can increase the overall operational complexity.
Ask yourself: Does the vendor have a mature business continuity program?
- Transaction Risk. Transaction risk is the risk arising from problems with service or product delivery. Your company is exposed to transaction risk when a third party fails to perform as expected by customers or your company due to reasons such as:
- Inadequate capacity
- Technological failure
- Human error
And, if you don’t have an effective business resumption plan and appropriate contingency plans, you’ve increased your transaction risk.
Ask yourself: Can I expect the vendor to perform as planned? Can they provide service level reporting to support their performance?
- Credit Risk. Credit risk is the risk that a third party, or any other creditor necessary to the third party relationship, is unable to meet the terms of the contractual arrangements with the company or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Some contracts provide that the third party ensures some measure of performance related to obligations arising from the relationship, such as loan origination programs. In these circumstances, the financial condition of the third party is a factor in assessing credit risk.
Credit risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers, conduct underwriting analysis or set up product programs for the financial institution. You must monitor third party activity and ensure credit risk is understood and remains within board-approved limits.
Ask yourself: What is the anticipated loss rate and how have they performed against that threshold?
- Compliance Risk. Compliance risk is the risk arising from violations of laws, rules or regulations, or from noncompliance with internal policies or procedures or with the institution's business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies or ethical standards.
For example, some third parties may engage in product marketing practices that are deceptive in violation of Section 5 of the Federal Trade Commission Act, or lending practices that are discriminatory in violation of the Equal Credit Opportunity Act and the Federal Reserve Board's Regulation B. Additionally, the ability of the third party to maintain the privacy of customer records and to implement an appropriate information security and disclosure program is another compliance concern.
Liability could potentially extend to the financial institution when third parties experience security breaches involving customer information in violation of the safeguarding of customer information standards under FDIC and Federal Trade Commission regulations. Compliance risk is exacerbated when an institution has inadequate oversight, monitoring or audit functions.
Ask yourself: Is there a sound set of policies and procedures? How have they performed in recent audits?
- Other Risks. The types of risk introduced by a company’s decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third party relationship is not possible. In addition to the risks described above, third party relationships may also subject the financial institution to liquidity, interest rate, price, foreign currency translation and country risks.
Once you have identified all of the categories you want to address, list them in whatever template you are using for your risk assessment process. The scoring for regulatory risk is different from business impact; rather than assigning a critical or non-critical rating, regulatory risk is generally broken into tiers like high, medium and low, based on answers to a series of questions.
These questions should be compiled either from subject matter experts around your organization or from industry standardized questionnaires available from companies like Shared Assessments, or from an automated software platform that you either built yourself or acquired from a third party like Venminder.
These questions should give you an objective and consistent method of assigning risk. Once you have determined the answers and assigned the score, you’ve arrived at an Inherent Risk score.
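As an added illustration (not code from the original post or from Venminder), here is the scoring step as a small Python routine: each of the seven regulatory risk categories gets an answer on a 0..2 scale and a weight, the normalised score is cut into high/medium/low tiers, and business impact stays a separate critical/non-critical rating. The weights, answer scale, thresholds and the "unanswered counts as worst case" rule are assumptions, not values the page gives.

```python
from typing import Dict, List, Optional

# Assumed per-category weights; the categories are the seven from the post.
WEIGHTS: Dict[str, int] = {
    "strategic": 2, "reputation": 2, "operational": 3, "transaction": 3,
    "credit": 3, "compliance": 4, "other": 1,
}
SCALE_MAX = 2          # answer scale: 0 = no concern, 1 = some, 2 = significant
HIGH, MEDIUM = 60, 30  # assumed tier thresholds on the normalised 0..100 score


def score_regulatory(answers: Dict[str, Optional[int]]) -> Dict[str, object]:
    """Turn questionnaire answers into an Inherent Risk score and tier.

    A missing or None answer is treated as the worst case and reported, so a
    vendor cannot land in the 'low' tier just because the questionnaire is
    incomplete (assumed conservative default).
    """
    effective: Dict[str, int] = {}
    unanswered: List[str] = []
    for category in WEIGHTS:
        value = answers.get(category)
        if value is None:
            unanswered.append(category)
            value = SCALE_MAX
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{category}: answer {value} outside 0..{SCALE_MAX}")
        effective[category] = value
    total = sum(WEIGHTS[c] * v for c, v in effective.items())
    score = round(100 * total / (SCALE_MAX * sum(WEIGHTS.values())))
    tier = "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"
    # Assumed rule: a 'significant' answer in any single category floors the
    # tier at medium even when the weighted total is small.
    if tier == "low" and SCALE_MAX in effective.values():
        tier = "medium"
    return {"score": score, "tier": tier, "unanswered": unanswered}


def assess_vendor(answers: Dict[str, Optional[int]], service_disruption: bool) -> Dict[str, object]:
    """Combine the two fundamental ratings: business impact (critical / non-critical
    on service disruption) and the tiered regulatory risk."""
    result = {"business_impact": "critical" if service_disruption else "non-critical"}
    result.update(score_regulatory(answers))
    return result


if __name__ == "__main__":
    # Constructed sample: an outsourced call center with a few moderate concerns.
    call_center = {"strategic": 0, "reputation": 1, "operational": 1,
                   "transaction": 1, "credit": 0, "compliance": 1, "other": 0}
    print(assess_vendor(call_center, service_disruption=True))
```

The returned `unanswered` list is the review queue: those categories must be answered before the Inherent Risk score is signed off.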
To learn more about a proper risk assessment process, download our whitepaper.