9 Regulatory Risk Types Involved in a Vendor Risk Assessment

This blog has been updated for accuracy. To read the updated version, click here.

Writing a risk assessment document for the first time or the thousandth time can be a daunting task. People often struggle with how much there is to consider.

So, let’s narrow the focus and discuss the different types of risk.

2 Fundamental Regulatory Vendor Risk Types to Know

The first two risk types are fundamental risk categories to know. They are:

1. Business Impact Risk – Determines if the vendor is critical and non-critical to business operations. This is specifically related to service disruption.
2. Regulatory Risk – Determines the vendor’s risk rating – typically high, moderate or low risk – and is related to how your organization complies with regulatory guidance.

Remember, each vendor should have a business impact level and regulatory risk rating.

Tailor Risk to the Vendor

Beyond the first two types, there are seven more. And, each risk type needs to be tailored to the third party vendor you’re dealing with. For example, an outsourced call center would have different concerns associated with it than the shred company your company uses.

As far as regulatory risk goes, these are the seven most common vendor risk types to consider in your vendor risk assessment:

1. Strategic Risk. Strategic risk is the risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the organization's strategic goals.
   
   Ask yourself: Is this vendor going to operate in a manner consistent with our organization’s practices?
   
   
2. Reputation Risk. Reputation risk is the risk arising from negative public opinion. Third party relationships that result in the following ways are examples of what could harm reputation:

• • Dissatisfied customers
  • Interactions not consistent with company policies
  • Inappropriate recommendations
  • Security breaches resulting in the disclosure of customer information
  • Violations of law and regulation
  • Customer complaints

Ask yourself two questions:

• • Does this vendor have a history of unresolved customer complaints?
  • Are they in the news in a negative way often?

3. Operational Risk. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Third party relationships can integrate the internal processes of other companies with your company's processes

Ask yourself: Does the vendor have a mature business continuity and disaster recovery program?

4. Transaction Risk. Transaction risk is the risk arising from problems with service or product delivery. Your organization is exposed to transaction risk when a third party fails to perform as expected by customers or your organization due to reasons such as:

• • Inadequate capacity
  • Technological failure
  • Human error
  • Fraud

Keep in mind, if you don’t have an effective business resumption plan and appropriate contingency plans, you’ve now increased your transaction risk.

Ask yourself 2 questions:

• • Can I expect the vendor to perform as planned?
  • Can the vendor provide service level reporting to support their performance?

5. Credit/Financial Risk. Credit risk, also referred to as financial risk, is the risk that a third party, or any other creditor necessary to the third party relationship, is unable to meet the terms of the contractual arrangements with the organization or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Some contracts provide that the third party ensures some measure of performance related to obligations arising from the relationship, such as loan origination programs. In these circumstances, the financial condition of the third party is a factor in assessing credit risk.
   
   Credit/financial risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers, conduct underwriting analysis or set up product programs for the organization. You must monitor third party activity and ensure credit risk is understood and remains within board-approved limits.

Ask yourself 2 questions:

• • What is the anticipated loss rate?
  • How have they performed against that threshold?

6. Compliance/Regulatory Risk. Compliance risk, also referred to as regulatory risk, is the risk arising from violations of laws, rules or regulations, or from noncompliance with internal policies or procedures or with the organization's business standards. This risk exists when the products or activities of a third party aren’t consistent with governing laws, rules, regulations, policies or ethical standards. 
   
   For example, some third parties may engage in product marketing practices that are deceptive in violation of Section 5 of the Federal Trade Commission Act, or lending practices that are discriminatory in violation of the Equal Credit Opportunity Act and the Federal Reserve Board's Regulation B. Additionally, the ability of the third party to maintain the privacy of customer records and to implement an appropriate information security and disclosure program is another compliance concern. 
   
   Liability could potentially extend to the organization when third parties experience security breaches involving customer information in violation of the safeguarding of customer information standards under FDIC and Federal Trade Commission regulations. Compliance/regulatory risk is exacerbated when an organization has inadequate oversight, monitoring or audit functions.

Ask yourself 2 questions:

• • Is there a sound set of policies and procedures?
  • How have they performed in recent exams or audits?

7. Other Risks. The types of risk introduced by an organization’s decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third party relationship is not possible. In addition to the risks described above, third party relationships may also subject the organization to the following risk types:

• • Liquidity
  • Interest rate
  • Price
  • Foreign currency translation
  • Country risks

Once you've identified, all of the categories you want to address, list them in whatever template you’re using for your risk assessment process. The scoring for regulatory risk is different than business impact; rather than assigning a critical or non-critical rating, regulatory risk is generally broken into tiers like high, medium and low, based on answers to a series of questions.

These questions should be compiled from either subject matter experts (SMEs) around your organization or by using industry standardized questionnaires available from companies like Shared Assessments – they provide the SIG and SIG Lite questionnaires – or in an automated software platform that you either built yourself or that you acquired from a third party like Venminder.

These questions should allow you to determine an objective and consistent method of assigning risk. Once you've determined the answers and assigned the score, you’ve arrived at an Inherent Risk score. Inherent risk means your “first impression” risk. From here, you’re on your way to begin mitigating, aka reducing, the risk the third party present to your organization.

To learn more about a proper risk assessment process, download our whitepaper. 

This blog has been updated for accuracy. To read the updated version, click here.