1 (888) 836-6463 CONTACT US
Risk Assessment

Am I supposed to risk rate EVERY vendor?

Nov 9, 2016 by Branan Cooper

The simple answer is “yes”. If they fall within the scope of your third party risk management program – and remember, your scope should be well documented on who is included and, just as important, who isn’t included… and why.

For those that are in your scope, yes, you should do some form of risk rating – now, whether you do a full write up with a risk assessment template is up to the parameters of your program. For example, if you determine that a vendor presents very minimal risk – a quick low risk and a note as to why is probably sufficient. And, you probably don’t need to look at it again until it’s up for contract renewal, unless something changes.

On the other hand, if the vendor is critical – think of your core processor – then, yes, absolutely, do a full risk assessment and update it annually. If the vendor is high risk from a regulatory perspective, same answer – and keep close tabs on it from an ongoing monitoring perspective.

To determine if they should be considered critical, ask 3 basic questions:

1). Would a sudden disappearance of this vendor cause a material disruption to your financial institution?

2). Would the disappearance impact your customers?

3). Would the time to recover be greater than 24 hours or one business day?

If the answer to any of these is "yes," then they must be considered critical.

Risk assessments prevent problems

Risk assessments are one of the most difficult parts of the job and there is not one single universal template or approach. However, the time and effort put into risk assessments are absolutely worth it in preventing an unexpected problem and properly protecting your institution from unnecessary risk.

And, if you ever need assistance with risk assessments or just a handy tool, Venminder has a helpful risk assessment module in our software. We just released the Risk Assessment 2.0 version. It includes:

  • Inherent risk calculator
  • Mitigating controls
  • Residual risk calculator
  • Pre-loaded risk questionnaires
  • Customizable questionnaires
  • Peer collaboration
  • Weighted questions
  • Approval workflow

Request a demo to learn more. 

 Writing an Effective Risk Assessment Whitepaper

Branan Cooper

Written by Branan Cooper

Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).

Follow Branan Cooper

Subscribe to the Venminder Blog