The simple answer is “yes”. If they fall within the scope of your third party risk management program – and remember, your scope should be well documented on who is included and, just as important, who isn’t included… and why.
For those that are in your scope, yes, you should do some form of risk rating – now, whether you do a full write up with a risk assessment template is up to the parameters of your program. For example, if you determine that a vendor presents very minimal risk – a quick low risk and a note as to why is probably sufficient. And, you probably don’t need to look at it again until it’s up for contract renewal, unless something changes.
On the other hand, if the vendor is critical – think of your core processor – then, yes, absolutely, do a full risk assessment and update it annually. If the vendor is high risk from a regulatory perspective, same answer – and keep close tabs on it from an ongoing monitoring perspective.
To determine if they should be considered critical, ask 3 basic questions:
1). Would a sudden disappearance of this vendor cause a material disruption to your financial institution?
2). Would the disappearance impact your customers?
3). Would the time to recover be greater than 24 hours or one business day?
If the answer to any of these is "yes," then they must be considered critical.
Risk assessments prevent problems
Risk assessments are one of the most difficult parts of the job and there is not one single universal template or approach. However, the time and effort put into risk assessments are absolutely worth it in preventing an unexpected problem and properly protecting your institution from unnecessary risk.
And, if you ever need assistance with risk assessments or just a handy tool, Venminder has a helpful risk assessment module in our software. We just released the Risk Assessment 2.0 version. It includes:
- Inherent risk calculator
- Mitigating controls
- Residual risk calculator
- Pre-loaded risk questionnaires
- Customizable questionnaires
- Peer collaboration
- Weighted questions
- Approval workflow