How to Set a Risk Appetite Framework for Third-Party Relationships

Have you heard the terms “risk appetite framework” or “risk appetite statement,” but aren’t sure what they are or how they relate to third-party risk management? In this blog, we’ll explore exactly what a risk appetite is, how it’s developed through a risk appetite framework, and the purpose of a third-party risk appetite statement.

Understanding the Purpose of a Third-Party Risk Appetite Framework

Every organization that utilizes outsourced products and services provided by third-party vendors is exposed to certain risks. Regardless of the organization's size, it must be willing to take calculated risks to grow and remain competitive. These risks could include launching new products, entering new markets, or investing in new technologies. While there are potential downsides to taking risks, well-calculated ones can lead to significant rewards and long-term benefits for the organization. But how do organizations decide which third-party risks are acceptable and which are not?

As a best practice, the level of tolerable risk for the organization is usually determined through what’s known as a risk appetite framework. A third-party risk appetite framework is the methods, tools, and internal structures used to identify the level of risk an organization is comfortable accepting in pursuit of its goals and objectives through its use of third parties to deliver products and services to the organization or its customers.

To ensure safe and responsible decision-making, it's important for organizations to develop and follow a risk appetite framework. While some organizations are comfortable having an overall risk appetite framework that applies to all aspects of their business and operations, many organizations realize that the risks associated with using third parties may need a more tailored approach and develop a separate third-party risk appetite framework. 

Here’s what should be included in a third-party risk appetite framework:

1. Governance and oversight – Governance and oversight are the processes and structures put in place to ensure an organization's third-party risk appetite is effectively defined, communicated, and monitored. This includes the roles and responsibilities of key stakeholders, such as the board of directors, senior management, and the third-party risk management function.
2. Standardized definitions of risks – An organization’s overall risk appetite statement will generally include risks found in the SCORE model: strategic: strategic, compliance, operational, reputational, and economic risks. A third-party risk appetite statement should also include risks relevant to third parties, such as compliance, information security, cybersecurity, business continuity, or concentration risk. 
3. Standardized levels of risk appetite – Clear and standardized levels of risk appetite may look like the following:
   
   
   • Risk seeking – Open to aggressive risk taking
   • Risk tolerant – Willing to tolerate more than normal risk
   • Risk neutral – Strive for more balanced risk taking
   • Moderately-risk averse – Exercise caution in taking risks
   • Risk averse – Minimize risk as much as possible
4. Defined risk appetite – Thresholds indicate the level of risk that an organization is willing to take. These limits are defined in terms of risk appetite metrics and are used to monitor the organization's risk exposure. 
5. Risk metrics – These are quantitative measures used to assess an organization's risk tolerance. These metrics can include financial ratios, key performance indicators, and risk scores, among others.
6. Authorization guidelines for risk-taking at various levels – It’s important to clearly identify who has the authority to accept risks based on their size and type. For minor third-party risks, it may be appropriate for the business unit to decide to take on some risk to achieve their objectives. However, in the case of significant risks that could have a major impact on the entire organization, only the board and senior management should have the authority to determine if those third-party risks are acceptable.
7. Employee communication and training – To establish an effective third-party risk management culture, it’s essential that employees understand their roles in managing risks. This can be achieved through regular communication and training.
8. Risk reporting – Third-party risks are constantly changing and evolving. Regular reporting is necessary to ensure the organization accurately captures its risk universe and keeps its risk-taking within the approved risk appetite.

Developing a Third-Party Risk Appetite Statement

Every organization has its own unique quantitative and qualitative thresholds that determine its risk appetite. For instance, if an organization operates in a heavily regulated industry, it might have an exceptionally low appetite for compliance risk, which is especially true for third-party relationships that provide products and services subject to specific laws and regulations. On the other hand, a technology company that is looking for innovative and new solutions may be willing to accept more financial losses while pursuing research and development. This could lead to choosing a third party that offers a relatively new and untested product. A third-party risk appetite statement guides an organization on the risks present and the risks that may be taken in the selection, use, and management of third parties.

An effective third-party risk appetite statement typically includes the following:

• Your corporate values, which state your willingness to accept and mitigate certain risks. 
  
  Example third-party risk appetite phrasing: “XYZ Organization will act in accordance with the third-party risk appetite statement to ensure the use of third-party vendors and providers that offer products or services to our organization or customers on our behalf aligns with the organization's strategic goals and objectives, protects organization and customer data and assets, complies with all rules, laws, and regulations, and safeguards the organization’s reputation and brand.”
• A clear description of your organization's overall attitude and approach to risk.  
  
  Example third-party risk appetite phrasing: “The organization understands its duty to manage risks associated with third-party relationships and takes responsibility for it. To do this effectively, the organization considers various factors such as regulatory requirements, industry best practices, and customer expectations. Moreover, the organization takes into account its internal goals, available resources, and the need to identify, manage, and monitor third-party risks effectively. The organization has set the acceptable level of risk for each risk domain and determined the level of authority necessary for taking these risks."
• The methods your organization will use to implement your risk appetite. 
  
  Example third-party risk appetite phrasing: “XYZ Organization relies on essential third-party risk management principles, such as identifying, assessing, managing, and monitoring third-party risks, risk prioritization and transparency, and effective communication and reporting. The consistent application of inherent risk assessments, risk-based due diligence, third-party risk controls, and monitoring the risk and performance of third parties is required."
• The types of risks your organization will assess. 
  
  Example third-party risk appetite phrasing: “The organization identifies and manages ten categories of third-party risk for a safe and sound business. Managed third-party risk categories include business continuity, compliance and legal, concentration, cyber and information security, financial or economic, geopolitical, operational, reputational, strategic, and transactional risk.”
• A risk appetite scale that categorizes your risk appetite into different levels, such as risk seeking, risk tolerant, risk neutral, moderately risk adverse, or risk adverse, as described earlier. 
• Your organization’s maximum capacity for various types of risk. Your organization may have varying levels of risk appetite for different types of risk. 
  
  Examples of varying third-party risk appetite levels:
  
  
  • Cybersecurity – Risk Adverse: “The organization is dedicated to maintaining a high level of cybersecurity across all third-party vendors we work with, which should be on par with our own security standards. We will only collaborate with vendors who can demonstrate their commitment to cybersecurity and have implemented appropriate security measures to safeguard our data. We will not engage with vendors who do not meet our cybersecurity standards, and we will take all necessary steps to ensure our data remains protected at all 
    times.”
  • Financial Risk – Risk Neutral: “The organization has a moderate level of willingness to accept uncertain outcomes in order to accomplish the organization’s mission, goals, or strategic objectives. The organization is willing to assume certain financial risks related to our third-party relationships, but only if they are deemed to be justifiable and sound.”
  • Strategic Risk – Risk Tolerant: “When it comes to developing new products or services, the organization may have a higher level of strategic risk tolerance. XYZ Organization may be willing to take calculated risks in order to pursue opportunities that have the potential to yield significant returns. By being more accepting of some strategic risks, the organization may be more likely to explore innovative ideas and invest in projects that have the potential to drive growth and revenue.”
    
    
• A risk appetite matrix table that maps your risk appetite levels to different risk categories, such as strategic, operational, financial, or reputation risk.
• A periodic review and update of your third-party risk appetite statement to reflect any changes in your internal or external environment.

Third-party risk appetite frameworks provide the structure and methods to define the organization’s general approach to third-party risk, and the levels and types of risks considered. The risk appetite statement should be formally documented and periodically reviewed to provide the best possible guidance for risk taking and management across the organization.