Why Must I Risk Rate EVERY Vendor?

Apr 19, 2017 by Branan Cooper

There's a question I get asked often: "Why must I risk rate EVERY one of my vendors?" This is a popular question at conferences and in follow-up to webinars, because I think it drives so much confusion and a fear of unnecessary work.

Short Answer

The easy, short answer is: “Because the regulatory guidance and prudent business practices dictate it.”

Long Answer

The more comprehensive answer is...necessary because the guidance and sound businesses dictate risk rating every vendor, regardless of the degree of risk present.

How to Risk Rate

For every active vendor that falls in your active inventory, you should do some level of a risk assessment. Obviously, for some, there may be very little risk at all, but you should at least document it, even if it's a very cursory review.

For others, you’ll want to do a very comprehensive risk assessment. This would involve:

  1. Thorough due diligence:
    Asking experts from around your company and learning as much as you can about the company before engaging in a business relationship.

  2. Robust ongoing monitoring:
    Robust reporting and service level agreements, supported by evidence obtained through mystery calling, call center listening, and reviewing independent audits, are just a few easy examples.

What to Do With the Risk Ratings

Once you determine the risk rating, particularly if they're critical and/or high risk vendors, make sure you have a thorough understanding of where the risks lie and how best to manage them.

Risk ratings provide insight into contract term considerations. What you learn in the due diligence and risk rating processes may lead you to additional contract requirements, such as obligations to disclose material issues, provide regular reporting, and seek advance approval of significant new third parties, along with rights to terminate if these obligations are not met.

From time to time, you’ll want to update the risk assessment, particularly noting any changes and, if significant, include them in your reports to senior management and the board to update risk ratings as needed. It is all about the risks and how best to control them.

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).
