Hi I'm Branan Cooper, I’m the Chief Risk Officer here at Venminder. And welcome to Third Party Thursday.
Today we are going to talk a little bit about Risk Assessments. One of the most frequent questions we get asked is, "am I supposed to rate EVERY single vendor?"
The simple answer is yes, if they fall within the scope of your third party risk management program. Remember, your scope should be well-documented on who’s included - and just as important, who’s not included and why, but for those within your scope you should do some form of a risk assessment.
Whether you do a full write-up with a Risk Assessment template is up to the parameters of your program. For example, if you determine a vendor represents very little risk, a quick low risk rating and a note on why is probably sufficient. And then you don’t need to look at it again until it's up for contract renewal, unless something changes.
On the other hand, if the vendor is critical, think of your core processor perhaps, then yes, do a full Risk Assessment and update it annually. If the vendor is high risk from a regulator perspective, the same answer holds true, and keep close tabs on it from an ongoing monitoring perspective.
Risk Assessments are one of the most difficult parts of the job, and there’s not one single universal template or approach. However, the time and effort put into risk assessments are absolutely worth it in preventing an unexpected problem and properly protecting your institution from unnecessary risk.
I'm Branan Cooper and thank you for listening! If you haven't already, subscribe to the Third Party Thursday series.