Welcome to this week’s Third Party Thursday! My name is Stephanie DellaCamera and I’m the Client Support Operations Manager here at Venminder.
Let’s talk about one of my absolute favorite topics – risk assessments. It's one of the significant pillars of third party risk management and is tied closely to every other activity you are going to perform.
In this video, we’ll talk in detail about some best practices on doing a risk assessment, including the two pronged approach, determining criticality risk and documenting analysis.
The best practice I hear discussed a lot, is a two pronged approach. You want to slice a risk assessment into two fundamental branches. One of these is Business Impact risk and the other is the various regulatory risk categories such as strategic, operational, credit, reputation and transaction risk, and those are just to name a few.
I should also mention country risk since the protection of your customers’ data is especially a concern when one of your third parties uses an offshore service provider. Just Remember, that once you’ve assigned your Business Impact risk, for those you have deemed critical third parties, you will need an exit strategy.
The regulatory risk drives more due diligence and also how much or how frequent your monitoring should be. Business impact is rated as Critical or Non Critical, while each of the regulatory risk categories are rated as High, Moderate or Low… and you should use some objective questions to determine and assign that risk rating.
There are some pretty good tools out there, like Shared Assessment’s SIG and SIGLite questionnaires that incorporate hundreds of questions.
Now, Back to Business Impact risk. You know, it’s interesting when you compile your list of vendors and your lines of business are quick to claim that nearly all of their vendors are critical, so you need to help them with the definition.
Ask yourself these 3 questions:
1. Would a sudden loss of the vendor cause a material disruption to your business?
2. Would it cause an impact to your customers?
3. Would the time to recover be greater than a business day?
If you answered “yes,” to any of these, you should call them a critical vendor and consider any additional steps you want to take. For example: contractual commitments, notification timeframes or developing exit strategies.
It’s also a best practice to make sure to keep senior management and your board informed when there are significant change in criticality rating or major events with one of your critical third parties… things like a data breach are obvious, but a sudden downturn in earnings or departures of key executives should be items reported to your board as well.
You can have a Critical vendor from a business impact perspective who is Low risk from a regulatory perspective – for example, think of the phone company. They’re vital to your business but probably not much of a regulatory risk.
On the other hand, you can have Non Critical High risk vendors – think of the shred company – they’re easy to replace but have all sorts of access to your customer information. So, again, we have Business Impact risk on one side and all the categories of regulatory risk on the other.
Finally, make sure the actual risk assessment is documented, not just the scores you arrived at but the questions, analysis, and thought process that went into it. That way, you have something to look back on as your assessment of their risk may change in the future or even to just compare and contrast when looking for issues among similar providers.
More mature programs may also look at both the initial or inherent rating. For example, the rating of a category, as you first analyze it and then apply mitigating controls to lower or at least control the risk more carefully resulting in a residual risk.
All these practices are certainly in place for the larger institutions and more mature programs, but the baseline of making sure you are doing some level of risk assessment and thoroughly documenting your analysis are really the key points.
One of the real challenges we all face is that there is no universal template, no form 1040 like you use in taxes, it’s all up to the institution to define what they want it to look like. We’ve seen reports from highly analytical grids that look like a kids report cards to a lengthy narrative that looks like a memo with numerous sections.
Finally, one huge cautionary statement, as I know it sometimes causes front line managers to freak out – a High risk rating is not a bad thing – some people feel like if a company is deemed to be a high risk overall, perhaps we shouldn’t be doing business with them. And that’s not the case at all! In fact, you would reasonably expect a company that has extensive access to your customers’ data to be a high risk – think of your core processor or your outsourced call center… I’ve literally had hundreds of discussions with managers on why High risk ratings does not, at all, mean it’s a bad thing.
It probably does mean you want to check on them more frequently or will require additional documentation, but it doesn’t mean you need to walk away from the relationship. Just document why it’s a high risk, identify what steps you can take to mitigate those risks, and who is responsible for ensuring it’s done.
Individual accountability is always a good idea, particularly if that follow up activity sits outside of your team.
So there you have it, those are some best practices on doing a risk assessment.
As always, thank you for watching! If you haven’t already, please subscribe to the Venminder Third Party Thursday series.