Hi everyone, below you'll find the risk assessment related questions that were asked last week during Venminder's Third Party Risk Management Bootcamp! The live online event was three days, 6 sessions and 11 presentations long, covered by nine experts. A lot of great information was covered, so the team thought it would be helpful to share here what those questions were along with the answers. Feel free to chime in if you have any further answers or comments. And, if you're interested in viewing the recordings, you'll find the link on the Program Improvement library page.
Q: Do you find that most banks are having a separate category for critical activity providers or is just the highest level in their risk calculation?
A: Yes, definitely, I most certainly would. I define Critical and High risk far differently… in my mind, the two have little two do with one another. Critical is business continuity; High is regulatory risk.
Q: What best practice guidance can you provide with regards to maintaining an inventory of all/critical vendors (which can be a real challenge!)?
A: This resource should help with that.
Q: What is business impact risk vs. regulatory risk?
A: Business impact risk is the risk of disruption to normal operations because of the loss of a key vendor and determines if the vendor critical or non-critical. Regulatory risk is assessing categories of risk like strategic, operational, compliance and more to determine a risk rating. The rating scale is usually low, medium or high risk.
Brittany Padgett
Community Manager
Third Party ThinkTank