Risk Assessments

  • 1.  Risk Assessment Questions

    Posted 03-17-2020 04:18 PM
    My Credit Union is in the process of further developing our vendor management program.  I'm looking to the community to share what they use for Risk Assessment questions.  I've found a lot of guidance when it comes to risk assessments but nothing with examples of questions for financial institutions.

    Thank you in advance!


  • 2.  RE: Risk Assessment Questions

    Posted 03-17-2020 05:38 PM
    A general risk assessment would likely serve at least as a starting point prior to beginning any vetting vendor management activities.  Beyond the general, any questions would likely be tailored to the institution and what services and how they are providing them to you.

    Some general questions:

    • Information Sharing
      • Shared directly or indirectly
      • Only public information
      • No information
    • Operational Reliance
      • Critical disruption causes significant impact, financial, operational
      • May impact financial
      • Service disruption would not impact financial, operation, servicing, etc.
    • Operational Replacement
      • Replacement would be difficult
      • Easily replaced
      • Member staff could take over or tasks do not need completed daily
    • Regulatory Exposure
      • Failure would cause severe impact on your company's ability to meet regulatory guidelines
      • Cause moderate impact
      • Minimal impact
    • Reputation Risk
      • Severe reputation damage
      • Moderate
      • No reputation damage
    • Legal Impact
      • Legal action likely
      • Legal action possible
      • Legal action not likely
    • Financial Impact
      • Set tiers relative to your institution's risk appetite (i.e. 100K impact; 75k; 50k)
    Determine an appropriate risk weighting for each area, and any controls you have in place to mitigate potential weaknesses. Define for each tier how you are making the determination of which bucket you are putting them in so it is easily repeatable by anyone.


  • 3.  RE: Risk Assessment Questions

    Posted 03-18-2020 07:35 AM
    This is great information.  I really appreciate the help :)


  • 4.  RE: Risk Assessment Questions

    Posted 03-27-2020 02:40 PM
    Where do you account for concentration risk?  Do you have concentration risk questions within your risk assessment, or do you use some alternative method for assessing concentration risk?


  • 5.  RE: Risk Assessment Questions

    Posted 03-18-2020 06:00 AM
    Hi, Dawn.  There are a number of 'sourcing options' beginning with commercial question repositories (like the KY3P and TruSights of the world: https://advisory.kpmg.us/content/dam/advisory/en/pdfs/transforming-third-party-risk-management.pdf or https://advisory.kpmg.us/content/dam/advisory/en/pdfs/tprm-utilities-whitepaper.pdf) or the framework of the SIG (Shared Assessments).  Probably the most important thing is to determine and agree upon all of the critical areas to be addressed and THEN derive the question set that your institution deems to be essential for your TPRM program.

    Funny thing. I interviewed to work in your building a few years back.  Give Mike G my best regards!

    ------------------------------
    L. Beachy
    ------------------------------



  • 6.  RE: Risk Assessment Questions

    Posted 03-18-2020 07:34 AM
    Thank you for the information :)