A general risk assessment would likely serve at least as a starting point prior to beginning any vendor management vetting activities. Beyond the general, any questions would likely be tailored to the institution, what services they are providing to you, and how they are providing them.
Some general questions:
- Information Sharing
  - Shared directly or indirectly
  - Only public information
  - No information
- Operational Reliance
  - Critical disruption would cause significant impact (financial, operational)
  - May impact financial
  - Service disruption would not impact financial, operations, servicing, etc.
- Operational Replacement
  - Replacement would be difficult
  - Easily replaced
  - Member staff could take over, or tasks do not need to be completed daily
- Regulatory Exposure
  - Failure would cause severe impact on your company's ability to meet regulatory guidelines
  - Cause moderate impact
  - Minimal impact
- Reputation Risk
  - Severe reputation damage
  - Moderate
  - No reputation damage
- Legal Impact
  - Legal action likely
  - Legal action possible
  - Legal action not likely
- Financial Impact
  - Set tiers relative to your institution's risk appetite (i.e. 100K impact; 75K; 50K)
Determine an appropriate risk weighting for each area, and any controls you have in place to mitigate potential weaknesses. Define for each tier how you are making the determination of which bucket you are putting them in so it is easily repeatable by anyone.
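The tiered, weighted model the reply sketches, as an added example that is not part of the original post: the category names and the 100K/75K/50K financial tiers come from the reply, while the weights, the 0..3 tier scale and the bucket cut-offs are assumptions an institution would replace with its own.

```python
# Constructed example: a weighted, tiered vendor risk scoring model.
# Category names, tiers and the $100K/$75K/$50K financial thresholds follow
# the post above; the weights and bucket cut-offs are illustrative assumptions.

HIGH, MEDIUM, LOW = 3, 2, 1  # ordinal scores; the riskiest tier in each area is 3

# Assumed weights (sum to 1.0); an institution sets these from its risk appetite.
WEIGHTS = {
    "information_sharing": 0.25,   # shared directly/indirectly -> public only -> none
    "operational_reliance": 0.20,  # critical disruption -> may impact -> no impact
    "operational_replacement": 0.10,
    "regulatory_exposure": 0.15,
    "reputation_risk": 0.10,
    "legal_impact": 0.10,
    "financial_impact": 0.10,
}

# Financial tiers from the post, applied as loss thresholds (descending order matters).
FINANCIAL_TIERS = [(100_000, HIGH), (75_000, MEDIUM), (50_000, LOW)]


def financial_tier(estimated_loss: float) -> int:
    """Map an estimated loss to a tier; below the lowest threshold scores 0."""
    for threshold, tier in FINANCIAL_TIERS:
        if estimated_loss >= threshold:
            return tier
    return 0


def assess(ratings: dict, estimated_loss: float, controls_credit: float = 0.0) -> dict:
    """Weighted score, minus credit for mitigating controls, mapped to a bucket.

    Every category must be rated so the result is repeatable; the returned record
    keeps each category's contribution as the audit trail for the bucket decision.
    """
    ratings = dict(ratings, financial_impact=financial_tier(estimated_loss))
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated categories: {sorted(missing)}")
    contributions = {c: WEIGHTS[c] * ratings[c] for c in WEIGHTS}
    inherent = sum(contributions.values())
    residual = max(inherent - controls_credit, 0.0)
    bucket = "High" if residual >= 2.5 else "Moderate" if residual >= 1.5 else "Low"
    return {"contributions": contributions, "inherent": inherent,
            "residual": residual, "bucket": bucket}


if __name__ == "__main__":
    # Constructed vendor: hosted processor holding member data, few replacement options.
    core = {"information_sharing": HIGH, "operational_reliance": MEDIUM,
            "operational_replacement": LOW, "regulatory_exposure": MEDIUM,
            "reputation_risk": MEDIUM, "legal_impact": LOW}
    print(assess(core, estimated_loss=60_000))
```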
Original Message:
Sent: 03-17-2020 04:18 PM
From: Dawn Moreau
Subject: Risk Assessment Questions
My Credit Union is in the process of further developing our vendor management program. I'm looking to the community to share what they use for Risk Assessment questions. I've found a lot of guidance when it comes to risk assessments but nothing with examples of questions for financial institutions.
Thank you in advance!