Risk Assessments

 View Only

Welcome to the Risk Assessments Community. Here you will find the latest discussions and resources that can help you in this area. Use this community to discuss anything about doing vendor risk assessments. Note: You will need to Sign In to join in the discussions and access resources. 

About Third-Party Risk Assessments: The risk assessment process is a fundamental foundation of a well-managed third-party risk program. A disciplined approach and repeatable process can lay a firm basis for better informed due diligence, structured ongoing monitoring, and meaningful impact in mitigating concerns introduced by your organization's third parties. Taking it a step further, understanding how to mitigate inherent vendor risk is crucial to determining if the benefits of the outsourced product or service outweigh the risk posed.

Latest Discussion Posts

  • Profile Picture

    RE: Concentration Risk

    By: Linda Tuck Chapman , Third Party Risk Institute Ltd. , one month ago

    Concentration risk insight enables risk-informed decisions whether concentrations are acceptable, but it is not necessarily a case for change. More

  • Profile Picture

    Concentration Risk

    By: Anonymous Member , one month ago

    This message was posted by a user wishing to remain anonymous Looking for inspiration and practical methods to assess and monitor concentration risk with third parties e.g. when it relates to: Over-reliance to one vendor for critical services ... More

  • Profile Picture

    RE: Risk reassessments - structure

    By: Christi Osburn , 3 months ago

    Hello, We also use individual risk area scores (we have 10 risk areas we assess) instead of an aggregated risk score or tiering for similar reasons. This allows us to focus on specific risks and managing them and assures they aren't tiered low or high ... More

  • Profile Picture

    RE: Risk reassessments - structure

    By: Greg Schmeisser , 3 months ago

    Consider changing the overall risk for the assessment to be highest risk domain. Using your example, the Very High domain would be the reported risk for the vendor. This is the methodology we use to rate the overall risk in our program. This conservative ... More

  • Profile Picture

    RE: Risk reassessments - structure

    By: John Peck , 3 months ago

    Agree re using IRR to set cadence. Amongst other bits, if it takes 2 months to complete RR due diligence n this is a critical vendor service, you would be reassessing IR every 14 months , 2 months past a typical 12 month cycle ------------------------------ ... More

Polls

Most Active Users List