Hi,
Even though you are new to your role, you have spotted a real problem here. First, inherent risk assessments should be regularly updated to account for new and emerging risks. Inherent risk assessments should only ever account for the raw risk that occurs with a product or service naturally and before ANY controls are considered. The methods for calculating the risks to provide an inherent risk rating should also be reviewed and updated periodically. Certain risks should be weighed more heavily than others; for example, cybersecurity risks should be weighed more heavily than reputational risks. As a partner activity to your inherent risk assessment, it must be determined whether that engagement will also be considered critical to your organization. So, when an inherent risk assessment is complete, it should tell you both the types and amounts of risks present in the engagement and help you scope your due diligence. The inherent risk and criticality also determine the frequency and intensity of TPRM management activities and routines for the duration of the vendor engagement.
Risk-based due diligence should require evidence of controls for the risks identified in the inherent risk assessment. Only after those controls are reviewed and assessed by a qualified subject matter expert is it possible to determine the residual risk of the engagement. So, to use your example, a vendor merely providing a SOC2 doesn't reduce risk at all. The controls listed in the report must be verified to determine if they would effectively reduce those risks' likelihood, occurrence, severity and impacts. That is what residual risk is all about. Likewise, the review of the SOC2 could prove that sufficient controls are in place. So the residual risk remains unchanged; remember, residual risk is only ever to be used to determine if the remaining risks of the vendor engagement are within your organization's risk appetite or if more or different controls are necessary before you begin or continue a relationship with the vendor.
I would like to suggest these risk assessment and due diligence resources for you.
6 Steps of an Inherent Risk Assessment and Sample Inherent Risk Questionnaire
10 Types of Vendor Risk to Monitor
Due Diligence Checklist for Low, Moderate and High-Risk Vendors
And these two because you are new in your role, and they contain a lot of valuable information!
31 Vendor Risk Management Best Practices in 2024
Top 21 Third-Party Risk Resources for Beginners
I hope this information is helpful, but I would still love to hear from other members too.