Risk Assessments

  • 1.  Frequency of risk assessments

    Posted 02-21-2024 12:09 PM

    We are a financial institution and risk-rate our in-scope vendors both initially and on an ongoing basis. We are debating what cadence we need to re-perform the risk assessment as part of our ongoing monitoring, outside of any other consideration such as a service change or an assessment template change. Assuming no change to the service or the risk assessment template, I am curious how frequently others risk-rate their in-scope vendors and on what criteria, if any.



  • 2.  RE: Frequency of risk assessments

    This message was posted by a user wishing to remain anonymous
    Posted 02-21-2024 01:08 PM

    We determine third-party risk reviews based on the classification we have given to a specific third party. We have High, Medium and Low risk classifications. A classification is given based on the risk of losing them, their importance to the business, the availability of an alternative solution, etc. At a minimum:

    • High Risk - reassessed annually, at a minimum
    • Medium Risk - reassessed every 2 years, at a minimum
    • Low Risk - may or may not be reassessed

    Risk assessments are also done on contract/agreement renewal.

    I hope this helps.




  • 3.  RE: Frequency of risk assessments

    Posted 02-21-2024 06:52 PM

    We do the same.


  • 4.  RE: Frequency of risk assessments

    Posted 02-22-2024 09:29 AM

    Thank you, Cheryl Turner and the other individual, for your timely and helpful responses!




  • 5.  RE: Frequency of risk assessments

    Posted 02-22-2024 03:03 PM

    The cadence also depends on your risk appetite and available resources. In our organization, we have a single risk manager overseeing a growing portfolio of third parties. Risk thresholds are defined by tiers, with Tier 3 representing moderate risk and being the largest group. Initially, we conducted due diligence during onboarding and annually for Tier 1 to Tier 3. However, last year we adjusted the frequency for Tier 3 to every other year unless elevated residual risk is identified through monitoring. After careful analysis, we realized that little had changed apart from updating information and completing questionnaires annually. If you consistently encounter the same type of low risk during each review and gather identical but updated information without any substantial change in the risk, then the risk level remains unchanged. As a result, we obtained approval to update the cadence to every other year, allowing us to allocate more time to managing higher-risk profiles.




  • 6.  RE: Frequency of risk assessments

    Posted 02-22-2024 03:24 PM

    Thank you, Premika Mishra, for your comments. Greatly appreciated.