The question is how you are defining Tier 1 and Tier 2. Critical is typically a category; you can assign high, medium, and low risk to vendors in that category. If, for some reason, Tier 1 and Tier 2 are category-based designations, then they would also be able to be high, medium, and low, such as Tier 1 being money movement vendors and Tier 2 being data delivery vendors. However, suppose they are genuinely defined as inherent risk levels. In that case, you should be less worried about aligning the risk score to the bank's and more about determining how the original score was determined and seeing which decision points in your assessment and the bank's differ. Then, either trust one or the other or make changes to capture items you or the bank may have missed.
The inherent risk is just a way to determine your due diligence level to reach the ultimate goal of residual risk.
Also, make sure you compare apples to apples and that the bank score is not residual when you are using inherent risk. This could significantly skew the score comparison.
Original Message:
Sent: 06-04-2024 04:33 PM
From: Megan Feeney
Subject: Industry Research Info Sharing
I have been on a crusade to get inherent risk assessments completed on all current vendors, if they weren't done at onboarding before my time here. Several of them came back as LOW, but the vendors themselves are Tier 1 and critical or Tier 2 vendors. How can I get the inherent risk score to more closely align with the level the Bank has deemed these vendors/products to be?
Original Message:
Sent: 6/4/2024 3:11:00 PM
From: Hilary Jewhurst
Subject: RE: Industry Research Info Sharing
Hi,
When faced with unique situations like this, it's best to rely on your standardized inherent risk assessment. By methodically answering the questions in your inherent risk assessment, you should be able to determine the specific types and amounts of risks present. This information will help you determine the scope of your due diligence.
I would also advise caution even if these folks promise anonymization of your organization. If the study involves direct competitors, there is a good chance that you - or they - may be able to identify each other due to employees who have left for or come from other organizations, industry gossip, or other identifiers. Additionally, if your organization is not comparable in size to the other participants in the study, it might be fairly easy to identify each other. Even if those risks are minimal, I would still strongly recommend ironclad non-disclosure agreements that have been reviewed by your legal team. Also, ensure that there is a demonstrable benefit for your organization before sharing any information; while benchmarking is great, you may not want to risk revealing your organization's strategic plans. I hope that helps, and I would love to hear other members weigh in.
Original Message:
Sent: 05-29-2024 05:30 PM
From: Anonymous Member
Subject: Industry Research Info Sharing
This message was posted by a user wishing to remain anonymous
Hello! Wondering if anyone has ever run into a "vendor" they provide information to, which is also compiled from other companies, anonymized, and then shared with all those companies in return, for a fee. Sort of like an industry case study or industry research and knowledge share. We will be providing confidential company strategy information (no PII or customer data, just company strategic plan/internal-use-only information) that the vendor will then compile, anonymize, and provide to us along with other similar industry companies that shared the same information. How or what sort of due diligence would you complete in this situation? Our typical information security and operational risk questions don't necessarily seem to fit this scenario. How have you, or how would you, do a due diligence review for this type of engagement?