This message was posted by a user wishing to remain anonymous
Thanks for this information, I will try the link you suggested.
Original Message:
Sent: 08-15-2023 11:59 PM
From: Aiswarya Dwivedy
Subject: Queries on Risk monitoring & residual risk
Hi,
You can get those templates in File Share | TPRA (tprassociation.org).
Hope this helps!!
Regards,
Aiswarya
------------------------------
Hi
Original Message:
Sent: 08-14-2023 01:05 PM
From: Anonymous Member
Subject: Queries on Risk monitoring & residual risk
This message was posted by a user wishing to remain anonymous
I have subscribed to the Third-Party Risk Association standard membership; however, I cannot locate the template Inherent Risk Questionnaire and the template Information Security Questionnaire used for due diligence. Please can you clarify how to find these template documents on the TPRA website.
Original Message:
Sent: 07-28-2023 10:26 AM
From: Eric Rosendaul
Subject: Queries on Risk monitoring & residual risk
Aiswarya,
The Third-Party Risk Association (https://www.tprassociation.org/) is a great resource if you're looking to build more knowledge/understanding of the industry. They have a template Inherent Risk Questionnaire and just released a template Information Security Questionnaire that would be used for due diligence. This should help give you a better idea of what these each would look like and the questions asked in each. You have to be a member to get access, but the standard membership is free and I believe it gives you access to the templates. These questionnaires/resources are put together by the community so they are built via input from actual practitioners doing the work. More questionnaires and resources will be released in the future as they are completed.
Hopefully, this helps provide even more clarity. The TPRA is also putting on a free virtual conference in September. You should take a look and consider registering for it. It's focused on operational risk and resilience and should have a lot of great information to help you build on your understanding.
Original Message:
Sent: 07-28-2023 12:49 AM
From: Aiswarya Dwivedy
Subject: Queries on Risk monitoring & residual risk
Dear Eric,
Thanks for the response. Is it possible to get a sample questionnaire for both inherent risk assessment and due diligence? This will help me get much more clarity by looking at the difference.
Please help
Regards,
Aiswarya
Original Message:
Sent: 07-27-2023 11:36 AM
From: Eric Rosendaul
Subject: Queries on Risk monitoring & residual risk
Aiswarya,
If I understand your question, it sounds like you're asking if the same questionnaire should be used for all of these stages/events for a single vendor. The answer is no. Your inherent risk questionnaire is meant to determine the risks associated with outsourcing a specific service and the specifics of how that service is performed. This questionnaire should ask about what data the vendor has access to, how they access said data, whether they are storing/hosting the data, how much data they have, etc. It should also confirm where the data is being accessed or hosted, any regulatory risks (privacy, fraud, red flags, etc.), any operational risks (business continuity/disaster recovery), and any other industry-specific risks you might have.
Your due diligence questionnaires should be focused on the vendor's control environment(s) and validating if they have acceptable controls in place to reduce the inherent risk. These could vary a bit for onboarding and ongoing due diligence, but they should mostly be asking for the same information.
Once you have your residual risk, you'll want to make sure you've documented and are actioning on any material risks you discovered. If the residual risk is still high, you may want to take additional action to further control/secure any of your company's data as it wouldn't seem to be well secured by your vendor. If you have a continuous monitoring program/solution, you'll want to ensure to keep engaged there as well.
Hopefully, this addressed your specific questions.
Original Message:
Sent: 07-27-2023 01:26 AM
From: Aiswarya Dwivedy
Subject: Queries on Risk monitoring & residual risk
Thanks for your response, but the query was different.
To elaborate: for a specific vendor, do we have to use the same set of questionnaires during inherent risk assessment, due diligence, and further risk re-assessment and due diligence in the monitoring phase?
Thanks
Aiswarya
Original Message:
Sent: 07-26-2023 08:36 AM
From: Gene Fox
Subject: Queries on Risk monitoring & residual risk
- For us, it comes down to how our technology scores the risks: we have to have one questionnaire with conditional questions based upon the services that are provided to ultimately derive the total risk score. But, to answer the question, there should be question sets that are based specifically on the third party, the services it provides (technology, cloud, fair lending, consulting, legal, etc.), and how they will complete the services (US-based employees, US contractors, off-shore resources, etc.).
- Once the residual risk is ascertained, you should be monitoring for emerging risks (market, interest rates, social unrest, political, legislative, etc.), events (cyber, disaster, etc.), third-party-specific risks (poor financial reports, being acquired, regulatory actions, complaints, etc.), contract monitoring, insurance expiration monitoring, and new services that are added without going through a new due-diligence/risk assessment, just to name the most important.
Original Message:
Sent: 07-26-2023 12:30 AM
From: Aiswarya Dwivedy
Subject: Queries on Risk monitoring & residual risk
Dear Forum Members,
I am a beginner in this domain, hence I may ask very simple questions. Please help me to understand and progress:
- During the onboarding and ongoing stages, is it suggested to use the same vendor risk questionnaire during inherent risk assessment, vendor due diligence, contract review and further risk re-assessments? Or is a different questionnaire supposed to be used for each of these vital events?
- After obtaining the residual risk rating, what are the succeeding activities that we, as TPRM managers, are supposed to carry out?