Policy, Program and Procedures

Hi All,

I'm in the financial services industry and am drafting our TPRM risk appetite statements.  I've designed our approach so that it is very binary (go/no-go) pre-onboarding for new services and much more qualitative for services that are in the ongoing monitoring phase.  For example, we have no appetite to onboard a residually critical services or we have no appetite to execute a contract prior to completing the onboarding due diligence process. Once the service is live in our environment, I'm proposing a more qualitative approach, looking for outliers within a service category, country of provision or vendor/subcontractor concentration to initiate a conversation with 1 LoD on why a service, vendor or third-party portfolio of services is in or out of appetite.

Does this approach make sense and is it inline with the rest of the industry?  Does anyone have any suggestions on alternative approaches?

I look forward to any feedback/advice you can provide.

Thank you!

Hi there,

When creating a risk appetite, it is important to define how it will be integrated and influence everyday decisions. It sounds like you are taking that approach with pre-onboarding vs. ongoing monitoring and are generally on the right track. As you develop your TPRM risk appetite, it's important to remember that Third-party risk should easily integrate into your enterprise risk inventory. The board, audit and risk committee, finance committee, and risk assurance committee can monitor and manage the company's risk profile using risk appetite statements.

I advise working closely with your enterprise risk management team to ensure that your TPRM risk appetite is compatible with and reflects your organization's risk appetite methodology. An elaborate risk appetite should not be built only to be dismantled due to its inability to contribute to larger risk management and reporting initiatives.

I hope that is helpful, but I would also like to hear from other members.