Risk Assessments

 View Only

  • 1.  Risk reassessments - structure

    Posted 02-09-2025 05:45 AM

    Hi, 

    we are in the process of rolling out our comprehensive program and have some internal discussions as well as with our consultants. Our consultants strongly recommend to use residual risk to trigger reassessment frequency (seems logical) but they also suggest using aggregated risk score and our internal stakeholders insist on using individual risk domain score to avoid missing reassessment for a high or very high risk that needs reassessment. If you have 5 risk domains at low and medium but only one very high, your aggregated risk would not reflect that properly. 

    What are others doing in this space? Thanks for your feedback



  • 2.  RE: Risk reassessments - structure

    Posted 02-09-2025 01:07 PM

    I welcome other thoughts, but I disagree with using residual risk to schedule reassessments.

    The inherent risk in doing business with whatever vendor is being evaluated, should be the foundation for frequency, almost by default of the word itself. Residual risks are computed after evaluating the artifacts and/or questionnaire responses you have at that time, which could change from year to year, depending on how things are going with the vendors security posture at the time.  

    So, my rationale is that the inherent risks of the types of data being shared, how connectivity occurs (or doesn't), and dependence on the vendor, etc, is a better gauge for frequency of review.  Now, inherent risk can change too, if the vendor relationship changes.  I just think it's a safer bet on the determination for cadence.




  • 3.  RE: Risk reassessments - structure

    Posted 02-10-2025 07:24 AM

    Agree re using IRR to set cadence.  Amongst other bits, if it takes 2 months to complete RR due diligence n this is a critical vendor service, you would be reassessing IR every 14 months , 2 months past a typical 12 month cycle



    ------------------------------
    John peck
    ------------------------------

    Original Message


  • 4.  RE: Risk reassessments - structure

    Posted 02-10-2025 09:18 AM

    Consider changing the overall risk for the assessment to be highest risk domain. Using your example, the Very High domain would be the reported risk for the vendor.

    This is the methodology we use to rate the overall risk in our program. This conservative overall scoring approach is part of our rationale for using residual risk for reassessment frequency.

    Our TPRM program uses residual risk to schedule reassessment frequency, with built in overrides for Critical Activity vendors (Annual). The system allows for manual overrides to the schedule. 



    ------------------------------
    Greg Schmeisser
    Dir. Corp. Contracts & Procurement
    First Merchants Bank
    ------------------------------



  • 5.  RE: Risk reassessments - structure

    Posted 02-12-2025 07:52 AM

    Hello,

    We also use individual risk area scores (we have 10 risk areas we assess) instead of an aggregated risk score or tiering for similar reasons. This allows us to focus on specific risks and managing them and assures they aren't tiered low or high which could create extra work or lack of work.

    We use inherent risk to determine our frequency. I am trying to get my ahead around requesting due diligence annually based on inherent risk, if for example, it took us a while to complete the due diligence request and it has only been 8 months. Working with our Steering Committee to document our process more specifically. We also ask our vendor relationship owners to ask for a new inherent risk assessment/questionnaire if the scope of the product or service changes with a vendor.