Risk Assessments

  • 1.  When to conduct a risk assessment

    This message was posted by a user wishing to remain anonymous
    Posted 10-04-2022 08:37 AM

    We are looking to consolidate a siloed TPRM process at a financial services company in Europe. As we build out policy and processes, we are looking to add a requirement for the Business to use a third-party assessment/inherent risk check.

    Looking to see if anyone has any guidance/learning in this space.

    - At what stage in the process should an inherent risk assessment be conducted? (e.g. prior to onboarding (all third parties?), prior to contract (conduct one for every contract/work order with the third party – there can be many contracts under a Master Agreement), etc.)
    - Types of third party typically excluded from this check
    - Types of contracts typically excluded from this check
    - Types of services typically excluded from this check



  • 2.  RE: When to conduct a risk assessment

    Posted 10-11-2022 12:18 PM

    The inherent risk assessment should be one of the first activities for any new third party. It should be conducted first to determine the scope of due diligence and how to manage that third party during its lifetime. Inherent risk assessments should always be completed before any contract execution.

    It is also important to review and risk assess each product or service the third party provides as they carry different types and amounts of risk.

    As for the types of vendors (products and services) that should be excluded: this is up to your organization and should be in line with the specific regulatory guidelines you follow.

    We published a blog post on this topic in June of this year. It is very comprehensive and may be very helpful in answering some of your questions.

    https://www.venminder.com/blog/vendors-out-scope-third-party-risk

    Please remember that whatever decisions are made, you must document your in/out of scope requirements and your justification for any excluded categories.

    I hope that is helpful, but I would love to hear from other members, especially those who may have experience with European regulatory guidance.