Risk Assessments

  • 1.  Risk assessment

    Posted 01-10-2021 09:31 AM

    Hi All,

    Happy New Year!
    Is there a list of services outsourced by a financial institution which are out of scope for risk assessment, like telephone and utility bills, statutory and regulatory services, software and licenses, and temp staff hiring?

    Thanks!



  • 2.  RE: Risk assessment

    This message was posted by a user wishing to remain anonymous
    Posted 01-13-2021 09:08 AM

    Hi Payal, 

    Though I don't have a list, I always refer back to my main set of inherent risk questions. For example:
    1. Does the vendor or product align with strategic goals?
    2. Does this product or service in any way impact clients and/or customers?
    3. Will the vendor have direct access to clients and/or customers?
    4. Is sensitive data being accessed by this vendor?
    5. Will / does this vendor in any way host or store NPI or PII of employees, clients or customers?
    6. Will/does vendor have unescorted physical access to facilities?
    7. Does the vendor have access to or process any PCI (payment card industry) data?
    8. Does the vendor process financial transactions on our behalf, or on behalf of our customers or employees?
    9. Do we rely on this product or service in order to maintain compliance with any regulatory guidance?
    10. Will any services provided by vendor be supported by any location outside the continental United States?
    11. Will/does this product or service require an expense of over $50,000 within a single year?
    12. Does this product or service provide or support a significant revenue stream?
    13. Would a disruption in service cause a material impact to us or our clients/customers?
    14. Is this a technology-related service that will in any way require integration with our Network?
    15. Is the product or service a newly launched or emerging technology product?
    16. Will/does the vendor have access to our network?
    17. Will this product or service be accessed via the internet?
    If there's no way a service type would ever really have an inherent risk based on these sorts of questions, they can be scoped out, for the most part. I know there is a lot of gray area. I have seen justification for scoping out regulatory services, telephone and utility companies, and some types of software licenses and subscriptions. Aside from the utilities, I get wary about making it a rule to bucket an entire 'category' as out of scope, mostly because of how things can be interpreted by different people. I always like to make sure things come across my plate to at least make a risk-based determination and ultimately scope out if warranted, with documented justification.


  • 3.  RE: Risk assessment

    Posted 01-13-2021 09:44 AM

    Can someone provide a general list of types of services that are always critical besides the core processor?  

    I would think you would also have IT network service providers. 

    Merritt Wofford, Esq
    Assistant Vice President
    Security Officer, Heritage Southeast Bank and Heritage Bank, Division of Heritage Southeast Bank
    Facilities, Projects and Vendor Management




  • 4.  RE: Risk assessment

    Posted 01-13-2021 12:04 PM
    Hello Merritt,

    Critical may be defined differently depending on the organization.

    For my organization, "Critical" is any Third Party Provider that provides any service or product designated by our Systems and Technology committee as critical for continued operations for purposes of safety and soundness laws. Generally, these are vendors whose services support our ongoing operations and have an RTO of less than 24 hours. Further, we include a financial consideration: any vendor whose annual expenditure exceeds $2 million is also considered a critical service provider.

    Many vendors in our critical services category are technology; however, some providers, from whom we utilize multiple products, meet the financial consideration.

    Rachel Kenyon
    Division Third Party Risk Management Senior Analyst
    CRVPM IV


  • 5.  RE: Risk assessment

    Posted 01-13-2021 12:39 PM
    Hello Merritt,
    I agree with Rachel, the definition of critical may vary by organization.  
    We separate Risk & Criticality.  For us, critical is defined as a vendor that provides products or services of which any extended disruption would cause the company a substantial loss of existing business.  Our current critical vendors are approved by our oversight committee.

    Melissa Madigan, CRVPM IV
    Empower Federal Credit Union


  • 6.  RE: Risk assessment

    This message was posted by a user wishing to remain anonymous
    Posted 01-13-2021 12:49 PM

    Thanks Rachel. Is $2 million an arbitrary number that is re-visited each year, or why did you draw the line there and not 3 or 1?


  • 7.  RE: Risk assessment

    Posted 01-13-2021 01:00 PM
    Yes, $2 million is the current threshold established by our risk governance committee and board of directors. This is reviewed at least annually in accordance with our organization's TPRM Policy.

    Rachel

    ------------------------------
    Rachel Kenyon
    Division Third Party Risk Management Senior Analyst
    CRVPM IV
    ------------------------------