Risk Assessments

  • 1.  Classifying Findings/Gaps - Risk Levels

    This message was posted by a user wishing to remain anonymous
    Posted 11-03-2021 08:18 AM

    As part of the vendor risk management program enhancement, I am working on defining risk levels for High, Medium, and Low findings. Would anyone mind sharing some examples of their definitions? Thanks in advance!


  • 2.  RE: Classifying Findings/Gaps - Risk Levels

    This message was posted by a user wishing to remain anonymous
    Posted 11-03-2021 05:00 PM

    Below are the definitions our financial institution uses:

    • High Risk Rated vendors, generally, are relationships where the vendor's product or service (i) may have a material impact on the Bank's revenues and expenses; (ii) performs critical functions or functions that are under greater regulatory scrutiny; and/or (iii) stores, accesses, transmits, or performs transactions on a significant amount of customer, employee or proprietary non-public information ("NPI").
    • Medium Risk Rated vendors, generally, are relationships where the vendor's product or service (i) may have a significant (but not material) effect on the Bank's revenues and expenses; (ii) performs less critical functions for the Bank; and/or (iii) has limited or controlled access to customer, employee or proprietary NPI.
    • Low Risk Rated vendors, generally, are relationships where the vendor's product or service (i) has minimal or no impact on the Bank's revenues and expenses; (ii) performs non-critical functions for the Bank; and/or (iii) has limited or no access to customer, employee or proprietary NPI.