Risk Assessments

  • 1.  Risk Assessment Weightings

    Posted 10-29-2025 12:09 PM

    Good morning,

    We are currently in the process of revamping our inherent risk assessment. As part of our process improvements, we are evaluating the weighting assigned to each risk category and sub-questions.

    We've identified that our current setup may be inadvertently driving down overall risk scores. For example, a vendor that we believe should be rated as Medium risk - due to the volume of sensitive data shared - may end up scoring as Low or Low-Moderate risk after the assessment, because other categories and sub-questions dilute the score of higher risk areas.

    Below are our current risk categories and their weightings:

    • Strategic: 10%
    • Reputational: 5%
    • Operational: 16%
    • Transactional: 16%
    • Compliance: 10%
    • Financial: 10%
    • Business Continuity: 10%
    • Cybersecurity: 18%
    • Legal: 5% 

    We would greatly appreciate it if anyone is willing to share how they are structuring their risk category and sub-question weightings - perhaps even a template that has worked well for your financial institution.

    Thank you in advance for your time and responses!



  • 2.  RE: Risk Assessment Weightings

    Posted 10-29-2025 07:03 PM

    Third party risk appetite statements.  I wrote a long answer but it didn't show up.  I'm going to wait 24 hours; if it doesn't, I'll rewrite it.




  • 3.  RE: Risk Assessment Weightings

    Posted 10-30-2025 11:32 AM

    Dallas, (Cool Name, I'm boring Dan)

    TLDR - put in a risk appetite statement that says if they have sensitive data or access to the company then the inherent risk is automatically a High.  Below I put the weighted inherent risk I've used working with banks.  It works pretty well, but like I'm saying, you are averaging risk, and without a third party risk appetite statement that says "If they have sensitive data or access they are automatically high inherent risk" it gets very frustrating, and I haven't found a way to show current risk for worst-case scenarios.

    Details:

    Your current model is averaging risk rather than controlling it.
    When all categories carry roughly equal weight, low-risk areas (like financial stability or legal exposure) mathematically dilute high-risk areas (like data sensitivity or system integration).  Even if they aren't equal weight like above, you minimize one to prove your point with certain circumstances with another, which skews the other categories of risk.  Like lowering reputation to add to cybersecurity.

    In practice, that means a vendor could host nonpublic information in the cloud - but still be rated "Low" overall because they scored well in unrelated domains.

    That's a governance solution not a formula flaw.

    Define a risk ceiling.

    I'd introduce a "risk ceiling logic" rather than trying to constantly rebalance weights.

    Policy-Level Solution (Risk Appetite Statement)

    Add a sentence like this to your Third-Party Risk Appetite Statement:

    "Vendors that store, transmit, or process customer nonpublic information (NPI), personally identifiable information (PII), or confidential business data shall be rated as at least High inherent risk, regardless of compensating controls or other risk factors."

    I would do the same thing for MFA capabilities if it's SaaS, and if they have access directly to the network through a site-to-site VPN or any other way where a third party with inside access to your network could laterally move an attack from their network to yours.

    This does two things:

    • Moves data access from being just a scoring factor to being a determinant of minimum inherent risk.

    • Prevents false "Low" ratings caused by category weighting math.

    That single statement creates an objective boundary condition for your scoring model.

    a. Adjust Weightings

    You can rebalance slightly - but only after you define your ceiling rule.
    Here's a weighting distribution I've seen work well for financial institutions:

    Category              Suggested Weight   Notes
    Cybersecurity         25%                Security posture directly impacts confidentiality, integrity, and availability.
    Compliance            15%                FFIEC, GLBA, PCI, HIPAA, etc.
    Operational           15%                Process maturity, change control, and access management.
    Business Continuity   10%                Recovery and resiliency testing.
    Reputational          10%                Public exposure, brand risk, media sensitivity.
    Strategic             10%                Vendor alignment to core mission and service dependency.
    Financial             10%                Long-term viability.
    Legal / Contractual    5%                Jurisdiction, liability, indemnification, etc.

    That brings security and compliance to the forefront - where most of your inherent risk resides.

    b. Apply Conditional Overrides

    Implement logic that says:

    • If vendor processes sensitive data -> Minimum inherent risk = High

    • If vendor has system or network connectivity -> Minimum inherent risk = Medium (I would most likely make this HIGH)

    • If Vendor doesn't have MFA capabilities -> Minimum inherent risk = Medium inherent risk
    • If vendor provides only physical goods or marketing materials -> Use weighted score normally (This is just an example)

    This combination of weighted scoring + conditional ceilings prevents under-classification while preserving quantifiable measurement for known risk.

    After implementing changes: I would do this in risk/IT steering or audit committee during your presentation to explain the new model with 1 or 2 to get everyone on board.

    1. Re-score 5–10 existing vendors you know should be Medium or High risk.

    2. Validate that your results align with your intuitive and regulatory expectations.

    3. Document this recalibration as a governance enhancement - not a model overhaul - to show examiners and auditors continuous improvement.

    Sorry for the book but I went through this exact thing with two institutions and it does get frustrating until you create that risk appetite statement.
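Added example (not part of the thread, and not any poster's own model) showing the dilution problem and the "weighted score plus conditional minimum" fix described in the reply above. The category weights are taken from the suggested table; the 1-5 category scale, the Low/Medium/High thresholds, the vendor data and the field names are all constructed assumptions for illustration.

```python
"""Weighted inherent-risk scoring with conditional minimum ("risk ceiling") overrides.

Constructed example: weights follow the suggested table in the reply; the 1-5
category scale, the level thresholds and the sample vendors are assumptions.
"""
from dataclasses import dataclass, field

# Category weights as fractions of 1.0 (from the suggested table in the reply).
WEIGHTS = {
    "cybersecurity": 0.25,
    "compliance": 0.15,
    "operational": 0.15,
    "business_continuity": 0.10,
    "reputational": 0.10,
    "strategic": 0.10,
    "financial": 0.10,
    "legal": 0.05,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 100%"

# Ordered risk levels; list index gives the ordering used for max().
LEVELS = ["Low", "Medium", "High"]


def score_to_level(score: float) -> str:
    """Map a 1-5 weighted score to a level. Thresholds are an assumption."""
    if score < 2.5:
        return "Low"
    if score < 3.5:
        return "Medium"
    return "High"


@dataclass
class Vendor:
    name: str
    category_scores: dict = field(default_factory=dict)  # category -> 1..5
    handles_sensitive_data: bool = False   # NPI / PII / confidential data
    has_network_connectivity: bool = False  # site-to-site VPN, direct access, etc.
    supports_mfa: bool = True


def weighted_score(vendor: Vendor) -> float:
    """Plain weighted average: this is the part that dilutes high-risk areas."""
    missing = set(WEIGHTS) - set(vendor.category_scores)
    if missing:
        raise ValueError(f"{vendor.name}: missing category scores {sorted(missing)}")
    for cat, val in vendor.category_scores.items():
        if not 1 <= val <= 5:
            raise ValueError(f"{vendor.name}: score for {cat} outside 1..5")
    return round(sum(WEIGHTS[c] * vendor.category_scores[c] for c in WEIGHTS), 2)


def minimum_level(vendor: Vendor) -> str:
    """Conditional overrides from the reply: each attribute sets a floor on inherent risk."""
    floors = ["Low"]
    if vendor.handles_sensitive_data:
        floors.append("High")
    if vendor.has_network_connectivity:
        floors.append("Medium")
    if not vendor.supports_mfa:
        floors.append("Medium")
    return max(floors, key=LEVELS.index)


def inherent_risk(vendor: Vendor) -> dict:
    """Final rating = the higher of the weighted level and the conditional floor."""
    score = weighted_score(vendor)
    weighted_level = score_to_level(score)
    floor = minimum_level(vendor)
    final = max(weighted_level, floor, key=LEVELS.index)
    return {
        "vendor": vendor.name,
        "weighted_score": score,
        "weighted_level": weighted_level,
        "floor": floor,
        "final": final,
        "overridden": final != weighted_level,
    }


# Constructed sample: a cloud host holding NPI that scores well in unrelated domains.
CLOUD_HOST = Vendor(
    "Cloud document host (constructed)",
    {"cybersecurity": 4, "compliance": 3, "operational": 2, "business_continuity": 2,
     "reputational": 1, "strategic": 1, "financial": 1, "legal": 1},
    handles_sensitive_data=True,
)
# Constructed sample: a printing supplier with no data or network access.
PRINT_SUPPLIER = Vendor(
    "Marketing print supplier (constructed)",
    {"cybersecurity": 1, "compliance": 2, "operational": 2, "business_continuity": 2,
     "reputational": 2, "strategic": 2, "financial": 2, "legal": 2},
)

if __name__ == "__main__":
    for v in (CLOUD_HOST, PRINT_SUPPLIER):
        print(inherent_risk(v))
```

Run as-is and the cloud host comes out at a weighted score of 2.30, i.e. "Low" on the averaged model, and is lifted to "High" only because the sensitive-data floor applies; the print supplier keeps its weighted "Low". Re-scoring a handful of known vendors this way, as the reply's validation step suggests, makes the `overridden` flag a quick way to see which ratings the weighting math alone would have got wrong.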