Risk Assessments

  • 1.  Risk category weights

    This message was posted by a user wishing to remain anonymous
    Posted 12-29-2023 01:28 PM

    Hello TPRM community,

    Background: I work for a community Bank. 

    I am curious as to how much weight you put on your risk categories when conducting your risk assessment within Venminder or any other tool, and why.

    For example, we place 20% weight for Operational, Cyber and Business continuity categories. However, we don't particularly have a good rationale. 

    How does everybody else decide?

    Thanks, and Happy New Year to everybody.



  • 2.  RE: Risk category weights

    This message was posted by a user wishing to remain anonymous
    Posted 12-29-2023 04:28 PM

    Our risk sections are equal in weight, with the exception of the reputational risk, which is the highest percentage. The reputational risk questions address the vendor's access to our customers' HIPAA, SSN, biometrics, and other personal identifying information as well as if the vendor has direct contact with the customer. Our risk assessment has been a collaborative effort with input from all departments within the company.