Risk Assessments

  • 1.  Risk Rating Scale

    Posted 08-23-2022 03:32 PM
    Hi Everyone,
    I'm curious how many risk levels are used in your TPRM programs (e.g., 3 levels - L/M/H, 5 levels - L/ML/M/MH/H) and whether you purposely aligned the TPRM risk levels with your company's ERM risk levels.  Also, do you have any lessons learned now that you've gone in that direction?

    My company doesn't have an ERM program yet, and we are building out the TPRM program first. My instinct tells me to establish a 5-tier rating system and set it as the enterprise taxonomy.

    Thanks!
    Tim


  • 2.  RE: Risk Rating Scale

    Posted 08-23-2022 06:38 PM
    Hey Tim... good to see ya! 

    I've tried to convince CROs to have one Risk Framework for the entire Org. That way everyone is on the same page when we're talking about Risk. Plus, your examiners will appreciate the enterprise-wide alignment. I would also add, if you have 5 risk tiers, you should consider 5 Contract Effectiveness measures. It makes it easier from a math perspective. I have "Effective; Mostly Effective; Fair/Partially Effective; Needs Improvement; Ineffective / No Control".

    Don't forget to define Impact; Likelihood; Rate of Occurrence; Complexity of Risk... 
    and if you use a Linear approach, you should add a note for Management... Mine says: 

    Note: This is a linear-based 5x5 scale. It establishes 25 potential Residual Risks. One should carefully consider the Control Effectiveness, as many controls can likely see improvements in both design and execution. Therefore, an Effective control score should be significantly rare and when one rates as such, Management is encouraged to challenge the rating.

    And one last thing... by definition, the Residual Risk cannot exceed the Inherent Risk. I've seen programs that make the mistake in their calculation as they want to take a conservative approach and want to use a weighted risk rating, as opposed to a linear rating. But if you go that route, you need to explain more... :-) I'm trying to keep it simple... 

    Good Luck!  


    ------------------------------
    Bradley Martin
    ------------------------------
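The 5x5 linear scale, the five-level control-effectiveness measure, and the rule that residual risk cannot exceed inherent risk, worked through as an added Python example. This is not code from the post or from any TPRM tool; the impact/likelihood labels, the percentage retained for each effectiveness level, and the equal-width mapping of the 25 scores onto five tiers are assumptions made for illustration (the post gives the effectiveness labels, not the numbers). The guard in `_guard` is what turns the "residual <= inherent" rule from a convention into something the calculation enforces, including against the weighted-scheme mistake the post describes.

```python
"""Linear 5x5 inherent/residual risk scoring with the invariant
residual <= inherent enforced in code rather than by convention.
Added illustration; all numeric values are assumptions, not the post's."""

# Assumed 1-5 ordinal scales for the two inputs of inherent risk.
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}

# The five control-effectiveness labels from the post, mapped to an assumed
# percentage of inherent risk that remains. Integer percentages avoid float
# rounding surprises; keeping every value <= 100 is what makes a linear
# scheme satisfy residual <= inherent by construction.
CONTROL_EFFECTIVENESS = {
    "Effective": 20,
    "Mostly Effective": 40,
    "Fair/Partially Effective": 60,
    "Needs Improvement": 80,
    "Ineffective / No Control": 100,
}

# Assumed equal-width mapping of the 25 possible scores onto five tiers.
TIERS = [(5, "L"), (10, "ML"), (15, "M"), (20, "MH"), (25, "H")]


def inherent_risk(impact: str, likelihood: str) -> int:
    """Linear 5x5: inherent = impact x likelihood, range 1..25."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def _guard(inherent: int, residual: int) -> int:
    """Reject any calculation that pushes residual above inherent."""
    if residual > inherent:
        raise ValueError(f"residual {residual} exceeds inherent {inherent}; "
                         "check the control-effectiveness weighting")
    return residual


def _scale(inherent: int, percent: int) -> int:
    """Ceiling of inherent * percent / 100 in integer arithmetic, so a
    partially effective control never rounds a risk down to zero."""
    return (inherent * percent + 99) // 100


def residual_risk(inherent: int, control: str) -> int:
    """Residual = inherent scaled by the control-effectiveness percentage."""
    return _guard(inherent, _scale(inherent, CONTROL_EFFECTIVENESS[control]))


def weighted_residual(inherent: int, control: str, weights: dict) -> int:
    """The 'conservative weighted' variant the post warns about: a caller may
    supply weights above 100%, and the guard is what catches the mistake."""
    return _guard(inherent, _scale(inherent, weights[control]))


def tier(score: int) -> str:
    """Map a 1..25 score onto one of the five tier labels."""
    for upper, label in TIERS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside 1..25")


def score_vendor(impact: str, likelihood: str, control: str) -> dict:
    """Full worked rating for one third party."""
    inh = inherent_risk(impact, likelihood)
    res = residual_risk(inh, control)
    return {"inherent": inh, "inherent_tier": tier(inh),
            "residual": res, "residual_tier": tier(res)}


if __name__ == "__main__":
    # Constructed sample: high-impact, likely vendor with mostly effective controls.
    print(score_vendor("Major", "Likely", "Mostly Effective"))
    # Weighted scheme with a 150% weight: the guard rejects residual > inherent.
    bad_weights = {"Ineffective / No Control": 150}
    try:
        weighted_residual(25, "Ineffective / No Control", bad_weights)
    except ValueError as err:
        print("rejected:", err)
```

Because every effectiveness percentage is at most 100, `residual_risk` can never trip the guard; only a scheme that weights weak controls above 100% (the "conservative" variant) does, which is exactly the calculation error the post describes.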



  • 3.  RE: Risk Rating Scale

    This message was posted by a user wishing to remain anonymous
    Posted 08-23-2022 07:25 PM

    In the recent How to Classify Who is a Critical Vendor Webinar, Hilary touched on establishing risk levels. As you develop your own risk methodology, consider how your oversight would differ, for example, if you used a risk rating of moderate versus moderate/high. If the oversight isn't more robust, maybe there isn't added value in the additional risk ratings.


  • 4.  RE: Risk Rating Scale

    Posted 08-24-2022 04:33 PM

    Thanks for the feedback on risk ratings! I love the variety in responses.

    Before moving over to the hospitality industry, I had been in banking for 23 years at a small, medium, and large FI. Previously I would have set up an ERM risk framework with five risk levels, which are calculated based on impact and likelihood of the underlying risks, with control effectiveness in there. Then I would have set five third-party risk tiers. That decision would have mostly been based on the direction of the industry and the large FIs. However, I'm now facing an interesting challenge to keep it simple, since we aren't regulated much at all in hospitality, outside of OSHA and such. I really like the point of stepping back and questioning what due diligence or monitoring activities would be performed on a medium vs. medium-high third party. It can seem like splitting hairs at times. However, if the third-party filtering or segmentation process is good, perhaps you can weed out third parties that provide de minimis risk, leaving a smaller number to spread across three ratings.

    Hey Bradley! I recall meeting you at the FSR vendor management conferences... I'm back in TPRM and excited.

    Thanks all.

    Tim Barthold

    Director of Compliance and Operational Risk




  • 5.  RE: Risk Rating Scale

    Posted 08-24-2022 08:29 AM

    I have always held to the opinion that a 3-level system was not granular enough and that 5 levels was something that most operational managers could conceptually understand and embrace. I also disliked the subjective ambiguity of 'H, M, L' frameworks, since Board members, auditors, and managers all came from differing perspectives!

    Since risk rating and metric information should ideally be assessed as close to its source as possible, it was important to me that non-risk managers be able to buy into the program. In a prior position (with general operational risk responsibilities), I developed this rubric as a reference for managers to use in their assessment decision making as part of the program. By incorporating numeric values, I could then leverage the scalar nature of the ratings with spreadsheet or database math to help me with the enterprise goals of the program.

    I hope that helps!

    Lee Beachy


  • 6.  RE: Risk Rating Scale

    Posted 08-25-2022 08:27 AM
    Thank You so much for sharing, Lee!!  This model definitely helps to eliminate much of the subjective information, to make for a more consistent rating!  Excellent work!


  • 7.  RE: Risk Rating Scale

    Posted 08-24-2022 01:16 PM
    I set up our vendor risk management program with three tiers: Critical, Moderate and No Impact. Trying to identify what it means to be in between Critical and Moderate, or Moderate and No Impact, made no sense to me, so I didn't add those levels.

    Will you be treating vendors in the LM or MH levels any differently? If you can quantify the differences, then go with a 5-tier rating.

    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------



  • 8.  RE: Risk Rating Scale

    Posted 08-24-2022 01:49 PM

    We did it the same way. We used Critical, Significant and Insignificant.

    Jutta Codori | Senior Administrative Officer, SVP

    CATALYST BANK




  • 9.  RE: Risk Rating Scale

    Posted 08-24-2022 01:47 PM
    The system that is currently in place at our FI is tiered not only on Risk, but also Criticality. So we have Mission Critical, Essential & Non-Essential for Criticality, and High, Medium, Low risk, which is based on NPPI & network access. The vendor can be any combo of Criticality & Risk Rating.


  • 10.  RE: Risk Rating Scale

    Posted 08-24-2022 04:32 PM

    Correct. I was not clear on my first response.

    Significance of vendor is Critical, Significant and Insignificant. Risk Rating is High, Medium, Low or Insignificant. Significant can have a risk rating of High, Medium or Low. Critical is always High and Insignificant usually carries a risk rating of Insignificant.

    Jutta Codori | Senior Administrative Officer, SVP

    CATALYST BANK