Conducting an Initial Risk Assessment Including Risk Scoring and Risk Classification
Once you have your initial data about the third party, it is time to assess the risk and assign a risk classification to each vendor or third party. You will need to be methodical in your approach, as regulators expect to see a robust, well-designed structure. A risk assessment can be conducted in many ways, from manual classification with documentation of why you have taken a particular risk view, to questionnaires sent to third parties with scoring, to more robust scoring using a risk matrix with weighted factors.
Risk assessment is different for every business, but some fundamentals apply to all organizations. Typically, you will be monitoring for the larger red-flag issues. While these may differ by industry, a common-sense assessment will generally include the following:
Type of service being provided
Access to internal data involved in providing the service
Nature of data set involved (client confidential, private data, financial transactions, identifiers, passwords, etc.)
Data and information security expectations (related to nature of data)
Financial standing of the vendor
The size of the contract
History of the relationship
Identifying the beneficial owners of the third party business
Location (country or region) where services are provided from or where the firm is headquartered. Some jurisdictions have looser regulations, a noted tendency to corruption in the market, opaque business practices, or a lack of enforcement of good corporate governance
The strategic importance of the third party to your business or service proposition
Risk scoring is the process of giving a value to the level of risk a third party represents. The total risk score is built from multiple values. Depending on your model, building the total score may be a complex process, but it is essential if you are to deliver an accurate assessment that will protect the organization. The MCO solution delivers the risk score through our Risk Transparency Matrix (patent pending), which allows an organization to evaluate a vendor on anywhere between 1 and 10,000 data points.
This initial risk classification will typically place each third party into one of a small number of levels, such as low, medium and high. Others segment into low, medium, high and critical classifications. The solution should be able to grow, as you will often want more fine-grained classifications as the third party risk management program matures. The initial classification assigned during setup would typically determine the degree of ongoing due diligence and monitoring within the program. Higher risk classifications may also initiate a deep-dive assessment of the vendor.
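The weighted risk matrix and tiered classification described in the two paragraphs above, as an added worked example (not MCO's own model or code): each factor from the red-flag list is rated 1 to 5, the weighted sum is rescaled to 0-100, and the score selects a tier that sets the ongoing due diligence. The weights, cutoffs, review cadences and the sample vendor are assumptions constructed for illustration.

```python
# Added example: a weighted risk matrix that scores a third party on the
# page's red-flag factors and maps the score to a classification tier.
# Weights, 1-5 scale, cutoffs and cadences are illustrative assumptions.

# Factor weights, summing to 1.0 (assumed).
WEIGHTS = {
    "service_type": 0.10, "internal_data_access": 0.20,
    "data_sensitivity": 0.20, "infosec_expectations": 0.10,
    "financial_standing": 0.10, "contract_size": 0.05,
    "relationship_history": 0.05, "beneficial_ownership": 0.05,
    "jurisdiction": 0.10, "strategic_importance": 0.05,
}

# Tier cutoffs on the 0-100 score and the ongoing due diligence each tier
# triggers (assumed; tune to your own policy).
TIERS = [
    (80, "critical", "deep-dive assessment, quarterly review"),
    (60, "high", "deep-dive assessment, semi-annual review"),
    (35, "medium", "standard questionnaire, annual review"),
    (0, "low", "baseline screening, review at renewal"),
]

def score_vendor(ratings: dict) -> float:
    """Weighted sum of 1-5 factor ratings, rescaled to 0-100.
    Rejects missing factors and out-of-range ratings so an incomplete
    assessment can never quietly land a vendor in the 'low' tier."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    for name, value in ratings.items():
        if name not in WEIGHTS or not 1 <= value <= 5:
            raise ValueError(f"bad rating {name}={value}")
    weighted = sum(WEIGHTS[n] * ratings[n] for n in WEIGHTS)  # in [1, 5]
    return round((weighted - 1) / 4 * 100, 1)

def classify_vendor(ratings: dict) -> tuple[float, str, str]:
    """Return (score, tier, required due diligence) for one third party."""
    score = score_vendor(ratings)
    for cutoff, tier, action in TIERS:
        if score >= cutoff:
            return score, tier, action

# Constructed sample: an offshore payroll processor handling employee PII.
PAYROLL_VENDOR = {
    "service_type": 3, "internal_data_access": 5, "data_sensitivity": 5,
    "infosec_expectations": 4, "financial_standing": 2, "contract_size": 3,
    "relationship_history": 1, "beneficial_ownership": 2,
    "jurisdiction": 4, "strategic_importance": 4,
}
```

`classify_vendor(PAYROLL_VENDOR)` returns `(70.0, 'high', 'deep-dive assessment, semi-annual review')`; a vendor with every factor rated 1 lands in `low` and one with every factor rated 5 in `critical`.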
Once you have assessed, scored and classified your third parties, you will then want to implement your ongoing due diligence and monitoring processes.
Risk scoring and risk assessment are only one part of an effective third party risk management program. Click below to learn more about the other essential elements of a third party vendor risk management framework.
Third party data and contracts repository
Overcoming data dispersion to create a single integrated data pool is vital.
One of the principal challenges initiating the process to more effectively
Missing third party data
It is highly probable that you will not have all the data you need from internal sources to conduct your risk assessment of the third parties. You will need to be sure that your platform is capable of gathering data from multiple external data sources.
To learn more about the different external data sources you will need, click here.
Third party due diligence
This part of the process requires deeper dives into areas of risk such as IT security, financial stability, corruption and bribery.
This is accomplished through multiple activities, including the use of in-depth questionnaires, the screening of third parties against external databases such as World-Check and Dun & Bradstreet for financial standing, and the scheduling and documenting of activities such as on-site visits and phone interviews.
Onboarding and terminating third parties
Onboarding new third parties is a key process for the firm, and implementing procedures to ensure that the correct third parties are onboarded is critical.
It is an important part of your
Oversight, reporting and analytics of third parties
Good oversight delivers better management and program control.
Issue and case management of third parties
A robust solution must be able to handle and help you to resolve your issues and cases.
When you are classifying risks and conducting due diligence, you also need a robust system that can manage those occasions when a supplier or third party does not meet the standards set out in your policy documents.