Risk Rating During On-Boarding
Including third party risk rating as a strategic part of a robust risk management program provides the opportunity for early identification of the wide range of issues that ripple through both regulated and unregulated industries wherever outsourcing is present. Scoring third parties consistently was ranked as the most challenging issue in the 2017 “Development of Third Party Risk Management Practices Report.” ((“The Development of Third Party Risk Management Practices” MyComplianceOffice (MCO) and Center for Financial Professionals (CFP). 2017.))
Outsourcing brings more players to the table, inherently expanding the potential of risk for an enterprise. Outsourcing can expose the enterprise to country, strategic, financial, quality and business resiliency risks, each of which has the potential to deeply impact the outsourcer’s compliance posture, integrity, availability of information or services and, ultimately, the organization’s reputation and market position. Globally, the need for effective third party risk management extends to all verticals and is increasing rapidly as a major concern for risk managers as the business environment is perceived to be noticeably riskier in 2017. ((Executive Perspectives on Top Risks for 2017. North Carolina State University ERM Initiative and Protiviti. 2017.))
Establishing a well-designed risk rating system offers a clearer and more realistic view into third party relationships than can be achieved through piecemeal evaluations. The 2016 Shared Assessments Vendor Risk Management Benchmark Survey found that maturity levels increased significantly in 2016 for organizations focused on ensuring inclusion of a defined third party provider risk classification/rating system that includes established criteria as part of the contract review cycle. ((2016 Vendor Risk Management Benchmark Study. The Santa Fe Group, Shared Assessments Program and Protiviti, Inc. 2016.))Risk rating during due diligence provides the added benefit of setting expectations before entering into a relationship, or in the case of renewing a third party contract, re-setting expectations.
A robust risk rating system:
- Is tailored to suit the complexity and risk appetite of the organization.
- Takes into consideration the risks associated with each type of product or service and third party relationship.
To be effective, criteria for risk rating should be based on documented program parameters that are appropriate to the risk appetite the board has set for the contracting organization. ((Commonly examined key impact areas include: process criticality, concentration of services, compliance, reputation, financial, strategic, logical and physical security, business resiliency, recover time objectives and vulnerability to risk based on product/service type.
)) A risk rating system can contain as few as three rankings (e.g., low/medium/high), or may have a more refined scale. Either way, a formal risk rating will include a process that sets assessment cycles, depth and remediation expectations. Existing management systems may be leveraged to facilitate implementation.
A rigorous risk management system takes into account:
- A system for inventorying and assessment tracking for all third parties.
- Key data, systems and applications that are accessed by a third or fourth party.
- Vetting indicators of third party financial and operational stability and resiliency.
- Pre-contract requirements that are tied to a given risk rating (by service type and provider, or both).
Once instituted, risk rating should be part of the on-boarding process throughout the enterprise and be performed consistently on every potential third party. This approach allows for well-informed and timely allocation of appropriate resources toward third party oversight, reassessment need and timing and the frequency/quantity of other ongoing management activity. It also provides a measure of assurance that processes are being applied uniformly and that outsourced functions are being managed and monitored more consistently, as well as more efficiently.
By establishing a well-considered rating process, outsourcers can make better-informed decisions that support critical risk program functions. This process can also reveal significant gaps in due diligence, provide the opportunity to make processes more efficient and provide a defensible, repeatable third party assessment process. Within the Shared Assessments Program Tools, the Standardized Information Gathering (SIG) questionnaire provides a standard for risk rating third party service providers. This common-scale objectivity gives the outsourcer an enhanced capacity for maintaining regulatory compliance and a risk profile across its supply chain that mirrors its own macroeconomic, operational and strategic risk profile.
Santa Fe Group Senior Advisor, Bob Jones, has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.