This is a value (metric) applied against an absolute value computed based on a systemic, consistent approach that quantifies risk in terms of loss potential, then sequences individual risks to determine how often and how thoroughly third party controls and related processes (such as disaster recovery testing) are examined and tested. A well-structured risk rating process, allows outsourcers to make informed decisions about a third parties ability to meet their expected control requirements and mitigate potential risks. This process can also reveal significant gaps in suppler selection, due diligence efforts, identify missing or deficient controls and provide the opportunity to ensure consistency across the lifecycle of the third party relationship. It will also develop a risk profile of suppliers across an organization supply chain which mirrors its own macroeconomic, operational and strategic risk profile. Assessing risk of a particular function or third party across a ranked scale (e.g., 1-5, high to low). The scale may be custom defined or developed by/for an organization to help prioritize due diligence requirements throughout the lifecycle of the third party relationship. The scale should take into account the risk of a particular activity, concentration risk, and other factors unique to the outsourcer’s needs.
