This White Paper from Shared Assessments discusses what Third Party Risk Rating is, why Risk Rating is needed and how an organisation can apply Risk Rating best practices as part of its Third Party Risk Management (TPRM).
Risk rating of third party providers is an essential aspect of a comprehensive risk management program. When risk rating is based on pre-determined criteria, outsourcers can use that rating on an objective basis for identifying actual-versus-perceived risk, and for comparing third parties from a risk perspective related to specific risk areas, such as financial health, security controls and resiliency.
This objectivity informs a more effective evaluation of a Third Party’s ability to maintain a control profile that better mirrors the expectations of the outsourcing organisation. This paper discusses:
- What Third Party Risk Rating is;
- Why Risk Rating is needed; and
- How an organisation can apply Risk Rating best practices as part of its risk management.
A formal Risk Rating process determines assessment cadence and prioritises the depth of, and specific actions for, those assessments. To be effective, Risk Rating must be based on documented parameters, which include scoring against the defined risk tolerance and risk appetite statement of the outsourcer. It is essential that a pre-engagement risk rating is performed on every potential Third Party to determine appropriate levels of due diligence oversight and to set relevant expectations for ongoing assessments. Taking this approach allows stakeholders, including risk managers, senior executives and board members, to focus and apply appropriate resources to third party oversight. This, in turn, enables the organisation to be more effective in:
- Assigning the timing and frequency of ongoing risk management activity;
- Determining the need for and allocation of resources to reassessment; and
- Achieving better overall risk management outcomes.
Benefits of establishing a well-structured, comprehensive rating process include: focused organisational support for internal and external critical risk functions; identification of significant gaps in due diligence and control processes; and the opportunity to make control assessment processes more cost effective and efficient.
Download the full White Paper (External Link): Risk Rating Third Parties: Optimising Risk Management Outcomes
Contact DVV Solutions
As a Shared Assessments program member and registered Assessment Firm we utilise industry-standard practices including Standardised Information Gathering (SIG) questionnaires and Agreed Upon Procedures (AUP) for onsite assessments. Learn more about how our experience and expertise can help improve your Third Party Risk Management program.
Contact Us: Complete our Contact Form
Call Us: 0161 476 8700
About Shared Assessments
As the trusted source in Third Party risk, the member-driven Shared Assessments Program has been setting the standard in Third Party risk assessments since 2005. Shared Assessments Program members work together to build and disseminate best practices, building resources that give all Third Party risk management stakeholders a faster, more rigorous, more efficient means of conducting security, privacy and business resiliency control assessments. For more information on Shared Assessments, please visit www.sharedassessments.org.