Vendor Risk Management Scoring PROCESSUNITY WEBINAR


Page 1: Vendor Risk Management Scoring - processunity.com

Page 2

2 © ProcessUnity, Inc. All Rights Reserved.

Today’s Presenters

Ed Thomas, Vice President of Marketing

Gary Phipps, Director of Risk Solutions

Page 3

About ProcessUnity

Founded 2003

Risk & Compliance Simplified

Third-Party Risk Management

Policy & Procedure Management

Risk Management

Compliance Management

Risk & Compliance Automation

HQ: Concord, Massachusetts

Page 4

Agenda

• Getting grounded: key definitions
• What is assessment scoring?
• Why embrace a scoring methodology?
• Discussion re: scoring methodology types (pros and cons)
• Using ProcessUnity to automate vendor risk scoring

Page 5

Key Definitions

Inherent Risk: The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances.

Residual Risk: Exposure to loss remaining after other known risks have been countered, factored in, or eliminated.

Assessment: The process of evaluating and approving prospective and active third parties, vendors, suppliers and/or partners. Used to measure and monitor performance for the purposes of reducing costs, mitigating risk and driving continuous improvement.

Page 6

Vendor Risk Scoring

Vendor Risk Scoring is the process of applying a measured and repeatable process to establish a shared opinion of the risk that is posed by the practices of an existing or would-be third party.

[Figure: sample vendor score widget showing Risk Score, Grade and Trend on a 0 to 10 scale.]

Page 7

Vendor Risk Scoring Benefits

Ensure Repeatability

Eliminate Subjectivity

Validate Program Results

Save Time

Page 8

Opportunities for Scoring in the TPRM Lifecycle

1. Determine Inherent Risk: What is the risk of the service being used?

2. Scope Assessments: Based on the service type and inherent risk level, which questionnaire should be used?

3. Rate Assessment Responses: Based on a score from assessment responses and/or issues documented from evaluated responses, how do we rate this vendor?

4. Calculate Residual Risk & Determine Review Frequency: Based on inherent risk and the rating from the most recent assessment, what is the residual risk and how often should we review this vendor?

Page 9

Inherent Risk

Service Risk Criteria + Service Types = Inherent Risk

Service Risk Criteria: Criticality, Confidentiality, PII, Transaction Volume, Contract Value, Reputation

Service Types: Financial, Data Storage, Customer, Marketing, Legal

Inherent Risk levels: CRITICAL, HIGH, MEDIUM, LOW


Page 12

Scoping Assessments

Inherent Risk + Service Types + Risk Domains = Assessment Scope

Inherent Risk: CRITICAL, HIGH, MEDIUM, LOW

Service Types: Financial, Data Storage, Customer, Marketing, Legal

Risk Domains: Information Security, Financial, Reputation, Geographic, Business Continuity, Compliance, Cybersecurity, Conflict of Interest, Identity

Assessment Scope (each with Mapped Risk Domains): Questionnaire Only; Questionnaire + Virtual; Questionnaire + Physical


Page 15

Rating Assessments

Numeric Scoring: Question Scores by Risk Domain + Risk Domain Weighting = Overall Assessment Score
  Score > 85 = Satisfactory
  Score > 75 and < 85 = Needs Attention
  Score < 75 = Unsatisfactory

Issue-Based Scoring: Issues Identified (with Severity Rating: High, Medium, Low) + # of High, Med, Low Issues = Rating
  = 0 High Issues and < 3 Medium Issues = Satisfactory
  = 0 High Issues and < 6 Medium Issues = Needs Attention
  > 0 High Issues = Unsatisfactory
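The two rating methods on this slide, as an added example in Python (not ProcessUnity's code): a domain-weighted numeric score banded with the slide's thresholds, the issue-count bands, and a combined rating. The domain names, weights, question scores and issue counts are constructed, and the handling of scores of exactly 75 and 85, of zero High with six or more Medium issues, and the "take the more severe rating" combination are assumptions the slide does not state.

```python
from __future__ import annotations
from statistics import mean

# Rating bands in order of increasing severity.
SEVERITY = ["Satisfactory", "Needs Attention", "Unsatisfactory"]


def overall_score(question_scores: dict[str, list[float]], weights: dict[str, float]) -> float:
    """Weighted average of per-domain mean question scores (0-100).

    Each risk domain scores as the mean of its question scores; the
    overall score weights domains by the program's domain weighting.
    """
    total_weight = sum(weights[domain] for domain in question_scores)
    weighted = sum(mean(scores) * weights[domain] for domain, scores in question_scores.items())
    return weighted / total_weight


def numeric_rating(score: float) -> str:
    """Slide bands: >85 Satisfactory, 75-85 Needs Attention, <75 Unsatisfactory.
    Exactly 75 and 85 are undefined on the slide; treating both as Needs Attention is an assumption."""
    if score > 85:
        return "Satisfactory"
    if score >= 75:
        return "Needs Attention"
    return "Unsatisfactory"


def issue_rating(high: int, medium: int, low: int) -> str:
    """Slide bands by issue count. Low issues are counted but do not move the rating.
    Zero High with 6+ Medium is not on the slide; rating it Unsatisfactory is an assumption."""
    if high > 0:
        return "Unsatisfactory"
    if medium < 3:
        return "Satisfactory"
    if medium < 6:
        return "Needs Attention"
    return "Unsatisfactory"


def combined_rating(score: float, high: int, medium: int, low: int) -> str:
    """Assumption: when both methods are used, the more severe rating wins."""
    return max(numeric_rating(score), issue_rating(high, medium, low), key=SEVERITY.index)


# Constructed sample assessment: question scores per risk domain, domain weights, issue counts.
SAMPLE_SCORES = {"Information Security": [90, 80, 70], "Business Continuity": [100, 90], "Compliance": [60]}
SAMPLE_WEIGHTS = {"Information Security": 3, "Business Continuity": 2, "Compliance": 1}
SAMPLE_ISSUES = (0, 2, 5)  # high, medium, low

if __name__ == "__main__":
    score = overall_score(SAMPLE_SCORES, SAMPLE_WEIGHTS)  # 81.67
    print(f"overall score {score:.2f} -> {numeric_rating(score)}")  # Needs Attention
    print(f"issues {SAMPLE_ISSUES} -> {issue_rating(*SAMPLE_ISSUES)}")  # Satisfactory
    print("combined ->", combined_rating(score, *SAMPLE_ISSUES))  # Needs Attention
```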

Page 16

Pros & Cons of Assessment Rating Approaches

Numeric-Based
• Pro: Limits personal subjectivity, supports weighted averages, calculation oriented
• Con: Can create unnecessary complexity; important evidence of risk may be obscured within the larger quantitative valuation

Issue-Based
• Pro: Reduced false positives, more readily targets important risk areas, limits attention to trivia
• Con: Introduces greater subjectivity, can require higher skilled resources for due diligence review, may lead to some inconsistency across vendors

Page 17

Residual Risk

Inherent Risk + Last Assessment Rating = Residual Risk and Review Frequency

Inherent Risk: High, Medium, Low

Last Assessment Rating: None Prior, Satisfactory, Needs Attention, Unsatisfactory

[Figure: matrix of Residual Risk and Review Frequency by Inherent Risk and Last Assessment Rating. Cell values as extracted, with their positions lost: Not Required, Biennial, High Annual, High Annual, High ASAP, Low Triennial, Low Biennial, Medium Biennial, Medium ASAP, Low Triennial Review. Example value shown on the slide: Medium.]


Page 20

Demonstration: Scoring in Action (ProcessUnity Vendor Cloud)

Page 21

Vendor Risk Scoring Benefits

Ensure Repeatability

Eliminate Subjectivity

Validate Program Results

Save Time

Page 22

Risk & Compliance… Simplified

End-User Configurable: Business users can configure our tools to fit their programs and processes without calling IT.

Cloud-Based: SaaS-based system features automatic system updates / upgrades and includes customer support.

Easy-to-Use Interface: Point-and-click interface, dashboards, alerts and online help make our tools the easiest to use.

Deploys Quickly: Most customer implementations are completed within 30 days.

Flexible Pricing: Tiered pricing plans allow customers to purchase only the features, functions and licenses they need.

Page 23

Vendor Cloud Pricing

Page 24

24 © 2017 ProcessUnity, Inc. All Rights Reserved.

Third-Party Risk Management

ISSUES, FINDINGS, DASHBOARDS, ASSESSMENT STATUS

Pre-Assessment, Assessment, Ongoing Monitoring

Schedule Your Deep-Dive Demonstration: www.processunity.com/contact