Smarter Awareness for Financial Services: How to Assess Third-Party Risk

18 March 2021

Posted by Justin Gibbs –


In so many aspects of life and work, we rely on the help of others. Within the financial services industry in particular, you likely rely on third parties to effectively run your operations. These vendors can help organisations reduce costs, improve productivity and deliver enhanced internal and external customer service—all very important advantages in a competitive and innovative sector.

Of course, there’s always a flip side. Working with a third party can also open your organisation to significant regulatory, financial and cybersecurity risk, as these vendor integrations often involve access to sensitive data, back-end services and source code. As these partnerships proliferate, we’re likely to see these instances remain a preferred attack vector for cybercriminals.

Take, for example, Morgan Stanley. Several years ago, the company was found to have inefficiently decommissioned two data centres. A government agency imposed a hefty fine of $60 million for the error, citing its “inadequate risk assessment and monitoring of third-party vendors and a failure to keep track of customer information.”

The lesson here: it’s critical for your organisation to properly assess any potential vendor before committing to a partnership or implementing any third-party tools or services.

The key to an effective and secure partnership with any third party is to identify the level of risk a potential vendor poses to your organisation. The best way to do this is with a robust third-party risk assessment—but it must be done right. As more organisations share data with service providers and third-parties, we’ve put together this list of five Smarter Awareness tips to optimise your assessment parameters and better protect your data and your organisation.

Identify your Organisation’s Risk Tolerance

To get the most out of your third-party risk assessment, it’s important to know how much risk you’re willing to tolerate to meet your business objectives. This will help your organisation determine your true target security state.

CSO provides a helpful roadmap for how to identify your risk tolerance (sometimes referred to as business risk appetite), including:

  • Establish clear roles— who owns this task?
  • Start big, and identify the types or buckets of problems that could jeopardise your organisation. Do this before breaking these problems down into specific scenarios.
  • Filter out the noise and limit your risk assessment to business impact. Consider a tiered system of classification from low to high to catastrophic.
  • Connect your risk tolerance to your business strategy or strategic vision.

Once your risk tolerance is identified, you can use these metrics to build an informed risk assessment that accurately reflects the goals of your business. Another beneficial outcome relates to future buy-in and resourcing. In clearly identifying your risk tolerance—and by connecting it to your business objectives and strategic goals—your technology team can provide meaning and rationale to invest money and resources into the right risk management solution.

Set Success Criteria and Classify Vendors

To effectively evaluate potential vendors, you need to determine which risk criteria pose the greatest threat to your organisation. A broad categorisation of risk might be as follows:

  • Prohibited/not tolerated
  • High risk (serious, not prohibited)
  • Medium risk (warrants additional security measures)
  • Low risk/baseline

You might also apply a more detailed rating system within each category, such as a 1 to 10 score in each category of low, medium, high and prohibited. Determining the greatest threats in a systematic way can also help determine at what level, broadly, your organisation is comfortable operating at. You of course don’t want to enter a prohibited state of risk, but could you operate at medium risk? To what extent? For how long and at what cost?

With your risk criteria you can classify vendors into different categories based on the services they provide your organisation. From here, you can strategically identify which vendors to prioritise when assessing risk. Begin with those vendors who fall into the higher tiers, such as prohibited and high risk, before moving to those vendors who present medium or low risk.

Develop a Framework for Assessing Risk

To establish a holistic view of third-party risk, create a standardised assessment framework that can be used across your entire financial services organisation. A standard framework is the best way to clearly identify and prioritise risk and to communicate the findings across different business units in a clear and actionable way. A risk assessment that no one can understand or use defeats the point of this critical business activity.

The framework will likely include key components such as risk identification, measurement, mitigation, monitoring and governance. The right framework will also depend on various drivers at your organisation including compliance and regulation, customer security requirements, IT system security risks, products and services, competitive measures, data value or even management preferences.

While a multitude of frameworks exists, it’s critical to select the right one to overcome the inherent subjectivity involved with risk assessment. A few key attributes to consider in a risk assessment framework include: a uniform scale for prioritising risks, objective evaluation criteria and a universal approach across business units.

A clear framework for assessing risk is especially critical for smaller or younger financial organisations with less mature or under-resourced risk management practices. Adopting consistent processes for third-party evaluation and onboarding will ensure greater visibility into third-party risk and foster improved decision making.

Use Technology to Your Advantage

As with so many things, the right use of technology will go a long way to improve and simplify the overall risk assessment process for you and your organisation. For example, consider using a standard online questionnaire to assess the specific risk of a potential vendor. An online assessment form, completed by the vendor, can produce better survey responses and higher quality information for a more informed decision. Wherever possible, make sure to do this early in the vendor relationship.

Online vendor portals can also be used to centralise communication with key vendors and give your organisation full visibility into vendor relations. This includes a timely view into the status of things and a clear record of your actions.

Measure the Effectiveness of your Assessment

Third-party risk assessment is a continuous process. For maximum efficacy, you must monitor how the process is working, and improve upon it. Which means re-visiting and updating your risk tolerance assessment. Has your business risk appetite changed? What risk criteria now pose the greatest threat to your organisation? What vendors need to be re-prioritised as a result?

Plan to evaluate your assessment at least annually to determine whether or not potential risks are being flagged. This evaluation might also follow any significant periods of growth or stagnation or any major pivots to your business strategy, products and services or strategic vision, or perhaps following a pandemic? As a health-check on your risk assessment process, monitor whether or not the appropriate vendor action was taken when a risk was identified. Too often, third-party risk is only considered after a vendor incident occurs.

Ready to navigate third-party risk? Contact us to schedule a 20-minute meeting with a specialist.