Author: Heather Kadavy, TPRA's Sr. Membership Success Coordinator
Whether you are a board member, shareholder, or member of executive management assigned to review and provide credible challenge to a report on Third Party Risk Management (TPRM) effectiveness; a TPRM leader or member of the TPRM team conducting oversight and reporting; or a business unit that owns the risk of its outsourced relationship(s), it is important that everyone understands the organization's risk appetite and risk tolerance. This helps ensure the effectiveness of the TPRM program and aligns it with the overall Enterprise Risk Management (ERM) program.
Risk Appetite is the threshold of risk that an organization is willing to assume in order to achieve a desired result or its objectives. Risk Tolerance is the acceptable deviation from the organization’s risk appetite.
1. Understand Your Organization's Enterprise Risks. Starting at the top: executive management, under the direction of the Board of Directors, typically identifies the key and emerging risks facing the organization. The list varies by organization, but typically includes compliance risk, credit risk, environmental risk, fiduciary risk, financial risk (e.g. interest rate risk, liquidity risk), legal risk, operational risk (e.g. transactional risk, fraud risk, information security risk), third party and supply-chain risk, Environmental, Social and Governance (ESG) risk, reputational risk, and strategic risk.
2. Understand Your Organization's Risk Appetite & Risk Tolerance. Typically, for each risk category, key performance indicators (KPIs) and key risk indicators (KRIs) are defined along with a risk target. On a periodic basis (typically quarterly), each business unit reports metrics for each risk category; analysis of these metrics lets the organization assess whether its operations are within its risk appetite and tolerance thresholds, and examine the inherent and residual risks affecting it. Outliers are typically discussed and managed, whether via remediation plans, risk acceptances, or other avenues.
3. Understand How TPRM Risk Appetite & Risk Tolerance Align to ERM. Similarly, a TPRM program will typically base its risk appetite and tolerance metrics on those of the ERM program. This ensures all departments speak the same language about risk and that very high-risk issues are escalated to the appropriate stakeholders. It also ensures TPRM activities are, and remain, risk based.
To ensure your TPRM program is aligned with your ERM program, TPRM leaders should ensure that:
a. The overall TPRM program considers the full threat landscape each outsourced relationship faces. Different third parties pose different threats, which typically roll up under one of the ERM umbrella risk categories.
b. Risk appetite and tolerance are known, understood, and reviewed on a regular basis. They may be influenced by legal and regulatory requirements, industry, corporate expectations, geography, and technology.
c. The total risk associated with an outsourced party is considered, since a single third party may provide your organization with several products and/or services.
4. Establish TPRM Risk Metrics for managing and monitoring outsourced relationships so that risks are mitigated in a timely manner. Common metrics for a TPRM program include, but are not limited to:
Third parties in total, by risk tier, by classification, by geographic region/location, and by risk category.
Third parties by division, department/business unit, and assigned TPRM team member
Assessments past their due date
Risk acceptances and/or escalations
Active continuous monitoring alerts
Service level agreements not being met
Service level agreements that do not meet corporate thresholds (e.g. RTO/RPO timelines, or incident/event notification timelines that fall short of corporate, legal, or regulatory expectations)
Contracts signed prior to completion of TPRM activities (e.g. due diligence)
Risk assessments incomplete or missing information
Third parties that represent concentration risk to the organization
Emerging risks and/or threats
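The metrics above only become actionable once each one is compared with the tolerance threshold the ERM program has set for it, and breaches that involve critical-tier third parties are escalated beyond the TPRM team (steps 3 and 4). The script below is an added illustration, not code from the original article or from any TPRM product. It uses a constructed five-vendor inventory, an assumed reporting date, and hypothetical tolerance thresholds; it computes several of the KRIs listed above (third parties by tier, overdue assessments, contracts signed before due diligence, open monitoring alerts on critical-tier vendors, and a simple service-count concentration measure), flags any KRI outside tolerance, and returns the critical-tier third parties that should be escalated.

```python
"""Illustrative TPRM KRI evaluation (added example, not from the original article).

Everything here is constructed: the vendor inventory, the reporting date and the
tolerance thresholds are all hypothetical and would be replaced by an
organization's own data and its documented risk appetite statement.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ThirdParty:
    name: str
    tier: str                       # risk tier: critical / high / medium / low
    region: str
    business_unit: str
    assessment_due: date            # next periodic risk assessment due date
    assessment_completed: bool
    contract_signed: date
    due_diligence_completed: Optional[date]   # None = never completed
    services: list = field(default_factory=list)
    active_alerts: int = 0          # open continuous-monitoring alerts


# Constructed sample inventory: hypothetical vendors, not real organizations.
INVENTORY = [
    ThirdParty("Acme Cloud", "critical", "US", "IT", date(2024, 5, 1), False,
               date(2023, 1, 15), date(2023, 1, 10),
               ["hosting", "backup", "identity"], active_alerts=2),
    ThirdParty("Payroll Plus", "high", "EU", "HR", date(2024, 9, 30), False,
               date(2022, 6, 1), date(2022, 7, 15), ["payroll"]),
    ThirdParty("PrintCo", "low", "US", "Facilities", date(2024, 3, 31), True,
               date(2021, 3, 1), date(2021, 2, 20), ["printing"]),
    ThirdParty("DataLab Analytics", "critical", "APAC", "Marketing",
               date(2024, 6, 15), False, date(2024, 2, 1), None,
               ["analytics"], active_alerts=2),
    ThirdParty("SecureMail", "medium", "EU", "IT", date(2024, 12, 1), False,
               date(2023, 9, 1), date(2023, 8, 25), ["email filtering"],
               active_alerts=1),
]

REPORTING_DATE = date(2024, 6, 30)   # assumed quarter-end reporting date

# Hypothetical tolerance thresholds: the highest count still inside the
# organization's risk tolerance for each KRI (the appetite for each is zero).
TOLERANCES = {
    "overdue_assessments": 1,
    "contracts_before_due_diligence": 0,
    "critical_tier_alerts": 5,
    "concentration_risk": 0,
}
CONCENTRATION_SERVICES = 3   # assumed: this many services from one vendor = concentration


def count_by_tier(inventory):
    return dict(Counter(tp.tier for tp in inventory))


def overdue_assessments(inventory, today):
    return [tp.name for tp in inventory
            if not tp.assessment_completed and tp.assessment_due < today]


def contracts_before_due_diligence(inventory):
    # Flags contracts signed with no due diligence, or before it was finished.
    return [tp.name for tp in inventory
            if tp.due_diligence_completed is None
            or tp.due_diligence_completed > tp.contract_signed]


def critical_tier_alerts(inventory):
    return sum(tp.active_alerts for tp in inventory if tp.tier == "critical")


def concentration_risk(inventory, min_services=CONCENTRATION_SERVICES):
    return [tp.name for tp in inventory if len(tp.services) >= min_services]


def evaluate(inventory, today, tolerances=TOLERANCES):
    """Return each KRI with its value, the affected third parties, its
    tolerance threshold and whether the value exceeds that threshold."""
    kris = {
        "overdue_assessments": overdue_assessments(inventory, today),
        "contracts_before_due_diligence": contracts_before_due_diligence(inventory),
        "critical_tier_alerts": critical_tier_alerts(inventory),
        "concentration_risk": concentration_risk(inventory),
    }
    report = {}
    for name, result in kris.items():
        value = result if isinstance(result, int) else len(result)
        report[name] = {
            "value": value,
            "affected": result if isinstance(result, list) else [],
            "tolerance": tolerances[name],
            "breached": value > tolerances[name],
        }
    return report


def escalations(report, inventory):
    """Critical-tier third parties named in any breached KRI: the items that
    leave the TPRM team and go to ERM / executive stakeholders."""
    critical = {tp.name for tp in inventory if tp.tier == "critical"}
    flagged = set()
    for kri in report.values():
        if kri["breached"]:
            flagged.update(n for n in kri["affected"] if n in critical)
    return sorted(flagged)


if __name__ == "__main__":
    report = evaluate(INVENTORY, REPORTING_DATE)
    print("Third parties by tier:", count_by_tier(INVENTORY))
    for name, kri in report.items():
        status = "BREACH" if kri["breached"] else "ok"
        print(f"{name:32s} {kri['value']:>3} (tolerance {kri['tolerance']}) "
              f"{status} {kri['affected']}")
    print("Escalate:", escalations(report, INVENTORY))
```

The `TOLERANCES` table is where the alignment with ERM lives: the numbers come from the enterprise risk appetite statement, not from the TPRM team, so a KRI that is within tolerance here is within tolerance in the ERM report as well. In the constructed data, open alerts on critical-tier vendors stay inside tolerance, while overdue assessments, contracts signed ahead of due diligence and service concentration all breach; only the critical-tier vendors involved in a breach are escalated, which is the "very high-risk issues" filter described in step 3.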
Whether you review risk appetite and tolerance from the bottom up (TPRM metrics to ERM risk appetite) or from the top down, the key takeaway is that the two must be aligned, so that risk is treated consistently throughout the organization and high-risk items get the visibility they deserve. If your organization has no documented risk appetite or tolerance levels, review what types of risk it accepts in practice, whether through a formal risk acceptance process or simply by not addressing specific risks; that is the risk appetite your organization has implicitly adopted. It is therefore crucial for all TPRM team members to understand how their role affects this overall alignment with the organization's risk appetite.