Risk is something every institution deals with on a daily basis. What is inherent risk and how do you assign levels to risk to manage it for your institution? With Maple Street’s approach, you’ll find assessing and ranking risk is less complicated than you may think.
Inherent risk vs. residual risk
In simple terms, inherent risk is all possible risk associated with meeting your objective. Residual risk is the amount of risk left after management controls have been applied.
Inherent risk is established by defining the institution’s key objectives, then identifying what could go wrong to prevent you from achieving those objectives. Management also considers the nature of the risk – whether from fraud, natural events such as storms, or complex and unusual business transactions. The origin and character of the risk contributes to understanding its potential impact and likelihood of occurrence.
Types of inherent risk
- NPPI risk – Access to member non-public personal information commonly known as fraud or identify theft. This means the vendor has access to sensitive information of the institution’s members/customers, either physically or electronically. The type of sensitive information and frequency of use or encounters is important to scoring.
- Operational risk – Will the program shut down as a result from third-party relationship? Risks include interruptions to services, time and resources required to replace the third-party’s services as well as the risk impact during the transition period.
- Strategic risk – Will it impact strategy, cause downtime or upset members/customers? Strategic risk includes adverse business decisions, the failure to implement appropriate business decisions in a manner consistent with the institution’s strategic goals, or to provide an adequate return on investment.
- Concentration risk – This form of riskarises when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
- Transaction risk – The risk of loss arising from problems with service or product delivery, such as inadequate capacity, technological failure, human error or fraud.
- Compliance risk –The risk that arises from violations of laws, regulations or from non-compliance with the institution’s internal policies, procedures or business standards. Compliance risk is heightened when an institution has inadequate oversight, monitoring or audit functions over third-party relationships.
- Financial risk – The more money involved, the more risk. This risk is based on the capital expenditure relative to the institution’s overall capital expenses.
- Legal risk – Exposure to legal events. This risk arises when a service provider exposes the institution to legal expenses and possible lawsuits.
- Reputational risk – Will this make the financial intuition look poorly to members/customers? This addresses the dimension of risk arising from negative public opinion.
Maple Street’s approach to risk ranking
Maple Street has a specific approach to understanding and mitigating inherent risk. Rather than risk ranking Vendor A vs. Vendor B, we concentrate on the nature of the risk itself, regardless of what third-party vendor is delivering the services.
Removing vendor bias – good or bad – makes for objective identification of inherent risk, resulting in better and more realistically risk-ranked vendors and prescriptive risk management for the best results for the institution.
We have proven the most accurate and effective strategy to objectively risk rank vendors is to ignore the vendor and instead focus on the contracted services each vendor is responsible for delivering. Each outsourced contracted service offers its own unique combination of exposures for inherent risk to form in varying areas and at varying levels. Focusing on the contract services when scoring allows for a more robust exploration and identification of the inherent risks.
How Maple Street risk ranks vendors
Every contract contains elements of risk. When each risk is scored, a total for all types of risk will create an inherent risk score for each contract service. Using a tiering process, the total scores for each contract service can be used to create a risk rank for the contract. The highest risk-ranked service becomes the risk rank for the contract. The contract’s risk rank then becomes the vendor’s risk rank.
This straightforward process can be duplicated for any contracted service and vendor, and can be done in five simple steps:
- Risk ranks are scored on the contract service not the vendor level
- Each risk element in the service is scored, reaching a total score
- The total score equals the risk rank tier for the service (1, 2, 3)
- When a contract service is connected to a vendor contract, it brings the risk rank with it
- The highest risk rank service for the contract equals the vendor risk rank
At Maple Street, we’re here to help. If you’re a client, here’s great news – Maple Street will perform the preliminary risk ranking of all contracts we’ve received. And more good news – if you don’t agree with our preliminary assessment, you have the flexibility to risk rank your vendors the Maple Street way using the risk rank assessment tool in CADi, our propriety software that makes short work of keeping track of your vendor contracts. Your Maple Street client success manager will be happy to walk you through it.
If you’re not currently a client, but are interested in learning how Maple Street will make risk ranking your vendor contracts faster and easier as well as how our exclusive Vendor Advantage System® will reduce vendor expenses, improve performance and manage risk, give us a call at 800-513-6839 or email mssales@maplestreetinc.com.