How to Set a Risk Appetite Framework for Third-Party Relationships
By: Hilary Jewhurst on February 6 2024
8 min read
Have you heard the terms “risk appetite framework” or “risk appetite statement,” but aren’t sure what they are or how they relate to third-party risk management? In this blog, we’ll explore exactly what a risk appetite is, how it’s developed through a risk appetite framework, and the purpose of a third-party risk appetite statement.
Understanding the Purpose of a Third-Party Risk Appetite Framework
Every organization that utilizes outsourced products and services provided by third-party vendors is exposed to certain risks. Regardless of the organization's size, it must be willing to take calculated risks to grow and remain competitive. These risks could include launching new products, entering new markets, or investing in new technologies. While there are potential downsides to taking risks, well-calculated ones can lead to significant rewards and long-term benefits for the organization. But how do organizations decide which third-party risks are acceptable and which are not?
As a best practice, the level of tolerable risk for the organization is usually determined through what’s known as a risk appetite framework. A third-party risk appetite framework is the methods, tools, and internal structures used to identify the level of risk an organization is comfortable accepting in pursuit of its goals and objectives through its use of third parties to deliver products and services to the organization or its customers.
To ensure safe and responsible decision-making, it's important for organizations to develop and follow a risk appetite framework. While some organizations are comfortable having an overall risk appetite framework that applies to all aspects of their business and operations, many organizations realize that the risks associated with using third parties may need a more tailored approach and develop a separate third-party risk appetite framework.
Here’s what should be included in a third-party risk appetite framework:
- Governance and oversight – Governance and oversight are the processes and structures put in place to ensure an organization's third-party risk appetite is effectively defined, communicated, and monitored. This includes the roles and responsibilities of key stakeholders, such as the board of directors, senior management, and the third-party risk management function.
- Standardized definitions of risks – An organization’s overall risk appetite statement will generally include risks found in the SCORE model: strategic: strategic, compliance, operational, reputational, and economic risks. A third-party risk appetite statement should also include risks relevant to third parties, such as compliance, information security, cybersecurity, business continuity, or concentration risk.
- Standardized levels of risk appetite – Clear and standardized levels of risk appetite may look like the following:
- Risk seeking – Open to aggressive risk taking
- Risk tolerant – Willing to tolerate more than normal risk
- Risk neutral – Strive for more balanced risk taking
- Moderately-risk averse – Exercise caution in taking risks
- Risk averse – Minimize risk as much as possible
- Defined risk appetite – Thresholds indicate the level of risk that an organization is willing to take. These limits are defined in terms of risk appetite metrics and are used to monitor the organization's risk exposure.
- Risk metrics – These are quantitative measures used to assess an organization's risk tolerance. These metrics can include financial ratios, key performance indicators, and risk scores, among others.
- Authorization guidelines for risk-taking at various levels – It’s important to clearly identify who has the authority to accept risks based on their size and type. For minor third-party risks, it may be appropriate for the business unit to decide to take on some risk to achieve their objectives. However, in the case of significant risks that could have a major impact on the entire organization, only the board and senior management should have the authority to determine if those third-party risks are acceptable.
- Employee communication and training – To establish an effective third-party risk management culture, it’s essential that employees understand their roles in managing risks. This can be achieved through regular communication and training.
- Risk reporting – Third-party risks are constantly changing and evolving. Regular reporting is necessary to ensure the organization accurately captures its risk universe and keeps its risk-taking within the approved risk appetite.
Developing a Third-Party Risk Appetite Statement
Every organization has its own unique quantitative and qualitative thresholds that determine its risk appetite. For instance, if an organization operates in a heavily regulated industry, it might have an exceptionally low appetite for compliance risk, which is especially true for third-party relationships that provide products and services subject to specific laws and regulations. On the other hand, a technology company that is looking for innovative and new solutions may be willing to accept more financial losses while pursuing research and development. This could lead to choosing a third party that offers a relatively new and untested product. A third-party risk appetite statement guides an organization on the risks present and the risks that may be taken in the selection, use, and management of third parties.
An effective third-party risk appetite statement typically includes the following:
- Your corporate values, which state your willingness to accept and mitigate certain risks.
Example third-party risk appetite phrasing: “XYZ Organization will act in accordance with the third-party risk appetite statement to ensure the use of third-party vendors and providers that offer products or services to our organization or customers on our behalf aligns with the organization's strategic goals and objectives, protects organization and customer data and assets, complies with all rules, laws, and regulations, and safeguards the organization’s reputation and brand.” - A clear description of your organization's overall attitude and approach to risk.
Example third-party risk appetite phrasing: “The organization understands its duty to manage risks associated with third-party relationships and takes responsibility for it. To do this effectively, the organization considers various factors such as regulatory requirements, industry best practices, and customer expectations. Moreover, the organization takes into account its internal goals, available resources, and the need to identify, manage, and monitor third-party risks effectively. The organization has set the acceptable level of risk for each risk domain and determined the level of authority necessary for taking these risks." - The methods your organization will use to implement your risk appetite.
Example third-party risk appetite phrasing: “XYZ Organization relies on essential third-party risk management principles, such as identifying, assessing, managing, and monitoring third-party risks, risk prioritization and transparency, and effective communication and reporting. The consistent application of inherent risk assessments, risk-based due diligence, third-party risk controls, and monitoring the risk and performance of third parties is required." - The types of risks your organization will assess.
Example third-party risk appetite phrasing: “The organization identifies and manages ten categories of third-party risk for a safe and sound business. Managed third-party risk categories include business continuity, compliance and legal, concentration, cyber and information security, financial or economic, geopolitical, operational, reputational, strategic, and transactional risk.” - A risk appetite scale that categorizes your risk appetite into different levels, such as risk seeking, risk tolerant, risk neutral, moderately risk adverse, or risk adverse, as described earlier.
- Your organization’s maximum capacity for various types of risk. Your organization may have varying levels of risk appetite for different types of risk.
Examples of varying third-party risk appetite levels:
- Cybersecurity – Risk Adverse: “The organization is dedicated to maintaining a high level of cybersecurity across all third-party vendors we work with, which should be on par with our own security standards. We will only collaborate with vendors who can demonstrate their commitment to cybersecurity and have implemented appropriate security measures to safeguard our data. We will not engage with vendors who do not meet our cybersecurity standards, and we will take all necessary steps to ensure our data remains protected at all
times.” - Financial Risk – Risk Neutral: “The organization has a moderate level of willingness to accept uncertain outcomes in order to accomplish the organization’s mission, goals, or strategic objectives. The organization is willing to assume certain financial risks related to our third-party relationships, but only if they are deemed to be justifiable and sound.”
- Strategic Risk – Risk Tolerant: “When it comes to developing new products or services, the organization may have a higher level of strategic risk tolerance. XYZ Organization may be willing to take calculated risks in order to pursue opportunities that have the potential to yield significant returns. By being more accepting of some strategic risks, the organization may be more likely to explore innovative ideas and invest in projects that have the potential to drive growth and revenue.”
- Cybersecurity – Risk Adverse: “The organization is dedicated to maintaining a high level of cybersecurity across all third-party vendors we work with, which should be on par with our own security standards. We will only collaborate with vendors who can demonstrate their commitment to cybersecurity and have implemented appropriate security measures to safeguard our data. We will not engage with vendors who do not meet our cybersecurity standards, and we will take all necessary steps to ensure our data remains protected at all
- A risk appetite matrix table that maps your risk appetite levels to different risk categories, such as strategic, operational, financial, or reputation risk.
- A periodic review and update of your third-party risk appetite statement to reflect any changes in your internal or external environment.
Frequently Asked Questions About Third-Party Risk Appetite Frameworks and Statements
Below are answers to frequently asked questions:
- Do I need a separate risk appetite statement and framework for third parties?
The answer depends on your individual organization, its risk culture, and maturity. Many organizations choose to have individual risk appetite statements for risk each category. Other organizations choose a single risk appetite statement to cover all risk categories and domains. The decision for one versus the other should be vetted through the appropriate channels and risk committees and be formally documented. - Do the third-party risk appetite statement and framework need to be updated?
It’s crucial to remember that third-party risks are not static; they change and evolve over time. It’s important to conduct regular reviews and updates of the third-party risk appetite and statement. A risk appetite developed a few years ago may not consider new or emerging risks, such as the use of artificial intelligence (AI) or increased cyberattacks. Your organization's third-party risk appetite may have changed due to several factors such as updated regulatory requirements, customer preferences, evolved business strategies, or the integration of recent technologies, such as AI, into your organization's internal systems or service offerings. - How detailed should my third-party risk management risk appetite statement be?
Keep in mind that when using external third-party vendors, the types and amounts of risks involved can be significant. Therefore, the third-party risk management risk appetite framework and its associated statements should be explicit enough to provide guidance on the selection, use, and termination of third-party vendors while keeping the risks in check.
Third-party risk appetite frameworks provide the structure and methods to define the organization’s general approach to third-party risk, and the levels and types of risks considered. The risk appetite statement should be formally documented and periodically reviewed to provide the best possible guidance for risk taking and management across the organization.
Related Posts
What Is Third-Party Risk Management?
Third-party risk management is the process and practice of identifying, assessing, managing, and...
How Do You Manage Third-Party Risk for a Health Organization?
Due to the extensive personal information in healthcare records, the healthcare sector remains an...
What Is Third-Party Risk? A Quick Look for Beginners
Internal and external business risks are a given for every organization, regardless of size or...
Subscribe to Venminder
Get expert insights straight to your inbox.
Ready to Get Started?
Schedule a personalized solution demonstration to see if Venminder is a fit for you.