Managing risk models
Your organization is responsible for controlling risks that may arise from outsourcing business activities to third-parties. Organization experts analyze the different realms of risks posed by third-parties and create controls and remediation plans for each. They need to establish:
- Relevant assessments to validate risks
- Workflows to monitor the third-party life cycle
- Continuous monitoring and reporting of progress
- Remediation plans to mitigate risks
Important
Seek internal/external legal counsel guidance when considering the risk model factors and variables and the defensibility impacts. A risk model is created for different third-party types and categories within the type to apply separate evaluation criteria to diverse types of third parties. Four factors make up a risk model: country, type and category, DDQ questions, and third-party custom field questions. The steps and examples provided in this documentation are informational only and are not specific to an organization.
Risk models help you objectively evaluate the inherent risk of a third-party to:
- Prescribe the proportional level of due diligence
- Prescribe the appropriate process for assessing an approval decision, including ongoing monitoring and diligence renewal/refresh
Risk models are specific to a third-party type and the categories within that type, so that separate evaluation criteria apply to diverse types of third-parties. You can also flag questions for high risk ranking, such as flagging an organization where a sanctioned party has 50% or more ownership. Factors can be weighted to invoke necessary risk rating changes. The risk rating is the risk assessment history, which changes over time based on the risk model assigned and other factors; details include how the relationship is categorized, the services provided, the country risk, due diligence questionnaire responses, and custom fields. Models can be cloned, changed, and tested to create new models.
Caution
Unless you are well experienced working with risk models, consult your Client Success Manager.
Steps to create a risk model
To create a model from scratch, you complete the steps in order. You will use all or some of the following steps, based on the risk factors you choose to include in the model. Risk factors include assessments, questionnaires, categories, CPI rankings, and other weighted risk factors. The weights assigned to each factor are used to calculate the risk score for the third party.
- Create the model and add type and category: The model screens third-parties with the type (for example, vendor) and category (for example, accounting) you identify.
- Define the risk tiers: Connect your risk tiers (such as high, medium, and low) to the level of due diligence (such as internal or external investigation).
- Select risk factors: The factors you select to include in the model make up the next steps.
- Configure the third-party category factor: Identify categories that have more and less risk.
- Configure the Corruption Perceptions Index (CPI) factor: Identify what countries to include based on the third-party location. Set range thresholds based on country risk factors. Include unlisted countries and add country overrides, if desired.
- Configure due diligence questionnaire factors: Score individual questions. Or you can set a default score if the questionnaire has or has not been submitted by the third-party.
- Configure custom field factor: Set values for custom fields (custom fields can be created to use in risk models). Set a default percentage if a field is not completed by the third-party.
- Test the risk model: View a sample of profiles and the scoring methodology for each before you publish the risk model.
- Publish the risk model: The model takes effect immediately. You cannot make modifications to the model after it is published. You can clone a model based on an existing model, change the factors, test, and publish the model. A new model overrides an existing model with the third-party types, categories, and risk tiers.
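The factors configured in the steps above can be sketched as a small scoring routine. This is an added example, not the product's scoring formula: combining factors as a weighted sum is an assumption, and every weight, score, threshold, country value and function name (`assess`, `cpi_score`, `ddq_score`) is constructed for illustration.

```python
# Hypothetical risk model: every weight, score and threshold below is constructed.
WEIGHTS = {"category": 20, "cpi": 30, "ddq": 30, "custom": 20}  # percent, sums to 100
CATEGORY_SCORE = {"accounting": 40, "logistics": 70}  # 0-100, higher = riskier
CPI = {"DK": 90, "BR": 36}            # sample index values; higher = less perceived corruption
CPI_BANDS = [(70, 10), (40, 50), (0, 90)]  # (minimum index value, risk score)
COUNTRY_OVERRIDE = {"BR": 60}         # override replaces the band score
UNLISTED_COUNTRY_SCORE = 80           # country missing from the index
DDQ_NOT_SUBMITTED = 75                # default when no questionnaire was returned
CUSTOM_FIELD_DEFAULT = 50             # default when the custom field is empty
TIERS = [(66, "high", "external investigation"),   # (minimum score, tier, due diligence)
         (33, "medium", "internal investigation"),
         (0, "low", "internal investigation")]


def cpi_score(country):
    if country in COUNTRY_OVERRIDE:
        return COUNTRY_OVERRIDE[country]
    if country not in CPI:
        return UNLISTED_COUNTRY_SCORE
    return next(score for floor, score in CPI_BANDS if CPI[country] >= floor)


def ddq_score(answers):
    """answers: list of (question score, high-risk flag raised), or None."""
    if not answers:
        return DDQ_NOT_SUBMITTED, False
    return sum(s for s, _ in answers) / len(answers), any(f for _, f in answers)


def assess(profile):
    ddq, flagged = ddq_score(profile.get("ddq"))
    factors = {"category": CATEGORY_SCORE[profile["category"]],
               "cpi": cpi_score(profile["country"]),
               "ddq": ddq,
               "custom": profile.get("custom", CUSTOM_FIELD_DEFAULT)}
    score = sum(WEIGHTS[name] * value for name, value in factors.items()) / 100
    # A flagged answer (e.g. sanctioned party owns 50% or more) forces the top tier.
    tier = TIERS[0] if flagged else next(t for t in TIERS if score >= t[0])
    return {"score": score, "tier": tier[1], "diligence": tier[2], "factors": factors}


if __name__ == "__main__":
    for p in ({"category": "accounting", "country": "DK", "ddq": [(20, False), (40, False)], "custom": 10},
              {"category": "logistics", "country": "BR"},
              {"category": "accounting", "country": "ZZ", "ddq": [(10, True)], "custom": 0}):
        print(p["country"], assess(p))
```

The third sample profile scores in the medium band on weights alone but lands in the high tier because of the flagged answer, which is the kind of case the test step is meant to surface before publishing.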
View existing risk models
You can view a list of existing risk models including the third-party type and category covered by the model. The list also includes the number of third-party profiles assigned to the model.
To view active risk models:
- From the dashboard, left menu, select the Settings tab, Content Control, then Risk Inventory.
- Scroll to Active Risk Models.