Extending Integrated Risk Management to Third-Party Risk

Risk-related content, including a risk framework, taxonomy/library, key risk indicator (KRI) catalog, and legal, regulatory and organizational compliance requirements

Library of pre-built industry standard content/ questionnaires, including specific compliance regulation and vendor performance content, with the capability to build your own assessment customized to your organization’s needs

Risk assessment methodology and calculation capabilities (e.g., bow-tie risk assessment)

Risk matrix that calculates risk scores based on likelihood of occurrence and impact to the business; augmented by a FAIR methodology

Policy documentation and control mapping

A unified risk model that automatically maps the information gathered from controls-based assessments to regulatory frameworks to enable clear and actionable reporting

Documentation workflow, including authoring, versioning and approval

Bi-directional document management with tasks, acceptance, and mandatory upload features

Business impact analysis

Quantify how risks change over time; with and without the application of required remediations

Audit work paper and testing management

Complete audit trail of all communications internally as well as with external parties through documentation workflow capability

Third-party control validation

Library of industry standard control-based assessments that map to whatever controls framework (e.g. CoBiT, ISO, NIST, etc.) is employed

Incident data capture

Continuously monitor cyber and business-related events of third-parties to inform immediate insights and additional assessments

Incident management workflow and reporting

Assign tasks to any one of a number of internal parties to facilitate further investigation

Root cause analysis

Include a number of outside data feeds to augment data gathering for a more complete view of risks

Crisis management

Identify workflow to address in real time any risks that could be business-impacting

Investigative case management

Maintain a record of all communications and documentation related to an identified risk for remediation

Project management functionality to track progress on risk-related initiatives, audits or investigations

Bi-directional remediation workflow to enable discussions on risk registers and completion date/cost definition

Risk control testing capabilities, such as continuous control monitoring

Perform reoccurring assessments and incorporate results from external network cyber scanning

Control mapping to risks, business processes and technology assets

Library of industry standard control-based assessments that map to whatever controls framework (e.g. CoBiT, ISO, NIST, etc.) is employed

Control mapping to legal requirements and compliance mandates

A unified risk model that automatically maps the information gathered from controls-based assessments to regulatory frameworks

Risk scorecard/dashboard capabilities

Risk register automatically populates from surveys with full audit trail and ownership of remediation

External data integration (e.g., information security vulnerability assessment data)

Snapshot and continuous vendor monitoring of vendor cyber and business risks, including feeds from outside sources, with intelligent prioritizing and risk registration

The ability to link KRIs to performance metrics

Visualize all vendors and sort by tier, risk score, category, importance to the business for better visibility

Machine learning or other artificial intelligence (AI)-enabled analytics

• Predictive modeling of risk score over time as recommended remediations are applied
• Business risk analysis utilizing analysts and inputs to address potential risks from operational, brand, financial, or regulatory changes

“What if” risk scenario analysis capabilities

Statistical modeling capabilities (e.g., Monte Carlo simulation, value at risk and Bayesian statistical inference)

Predictive analytics

Capital allocation/calculation

Fraud detection capabilities