The views and opinions expressed in this article are those of the thought leaders as individuals, and are not attributed to CeFPro or any particular organization.
By Madiha Fatima, Director, Third Party Risk Management, Angelo Gordon
How would you define ‘critical’ in a third-party risk perspective?
A robust Third Party Risk Management framework is built around the identification of your critical third parties and a risk rating methodology. Defining ‘critical’ from a third party risk perspective is not only a core component of a risk management framework, it is also required by many guidelines around the globe. While the concept of identifying critical third parties serves as a foundational block for a TPRM framework, there is no standard industry-wide definition firms can use to determine which third parties are critical, as what is critical for one firm can differ considerably from what is critical for another. A vital part of identifying your critical third parties is developing a definition of ‘critical’ based on your organization’s unique risk appetite and threshold analysis.
When developing the criteria for your critical third parties, there are a few key risk principles you may consider to create an identification grid, including but not limited to: (1) impact on operational resiliency and data privacy, (2) internal and external capabilities for the services provided by the third party, (3) impact on services provided by your firm, and (4) third party disruption analysis and impact on continuity. Once you have identified the major factors impacting your firm and developed a tolerance grid showing the risk thresholds for your organization, you can identify your critical third parties based on that analysis and determine whether those parties primarily pose a higher risk from an overall risk exposure or a continuity perspective.