- Vendor Preliminary Assessment
- Categorize Vendors based on Criticality & Inherent Risks
- Assess around 20+ Risk Dimensions, Potential Impact & Likelihood of occurrence
- ENGAIZ - Inherent Risk Scoring Algorithm
Any robust risk management program should consider both inherent and residual risks. Inherent Risk is the level of risk in place before any actions are taken to alter the risk’s impact or likelihood. Residual Risk is the remaining level of risk following the development and implementation of the controls or any response to the risk.
The risks included in the preliminary risk identification process are usually referred to as a “risk universe” – a listing of the risks that organization faces. These risks are typically organized by standard risk categories such a strategic, financial, operational, compliance.
The steps between the assessment of inherent risk and the final evaluation of residual risk may vary somewhat from organization to organization. ENGAIZ Third-Party Risk Management module provides you with the ability to customize the risk scoring mechanism.
The platform employs a holistic set of industry best practices for gathering and assessing critical risk domains of vendors including information technology, cybersecurity, privacy, resiliency and data security risks.
Categorize your vendor ecosystem based on criticality. It is important for your organization to know which vendor is providing a critical service which if disrupted will have internal or external impacts to your customer. Also, how difficult is it to transition or replace your current provider?
INHERENT RISK ASSESSMENT & SCORING
Inherent Risk is the level of risk in place before any actions are taken to alter the risk’s impact or likelihood. ENGAIZ has a fully customizable framework to identify and do a preliminary assessment of the various risk dimensions.
We have a customizable scoring mechanism based on likelihood of occurrence and impact.
The ENGAIZ Third-Party Risk Management module allows risk managers to initiate risk assessments automatically based on certain events or at will. The platform provides a centrally manageable dashboard to track all vendor assessments. Third-Parties will have secure vendor portal access to access and complete the assessments.
REVIEW, EVALUATE & SCORE SELF-ASSESSMENT RESPONSE
Vendor self-assessments are automatically evaluated and any exceptions are highlighted for the attention of the risk managers.
STANDARD CONTROLS & CUSTOM CONTROLS
The platform comes with a set of standard controls and also allows your organization to design and establish custom or compensatory controls.
MAP CONTROLS TO INHERENT RISKS
The Third-Party Risk Management module has the capability to map relevant controls to the inherent risks identified. This way you are fully assured that every risk identified has an associated mitigating control.
INITIATE CONTROL ASSESSMENTS
The platform has the capability to initiate Standard Control Assessments for your third-parties. This sends a notification to your vendor contacts allowing them to prepare and share key documents ahead via the secure vendor portal.
CONDUCT ONSITE CONTROL ASSESSMENTS
To ensure that controls are operating efficiently, testing and assessment of controls is usually necessary, particularly in automated processes. The testing provides confidence that controls have reduced risk to a tolerable level.
Our platform helps your vendor risk assessment teams with the testing procedures required to evaluate the effectiveness of third-party controls.
ASSESS EFFECTIVENESS OF CONTROLS
Designing of controls and establishing it is just one side of the equation whereas testing if the controls put in place are functioning effectively in controlling the risk is another side.
Our platform helps with clearly tracking all effective to non-effective controls.
RESIDUAL RISK SCORING
Residual Risk is the remaining level of risk following the development and implementation of the controls. Upon successful completion of the control’s assessment, our platform can provide a view of the residual risk levels and if they are within the organization’s tolerance limit.
REVIEW & APPROVE
Any risk that remains needs to be reviewed and approved by the business. Our platform allows for periodic reviews.
The platform obtains Cyber Security related data from third-party data and risk monitoring service providers. Get notifications on any change of risk ratings, breaches.
The platform obtains financial health data of all your key vendor partners to ensure you stay on top.
ADVERSE MEDIA INSIGHTS, PEP, SANCTIONS
The platform screens vendors and their executive management team for Adverse Media Insights, PEP and ensures they are not part of any sanctions list.
The platform screens vendors for any Adverse Media, Good and Bad press and monitors the reputation.
The platform keeps an eye on any potential economic, social and political unrest, or events in a country if the vendor provides service from a foreign country and is a Foreign Based Technology Service Provider.
According to Risk IT framework by ISACA, Key Risk Indicators (KRIs) are metrics capable of showing that the organization is subject or has a high probability of being subject to a risk that exceed the defined risk appetite.
ENGAIZ has a set of pre-defined KRIs that can be tracked.
Bring-on your own customized risk assessment kit.
We recognize that every organization has their own assessment questionnaires that is internally approved by their management.
Tired of having to deal with excel sheets? Not any more!
With the ENGAIZ Third-Party Risk Management platform, you can easily upload your assessment questionnaires, establish custom controls and leverage all the great features that ENGAIZ has to offer.
We provide you the Flexibility
Customize your Risk Assessment Questionnaires
Establish Custom Controls
Easily add a new Risk Dimension or a Regulatory body
ENGAIZ provides an Integrated Third-Party Governance and Risk Management platform.
Faster Time to Maturity
Our platform will help you accelerate the third-party governance and risk management program.
If your organization has no standard framework and best practice, our out-of-box fully customizable solution can help you get started quickly and propel you towards higher levels of maturity.
Show you are compliant to your internal and external auditors, senior management and the board.
Increase Efficiency; Cut Cost
Save resource efforts and time.
Thanks to the platforms digital and cognitive capabilities. Your organization will reduce the amount of operational challenges running a third-party risk management program.
A centralized approach to manage and mitigate risks of all your third-parties
Drive Excellence & Innovation
Move from a focus on ‘Cost Savings’ to a focus on ‘Risk Sharing’ partnerships that fosters a culture of Innovation.
We are glad to schedule an exclusive demo before you are able to experience a no-obligation free trial subscription to ENGAIZ.
Platform Overview – A Sneak Preview
ENGAIZ’s Third-Party Risk Management can help accelerate your organization TRM maturity.
Third-Party Risk Management Maturity
How mature is your Third-Party Risk Management program?
NIST is the National Institute of Standards and Technology,a unit of the U.S. Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards
International Organization for Standardization : ISO/IEC 27001:2013 Information technology - Security techniques - Information security Management systems – Requirements
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
OECD Privacy Framework
Two themes run through the updated Guidelines:
A focus on the practical implementation of privacy protection through an approach grounded in risk management, and the need to address the global dimension of privacy through improved interoperability.
The Organization for Economic Cooperation and Development (OECD) is a unique forum where the governments of 34 democracies with market economies work with each other, as well as with more than 70 non-member economies to promote economic growth, prosperity, and sustainable development.
Canadian Personal Information And Electronic Documents Act
PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.
NIST Privacy Framework
The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy.
California Consumer privacy Act
The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
New York State Department Of Financial Services 23 NYCRR 500
Summary Of The HIPAA Privacy Rules
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).1 The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.
Childrens Online Privacy Protection Rule (COPPA)
COPPA imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
APEC Privacy Framework
The Framework, which aims at promoting electronic commerce throughout the Asia Pacific region, is consistent with the core values of the OECD’s Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data (OECD Guidelines), and reaffirms the value of privacy to individuals and to the information society.
Federal Financial Institutions Examination Council (FFIEC), USA
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions.
Various sections of the Handbook cover third-party risk.
The Office of the Superintendent of Financial Institutions (OSFI), Canada
The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada, established in 1987 to contribute to the safety and soundness of the Canadian financial system. OSFI supervises and regulates federally registered banks and insurers, trust and loan companies, as well as private pension plans subject to federal oversight.
OSFI’s B10 regulation on Outsourcing of Business Activities, Functions and Processes.
The NAIC Insurance Data Security Model Law
The National Association of Insurance Commissioners is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories.
“(1) A Licensee shall exercise due diligence in selecting its Third-Party Service Provider; and
(2) A Licensee shall require a Third-Party Service Provider to implement appropriate administrative,
technical, and physical measures to protect and secure the Information Systems and Nonpublic
Information that are accessible to, or held by, the Third-Party Service Provider. “