A risk register is a tool that records and tracks identified risks, their probability, impact, status, and mitigation actions throughout the life cycle of a third-party relationship [1]. A risk register typically includes the following components [2]:
A unique identifier for each risk
A description of the risk and its source
A rating or grading of the risk according to a risk assessment table or hierarchy
An assessment of the likelihood that the risk will occur and the seriousness of its impact
An outline of proposed mitigation actions and assignment of risk owner
A status update on the risk and the progress of the mitigation actions
A target date for resolving the risk or closing the action

A vendor inventory is a list of all the third parties a banking organization engages with, along with relevant information such as the type, scope, and nature of the services provided, the contract terms and conditions, the performance indicators, and the risk ratings [3]. A vendor inventory is not a component of a risk register; it is a separate document that supports the planning and due diligence phases of the third-party relationship life cycle. A vendor inventory may be prioritized by contract value, but also by other criteria such as the criticality of the service, the risk level of the vendor, and the strategic importance of the relationship.

References:
[1] Third-Party Risk Management (TPRM): Final Interagency Guidance, KPMG, June 2023
[2] What Is Third-Party Risk Management (TPRM)? 2024 Guide, UpGuard, January 2024
[3] Third-Party Risk Management Guidance, OCC Bulletin 2023-29, October 2023
[4] Certified Third Party Risk Professional (CTPRP) Study Guide, Shared Assessments, 2023
[5] Best Practices Guidance for Third-Party Risk, GARP, February 2023