Risk Assessments: The Art of Guessing in TPRM

    Generated using DALL-E

    The postings on this site are my own and do not necessarily represent FTI Consulting’s positions, strategies or opinions.

    Welcome back to the most unpredictable show on earth! After navigating the chaos of vendor vetting, it’s time to dive into the next act of our Third-Party Risk Management circus: risk assessments, or as I like to call them, “The Art of Guessing.”

    Ah, risk assessments—those magical documents that are supposed to predict the future and protect your business from every possible catastrophe. If only it were that simple. The reality? Conducting a risk assessment is like trying to forecast the weather with a crystal ball you bought at a garage sale. Sure, you can make some educated guesses, but more often than not, you’re just crossing your fingers and hoping you’re not about to walk into a hurricane.

    The Crystal Ball Conundrum

    Let’s start with the basics: the risk assessment. In theory, it’s a comprehensive analysis of all the potential risks a vendor might pose to your business. In practice, it’s more like a game of darts where the bullseye is constantly moving, the lights are flickering, and someone just spun you around blindfolded.

    The first problem? Unknown Unknowns. That’s right, there are risks you know, risks you don’t know, and then there are those pesky unknown unknowns—the risks you don’t even know you don’t know. And how exactly are you supposed to assess those? Spoiler: you can’t. But don’t worry, you can always put down “mitigate with best practices” in your report and hope for the best.

    The Checkbox Illusion

    Next up in this farce is the illusion that more questions equal better assessments. Some companies think that if they ask enough questions, they’ll somehow cover all the bases. So, they create these monstrous questionnaires with 500 questions about everything from the vendor’s last security breach to their favorite ice cream flavor. But here’s the kicker: asking more questions doesn’t necessarily lead to better insights—it just leads to more paper (or pixels) to shuffle around.

    What’s more, these questions are often so broad or so specific that they miss the point entirely. It’s like asking a tightrope walker how many hours they’ve slept rather than whether they’ve practiced walking the tightrope blindfolded over a pit of alligators. One might be important for general performance, but the other could be critical for survival.

    The Guessing Game

    Now let’s talk about the Guessing Game—because that’s really what a lot of risk assessments boil down to. Sure, you can analyze past data, trends, and industry reports, but when it comes to predicting how a vendor’s performance (or lack thereof) will impact your business, you’re essentially making an educated guess.

    Will that vendor you’ve been eyeing survive the next economic downturn? Who knows! Will they manage to avoid the latest cybersecurity threats? Your guess is as good as mine! But, of course, in the risk assessment, you’ll phrase it as “the likelihood of significant operational disruption is low” and move on, praying that your optimistic guess doesn’t come back to haunt you.

    The Dance of Prioritization

    But wait, there’s more! Once you’ve gathered all this data (or guesses, as the case may be), you then have to prioritize the risks. This is where the dance of prioritization comes into play—a delicate waltz where you decide which risks to address now and which ones to kick down the road. It’s a bit like triage in an ER, but instead of doctors, you have risk managers, and instead of patients, you have potential disasters waiting to happen.

    The real kicker? Sometimes the most obvious risks are the ones that get ignored because they seem too big, too vague, or too improbable to deal with right now. It’s like spotting a lion in the tent and deciding to deal with it later because you’re too busy untangling the trapeze ropes. Prioritization is crucial, but it’s also where a lot of businesses stumble, focusing on the small, manageable risks while the big ones loom large and unaddressed.

    The Punchline: Why It Matters

    Here’s the punchline: risk assessments are vital, but they’re also imperfect. They’re an art, not a science—an art that requires skill, intuition, and a healthy dose of skepticism. You need to approach them with the understanding that you’re not going to get everything right, but you have to get enough right to protect your business from the most likely and most damaging risks.

    In my next post, I’ll move from the art of guessing to the reality of managing those risks day-to-day. Because while guessing might get you through the risk assessment phase, it’s solid, ongoing management that keeps the circus from burning down.

    So, grab your popcorn and stay tuned for “The Honeymoon is Over: Managing Vendor Relationships After the Deal,” where I’ll explore what happens after you’ve taken the leap and how to keep those vendor relationships from becoming a horror show. Until then, remember: in the world of TPRM, guessing is part of the game, but it’s how you manage the aftermath that really counts.

    See you next time!

    Related Tags

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You May Also Like