Third Party Engagements Risk Assessment Scoring

This topic explains third party risk assessment scoring.

On this page

Financial viability ratings

Financial viability is defined as the risk of the third party as an on-going concern. The Financial Viability Risk rating can be manually rated (High, Medium High, Medium, Medium Low, Low, None) or derived from a composite of 6 financial ratios calculated from a simple income statement and balance sheet. If the third party receives 10% or more of its revenue from 1 customer, the Financial Viability Risk rating is set to High.

Otherwise, the Financial Viability Risk rating is based on the average numeric scale across the 6 financial ratios as in the following table.

Financial Viability Risk Rating

Average Numeric Scale

High

>= 4.5

Medium High

>= 3.375

Medium

>= 2.625

Medium Low

>= 1.5

Low

< 1.5

Input examples

The following tables show an example of inputs for income statements, balance sheets for assets and liabilities, and financial ratios.

Income Statement

The following table provides an income statement example.

Income/Expense Category

Dollar Amount

Net Revenue

3,129,600.00

Cost of Goods Sold

-62,990.00

Gross Profit

3,066,610.00

Operating Expenses

-1,530,233.00

Operating Income

1,536,377.00

Net Income

1,536,237.00

Balance sheet: assets

The following table provides an balance sheet example for assets.

Assets

Dollar Amount

Cash

100,000.00

Accounts Receivable

24,000.00

Inventory

12,500.00

Other Current Assets

4,250.00

Current Assets

140,750.00

Investments

3,500,000.00

Goodwill

5,000,000.00

Plant, Property, and Equipment

20,000,000.00

Other Long-term Assets

1,000,000.00

Long-term Assets

29,500,000.00

Total Assets

29,640,750.00

Balance sheet: liabilities

The following table provides an balance sheet example for liabilities.

Liabilities

Dollar Amount

Short-term Debt

1,800,000.00

Customer Advances

300,000.00

Accounts Payable

290,000.00

Accrued Liabilities

160,000.00

Interest Payable

30,000.00

Dividends Payable

80,000.00

Current Liabilities

2,660,000.00

Lon-term Debt

5,000,000.00

Total Liabilities

7,660,000.00

Equity

21,980,750.00

Total Liabilities and Shareholder Equity

29,640,750.00

Note: If the Total Assets do not equal Total Liabilities plus Shareholder Equity, the Overall Financial Risk rating defaults to a Not Rated status. A Not Rated status is equivalent to a High Risk rating.

Financial ratios

The following table provides a financial ratios example.

Numeric Scale of Risk

5

4

3

2

1

Category

Ratios

H

MH

M

ML

L

Net Profit Margin

49.09%

< 0

< 5%

< 10%

< 15%

> 15%

Return on Assets

5.18%

< 0

< 5%

< 10%

< 15%

> 15%

Return on Equity

6.99%

< 0

> 3%

> 6%

> 9%

> 12%

Goodwill to Assets

16.87%

> 50%

> 25%

> 10%

> 5%

< 5%

Current Ratio

5.29%

< 5%

< 8%

< 12%

< 15%

> 15%

Debt to Equity Ratio

0.35%

> 1

> .75%

> .5%

> .25%

< .25%

Overall Financial Risk*

3

 

 

 

 

 

*Overall Financial Risk is the average of the risk score on these 6 ratios.

Financial viability residual risk assessment

The following table lists the financial viability residual risk assessment question.

Application

Field Name

Question Text

Values (numeric_value)

Third Party Financial Viability Assessments

Percentage of Revenue Impact

Does any 1 customer represent more than 10% of Revenue?

Yes ; No

Engagement risk ratings

The Archer Third Party Engagement use case accommodates for seven risk categories to provide your organization with a broadened perspective of the overall risk a third party or engagement presents.

The following table describes the risk categories.

Risk Category

Description

Compliance / Litigation Risk

Assesses the risk involved if a third party engagement violates laws or regulation or introduces litigation risk from product or general liability claims.

ESG Risk

Assesses the potential environmental, social, and governance impact associated with the delivery of an engagement.

Financial Risk

Determines risk introduced by an engagement through credit, market, or liquidity risk, or as a result of theft.

Information Security Risk

Assesses the amount of risk associated with the compromise or theft of customer, employee, partner information, or company intellectual property.

Reputation Risk

Generally a function of all the other risk categories, the Reputation Risk Assessment is a subjective assessment of an engagement and the other risks it introduces.

Resiliency Risk

Evaluates the risk to your organization resulting from the interruption or failure of a third party to deliver an engagement.

Strategic Risk

Evaluates the strategic importance of a third party engagement to your organization and the effectiveness of that third party in fulfilling your strategic expectations.

Each engagement-level risk assessment includes an assessment of inherent and residual risk by risk category. The overall inherent and residual risk of an engagement is determined based on the maximum value across all of engagement risk assessment categories. Risk assessments roll up to the sub-subsidiary, subsidiary, and overall third party parent company level across all third party engagements.

Assessment of Third Party Financial Viability, and both inherent and residual Reputation and Strategic Risk is performed by the customer. The inherent risk assessments of Compliance-Litigation Risk, Information Security Risk, Resiliency Risk, and ESG Risk are completed by the customer. If you have the Archer Third Party Risk Management use case licensed, the Engagement Risk Assessment questionnaire that is used to score the residual risk of each of these risk categories is automatically populated with questions for each risk category if the inherent risk score of the category is Medium-High or greater. This default can be manually overridden to suppress or force the generation of each risk category section of the third party questionnaire.

Compliance litigation risk ratings

Compliance and Litigation risk is the risk of fines, sanctions, or litigation originating from any source including professional liability, shareholder suits, and employee and general liability claims.

Compliance and Litigation Risk is assessed on an Inherent and Residual basis using a 5 point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

The Compliance and Litigation Inherent Risk rating (IR) can be assigned manually or is derived from the above inherent risk questions completed by the assessor. IR = the maximum value answered on any of the inherent risk-related questions.

The Compliance and Litigation Residual Risk rating (RR) can be assigned manually or is based on answers supplied by the third party in the Engagement Risk Assessment questionnaire.

The percentage of questions answered correctly are factored into the rating as in the following table.

Percentage of Questions Answered Correctly

Risk Rating

>= 92%

Low

>= 84%

IR - 3

>=76%

IR - 2

>= 68%

IR -1

< 68%

IR

The Residual Risk rating can never be less than 1 (Low).

Inherent compliance and litigation risk

The following table lists inherent compliance and litigation risk questions.

Application

Field Name

Question Text

Values (numeric_value)

Engagements

Compliance/Litigation Q1

Could errors and accidents, poor quality, fraud, or bribery associated with the delivery of this engagement by the third party in any way introduce the possibility of customer, counterpart, employee, or regulatory litigation, fines, or sanctions?

Yes; No

Engagements

Compliance/Litigation Q2

Value of explicit or implied contractual obligations to customers and third parties that would have to be fulfilled in the event of errors and accidents, poor quality, or fraud in the delivery of this engagement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Compliance/Litigation Q3

​Potential impact of regulatory responses, including fines and sanctions, if errors and accidents, poor quality, or fraud  arose in the delivery of this engagement by the third party.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Compliance/Litigation Q4

​Inherent risk, including regulatory response, related to third party corrupt practices.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Compliance/Litigation Q5

​Potential impact on Health, Safety, and Welfare of employees if errors and accidents, poor quality, or fraud  arose in the delivery of this engagement by the third party.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Compliance/Litigation Q6

​Potential impact on the Health, Safety, and Welfare of customers and unaffiliated third parties if errors and accidents, poor quality, or fraud  arose in the delivery of this engagement by the third party.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Compliance/Litigation Q7

​Reputation risk that would be introduced should errors and accidents, poor quality, or fraud  arise in the delivery of this engagement by the third party.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Residual compliance and litigation risk assessment

The following table lists residual compliance and litigation risk assessment questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Engagement Risk Assessments

COM-00001

Do you have more than fifty customers receiving this kind of engagement?

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00002

​Do you have quality control procedures in place to ensure that this engagement is delivered with a level of quality required by the contract?  If Yes, please attach description.

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00003

​Do you have procedures in place to ensure that the design and delivery of this engagement complies with all applicable laws and regulations?  If Yes, please attach description.

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00004

​Do you have an internal audit function that periodically reviews the processes, controls, and compliance around the delivery of this engagement type?

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00005

​Do you have a third-party assessment and/or certification related to the delivery of this engagement type (such as SSAE16)? If yes, please attach description?

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00006

​Have you received fines or sanctions from any governmental entity or regulatory body in the past year related to the delivery of this type of engagement?  If yes, please attach description.

Yes (0); No (1); N/A (1)

No; N/A

Engagement Risk Assessments

COM-00007

Have you experienced litigation claims over the past year related to the delivery of this kind of engagement?  If yes, please attach description.

Yes (0); No (1); N/A (1)

No; N/A

Engagement Risk Assessments

COM-00008

​Do you have suppliers or subcontractors that are key to the delivery of this engagement? If Yes, please attach list containing the names and description of these service providers.

Yes (0); No (1); N/A (1)

No; N/A

Engagement Risk Assessments

COM-00009

​If you have suppliers or subcontractors that are key to the delivery of this engagement, do you have procedures in place to evaluate that your suppliers are fulfilling their obligations to provide quality inputs and that the design and delivery of those inputs comply with all applicable laws and regulations?  If Yes, attach description.

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00010

​Do you or your suppliers operate in any countries that are considered to be at higher risk for corruption and bribery?

Yes (0); No (1); N/A (1)

No; N/A

Engagement Risk Assessments

COM-00011

​Have you explicitly designated a manager that is responsible for anti-corruption and anti-bribery?

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00012

​Do you have formal policies, practices, and procedures in place designed to prevent fraud and corruption?

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00013

​Are employees required to formally acknowledge the expected code of conduct including those related to anti-fraud and corruption?

Yes (1); No (0); N/A (1)

Yes; N/A

Engagement Risk Assessments

COM-00014

​Have you received fines or sanctions from any governmental entity or regulatory body in the past year related to allegations of fraud, corruption or bribery? If Yes, attach description.

Yes (0); No (1); N/A (1)

No; N/A

Financial risk ratings

Financial risk is defined as: risk associated with credit, liquidity, market, and foreign exchange risk that could be introduced by the third party and/or fraud or theft of company or customer assets stored, managed or processed by the third party.

Financial Risk is assessed on an Inherent and Residual basis using a 5 point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

The Financial Inherent Risk rating (IR) can be assigned manually or is derived from the above inherent risk questions completed by the assessor. IR = the Maximum value answered on any of the inherent risk questions.

The Financial Residual Risk rating (RR) can be assigned manually or is based on answers provided by the assessor to the Residual Risk Assessment questions. It is scored as follows:

  • If IR = Low, then RR = Low

    otherwise

  • RR = The amount of financial-related risk retained by the third party after considering contractual obligations and indemnifications (Q9), adjusted downward based on the percentage of risk mitigated by risk transfer (i.e. insurance) and the third party’s financial capacity to cover the risk (Q10)

If the third party does not have an adequate business continuity program (Q11) or does not have adequate processing procedures and controls in place (Q12), then the RR rating is not adjusted further. If they do, the RR rating is reduced 1 point.

The RR rating can never be less than 1 (Low)

Inherent financial risk assessment

The following table lists inherent financial risk assessment questions.

Application

Field Name

Question Text

Values (numeric_value)

Engagements

Financial Q1

Does this engagement in any way introduce credit, interest rate, price, foreign exchange, or liquidity risk, or involve the deposit of monies with or processing of monies by the third party?

Yes; No

Engagements

Financial Q2

Rate the credit and non-traditional credit risk introduced through this engagement by way of financial settlement timing differences, or current and future liabilities imposed upon the third party through this engagement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Engagements

Financial Q3

Rate the Interest Rate risk introduced by way of this engagement such as securities trading errors or delays in settlement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Engagements

Financial Q4

Rate the Price risk introduced by way of this engagement such as through equity securities trading errors or delays in settlement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Engagements

Financial Q5

Rate the Foreign Exchange risk introduced by way of this engagement such as through currency risk on foreign assets and cross border financial settlements.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Engagements

Financial Q6

Rate the Liquidity risk introduced by way of this engagement due to the inability of the third party to settle an obligation due to the failure of the third party or failure of its downstream counterparties.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Engagements

Financial Q7

Rate the value of assets on deposit with or under the control of the third party through this engagement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Engagements

Financial Q8

Rate the reputation risk introduced should the financial risks arise.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); Not Applicable (0)

Residual financial risk assessment

The following table lists residual financial risk assessment questions.

Application

Field Name

Question Text

Values (numeric_value)

Engagements

Financial Q9

​How much financial-related risk does the Third Party retain after considering the contractual obligations and indemnifications  around this engagement?

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Financial Q10

Considering the third party's financial wherewithal (based on a review of their financial statements) and evaluation of evidence of any risk transfer (insurance) provided by the third party, how much of the financial-related risk can the third party cover?

0% (0); 25% (0.25); 50% (0.5); 75% (0.75); 100% (1)

Engagements

Financial Q11

​Is the business continuity program around this engagement adequate to prevent a material interruption in service that would introduce financial risk?

Yes ; No ; Not Applicable

Engagements

Financial Q12

​Are the processing procedures and controls around this engagement (such as may be evidenced through a service provider audit) adequate to prevent a material incident that would introduce financial risk?

Yes ; No ; Not Applicable

Information security risk ratings

Information Security Risk is assessed on an Inherent and Residual basis using a 5 point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

The Information Security Inherent Risk rating (IR) can be assigned manually or derived from the above inherent risk questions completed by the assessor and is calculated as follows:

  • If the third party has no access to customer, employee, partner, or company information through the engagement, then IR = Low

    otherwise

  • IR = Maximum Value of the answer to Information Security questions Q4, Q5, Q6, Q7, Q8, and Q9. These questions establish the quantity or value of customer, employee, partner, and company information that is accessible by the third party through the engagement.

The Information Security Residual Risk rating (RR) can be assigned manually or based on answers supplied by the third party in the Engagement Risk Assessment questionnaire.

The percentage of questions answered correctly are factored into the rating as in the following table.

Percentage of Questions Answered Correctly

Risk Rating

>= 92%

Low

>= 84%

IR - 3

>=76%

IR - 2

>= 68%

IR -1

< 68%

IR

The Residual Risk rating can never be less than 1 (Low).

Inherent information security risk assessment

The following table lists inherent information security risk assessment questions.

Application

Field Name

Question Text

Numeric Value (numeric_value)

Engagements

Information Security Q1

Means by which third party has access to customer, employee, partner information or company intellectual property through this engagement.

Intentionally Shared; Incidental Access; No Access

Engagements

Information Security Q2

Third Party access to information through this engagement.

Electronic; Physical; Electronic and Physical

Engagements

Information Security Q3

Means by which third party's service providers have access to customer, employee, partner information or company intellectual property through this engagement.

Intentionally Shared; Incidental Access;
No Access

Engagements

Information Security Q4

Number of customer records containing Non-public personal information that third party has access to through this engagement.

>10,000 (5); <10,000 (4); <7,500 (3); <5,000 (2); <2,500 (1); None (0)

Engagements

Information Security Q5

Number of protected customer health records third party has access to through this engagement.

>100 (5); <100 (4); <75 (3); <50 (2); <25 (1); None (0)

Engagements

Information Security Q6

Financial value of company or customer assets managed through this engagement that could be diverted, stolen, or taken over in the event of an information security breach.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Information Security Q7

​Importance and confidentiality of employee information that the third party has access to through this engagement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Information Security Q8

Importance and confidentiality of partner information that third party has access to through this engagement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Engagements

Information Security Q9

Value of intellectual property that third party has access to through this engagement.

High (5); Medium High (4); Medium (3); Medium Low (2); Low (1); None (0)

Reputation risk rating

Reputation risk is defined as the loss of existing business or future opportunities resulting from unwanted disclosure of business activities and risk events arising from the delivery or non-delivery of a third party engagement.

Inherent and Residual Reputation Risk is manually assessed using a 5-point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

Inherent reputation risk assessment

The following table lists the inherent reputation risk assessment question.

Application

Field Name

Question Text

Values (numeric_value)

Correct Value

Engagements

Overall Inherent Reputation Risk

NULL

High ; Medium High ; Medium ; Medium Low ; Low ; None

NULL

Residual reputation risk assessment

The following table lists the residual reputation risk assessment question.

Application

Field Name

Question Text

Values (numeric_value)

Correct Value

Engagements

Overall Residual Reputation Risk

NULL

High ; Medium High ; Medium ; Medium Low ; Low ; None

NULL

Resiliency risk rating

Resiliency Risk is assessed on an Inherent and Residual basis using a 5 point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

Inherent Resiliency Risk can be manually rated or automatically derive its value by interrogating the Criticality Ratings of the Business Processes supported by the third party engagement. The IR rating will be based on the maximum criticality rating across all of the Business Processes supported by the third party engagement. For organizations that utilize the Archer Business Impact Analysis use case, Business Process criticality is determined through the completion of a Business Impact Analysis. Organizations that do not utilize the Archer Business Impact Analysis use case can manually set the value of Inherent Resiliency Risk associated with the processes supported by the engagement.

The Resiliency Residual Risk rating (RR) can be manually assigned or calculated based on answers supplied by the third party in the Engagement Risk Assessment questionnaire as follows:

  • If there are outstanding un-remediated issues from the third party’s last review or test of their own business continuity plans supporting the engagement or associated with their critical service providers reviews and tests (Residual Risk Q12 & 13), then RR = IR.
  • Otherwise, the percentage of questions answered correctly are factored into the rating as follows.
  • The following table describes how the Risk Rating is calculated.

    Percentage of Questions Answered Correctly

    Risk Rating

    >= 92%

    Low

    >= 84%

    IR - 3

    >=76%

    IR - 2

    >= 68%

    IR -1

    < 68%

    IR

    The Residual Risk rating can never be less than 1 (Low).

Inherent resiliency risk assessment

The following table lists the inherent resiliency risk assessment question.

Application

Field Name

Question Text

Values (numeric_value)

Correct Values

Engagements

Resiliency Inherent Risk Rating

Inherent Resiliency Risk can be manually rated or you can automatically derive its value by interrogating the Criticality Ratings of the Business Process(es) supported by the third party engagement. For organizations that utilize the Archer Business Impact Analysis use case, Business Process criticality is determined through the completion of a Business Impact Analysis. Organizations that do not utilize the Archer Business Impact Analysis use case can manually set the value on Inherent Resiliency Risk associated with the processes supported by the engagement.

 

 

Strategic risk rating

Strategic risk is defined as risk a third party engagement poses an strategic objectives of an organization.

Strategic Risk is assessed on an Inherent and Residual basis using a 5 point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

The Strategic Inherent Risk rating (IR) can be manually assigned or derived from the above inherent risk questions completed by the assessor and is calculated based on the strategic importance of the engagement in supporting the company’s objectives (Q1), decremented by 1 value if the engagement type being delivered by the third party is of medium-low or low uniqueness in the market (Q2).

The Strategic Residual Risk rating (RR) can be manually assigned or derived from the above residual risk questions completed by the assessor as follows:

  • IF MIN VALUE (Q1 through Q11) = Excellent THEN RR = IR - 3
  • IF MIN VALUE (Q1 through Q11) = Good THEN RR = IR - 2
  • IF MIN VALUE (Q1 through Q11) = Average THEN RR = IR - 1
  • ELSE RR = IR

    RR can never be less than 1 (a.k.a. Low)

Note: Responses to strategic risk questions included in the Engagement Risk Assessment Questionnaire should be evaluated as part of the strategic risk rating process. These questionnaire responses are not included directly in the calculation of inherent and residual risk.

The following table lists inherent strategic risk assessment questions.

Application

Field Name

Question Text

Values (numeric_value)

Engagements

Strategic Inherent Q1

​Strategic importance of this engagement to supporting the Company's objectives?

High ; Medium High ; Medium ; Medium Low ; Low ; None

Engagements

Strategic Inherent Q2

​Uniqueness of this engagement type within the market?

High ; Medium High ; Medium ; Medium Low ; Low

Residual strategic risk assessment

The following table lists residual strategic risk assessment questions.

Application

Field Name

Question Text

Values (numeric_value)

Engagements

Strategic Residual Q1

​Adequacy of competitive innovation related to this engagement?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q2

​Degree to which the capabilities of this engagement remain consistent with the objectives of the company?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q3

​Quality of this engagement over the past 12 months?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q4

​Volume of incidents related with this engagement / Adequacy of third party incident management over the past 12 months?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q5

​Technical competence of third party related to this engagement?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q6

​General attention of third party and responsiveness to questions and problems related to this engagement?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q7

​Price competitiveness related to this
engagement?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q8

​Effectiveness of cost reducing initiatives?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q9

​Overall speed of delivery of this engagement over the past 12 months?

Excellent (5); Good (4); Average (3); Fair (2); Poor (1)

Engagements

Strategic Residual Q10

​Capacity of third party to respond to short-term and long-term increases in demand should they arise (capacity and logistically)?

Excellent (5); Good (4);
Average (3);
Fair (2); Poor (1)

Engagements

Strategic Residual Q11

​Understanding and management of strategic supply chain risk?

Excellent (5); Good (4); Average (3); Fair (2); Poor (1)

ESG risk rating

ESG risk refers to any environmental, social, or governance risk associated with the third party engagement.

ESG risk is assessed on an Inherent and Residual basis using a 5 point scale, where 1 = Low and 5 = High. The 5 point scale is represented as High (H) Red, Medium-High (MH) Orange, Medium (M) Yellow, Medium-Low (ML) Blue, and Low (L) Green.

The ESG Inherent risk rating (IR) can be manually assigned or derived from the inherent risk questions completed by the assessor.

The ESG Residual risk rating (RR) can be manually assigned or derived from the below residual risk questions completed by the third party and is calculated as in the following table.

Percentage of Questions Answered Correctly

ESG Residual Risk Rating

100%

Low

>= 88%

Medium-Low

>=77%

Medium

>= 66%

Medium High

< 68%

High

The Residual Risk rating can never be less than 1 (Low).

Inherent ESG risk assessment

The following table lists inherent ESG risk assessment questions.

Application

Field Name

Question Text

Value (numeric_value)

Correct Values

Engagements

ESG Q1

​Is the manufacturing and delivery of this engagement done so in an environmentally sustainable manner?

Yes (1) ; No (0)

Yes

Engagements

ESG Q2

Have you received any regulatory citations, fines, or sanctions in the last 24 months related to environmental issues? Please describe violations and status of remediation activities.

Yes (0); No (1)

No

Engagements

ESG Q3

Are there any entities in your supply chain related to the delivery of this engagement that you believe have a significant inherent environmental risk from the consumption of natural resources or through the generation of residual pollutants? If so, attach a list of the names and description of the purpose of each of these entities. ​

Yes (0); No (1)

No

Engagements

ESG Q4

Have you or any of the entities in your supply chain received any regulatory citations, fines, or sanctions in the last 24 months related to human trafficking, forced or child labor? If so, please describe violations and status of remediation activities.

Yes (0); No (1)

No

Subcontractor Governance Rating

The Subcontractor Governance Rating is a measure of the adequacy of a third party's governance of its supply chain risk. It does not reflect the amount of inherent and residual risk associated with any specific subcontractor but provides an indication of how well overall your third party manages their third parties, sub-contractors, and supply chain.

The Subcontractor Governance Rating (SGR) is assessed using a 5 point scale where 1 = Poor (Red); 2 = Fair, 3 = Average (Yellow), 4 = Good (Blue), and 5 = Excellent (Green).

The rating is based on evaluating answers from a subset of the Strategic, Compliance or Litigation, Information Security, Resiliency, and Sustainability question set that specifically relate to subcontractor governance. The more of these questions the third party answers correctly, the higher their Subcontractor Governance Rating. If you have the Archer Third Party Risk Management use case licensed, answers are derived from the most recently completed third party questionnaire and questions are excluded from scoring when they are not asked as a result of the risk category not being applicable or the risk category’s inherent risk not being sufficiently high to trigger the questionnaire for that category.

The Subcontractor Governance Rating is derived from the question set as in the following table.

Percentage of Questions Answered Correctly

Governance Rating

>= 92%

Excellent

>= 84%

Good

>=76%

Average

>= 68%

Fair

< 68%

Poor

Note: It is possible for a third party to have a Subcontractor Governance Rating without the third party disclosing any significant third and subcontractor dependencies. The Subcontractor Governance Rating of a third party is particularly relevant when they have disclosed significant third and subcontractor dependencies. The Subcontractor Governance Ratings of a third party should be taken into account when evaluating each subcontractor risk across the entire population of third parties supplying engagements that are dependent on a subcontractor. The better a third party governs their counter party risk, the less residual risk associated with a subcontractor and the less due diligence a customer may have to do to supplement the governance processes around a critical subcontractor. Subcontractor Governance Ratings are reflected for each engagement whereas Subcontractor Risk is reflected on each subcontractor record in the subcontractors application.

Contract review rating

The Third Party Contract Reviews questionnaire measures a contract against a set of standards in order to calculate the overall contract risk. Findings are automatically generated for each Third Party Contract Review question that is answered incorrectly. The criticality of each finding is manually rated, and then the Contract Risk field (in the Contact record) evaluates the criticality rating assigned to all contract review findings and returns the maximum value.

Scope of Service

The following table lists scope of services questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00001

​Does the contract clearly describe the rights and responsibilities of the parties to the contract?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00002

​Does the contract address timeframes and activities for implementation and assignment of responsibility?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00003

​Does the contract address services to be performed by the third party including duties such as software support and maintenance, training of employees or customer service?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00004

​Does the contract address the obligations of the Organization?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00005

​Does the contract address the contracting parties’ rights in modifying existing services performed under the contract?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00006

​Does the contract address the guidelines for adding new or different services and for contract renegotiation?

Yes (0); No (1); N/A (0)

Yes; N/A

Performance standards

The following table lists the performance standards question.

Application

Field Name

Operation Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00007

​Does the contract include performance standards defining minimum service level requirements and remedies for failure to meet the standards in the contract?

Yes (0); No (1); N/A (0)

Yes; N/A

Information security

The following table lists information security questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00008

​Does the contract address the third party’s responsibility for security and confidentiality of the Organization’s resources?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00009

​Does the contract prohibit the third party and its agents from using or disclosing the Organization’s information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to our competitors)?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00010

​Does the contract request that if the third party receives nonpublic personal information regarding the organization’s customers, the third party will assess the applicability of the privacy regulations?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00011

​Does the contract require the third party to immediately report to the organization when material intrusions occur, including the compromise of any information or transaction alteration, related to the organization and its customers, the effect on the organization, and corrective action to respond to the intrusion?

Yes (0); No (1); N/A (0)

Yes; N/A

Reporting

The following table lists the reporting question.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party
Contract Reviews

CON-00021

​Do the contractual terms reflect the frequency and type of reports the organization will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports)?

Yes (0); No (1); N/A (0)

Yes; N/A

Business continuity

The following table lists business continuity questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party
Contract Reviews

CON-00022

​Does the contract address the third party’s responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00023

​Does the contract include specific provisions for business recovery timeframes that meet the organization’s business requirements?

Yes (0); No (1); N/A (0)

Yes; N/A

Subcontractor relationships

The following table lists subcontractor relationships questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00024

​If in the event that the third party sub-contracts with third-parties, does the contract provide for accountability, an agreement, and a designation for the primary contracting third party?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00025

​Does the contract provide a provision specifying that the contracting third party is responsible for the service provided to the organization regardless of which entity is actually conducting the operations?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00026

​Does the contract require the third party to ensure that its subcontractors operate consistent with the obligations of this contract?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00027

​Does the contract provide a provision for notification and approval from organization management regarding changes to the third party’s significant subcontractors?

Yes (0); No (1); N/A (0)

Yes; N/A

Licenses and ownership

The following table lists licenses and ownership questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00030

​Does the contract address ownership and allowable use by the third party of the organization’s data, equipment/hardware, system documentation, system and application software, and other intellectual property rights?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00031

​Has the contract allowed for escrow agreements pertaining to the purchase of software by the organization?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00032

​Do the escrow agreements provide for the following: organization access to source programs under certain conditions (e.g., insolvency of the third party), documentation of programming and systems, and verification of updated source code?

Yes (0); No (1); N/A (0)

Yes; N/A

Contract duration

The following table lists contract duration questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00033

​Does the contract consider the type of technology and current state of the industry when identifying the length of the contract and its renewal periods?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00034

​Does the contract specify the appropriate length of time required to notify the third party of the organization’s intent not to renew the contract prior to expiration?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00035

​Does the contract specify penalties for early termination?

Yes (0); No (1); N/A (0)

Yes; N/A

Dispute resolution

The following table lists the dispute resolution question.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00036

​Does the contract provide a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period?

Yes (0); No (1); N/A (0)

Yes; N/A

Indemnification

The following table lists the indemnification question.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00037

​Does the contract have appropriate hold -harmless indemnification so the organization is not accepting excessive risk in the process of holding the third party and its subcontractors harmless?

Yes (0); No (1); N/A (0)

Yes; N/A

Limitations of liability

The following table lists the limitations of liability question.

Application

Field

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00038

​If the contract has a limitation of liability clause limiting the amount of liability that can be incurred by the third party, does the damage limitation bear an adequate relationship to the amount of loss the organization might reasonably experience as a result of the third party’s failure to perform its obligation?

Yes (0); No (1); N/A (0)

Yes; N/A

Termination

The following table lists termination questions.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00039

​Does the contract provide for flexibility of termination rights?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00040

​Does the contract permit the organization to terminate the contract in a timely manner and without prohibitive expense?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party
Contract Reviews

CON-00041

​Does the contract permit the organization to terminate the contract in a timely manner and without prohibitive expense?

Yes (0); No (1); N/A (0)

Yes; N/A

Third Party Contract Reviews

CON-00042

​Does the contract clearly state any costs associated with transition assistance?

Yes (0); No (1); N/A (0)

Yes; N/A

Contract assignment

The following table lists the contract assignment question.

Application

Field Name

Question Text

Values (numeric _value)

Correct Values

Third Party Contract Reviews

CON-00043

Does the contract contain provisions that prohibit assignment of the contract to a third-party without the organization’s
consent, including changes to subcontractors?

Yes (0); No (1); N/A (0)

Yes; N/A

Subcontractor Risk Ratings

A subcontractor may support 1 or more of a customer's third parties. The overall risk exposure to the subcontractor is based on the aggregate inherent risk across the third parties that rely on the subcontractor, the degree they rely on the contractor, and the adequacy of the third party governance of their supply chain risk. Because of this complexity, subcontractor inherent and residual risk may either be calculated using the included questions or set manually.