Is there a documented risk appetite for third-party risk (e.g. acceptable concentration, residual risk thresholds)?
Description
What this control does
This control requires the organization to formally define and document acceptable risk thresholds for third-party relationships. It establishes measurable limits such as maximum vendor concentration (percentage of critical vendors in a single industry or geography), residual risk scores that require executive escalation, and aggregate exposure ceilings. Without documented appetite, vendor selection and monitoring decisions become arbitrary, inconsistent across business units, and may accumulate systemic risk. The documented appetite should align with the organization's overall risk tolerance and guide vendor onboarding, ongoing assessments, and offboarding decisions.
Control objective
What auditing this proves
Demonstrate that the organization has formally documented, approved, and operationalized risk appetite statements specific to third-party relationships, including quantitative thresholds for concentration, residual risk acceptance, and aggregate exposure.
Associated risks
Risks this control addresses
- Single-vendor concentration creates catastrophic business continuity exposure if that vendor suffers an outage, bankruptcy, or security incident
- Accumulation of high-residual-risk vendors without executive oversight leads to systemic organizational risk exceeding board-approved tolerance
- Geographic or regulatory concentration exposes the organization to correlated failures from regional events, sanctions, or regulatory changes
- Inconsistent risk acceptance decisions across business units result in vendors with unacceptable risk profiles gaining access to critical systems
- Lack of quantitative thresholds prevents early warning when aggregate third-party risk approaches unacceptable levels
- Absence of documented appetite enables individual procurement decisions to override organizational risk strategy
- Undefined residual risk thresholds create liability exposure when incidents occur at vendors whose risk level leadership never formally approved
Testing procedure
How an auditor verifies this control
- Request the organization's formal third-party risk appetite statement or policy document from senior risk management or third-party governance teams
- Verify the document includes quantitative thresholds such as the maximum percentage of critical services sourced from a single vendor, maximum concentration by geography or industry, and numeric residual risk scores that trigger escalation
- Obtain board or executive committee meeting minutes demonstrating formal approval of the risk appetite statement within the past 12-24 months
- Review the vendor inventory or third-party risk register to identify current concentration metrics (e.g., count of critical vendors, geographic distribution, industry clustering)
- Compare current vendor concentration data against documented appetite thresholds to verify the organization is operating within stated limits
- Select a sample of 5-8 vendor risk assessments completed in the past 12 months and verify residual risk scores were evaluated against documented thresholds
- Trace at least two instances where vendors exceeded risk appetite thresholds to verify escalation occurred per policy and decisions were documented by appropriate authority level
- Interview third-party risk management personnel to confirm they actively use the risk appetite statement in vendor selection, ongoing monitoring, and remediation prioritization decisions
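The concentration comparison and residual-score escalation checks above can be run mechanically over a vendor register. The following is an added example, not part of the control text or any organization's actual appetite statement: the register entries, field names, and threshold values are all constructed assumptions.

```python
from collections import Counter

# Constructed sample third-party register (illustrative values only).
# critical_services = number of critical services the vendor delivers.
VENDORS = [
    {"name": "CloudA", "critical": True,  "geo": "US", "industry": "cloud",     "critical_services": 5, "residual": 18},
    {"name": "CloudB", "critical": True,  "geo": "US", "industry": "cloud",     "critical_services": 2, "residual": 9},
    {"name": "PayCo",  "critical": True,  "geo": "EU", "industry": "payments",  "critical_services": 2, "residual": 14},
    {"name": "HRSaaS", "critical": False, "geo": "US", "industry": "saas",      "critical_services": 0, "residual": 6},
    {"name": "Logix",  "critical": True,  "geo": "US", "industry": "logistics", "critical_services": 1, "residual": 12},
]

# Hypothetical appetite thresholds; a real statement supplies its own numbers.
APPETITE = {
    "max_single_vendor_share": 0.30,  # share of critical services from one vendor
    "max_geo_share": 0.80,            # share of critical vendors in one geography
    "max_industry_share": 0.40,       # share of critical vendors in one industry
    "residual_escalation": 15,        # residual score at/above which executives must sign off
}

def concentration(vendors):
    """Shares by vendor (of critical services), geography and industry (of critical vendors)."""
    crit = [v for v in vendors if v["critical"]]
    if not crit:  # nothing critical: no concentration to measure
        return {"vendor": {}, "geo": {}, "industry": {}}
    total_services = sum(v["critical_services"] for v in crit)
    n = len(crit)
    return {
        "vendor": {v["name"]: v["critical_services"] / total_services for v in crit},
        "geo": {k: c / n for k, c in Counter(v["geo"] for v in crit).items()},
        "industry": {k: c / n for k, c in Counter(v["industry"] for v in crit).items()},
    }

def appetite_breaches(vendors, appetite):
    """(dimension, key, share, limit) for every share that exceeds its appetite ceiling."""
    shares = concentration(vendors)
    limits = {"vendor": appetite["max_single_vendor_share"],
              "geo": appetite["max_geo_share"],
              "industry": appetite["max_industry_share"]}
    return [(dim, key, round(share, 2), limits[dim])
            for dim in limits
            for key, share in shares[dim].items()
            if share > limits[dim]]

def escalation_required(vendors, appetite):
    """Vendors whose residual score meets the executive escalation threshold."""
    return sorted(v["name"] for v in vendors if v["residual"] >= appetite["residual_escalation"])

if __name__ == "__main__":
    for dim, key, share, limit in appetite_breaches(VENDORS, APPETITE):
        print(f"BREACH {dim}={key}: share {share:.0%} exceeds appetite {limit:.0%}")
    print("executive sign-off required:", escalation_required(VENDORS, APPETITE))
```

Each breach row maps directly to an escalation record the auditor should expect to find under the tracing step of the testing procedure.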