Which statement is FALSE regarding the methods of measuring third party risk?
A. Risk can be measured both qualitatively and quantitatively
B. Risk can be quantified by calculating the severity of impact and likelihood of occurrence
C. Assessing risk impact requires an analysis of prior events, frequency of occurrence, and external trends to analyze and predict the potential of a particular event happening
D. Risk likelihood or probability is a critical element in quantifying inherent or residual risk
Statement C is false because assessing risk impact does not require an analysis of prior events, frequency of occurrence, and external trends. These factors are relevant for assessing risk likelihood or probability, not impact. Risk impact is the potential consequence or damage that a risk event may cause to the organization or its stakeholders. Risk impact can be measured qualitatively (e.g., high, medium, low) or quantitatively (e.g., monetary value, percentage of revenue, number of customers affected). To assess risk impact, the organization needs to consider the nature and scope of the risk, the potential harm or loss, and the sensitivity or tolerance of the organization or its stakeholders to the risk.
References:
How to Manage and Measure Third-Party Risk, OneTrust Blog
Third-party risk, Deloitte
Assessing Risks in Third Parties, ERM - Enterprise Risk Management Initiative