
Risk Analysis Template Outsourcing en

The document analyzes risks associated with outsourcing for a financial institution. It identifies 10 key risks, including vendor lock-in, lack of resources to manage contracts, concentration with single vendors, service providers ceasing operations, compliance, inadequate performance, data location laws, separation of environments, data access verification, and cyberattacks. Each risk is assessed based on its likelihood, potential impact, initial risk level, and steps to mitigate residual risk. The risks with the highest initial levels include vendor lock-in and service providers ceasing operations.

Uploaded by

Angu-NL

Name financial institute:

| Nr. | Risks | Remarks | Analysis | Likelihood | Impact | Risk | Risk mitigation adjustments | Residual risk |
|---|---|---|---|---|---|---|---|---|
| 1 | Vendor lock-in | It may be complex or even impossible to transfer to a competitor, for example due to technical constraints, a lack of competitors, or the current service provider's inability or unwillingness to assist in the transitioning. | | almost certainly | very large | very high | | middle |
| 2 | A lack of resources needed to manage acquisitions or existing outsourcing contracts | An institution needs resources (i.e. know-how and staff) to select and monitor suppliers. The latter issue concerns a service provider's performance, as well as internal control, IT risk controls and security. A lack of resources means that outsourcing is not managed or is insufficiently managed, potentially exposing the institution to unwanted risks that are not detected or addressed. | | very unlikely | moderate | low | | very low |
| 3 | Concentration | If a single service provider supplies multiple outsourcing solutions, the total impact of possible failure could increase with each additional activity outsourced to the service provider. | | | | #N/A | | |
| 4 | Service provider ceases operations | Data, systems and services may immediately become unavailable as soon as a service provider ceases operations. The institution's day-to-day operations may be disrupted and it may be difficult or impossible to retrieve data. | | | | #N/A | | |
| 5 | Compliance with legal and regulatory requirements | An institution remains responsible at all times for the outsourced activities and needs to make sure the third party and subcontractor comply with applicable law and regulation. | | | | #N/A | | |
| 6 | Inadequate performance / results | A service provider fails to meet the quality standards or observe agreements made, even if the required service level is attained in quantitative terms. Alternatively, the service provider meets the quality standards but fails to meet the required service level in quantitative terms. Or worse: the service provider fails to meet both the quality standards and the service level. E.g. service level agreements, assurance reports, audit reports. | | | | #N/A | | |
| 7 | Geographical data location | Data are governed by the laws of the jurisdiction in which they are stored or through which they are transmitted. Locally applicable laws may differ from Dutch legislation, giving rise to risks related to confidentiality requirements. | | | | #N/A | | |
| 8 | Separation of environments | Failure of facilities ensuring the separation of storage, memory and routing, which could have an impact on the reputations of the various tenants of shared infrastructure. | | very unlikely | | #N/A | | |
| 9 | Data access | It may be impossible to verify whether a service provider deals with data in accordance with statutory requirements. This includes compliance with rules about encryption standards, key management, the four-eyes principle, authentication, etc. | | very unlikely | | #N/A | | |
| 10 | Cyberattacks | All risks related to cyberattacks, such as DDoS attacks, data interception or leakage, social engineering, unauthorised access, the unauthorised obtaining of rights, and ransomware. | | very unlikely | | #N/A | | high |

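Specific to your organisation / contract

| Nr. | Subject | Explanation | Analysis | Likelihood | Impact | Risk | Measures | Residual risk |
|---|---|---|---|---|---|---|---|---|
| 1 | | | | very unlikely | very small | very low | | very low |
| 2 | | | | | | #N/A | | |
| 3 | | | | | | #N/A | | |
| 4 | | | | | | #N/A | | |
| 5 | | | | | | #N/A | | |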

| Likelihood \ Impact | very small | small | moderate | large | very large | |
|---|---|---|---|---|---|---|
| almost certainly | middle | high | high | very high | very high | 5 |
| probably | middle | middle | high | high | very high | 4 |
| possible | low | middle | middle | high | high | 3 |
| unlikely | low | low | middle | middle | middle | 2 |
| very unlikely | very low | low | low | middle | middle | 1 |

Residual risk: very low, low, middle, high, very high
1 2 3 4 5

| Likelihood | Explanation |
|---|---|
| almost certainly | Almost certain that the risk will occur in the coming year (99%) |
| probably | The risk is likely to occur in the coming year (75%) |
| possible | The risk may occur in the next three years (50%) |
| unlikely | The risk is unlikely to occur in the next five years (20%) |
| very unlikely | Very unlikely that the risk will occur in the next twenty years (5%) |

| Impact | Explanation |
|---|---|
| very small | Very small financial damage, impact on reputation or achievement of objectives is very small |
| small | Small financial damage, limited impact on reputation or achievement of objectives |
| moderate | Moderate financial damage, moderate impact on reputation or achievement of objectives |
| large | Large financial damage, large impact on reputation or achievement of objectives |
| very large | Very large financial damage, very large impact on reputation or achievement of objectives |
