Comparing Inherent Risk, Residual Risk, and Profiled Risk

Categorizing Risk for Effective Third-Party Risk Management

Building an effective Third-Party Risk Management (TPRM) program entails dealing with a lot of complexity. Try brainstorming the specific risks that vendors and suppliers present to your business, and you’ll likely end up with a migraine. That’s why it helps to structure your TPRM program around different categories of risk and ensure you have a plan to address each of them.

At the highest level are the two mega categories of “unknown” and “known” risks. Unknown risks are those that stem from external factors, such as hacking from cybercriminals. In this post, I’m going to focus on known risks. These are risks that can be identified through assessments of IT and OT vendors, their security controls, and their operating environments.

Known risks are typically broken out into three primary categories:

1. Profiled Risk

Profiled risk relates to the services that the vendor performs for your organization. A third-party payroll company most likely poses far more risk to your organization than an advertising agency since they have access to far more sensitive information.

2. Inherent Risk

Inherent risk is an existing risk that the vendor poses prior to any remediation efforts taking place. Examples of inherent risk include poor financial posture, bad information security practices, or operational inefficiencies.

3. Residual Risk

Residual risk involves risk that is left over after a vendor has taken adequate remediation actions. It is up to your risk management team to determine whether residual risk is acceptable or unacceptable.

Each type can be evaluated independently or combined to drive more informed, risk-based decisions and actions. Read on for a closer look at each.

Profiled Risk Provides Context for Vendor Assessments

Profiled risk, sometimes referred to as risk classification or stratification, is calculated based on a vendor’s services to your organization and on the environment in which they operate. For instance, your payroll provider will have a higher profiled risk than your advertising agency, since it accesses more sensitive data and is subject to more regulations.

The information required to calculate profiled risk can usually be gathered from internal vendor managers and/or procurement teams. Examples of variables determining profiled risk include:

• Services provided by the vendor
• Types and volume of data handled
• Location (e.g., for geo-political factors)
• Industry (e.g. for compliance factors)

TPRM solutions can help you to automate profiling and other key parts of the vendor onboarding process. They include profiling questionnaires, automate their distribution, and handle the response workflow. With the resulting profiles, you can effectively tier vendors for subsequent inherent risk assessments and determine other due diligence requirements. TPRM solutions should also allow you to manage and update profiles throughout the vendor lifecycle as part a broader vendor performance management strategy.

Don’t make the mistake of skipping the profiled risk step, as it provides critical context for selecting questionnaires for each vendor tier in your third-party ecosystem. Without the context of profiled risk, you’ll inevitably ask the wrong questions, get irrelevant data, and end up with inaccurate inherent risk scores.

Inherent Risk Accounts for a Vendor’s Current Controls

Inherent risk is a vendor’s risk level before accounting for any specific controls required by your organization. Inherent risk builds on profiled risk by incorporating data about a vendor’s current policies and practices around security, privacy, compliance and other risk factors. This is where internal risk assessments come into play. Vendor assessments questionnaires and frameworks include:

• The Shared Assessments Standard Information Gathering Questionnaires (SIG and SIG Lite)
• Industry-standard questionnaires, like that from H-ISAC (Health Information Sharing and Analysis Center)
• Compliance questionnaires like the Prevalent Compliance Framework, which maps to several regulations and industry guidelines

Inherent risk scores should be based on a combination of internal risk assessments and continuous, external threat monitoring.

Given that, if you’re basing inherent risk scores on assessments alone, then you’re only getting a partial view of third-party risk. That’s because assessments are trust-based, meaning that you are relying on information provided by your vendor or supplier. They are also time-dependent, so you are only getting a picture of risk at the time the assessment is taken (usually once per year). That’s why it’s important to incorporate external vendor risk monitoring into your inherent risk scoring methodology.

Continuous external vendor risk monitoring and threat intelligence services enable you to both verify assessment responses and fill the gaps between point-in-time assessments.

By aggregating cyber, business and financial event data for each vendor from thousands of sources, you can correlate externally visible risk findings with reported controls data. For instance, you might find that evidence of compromised passwords on the dark web conflicts with the vendor's reported password management policies. And since monitoring is continuous, you can stay on top of external events that may influence your level of risk from a given vendor.

To identify accurate inherent risk, utilize a matrix that combines likelihood and impact to determine the risk assessment scores.

By combining profiles, internal assessments, and external monitoring, you’ll have more well-rounded and current insights into third-party risk. A good third-party risk management system will help you correlate and analyze this data to reveal specific risks and provide remediation guidance. It will also offer workflow management and reporting capabilities that enable your team to collaborate on remediation initiatives with your vendors.

A third-party risk management platform can facilitate collaboration with vendors to streamline the remediation process.

Residual Risk Is the Risk You Can Tolerate

A major goal of TPRM is to achieve an acceptable level of residual risk across your vendor ecosystem. While it’s impossible to eliminate every inkling of vendor risk, there is a point at which the value of their service outweighs any remaining potential weakness. Therefore, residual risk is the amount risk that remains once the vendor has implemented your organization’s mandatory controls.

To get to a desirable level of residual risk, your vendors will need to apply any “must-have” controls required by your company to deliver secure and compliant services. These can include conducting remediations to directly fix an exposure, such as patching an outdated billing system. They also cover implementing compensating controls, such as adding a level of supervision when handling particularly sensitive data.

Compliance mapping is one way to quickly identify whether an acceptable level of residual risk has been achieved.

It’s important to note that residual risk is dependent on the scope of the vendor engagement and your company’s risk appetite. Small to Medium sized organizations typically don’t have specific “must-have” controls and will adopt industry-standard or baseline risks. However, if you have identified must-have controls, then simply measuring risk against an industry standard would fall into the inherent risk camp. Confusing it with residual risk could leave you with a false impression of security and lead to inaccurate reporting.

A good third-party risk management system will help you to navigate the road from profiled risk to inherent risk and residual risk. For instance, your TPRM solution should automatically map profile, assessment and monitoring data to any particular security controls or compliance requirements mandated by your company. This makes it easy to understand vendor risk in the context of your business and identify specific exposures that present true, actionable risk.

What’s Next?

Once a vendor reaches an acceptable level of residual risk, it doesn’t mean that your job is done! The threat and compliance landscapes are continually evolving, so it’s critical to continue monitoring your vendors and conducting regular risk assessments using continuous evaluations.

Ready to get started? The experts at Prevalent can work with you to build a mature TPRM program that addresses everything covered in this post. Whether you want a unified platform to manage the process yourself, need a partner to handle the hard work for you, or a little of both, we’re here to help. Request a demo to connect with us today.