I have seen a lot of definitions of inherent risk in my 15 years as a practitioner consulting with organizations on building or maturing their third-party risk management programs. Those definitions have been only marginally different until recently, so I’d like to take this opportunity to clarify what inherent risk is and isn’t. Getting inherent risk wrong can have significant negative consequences to your business so let’s make sure we’re all using the same language correctly.
Inherent risk definition
The industry-standard definition of inherent risk says that it, “represents the amount of risk that exists in the absence of controls.” Or, “the current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.” More plainly, inherent risk is the amount of risk before you do anything about it.
What’s the key word here? Controls. You must have visibility into a vendor’s controls to score this level of baseline risk.
The wrong approach
I recently was engaged with a prospective customer who indicated they were working with another third-party risk management provider that claimed their solution calculated an inherent risk score which would then inform what questionnaire content to use to assess their vendor. The prospective customer indicated that the third-party risk management provider’s approach involved an analyst answering a set of basic onboarding questions about the vendor – for example what data they have access to, the vendor’s criticality, etc. – prior to engaging with the vendor and therefore without knowing the vendor’s internal controls posture.
I was struck by this approach as this would seem incongruous with the industry-standard definition of inherent risk, and instead more in line with what is known as profiled risk. Once I clarified with the prospective customer what they would be getting with that profiled risk approach, they quickly saw it was not a true picture of inherent risk.
Defining profiled risk
Profiled risk is based on factors such as type of data being shared, type of service being provided, geo-political location, etc. Typically, this is derived based on a set of scoping questions but as you can see, there are no controls-based questions asked here. Profiled risk can be helpful, but it is not inherent risk as there is no visibility into controls. And without that level of visibility, how can you score risk?
To help better describe how risks are calculated I decided to illustrate three (3) types of risks – Profile, Inherent, and Residual – in the table below.
Comparison Table: Different Types of Risk
How Solutions Should Address This Risk
Use Case Example
Based on risk factors such as: Type of data being shared, type of service being provided, geo-political location, etc. Typically, this is derived based on a set of scoping questions.
Auto-categorization based on a set of upfront scoping questions.
Note: Some companies will use threat monitoring report scores to prioritize the vendor universe prior to obtaining profile risk awareness.
Based on initial responses from a vendor to a set of targeted questions
| || |
Adjusted risk related to a relationship with a vendor based on any compensating controls in-place and negotiated remediation plans or activities
| || |
What to look for in a solution
If the third-party risk management solution you are evaluating claims to present an inherent risk score, make sure to really probe into what goes into calculating that score. If that tool is just using a short internal onboarding questionnaire to provide initial scope for due diligence, that helps but it’s not inherent risk.
Instead, look for a solution that shows true inherent risk based on vendor responses to targeted controls-based questions. This metric can be used alongside profiled risk to determine if acceptance or further remediation work with the vendor is necessary. Then, additional capabilities, including automated risk identification and the ability to map those risks to common industry frameworks/regulations and company controls can be applied to enable you to focus and report on the risk associated within your extended enterprise. As you define risk recommendations and risk remediate or accept compensating controls you have reached residual risk.
The Prevalent perspective on inherent risk is the industry standard, adds context, and is much more thorough. Asking 10 short onboarding questions isn’t going to give you those answers. That might tell you how to prioritize your vendors – at best.
For more on how Prevalent can help reveal, interpret, and alleviate the risks inherent in your third-party relationships, contact us today. I’d be happy to conduct a strategy session with you and your team.