What Is True Inherent Risk in Third-Party Risk Management?

Calculating inherent risk is more involved than asking a few onboarding questions before even engaging with the vendor. Know the difference between inherent risk and profile risk. Read the best practice here.
Brenda Ferraro
Vice President of Third-Party Risk
November 06, 2019

I have seen a lot of definitions of inherent risk in my 15 years as a practitioner consulting with organizations on building or maturing their third-party risk management programs. Those definitions were only marginally different until recently, so I’d like to take this opportunity to clarify what inherent risk is and isn’t. Getting inherent risk wrong can have significant negative consequences for your business, so let’s make sure we’re all using the same language correctly.

Inherent risk definition

The industry-standard definition of inherent risk says that it “represents the amount of risk that exists in the absence of controls,” or “the current risk level given the existing set of controls rather than the hypothetical notion of an absence of any controls.” More plainly, inherent risk is the amount of risk before you do anything about it.

What’s the key word here? Controls. You must have visibility into a vendor’s controls to score this level of baseline risk.

The wrong approach

I was recently engaged with a prospective customer who indicated they were working with another third-party risk management provider that claimed its solution calculated an inherent risk score, which would then determine what questionnaire content to use to assess the vendor. The prospective customer indicated that the provider’s approach involved an analyst answering a set of basic onboarding questions about the vendor – for example, what data the vendor has access to, the vendor’s criticality, etc. – prior to engaging with the vendor, and therefore without knowing the vendor’s internal controls posture.

I was struck by this approach, as it seems incongruous with the industry-standard definition of inherent risk and more in line with what is known as profiled risk. Once I clarified with the prospective customer what they would be getting with that profiled risk approach, they quickly saw it was not a true picture of inherent risk.

Defining profiled risk

Profiled risk is based on factors such as the type of data being shared, the type of service being provided, geo-political location, etc. Typically, this is derived from a set of scoping questions, but as you can see, no controls-based questions are asked here. Profiled risk can be helpful, but it is not inherent risk, as there is no visibility into controls. And without that level of visibility, how can you score risk?

To help better describe how risks are calculated, I decided to illustrate three types of risk – Profiled, Inherent, and Residual – in the table below.

Comparison Table: Different Types of Risk

Each risk type is described by its definition, how solutions should address it, and a use case example.

Profiled Risk

Definition: Based on risk factors such as the type of data being shared, the type of service being provided, geo-political location, etc. Typically, this is derived from a set of scoping questions.

How solutions should address this risk: Auto-categorization based on a set of upfront scoping questions.

Note: Some companies will use threat monitoring report scores to prioritize the vendor universe prior to obtaining profile risk awareness.

Use case example:
  1. An entity is added to the system
  2. A scoping questionnaire is completed internally
  3. Based on the results, a category is applied to the entity

Inherent Risk

Definition: Based on initial responses from a vendor to a set of targeted questions.

How solutions should address this risk:
  1. Auto-identification of risk based on vendor responses
  2. Visualization of a risk score on the entity record and via the risk report output
  3. Application of a risk multiplier to adjust risk scores based on entity category

Use case example:
  1. The vendor is assessed, for example with a SIG Lite Questionnaire
  2. Vendor responses net a score of 15 in the solution
  3. “15” is the Inherent Risk
  4. The 15 risk score may suggest taking additional actions

Residual Risk

Definition: Adjusted risk related to a relationship with a vendor, based on any compensating controls in place and negotiated remediation plans or activities.

How solutions should address this risk:
  1. In-platform remediation
  2. Vendor collaboration
  3. Risk trending reports (including entity/portfolio-level risk reports)
  4. Risk score evolves as risks are closed out

Use case example:
  1. Company works with the vendor in the system
  2. The mitigated risks no longer contribute to the vendor risk score, reducing the score in the system
  3. New score = residual risk; this can continue to change based on remediation efforts in-platform
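The three stages in the table, modelled as a small scoring walkthrough. This is an added illustration, not Prevalent’s scoring model: the control questions, finding weights and category multipliers are constructed assumptions, chosen so the sample vendor lands on the inherent score of 15 used above.

```python
# Category multipliers and finding weights below are constructed assumptions.
CATEGORY_MULTIPLIER = {"low": 0.5, "medium": 1.0, "high": 1.5}
FINDING_WEIGHTS = {  # raised when the vendor answers "no" to a controls question
    "mfa_for_remote_access": 5,
    "encryption_at_rest": 6,
    "annual_pen_test": 4,
    "incident_response_plan": 5,
}

def profiled_category(scoping: dict) -> str:
    # Profiled risk: internal scoping answers only; nothing here reflects vendor controls.
    if scoping["data_type"] in {"PII", "PHI"} or scoping["criticality"] == "critical":
        return "high"
    if scoping["data_type"] == "confidential" or scoping["offshore"]:
        return "medium"
    return "low"

def inherent_risk(responses: dict, category: str) -> tuple[int, list]:
    # Inherent risk: findings from the vendor's own controls responses, scaled by category.
    findings = [q for q, has_control in responses.items() if not has_control]
    raw = sum(FINDING_WEIGHTS[q] for q in findings)
    return round(raw * CATEGORY_MULTIPLIER[category]), findings

def residual_risk(findings: list, category: str, closed: set) -> int:
    # Residual risk: remediated findings no longer contribute to the score.
    raw = sum(FINDING_WEIGHTS[f] for f in findings if f not in closed)
    return round(raw * CATEGORY_MULTIPLIER[category])

# Constructed sample vendor: internal scoping answers, then the vendor's own responses.
SCOPING = {"data_type": "confidential", "criticality": "supporting", "offshore": False}
RESPONSES = {
    "mfa_for_remote_access": False,
    "encryption_at_rest": False,
    "annual_pen_test": False,
    "incident_response_plan": True,
}

def walkthrough() -> dict:
    # Run the three stages on the sample vendor and return each score.
    category = profiled_category(SCOPING)                     # "medium"
    inherent, findings = inherent_risk(RESPONSES, category)   # 15, as in the table
    residual = residual_risk(findings, category, {"encryption_at_rest"})  # 9
    return {"category": category, "inherent": inherent, "residual": residual}
```

Note that profiled_category never reads RESPONSES: a scoping questionnaire alone can categorize the vendor but cannot produce the controls-based score.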

What to look for in a solution

If the third-party risk management solution you are evaluating claims to present an inherent risk score, make sure to really probe into what goes into calculating that score. If that tool is just using a short internal onboarding questionnaire to provide initial scope for due diligence, that helps but it’s not inherent risk.

Instead, look for a solution that shows true inherent risk based on vendor responses to targeted, controls-based questions. This metric can be used alongside profiled risk to determine whether acceptance or further remediation work with the vendor is necessary. Additional capabilities, including automated risk identification and the ability to map those risks to common industry frameworks/regulations and company controls, can then be applied to help you focus and report on the risk within your extended enterprise. Once you have defined risk recommendations and either remediated the risks or accepted compensating controls, you have reached residual risk.

The Prevalent perspective on inherent risk is the industry standard, adds context, and is much more thorough. Asking 10 short onboarding questions isn’t going to give you those answers. That might tell you how to prioritize your vendors – at best.

For more on how Prevalent can help reveal, interpret, and alleviate the risks inherent in your third-party relationships, contact us today. I’d be happy to conduct a strategy session with you and your team.

Brenda Ferraro
Vice President of Third-Party Risk
Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.