Assessing Inherent Risk in Third Party Risk Management
JAYEN GODSE, April 2020
A successful vendor management program needs to invest heavily in managing risks associated with 3rd party vendors. Risk assessment consists of assessing inherent risk and residual risk. Inherent risk is the risk associated with a given engagement regardless of the control/s that the vendor has implemented. It gives you an indication of the level of due diligence you need to do on the vendor.
For an engagement with a low inherent risk you may choose to assess basic controls while for a high inherent risk engagement, you may want to do an onsite audit and validate all controls. Residual risk is the risk that remains after assessing the controls that are implemented to mitigate the inherent risks.
Quantifying Inherent Risk
Typical risk calculation looks like Risk = Likelihood * Impact. In the case of vendor risk management, it is the likelihood of a breach happening multiplied by the impact of that breach on the business. To explain this better, let us consider 2 scenarios. In Scenario 1 – you are sending sensitive data to Amazon and in Scenario 2 – you are sending the same sensitive data to a little-known offshore company. Is the inherent risk the same in both scenarios? In the above case, where sensitive data was sent to 2 different vendors, the impact was high regardless of the vendor. (If data for Likelihood is not available, you may choose to go with the same likelihood across all engagements.
If you are being conservative, you will prefer to go with high likelihood). The likelihood of data being breached at Amazon is low while the likelihood of data being breached at an offshore company is high. The result is that the inherent risk in scenario 2 is higher than scenario 1.
In this article, we are going to focus on Inherent Risk. Let’s start with the basics:
IMPACT and LIKELIHOOD:
Impact – Impact gives you a sense of the extent of damage you will incur and the kind of impact it will have on your business. In some cases, it will be the financial loss that will be incurred whereas, in others, it might be a reputational loss.
Likelihood- It is the probability of a breach happening. Typically it is the how and from where the data is assessed. The rating is typically considered low if the data is being accessed from inside your office. The risk is considered medium if the access is offsite from a country with low CPI (Corruption Perception Index) and it is high in all other offsite access.
How is the data being accessed and/or transferred? The risk is inherently high if the access and transfer are manual, to factor in for human error. In the case of automated access, the rating is considered low. In cases where the data is accessed by VDI but there is no transfer of data, the rating is inherently medium.
CATEGORIES of RISK
Inherent risk can be categorized into different areas:
Technology – the risk you face due to a failure in the vendor’s technology,
Compliance– the implications on your company if the vendor is not being compliant while executing your engagement
Finance– the financial losses you will incur if the vendor fails to deliver,
Legal– the legal risk you face when the vendor does not abide by the laws
Privacy– the risk you face if your vendor does not put sufficient controls in place to protect the privacy, and
Since the risk area assessed depends on the type of engagement between the vendor and the client, it is important to quantify risk in each category
For each area/category of risk to be assessed, you will need to develop specific factors to calculate the impact and likelihood. We had seen earlier for Cyber Security risk the impact depends on the type of data and the volume of data accessed. The likelihood depends on how the data is accessed. Develop similar factors for each area.
Aggregating the risk
Once you have determined risk in each category, you should aggregate at the vendor or engagement level. To aggregate, you can assign weights to each category and simply create a weighted average. On the conservative side, you may choose the highest level of risk in any category as the aggregate vendor inherent risk
Calculating inherent risk methodically adds significant value to your vendor risk program. The most important benefit is that it gives you an indicator of where to focus your scarce resources. Contact us to learn more about ComplyScore’s it vendor management services.