Inherent Risks and How they Help VRM Programs
Some vendors are mission-critical to operations, while others are not. Some vendors handle sensitive personal data or intellectual property, while others do not. Insight into the inherent risks of your vendors can help you determine where you should focus your team’s time and resources.
In this post, we’ll define inherent risks and share how we see organizations using them in practice.
What Are Inherent Risks?
There are two schools of thought when it working to define inherent risk.
- Definition #1: Inherent risk is the amount of risk that there would be without any controls in place.
- Definition #2: Inherent risk is the current amount of risk based on implemented controls.
The second definition provides far more insight and therefore is used more often. The FAIR Institute has a great blog that defines inherent risk in much greater detail.
No matter how you define it, the basic principle is the same: inherent risk is the starting point before additional mitigation actions are taken.
OneTrust Vendorpedia can automatically calculate inherent risk for all of your vendors using simple business context. Want to see how? Request a demo today.
How Can You Utilize Inherent Risks?
1) Decide Which Vendors to Assess First
For organizations that are beginning to design their program, the question often becomes: Which vendors should I assess first? Most organizations will tier vendors into three groups:
- Tier 3: Low risk, low criticality
- Tier 2: Medium risk, medium criticality
- Tier 1: High risk, high criticality
Many times, especially during initial evaluation, these tiers are calculated based on inherent risk. In practice, organizations will focus their time and resources on tier 1 vendors first, as they require more stringent due diligence and evidence collection. Typically, tier 1 vendors are subject to the most in-depth assessments, which often includes onsite assessment validation.
But if your organization has 10,000 vendors, determining the inherent risk for each vendor one at a time is overwhelming, especially without automation. Grouping vendors based on basic business context attributes can help you determine inherent risks in bulk. For example, these groups could include:
- Contract value: Vendors with spend exceeding $1 million annually may require automatically bucket them as a tier 1 vendor, due to a high inherent risk based solely on the value of the vendor.
- Data Involved: Applications used by Finance and HR may introduce high risks due to the sensitivity of data they process. Applications used for internal Public Relations activities, such as scheduling social media posts may be considered lower risk.
- By Location: Grouping your vendors by location or region could be a way of understanding their inherent risk. A supplier in an area subject to frequent natural disasters or geopolitical upheaval may increase their inherent risk.
- Criticality: If a vendor is unable to deliver their service, what would that do to your organization’s operations? When the answer is significant disruption to operations, then the inherent risk of the vendor will inevitably be higher.
2) Building Tailored Workflows Based on Inherent Risk Level
Once we group vendors by inherent risk, it’s helpful to configure workflows for each group. This can be a manual workflow checklist, or a workflow that’s completely automated through a technology platform.
Workflows for vendors with higher inherent risks may involve more stakeholders and use a different assessment type or validation level. Automated reassessments may kick off six months before contract renewal.
Workflows for vendors with lower inherent risks may involve fewer stakeholders and less risk mitigation. Automated reassessments may kick off three months before contract renewal.
3) Choosing the Right Assessment Type and Length
It is also important to right-size the assessment or questionnaire for a particular type or group of vendors. This should be factored into your workflows, as mentioned above. In many cases, it won’t make sense to send the same assessment to every vendor.
Depending on your organization, it is probably ill-advised to send a 1000 question assessment to a low risk, low criticality vendor. Instead, use a short threshold assessment that dynamically expands with more questions if more risks are discovered.
4) Choosing the Right Assessment Validation Level
Tier 3 assessment validation (vendor self-attestation) is used most frequently for vendors with low inherent risk. Tier 2 and 3 validation (remote and onsite validation) will be reserved for vendors with high inherent risks.
Read our recent blog post on assessment validation levels to learn more.
How OneTrust Vendorpedia Helps
OneTrust Vendorpedia can automatically calculate inherent risk for your entire vendor inventory. From there, the platform facilitates the assessment process, offering Vendor Chasing Services™ through the Cyber Risk Exchange, as well as managing the entire vendor lifecycle, from onboarding, mitigation, reporting, and ongoing monitoring. Request a demo today!
Businesses + Vendors: How to Make The Third-Party Risk Marriage Work
To reduce vendor-related risks, businesses must conduct security assessments on their vendors. On the other side, vendors must respond to these time-consuming questionnaires. And with recent disruptive events, such as the pandemic and major security breaches like SolarWinds, the volume of security questionnaires a vendor receives has increased drastically.
So, how can businesses and vendors work together in a way that benefits both sides, giving businesses more trust in their vendors, and giving vendors the ability to provide confidence in their security programs?
In this webinar, we brought together both sides of the vendor risk management equation – a business and a vendor – to share their perspective of what it’s like to send and respond to security questionnaires. In having this discussion, we hope to provide insight and tips that can help streamline the vendor risk assessment process for everyone involved.
Our panelists will discuss:
- Their experiences with sending and responding to questionnaires
- The pain points on each side of the assessment process
- What businesses and vendors can do to make the process easier for each other
- Solutions to work better together to build mutual trust and reduce workload