Inherent Risks and How they Help VRM Programs
Some vendors are mission-critical to operations, while others are not. Some vendors handle sensitive personal data or intellectual property, while others do not. Insight into the inherent risks of your vendors can help you determine where you should focus your team’s time and resources.
In this post, we’ll define inherent risks and share how we see organizations using them in practice.
What Are Inherent Risks?
There are two schools of thought when it working to define inherent risk.
- Definition #1: Inherent risk is the amount of risk that there would be without any controls in place.
- Definition #2: Inherent risk is the current amount of risk based on implemented controls.
The second definition provides far more insight and therefore is used more often. The FAIR Institute has a great blog that defines inherent risk in much greater detail.
No matter how you define it, the basic principle is the same: inherent risk is the starting point before additional mitigation actions are taken.
OneTrust Vendorpedia can automatically calculate inherent risk for all of your vendors using simple business context. Want to see how? Request a demo today.
How Can You Utilize Inherent Risks?
1) Decide Which Vendors to Assess First
For organizations that are beginning to design their program, the question often becomes: Which vendors should I assess first? Most organizations will tier vendors into three groups:
- Tier 3: Low risk, low criticality
- Tier 2: Medium risk, medium criticality
- Tier 1: High risk, high criticality
Many times, especially during initial evaluation, these tiers are calculated based on inherent risk. In practice, organizations will focus their time and resources on tier 1 vendors first, as they require more stringent due diligence and evidence collection. Typically, tier 1 vendors are subject to the most in-depth assessments, which often includes onsite assessment validation.
But if your organization has 10,000 vendors, determining the inherent risk for each vendor one at a time is overwhelming, especially without automation. Grouping vendors based on basic business context attributes can help you determine inherent risks in bulk. For example, these groups could include:
- Contract value: Vendors with spend exceeding $1 million annually may require automatically bucket them as a tier 1 vendor, due to a high inherent risk based solely on the value of the vendor.
- Data Involved: Applications used by Finance and HR may introduce high risks due to the sensitivity of data they process. Applications used for internal Public Relations activities, such as scheduling social media posts may be considered lower risk.
- By Location: Grouping your vendors by location or region could be a way of understanding their inherent risk. A supplier in an area subject to frequent natural disasters or geopolitical upheaval may increase their inherent risk.
- Criticality: If a vendor is unable to deliver their service, what would that do to your organization’s operations? When the answer is significant disruption to operations, then the inherent risk of the vendor will inevitably be higher.
2) Building Tailored Workflows Based on Inherent Risk Level
Once we group vendors by inherent risk, it’s helpful to configure workflows for each group. This can be a manual workflow checklist, or a workflow that’s completely automated through a technology platform.
Workflows for vendors with higher inherent risks may involve more stakeholders and use a different assessment type or validation level. Automated reassessments may kick off six months before contract renewal.
Workflows for vendors with lower inherent risks may involve fewer stakeholders and less risk mitigation. Automated reassessments may kick off three months before contract renewal.
3) Choosing the Right Assessment Type and Length
It is also important to right-size the assessment or questionnaire for a particular type or group of vendors. This should be factored into your workflows, as mentioned above. In many cases, it won’t make sense to send the same assessment to every vendor.
Depending on your organization, it is probably ill-advised to send a 1000 question assessment to a low risk, low criticality vendor. Instead, use a short threshold assessment that dynamically expands with more questions if more risks are discovered.
4) Choosing the Right Assessment Validation Level
Tier 3 assessment validation (vendor self-attestation) is used most frequently for vendors with low inherent risk. Tier 2 and 3 validation (remote and onsite validation) will be reserved for vendors with high inherent risks.
Read our recent blog post on assessment validation levels to learn more.
How OneTrust Vendorpedia Helps
OneTrust Vendorpedia can automatically calculate inherent risk for your entire vendor inventory. From there, the platform facilitates the assessment process, offering Vendor Chasing Services™ through the Cyber Risk Exchange, as well as managing the entire vendor lifecycle, from onboarding, mitigation, reporting, and ongoing monitoring. Request a demo today!
eBook | How the Exchange Assessment Works: Explaining Control Mapping and the Emergence of the SIG Lite