In third-party risk management, inherent risk is defined as the level of risk that a vendor relationship poses to your organization.
Therefore, the inherent risk represents the natural level of risk your organization incurs by working with a particular vendor, before that risk is managed and/or the security gaps are mitigated.
Why is Inherent Risk so Important?
As a work tool, inherent risk enables the security team to map the organization’s critical vendors. Subsequently, the organization can prioritize the third-party assessment process.
Here is a quick example:
Let’s assess two vendors: Vendor A and Vendor B.
Vendor A offers on-premises software development services with an inherent risk score of 80. The score is calculated from:
- The risk of data leakage from unsecured development methods;
- Exposure to the company’s business information and procedures; and
- Exposure to employee personally identifiable information (PII).
Conversely, Vendor B offers a cloud-based Software as a Service (SaaS) security product with an inherent risk score of 86. The score is calculated from:
- An additional, potentially uncontrolled attack vector;
- The security controls implemented by the cloud service provider and by the vendor; and
- The service availability risk.
By mapping all of the potential ‘known’ risk factors, the security team can prioritize an assessment audit for Vendor B because Vendor B’s inherent risk score is higher than Vendor A’s.
Inherent Risk vs. Residual Risk
The difference between inherent risk and residual risk is that inherent risk represents the risk score before the organization takes any action to mitigate the risk. The residual risk, therefore, represents the risk remaining after the vendor has replied to a security/regulatory assessment request and all the identified gaps have been mitigated.
More significantly, residual risk is the risk an organization is willing to accept after all considerations have been accounted for.
How to Create an Inherent Risk Score Methodology?
To calculate the inherent risk for a vendor, the organization’s security team needs to consider all the aspects of the organization that the vendor’s proposed service can compromise.
A handful of examples are as follows:
- Technology – How downtime of the vendor’s technology will affect your service.
- Compliance – Assessing the vendor’s compliance with the relevant regulations and how it processes your data.
- Legal – Exposure to lawsuits and fines.
- Privacy – The risk from handling, managing, and/or processing PII by third-party vendors.
- Business Continuity Plan (BCP) – Continuity, availability, and integrity are the three key factors of risk that an organization will be exposed to whenever they work with a vendor.
To create an effective inherent risk methodology, you must consider:
a. The impact of the vendor’s service on your business; and
b. The probability (or, rather, the likelihood) that the service will become an issue for your organization.
Ultimately, during procurement or as part of an ongoing review, you need to ask (either yourself or the relevant personnel in the organization) a set of questions. The answers to those questions enable you to produce a risk score that gives you/your organization a clear understanding of the threat it faces by working with a particular vendor.
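A worked impact x likelihood scoring model for the methodology above, including the inherent-to-residual step described earlier; this is an added illustration, not Findings’ own model, and the category weights, the 1-5 rating scale and the two vendor profiles are constructed assumptions chosen to reproduce the article’s Vendor A / Vendor B scores.

```python
# Added illustration of an impact x likelihood inherent risk model, not Findings'
# own scoring model: the categories follow the article, while the weights, the
# 1-5 rating scale and the two vendor profiles are constructed assumptions.
from dataclasses import dataclass

# Risk aspects named in the article, each with an assumed weight (sums to 1.0).
CATEGORY_WEIGHTS = {"technology": 0.20, "compliance": 0.15, "legal": 0.15,
                    "privacy": 0.30, "bcp": 0.20}

@dataclass
class VendorProfile:
    name: str
    # Per category: (impact, likelihood), each rated 1 (low) to 5 (high) from the
    # answers to the inherent risk (vendor profiling) questions.
    ratings: dict

    def score(self) -> int:
        """Weighted sum of impact x likelihood, normalised to a 0-100 score."""
        total = sum(CATEGORY_WEIGHTS[cat] * impact * likelihood
                    for cat, (impact, likelihood) in self.ratings.items())
        return round(total / 25 * 100)  # 25 = maximum impact x likelihood

def residual_risk(profile: VendorProfile, mitigations: dict) -> int:
    """Re-score after gaps are closed: each mitigation lowers a category's
    likelihood; impact is a property of the service and stays unchanged."""
    reduced = {cat: (impact, max(1, likelihood - mitigations.get(cat, 0)))
               for cat, (impact, likelihood) in profile.ratings.items()}
    return VendorProfile(profile.name, reduced).score()

def prioritize(vendors: list) -> list:
    """Order vendors for assessment, highest inherent risk first."""
    return [v.name for v in sorted(vendors, key=lambda v: v.score(), reverse=True)]

# Constructed profiles mirroring the article's example: on-premises development
# services (Vendor A) versus a cloud-based SaaS product (Vendor B).
VENDOR_A = VendorProfile("Vendor A", {"technology": (5, 4), "compliance": (5, 3),
                                      "legal": (5, 3), "privacy": (5, 5), "bcp": (5, 4)})
VENDOR_B = VendorProfile("Vendor B", {"technology": (5, 5), "compliance": (5, 3),
                                      "legal": (4, 3), "privacy": (5, 5), "bcp": (5, 5)})

if __name__ == "__main__":
    print({v.name: v.score() for v in (VENDOR_A, VENDOR_B)})  # {'Vendor A': 80, 'Vendor B': 86}
    print(prioritize([VENDOR_A, VENDOR_B]))  # ['Vendor B', 'Vendor A']
    # Residual risk once Vendor B has hardened its cloud controls, privacy handling and BCP:
    print(residual_risk(VENDOR_B, {"technology": 3, "privacy": 2, "bcp": 3}))  # 50
```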
How to Implement a Successful Onboarding Process for a Vendor?
A security assessment process is a lengthy one, especially if the assessment is done manually in an Excel spreadsheet.
Generally speaking, the process for many organizations is:
- A new vendor starts the procurement process;
- The procurement officer approaches the security team;
- The security team returns to the procurement officer with the inherent risk (vendor profiling) questions;
- The procurement officer emails the assessment to the vendor as an Excel spreadsheet;
- The vendor answers the questions in the Excel spreadsheet (or ignores them); and
- A final decision is made.
The described process may take three to four months to complete, and this does not even take into consideration:
a. The gaps that may have been found during this process (the residual risk);
b. The risk reduction plan that the vendor needs to respond to; and
c. The elevated risk the organization faces because of the time that passes between starting to work with the vendor and the mitigation of the gaps.
Furthermore, with a manual process the security team struggles to manage the risks from all the other third parties that already work with the organization.
Neglecting the “Longtail” Vendors
Due to the effort, time, human resources, and cost of maintaining the onboarding process described above for all the organization’s third-party vendors, organizations tend to focus on the 15%-20% of their vendors that are most critical. Consequently, they tend to neglect their “longtail” vendors, i.e., small, low- to medium-risk vendors.
At Findings, we conducted an internal study that found organizations have an astonishing 30% exposure to significant market vulnerabilities (SolarWinds, Kaseya, etc…) due to their neglect of their “longtail” vendors.
Since the COVID-19 pandemic started, it has become routine for malicious actors to exploit the vulnerabilities of third-party vendors in order to attack an organization. An organization can’t “hope for the best” anymore; the security team must scale the process to the entire supply chain.
How to Streamline the Procurement/Security Process?
To set up, manage, and scale an efficient third-party assessment process that gives all parties a continuous, hands-on capability, the organization must streamline the process using automation tools.
When choosing an automation tool, look for a service that supports the process end-to-end and gives you the flexibility to make changes and adjustments when necessary.
Findings’ Approach to Inherent Risk
- Streamline the internal process between departments so that the inherent risk of every vendor can be evaluated rapidly;
- Provide a pre-defined inherent risk model; and
- Let you customize your own inherent risk model.
How Can You Streamline the Internal Process between Departments to Evaluate a Vendor’s Inherent Risk?
Findings has replaced the internal back-and-forth email communication that takes place when onboarding a potential new vendor or when meeting an ongoing regulatory requirement. Instead, we took the questions found in the Excel spreadsheet (the “questionnaire”) and wrapped them into a process that we call “BO” (Business Owner). In other words, our platform enables an internal resource to open a new vendor audit request to the security team.
Additionally, the process is designed to produce an inherent risk score automatically, so the security team only needs to open the new request, see the score, and prioritize accordingly.
Lastly, every participant in the process is notified whenever the vendor’s status changes during the process.