Quantifying inherent risk for third parties is one of the most important aspects of a best practice Vendor Risk Management program. Inherent risk – the amount of risk that exists before controls are put in place – is a calculation that can be used throughout the vendor risk lifecycle. Examples include:
- Risk-Tiering Your Vendors – Use inherent risk as a metric to group your vendor populations by how critical they are to your business operations or by how much risk they pose to your organization.
- Scoping Vendor Due Diligence – Riskier vendors require deeper due diligence before contracts are signed and vendors can be onboarded. A vendor’s inherent risk score can help determine the proper set of questions to include in the initial vendor assessment questionnaire.
- Determining Post-Contract Due Diligence Frequency – When combined with previous assessment review ratings, inherent risk can be used to calculate a residual risk score. The residual risk score can determine how often your third-party risk team needs to conduct follow-on due diligence – annually, bi-annually, etc.
When implementing an inherent risk scoring system for your vendors, here are three tips to consider:
1. Make Inherent Risk a Key Part of the Vendor Request Process
Chances are that the person or department requesting a new supplier or service will have a good handle on how critical the vendor is to business operations. Leverage that knowledge and capture it as part of the vendor request process. Include gating or intake questions in your vendor request form, portal or process – questions whose answers paint a clear picture of a potential vendor’s riskiness to your firm. By involving “the business” in the vendor inherent risk calculation, you build a risk-aware culture while also getting a clearer picture of the risks that need to be mitigated.
2. Use Risk Domains to Define the Right Vendor Inherent Risk Questions
It’s important to include the right questions in your internal inherent risk questionnaire. Every organization has different risks to contend with. Be sure to consider these nine risk areas when determining which questions to include in vendor service requests:
- Identity – Is the vendor a real organization? Are they who they say they are?
- Information Security – Will the vendor have access to sensitive information? How much?
- Geographic – Is the vendor’s location a risk? Will the service be performed internationally? Is that an issue?
- Financial – Is the vendor financially secure? How large is the proposed contract?
- Business Continuity – How hard is it to replace this vendor should something happen?
- Fourth Parties – Does the vendor outsource portions of the service to other companies?
- Reputation – Was/is the vendor involved in any activity that could reflect negatively on your organization?
- Compliance – What laws or regulations are in play here? Can the vendor demonstrate compliance?
- Conflict of Interest – Are there any conflicts that you should be aware of?
Learn More: Download our expert guide, How to Quantify and Manage Inherent Risk for Third Parties, for more details on risk domains and how to build an effective inherent risk questionnaire for your organization.
3. Create an Inherent Risk Scoring and Tiering System for Your Vendors
You have the right intake questions on the vendor request form, and you have business users helping you answer the questions. Now, take it one step further: Assign point values to your questions and build a scoring system that determines which risk tier each of your vendors belongs to. Organizations must determine a point system that makes sense for their business – each response must be aligned to a specific variable, score or value (point, letter, etc.) and weighed accordingly.
This step requires some work; but if done correctly, you’ll have a world-class classification system that you can use throughout the third-party risk lifecycle – initial vendor due diligence, onboarding, ongoing monitoring and more.
Here’s an example of an inherent risk questionnaire completed as part of a request to onboard a records shredder company:
Based on the answers to the intake questions (and the resulting scores), this vendor sits in the high-risk tier for this organization.
Inherent risk scoring and risk-tiering your vendors will also help prioritize where to focus your time and energy when resources are tight. Obviously, the most critical vendors should get your utmost attention. Vendor risk classification can also be used to make a business case to get additional resources – in the forms of software tools, consulting help or outsourced assessment work – when you fall behind.
Quantifying Inherent Risk for Your Vendors Requires Rigor
It’s impossible to avoid risk altogether. Inherent risk is just that — inherent. However, with an effective methodology for quantifying inherent risk, you can mitigate risk as much as possible and protect your enterprise. Objectively judging the risk any given vendor poses is key to protecting the information for which your company is responsible.
Take the next step: Our experts put together a detailed guide for organizations looking to improve their inherent risk calculations. Download How to Quantify and Manage Inherent Risk for Third Parties for real-world advice on developing a quantification methodology that will guide your company to a better and more effective third-party risk management program.