Inherent Risk vs. Residual Risk in Vendor Management

Inherent Risk vs. Residual Risk in Vendor Management

Conducting a thorough vendor risk analysis is an integral step in Vendor Risk Management. However, to do it efficiently, your organization should understand the various types of vendor risk that you need to quantify and manage. There are two main types of risk that organizations evaluate: inherent risk and residual risk.

Getting a handle on both inherent risk and residual risk is becoming more important than ever before. In a recent blog, SecurityScorecard suggests that focusing only on inherent risk will create a partial sense of the organization’s risk profile. A comprehensive vendor risk management program scopes and calculates these risks equally, leading to better-informed decision-making.

Inherent Risk Vs. Residual Risk: The Difference is In Your Controls

Inherent Risk is a vendor’s baseline risk level without accounting for mitigating controls imposed by your organization. Inherent risk is calculated by assessing an organization’s current policies, practices and controls.

Residual Risk is the risk that a vendor poses to your organization after controls are implemented. It is impossible to completely eliminate risk, but your organization can gain a sense of how the third party fits into your risk appetite by calculating the risk that remains after your organization’s controls are applied.

In sum, inherent risk is the risk posed to your organization prior to any mitigating controls. Residual risk is the risk posed to your organization after mitigating controls are accounted for. Calculating these risk levels allows your organization to determine the overall risk a third party poses to your organization – both pre-contract and for the duration of the relationship.

Best Practices for Calculating Inherent Risk

Establishing transparency with your third parties prior to entering a contractual relationship is key to understanding their initial risk profile. The main way that organizations achieve this is by calculating a vendor’s inherent risk prior to onboarding with a pre-contract vendor assessment. Questions should be designed in a way that provides insight into a vendor’s existing security practices and controls. Questions will vary based on the vendor service type, but examples of common questions include:

  • What applications and/or data are the vendor granted access to?
  • What regulations should the vendor be compliant with?
  • Is the vendor service essential to the business operations of the organization?

Additionally, your organization will want to gather any relevant business data on the organization from references, newsfeeds and other reliable sources. Inherent risk questionnaires should be in line with a scoring system that tiers vendors based on their criticality or risk rating. A point system tied to each question can help develop an inherent risk score for a vendor, allowing you to focus on the riskiest vendors throughout the pre-contract due diligence and ongoing monitoring stages of the vendor lifecycle. See below for an example of a vendor risk scoring chart:

Vendor Inherent Risk Scoring

These questions highlight how important it is to develop enterprise-wide integration on third-party risk management processes. Third-party owners should be involved in inherent risk scoring to accurately answer these questions.

Best Practices for Calculating Residual Risk

Unlike inherent risk, residual risk cannot be adequately understood with a point-in-time assessment. Instead, organizations should work towards assessing residual risk by building an assessment cadence within their vendor population. This is where inherent risk scoring can be especially useful – a vendor’s inherent risk score can help inform the depth and frequency of periodic vendor risk assessments.

The goal of monitoring residual risk is to ensure that vendors are operating within acceptable risk levels. Should an issue arise, your organization wants to know about it as soon as possible. Organizations can ensure that a vendor is operating within acceptable residual risk levels by monitoring:

  • Vendor compliance: Is the third party remaining compliant with relevant regulations, and adapting to new regulations as they arise?
  • Controls: Is the vendor maintaining the necessary controls to protect your organization’s sensitive data?
  • Updated Infrastructure: Are your vendor’s critical IT systems up to date and well-protected?

Depending on a vendor’s criticality to your organization’s business continuity, your organization will need to frequently validate the answers to questions such as these. Each assessment can provide an updated risk score for the vendor – allowing your organization to quickly address vendors that are operating above your risk threshold.

How ProcessUnity Vendor Risk Management Automation Can Help

Calculating inherent risk and residual risk accurately within your vendor population can be a complicated, time-consuming process. Your organization can streamline vendor onboarding and ongoing monitoring workflows with automated Third-Party Risk Management tools. ProcessUnity Vendor Risk Management features standardized inherent risk questionnaires tied to a pre-defined risk scoring system, allowing you to easily identify critical vendors. ProcessUnity vendor due diligence software enables your organization to establish an objective pre-contract process and post-contract cadence for evaluating risk on an ongoing basis. To learn more, visit