Measuring inherent risk is necessary to set the tone for how much due diligence you will be doing on a vendor and the frequency that you will be performing the due diligence activities. The correct depth and breadth of the due diligence along with the correct frequency ensures that the correct amount of time is spent answering the correct questions, and those answers are updated at the correct rate.
Inherent risk is the amount of risk that exists in the absence of controls. Therefore, when evaluating inherent risk, you must look at the situation as it would exist with no controls in place, not at the current situation, where there are most certainly controls in place.
Do not be tempted to redefine inherent risk to make it easier to evaluate. Redefining inherent risk as the risk with the current controls in place assumes that the current controls will stay in place and assumes that you have reviewed them. This is also exactly the definition of residual risk: the amount of risk that remains after controls are accounted for.
With that definition firmly in mind, evaluate the inherent risk of the no-control situation by answering a set of questions that assess the risk in that condition. The questions cover a variety of topics that are independent of controls. One topic is nonpublic personal information (NPI). Questions evaluate whether NPI is sent to the vendor or not, the amount and type of private information sent, what it is used for, and whether that information is passed on to subservice organizations.
Another topic is how closely the vendor is tied to your business. This is reflected both in how quickly you can replace them and in how quickly your institution will start to suffer consequences when something happens to the vendor.
How quickly you can replace the vendor is measured in two dimensions. The first dimension is how quickly you can find another vendor, perform the appropriate level of due diligence, and negotiate and execute a contract. The second dimension is how quickly the solution can be implemented. This dimension may include installation, configuration, customization, and integration with other systems. It may include data loading, validating the data loading, and testing the system. Finally, it may include training and far more support than normal, given the emergency nature of the rollout. These considerations are for IT systems; similar considerations are important for other types of products and solutions.
Knowing how quickly your institution will start suffering consequences is also important, as it will indicate how quickly you need to implement your backup plan as opposed to obtaining another vendor, the type of planning you need, and any backup items that need to be in place or on hand. From an inherent risk perspective, knowing that a third party's failure can have significant consequences quickly will drive a more in-depth and broader review of their controls.
Please note that not all consequences are directly monetary. There is reputational risk, which at the end of the day could have catastrophic monetary consequences but is sometimes missed or downplayed because it is viewed as a soft cost.
Your institution’s policies and the measurement of inherent risk must support each other. Both must recognize what inherent risk is and then require the appropriate depth, breadth, and frequency of residual risk evaluation based on your institution’s risk appetite.
Do you have the correct set of inherent risk questions: questions that support your policies and measure the risk without controls in place?
Let us help you make sure you are not biting off more risk than your institution’s risk appetite can chew. We can help you make sense of inherent risk and implement the depth, breadth, and frequency of due diligence review to ensure you understand and can mitigate the level of residual risk posed by a vendor and their product or service.
Contact us to discover the best solution(s) to ease your burden and execute effective third-party risk management.