Now that we have discussed the foundations of inherent risk measurement, let’s discuss some of the alterations to our approach that can lead to erroneous measurement and, therefore, additional risk exposure. These alterations are easy to fall into and may even appear to make sense. However, staying tuned into the definition of inherent risk and the support that your inherent risk evaluation questions and policies have for each other will keep your third party risk management policy on the straight and narrow.
One alteration is the wish to override the inherent risk that resulted from your questions and answers. There should be no overriding of that inherent risk. Assuming that there is a policy that clearly states the institution's definition of inherent risk and that this definition closely matches the actual definition (the risk present before any controls are considered), and assuming that the inherent risk questionnaire supports and reflects the policy, then the result of the inherent risk evaluation questionnaire should be taken as the correct inherent risk, and the due diligence evaluation should proceed from that point.
Too frequently, other factors are brought into play that are outside the inherent risk questionnaire. These factors often make judgements based on controls that are already in place and, therefore, break the definition of inherent risk. By breaking that definition, they are actually determining residual risk. Whether or not these other factors break the definition of inherent risk, they are not the policy-supported and policy-supporting set of questions and answers, and they provide the opportunity for an override that is outside the institution's policy. This is not good.
There has also been a tendency to create a loop in which residual risk feeds back into inherent risk. Do not use residual risk to change the depth, breadth, or frequency of residual risk assessment; in other words, do not use residual risk to change inherent risk. One frequent example is that a low residual risk score, either once or over a period of time, is used to lower the inherent risk. Subsequent residual risk assessments are then less deep, less broad, and less frequent. This yields a higher probability of a risk existing, not being mitigated, and occurring. This is not good.
To avoid these alterations, implement policies that support the definitions of inherent risk and residual risk. Implement assessments that determine inherent risk and residual risk while supporting your policies and, therefore, those definitions. Stick to those definitions, policies, and questionnaires. Do not let inherent risk questionnaires measure residual risk. Certainly residual risk questionnaires need to be appropriate to the products and services offered, and so might need to be updated when new products and services are offered or the current ones change (e.g., cloud computing instead of individual servers). Those residual risk questionnaires should still measure residual risk. Make sure you are performing the residual risk assessments to the depth, breadth, and frequency required by the inherent risk, which is based on your policy, which is based on the definition of inherent risk. Build your third party risk management program on these rocks!
Do you have the correct set of inherent and residual risk questions, questions that support your policies and allow you to know about and mitigate risks?
Contact us so that we can help you build your third party risk management (TPRM) program on rocks and not sand.