By Hilary Jewhurst, Head of Third-Party Risk Education & Advocacy at Venminder
For many, residual risk is a confusing third-party risk management (TPRM) concept, but it’s important to understand how and when residual risk is calculated and its proper utilization in your TPRM program. Residual risk is a vendor’s remaining risk after controls have been applied.
Determining a residual risk rating is important for two reasons:
First, it helps determine if you need more or different controls before beginning or continuing a vendor relationship. For example, you might require the vendor to conduct more systems testing or implement more frequent monitoring to mitigate identified issues.
Second, it helps determine if the residual risk is acceptable. For example, your organization may be willing to accept high residual risks if the vendor is the sole provider of a product or service crucial to meeting your goals. However, if an existing vendor has high residual risk and, after several attempts, fails to provide evidence of sufficient controls, you may decide to discontinue the relationship.
The Residual Risk Rating Process on Vendors
Let’s explore the steps to determine and assign a vendor’s residual risk rating:
Determine inherent risk: There’s always some level of risk with third-party products, services, and relationships. The specific types and amounts of those risks are typically identified during an inherent risk assessment, which considers the vendor’s raw risk, or the level of risk before any controls are applied.
Conduct due diligence: This involves reviewing and assessing a vendor's risk management practices and controls to mitigate the identified risks and determine if they’re sufficient.
Review vendor controls: These are systems and measures implemented to detect, prevent, or rectify unwanted events. They’re meant to mitigate the risks in vendor relationships, products, and services and provide reassurance in the risk management process.
Assign a residual risk rating: The level of residual risk can only be determined after completing due diligence, when a subject matter expert (SME) concludes the review of the vendor's controls and offers a qualified opinion regarding their sufficiency in mitigating the risk. In other words, do the vendor’s controls lessen those risks' likelihood, occurrence, severity, or impact? Many organizations quantify residual risk with a rating or score, often using the same risk scale for determining inherent risk, such as low, moderate, or high.
Understand your risk appetite: This is the level of risk your organization is willing to accept to pursue its goals and objectives. After determining a vendor’s residual risk, your organization will need to decide if that risk is acceptable or if you need to move on from the relationship.
Controls can't eliminate a vendor’s risks altogether. Think of it like a seatbelt in a vehicle. Wearing a seatbelt can lessen the likelihood of severe injury or death in an accident. Still, it can't prevent an accident, so additional controls are necessary, such as driving the appropriate speed limit. Most individuals recognize the risks associated with driving but are willing to take those risks with proper controls in place. That’s the concept of residual risk in a nutshell – are the controls enough to make you comfortable with the remaining risks while pursuing your objectives?
Calculating a Vendor’s Residual Risk
You need to know how to calculate a vendor’s residual risk. As a high-level concept, residual risk can be expressed as: Inherent Risk + Controls = Residual Risk.
To further refine that concept with a calculation, you might consider one of these formulas:
Residual Risk = Severity × Probability: For example, a vendor accesses, processes, transmits, or stores personally identifiable information (PII). This has a high inherent information security risk because of the potential severity and probability of a data breach. The vendor has strong encryption and data de-identification controls, so if there’s a network breach, hackers won't be able to utilize much of the data, reducing the potential severity of the breach. The vendor also has regular penetration testing and proactively monitors for security events, which can lessen the probability of a breach. Here, the inherent risk is high, but the residual risk is moderate.
Residual Risk = Threats × Vulnerability: Another vendor also accesses, processes, transmits, or stores PII, and customers can access account data through a vendor-provided mobile app. Data could be accessed through the vendor network and the customer's mobile device, expanding the attack surface and increasing the threat of a breach. A review of the controls shows the vendor doesn't utilize multi-factor authentication, which increases the vulnerability to data theft or cyberattacks. Here, the inherent risk is high and the residual risk is also high.
There are other formulas organizations use to calculate residual risk. No matter which method you choose, it’s important to document your methodology and use it consistently, so there’s continuity in the decisions made with regard to residual risk ratings.
Avoiding the Most Common Residual Risk Mistakes in Vendor Risk Management
The residual risk rating should seldom be used to determine the frequency and intensity of core risk management and monitoring activities.
That’s determined by the inherent risk rating. How often risk is re-assessed, the scope and frequency of due diligence, required performance management activities and review cadence, business continuity reviews, and monitoring requirements should all be aligned to the inherent risk.
This is because controls that are only reviewed at a specific point in time may be effective initially but can become less effective or fail over time. Vendor risks are constantly changing, and external events like industry changes, regulatory updates, geopolitical developments, new technologies, or consumer behaviors are factors that can’t be influenced by a vendor's controls. A high-risk vendor with sufficient controls may have a residual risk rating of moderate, but that should never result in a decreased frequency or intensity of core risk management activities; the risks are still high regardless of the control environment.
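The two formulas above and the rule that monitoring cadence follows inherent (not residual) risk, worked through in code as an added example that is not part of the original article. The 1 to 5 scales, the point reductions a control earns, the vulnerability penalty for a missing control, the rating thresholds and the cadence values are all assumptions chosen for illustration.

```python
# Added example (not from the original article): toy residual-risk scoring model.
# Scales, control adjustments and thresholds below are assumptions.

LOW, MODERATE, HIGH = "low", "moderate", "high"

def rate(score, high_at=12, moderate_at=6):
    """Map a 1-25 product score onto the low/moderate/high scale (assumed thresholds)."""
    if score >= high_at:
        return HIGH
    if score >= moderate_at:
        return MODERATE
    return LOW

def residual_severity_probability(severity, probability, controls):
    """Residual Risk = Severity x Probability.
    Each control is (factor, points): which factor it lowers and by how much (assumed)."""
    sev, prob = severity, probability
    for factor, points in controls:
        if factor == "severity":
            sev -= points
        elif factor == "probability":
            prob -= points
    sev, prob = max(sev, 1), max(prob, 1)   # controls reduce risk, never eliminate it
    return rate(sev * prob)

def residual_threats_vulnerability(threats, vulnerability, control_gaps):
    """Residual Risk = Threats x Vulnerability.
    A missing control (e.g. no MFA) is a gap that raises vulnerability by assumed points."""
    vuln = min(vulnerability + sum(control_gaps.values()), 5)
    return rate(threats * vuln)

def monitoring_cadence(inherent_rating):
    """Cadence is keyed to the INHERENT rating (assumed values); a lower
    residual rating must not loosen it."""
    return {HIGH: "quarterly", MODERATE: "semi-annual", LOW: "annual"}[inherent_rating]

# Vendor A (article's first example): PII; encryption and de-identification lower
# severity, pen testing and event monitoring lower probability.
vendor_a_inherent = rate(5 * 4)                       # 20 -> high
vendor_a_residual = residual_severity_probability(
    5, 4, [("severity", 2), ("probability", 1)])      # 3 * 3 = 9 -> moderate

# Vendor B (article's second example): PII reachable through a mobile app
# (larger attack surface), and no MFA raises vulnerability.
vendor_b_inherent = rate(4 * 3)                       # 12 -> high
vendor_b_residual = residual_threats_vulnerability(4, 3, {"no_mfa": 2})  # 4 * 5 = 20 -> high

# Vendor A's moderate residual rating does not change its review cadence.
vendor_a_cadence = monitoring_cadence(vendor_a_inherent)   # "quarterly"
```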
In conclusion, residual risk ratings are best used as post due diligence data points to determine if more or different controls are necessary before you can confidently move forward with the vendor engagement and if the remaining risks are within your organization’s risk appetite.
"The residual risk rating should seldom be used to determine the frequency and intensity of core risk management and monitoring activities" is great advice. I have seen many organizations use residual risk to reduce the frequency of recertifications as they are hard-pressed for resources.