The short answer is: if you are doing everything right, it shouldn't. A good risk management program should already tell you which areas of your organization are most exposed to risk. However, the risk environment, and therefore the controls you rely on, should be re-evaluated. Because of this unprecedented pandemic, we should all be paying closer attention to the areas that have changed and will likely remain changed as we navigate these unfamiliar times. To do this, we don't necessarily need to change our risk assessment methodology, but we should recognize that existing risk ratings were calculated against conditions that no longer hold, and that this may require adjustments to our assessment calendar.
Inherent Risk vs. Residual Risk
Let me make some clarifications. There is a difference between an inherent risk assessment and a residual risk assessment. A vendor's inherent risk to your organization should not change because of COVID-19. Inherent risk is an assessment of the maximum risk an engagement could pose if everything went wrong (a pandemic being one example of everything going wrong), before any controls are considered.
Also, remember this equation: Inherent Risk + Controls = Residual Risk
In other words, residual risk is the risk that remains after the vendor's controls are applied to the inherent risk. We don't need to change the equation, but we do need to run it again, because the Controls term is what the pandemic has changed. We need to go back to our vendors and ask what they are doing differently as a result of federal and state mandates to stay home or to work under different circumstances. Policies you reviewed one, two or three years ago may now have unforeseen exceptions in place that were not accounted for in your last risk assessment.
So, What’s Changed?
Nearly everyone is working from home. A vendor that once said it never allowed employees to access its network remotely may have had to change that rule, and the remote access controls it put in place on short notice may not match what you reviewed. A company that was in good financial standing a year ago may have encountered drastic, unexpected changes. A robust and well-staffed audit and security department may have been dialed back as the company struggles to stay afloat.
Once we know what our vendors are doing differently, we should assess whether the controls we relied on are still in place and, if so, whether they are still effective. This may take extra legwork on our end, as I would also expect vendors to respectfully request postponing client audits and questionnaire requests for as long as possible.
Taking all this into account, there will be inevitable adjustments to our risk assessment schedules. I realize it’s painful to reset the clock on current and validated risk ratings. But, start with critical and high-risk vendors. Schedule a call to level-set on key controls and contracted obligations. If you find a vendor whose circumstances warrant the need for a reassessment, try to come to an agreement on a practical timeline for when they can support it.
If you know a vendor has exposed you to risk, document and report it. If you are not sure whether an inherently high-risk vendor's controls are still valid, document and report that too. It is better to have accounted for and formally accepted a risk than to show low risk across the board that has been poorly validated. When you adjust your review schedules, document why those adjustments were made. And in case you missed the emphasis: document everything.