(270) 506-5140 CONTACT US
Risk Assessment

Inherent Risk vs Residual Vendor Risk

Mar 28, 2018 by Branan Cooper

A risk assessment should not include just the inherent risk or residual risk with the vendor. In order to complete a robust assessment, both inherent risk and residual risk levels should be evaluated. Foremost, it’s important to understand the different risk types.

Inherent Vendor Risk

The inherent risk is the first impression risk the vendor poses. For example, if you walk into a call center and see sensitive data exposed on employee desks you immediately will think there is a high data security risk before knowing much else about the vendor’s policies and procedures.  

While the inherent risk may give a bad first impression, your review of the vendor should not end there. It’s imperative to understand how they are mitigating controls. In the example regarding the call center, reach out and see if they are being proactive and implementing stricter security procedures or perhaps have begun to train their employees to better educate them. In this case, you may want to increase your onsite visits as part of your due diligence.

Make sure the control mitigation is well-documented, including the scope, frequency and why. You may want to include these in your agreement as an extra precaution as well. Once you’ve determined the inherent risk it’s time to move forward to other parts of the risk assessment such as the residual risk.

Residual Vendor Risk

Unless you’ve misidentified the inherent risk, the residual risk will never be higher. The residual risk must be evaluated after you determine the inherent risk because it's better to understand if you’re comfortable with the controls that are in place. Are they sufficient? You need to determine how good the controls are and what risk remains with them. 

It’s very important to document all of this and include it in senior management and board updates. This shows that you’re identifying and controlling the level of risk posed by doing business with a particular vendor.

To learn how to conduct a thorough risk assessment of your third parties, view our on-demand Risk Assessment Workshop here.

third party risk assessment

Branan Cooper

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).

Follow Branan Cooper

Subscribe to the Venminder Blog