One of the earliest processes within third-party risk management (TPRM) is determining how much risk a vendor can pose to your organization. Understanding the type and amount of risk you'll be dealing with allows you to make better strategic decisions throughout the vendor relationship. Every third-party vendor carries some amount of inherent risk, which arises from the nature of the product or service itself. After treating that inherent risk by validating the vendor's internal and external controls, what remains is the residual risk.
Let's review some methods on how to determine third-party vendor residual risk and the best practices needed to ensure this risk is properly managed.
Before you can determine residual risk, you must identify all of the inherent risk presented by the activity (the products and services) and the vendor's ability to manage those risks (the controls). Once you have defined the inherent risk and criticality associated with a vendor, you'll need to decide which risk-handling technique to apply.
The risk-handling techniques are to avoid, mitigate, transfer or accept the risk.
Avoiding risk removes it from the equation entirely (typically by not engaging in the activity or not using the vendor), and no further action is needed. When you mitigate, transfer or accept risk, however, some amount of risk always remains. This is the residual risk. It isn't possible to eliminate all risk, but it is possible to reduce the likelihood or potential impact of a given risk.
It's important to remember that a residual risk rating should never replace the inherent risk rating. A residual risk rating indicates how confident your organization is in the vendor's controls; it does not change what is at stake if those controls fail.
Suppose you have a vendor who was rated as high risk during the inherent risk assessment. Then, after the review of the vendor's controls, the residual risk score is lowered to moderate.
Does that mean that you now consider that vendor to be a moderate risk? The answer is no.
The vendor engagement is still high risk, and that high-risk rating is what determines your contract terms and the level and frequency of risk and performance monitoring. The residual risk rating helps the organization avoid complacency by keeping attention on the risks that the controls did not address.
Now that you've determined the third-party vendor's residual risk, what's next? Remember that a vendor's risk profile is rarely fixed: controls degrade, services change and new threats emerge, so the risk must be monitored throughout the course of the relationship.
It's critical to take the following steps to ensure your organization stays well informed of the changing risk environment:
Identifying, monitoring and documenting residual third-party risk is good business practice, because it prevents complacency about the risks that can't be fully mitigated.