
Unmasking Inherent Risk: Setting The Stage For Due Diligence

Monster mashes, zombie jamborees, and ghostly galas: Happy Halloween! While we know you will be dancing to Thriller in a graveyard tonight, do not forget the calculated dance of risk management.

Organizations are tasked with a monumental mission in the evolving risk management landscape—to navigate uncertainty while safeguarding their future. Each step taken by an organization involves a calculated dance with potential threats. Yet, amidst this intricate dance, there exists an unpredictable and bone-chilling force: inherent risk.

In this blog, we define inherent risk and introduce Shared Assessments' new solution for determining vendor inherent risk: the Third-Party Service Inherent Risk Rating, known familiarly as the "TPSIRR".


What is Inherent Risk?

In the context of risk management, inherent risk is the level of risk an organization is exposed to from a vendor in the absence of controls or other mitigating measures. In other words, inherent risk encompasses all potential risks that an organization faces from an engagement before any measures to control, manage, or mitigate them are applied. It is distinct from residual risk, which is the risk that remains after controls are in place; inherent risk is what determines how much due diligence a vendor warrants, while residual risk is what that due diligence ultimately measures.


Third-Party Service Inherent Risk Rating Solution

The Third-Party Service Inherent Risk Rating (TPSIRR) product from Shared Assessments helps organizations determine their vendors' levels of inherent risk with a consistent and documented approach. The TPSIRR solution gives organizations an understanding of the amount and types of inherent risk posed by prospective third-party engagements. Additionally, the TPSIRR defines the scope and depth of due diligence that should be undertaken for a given vendor based on that vendor's inherent risk.


Our TPSIRR solution allows practitioners to:
  • Determine third-party Inherent Risk Ratings (IRR) across vendor portfolios
  • Discern areas of focus (including controls) for risk-based due diligence
  • Report on the types of risk introduced to an organization by its third-party vendors


Key Functionalities of the TPSIRR include:
  • Vendor Risk Scoring in accordance with an organization’s customizable risk classifications
  • Quick-Glance Assessments using RAG reporting for levels of risk (Red=High, Amber=Moderate, Green=Low)
  • Due diligence scoping and frequency planning, including selection of the appropriate SIG Questionnaire for diligence (Lite, Core, or Full)
  • Risk Tiering derived from inherent risk ratings
  • Dashboard tracking on Inherent Risk Ratings (IRR) completed across vendor portfolios

About Inherent Risk Scores

The Third-Party Service Inherent Risk Rating (TPSIRR) product aggregates and scores inputs to seven key areas of impact and displays calculated Inherent Risk results in a dashboard summary. The Seven Areas of Impact covered by the TPSIRR correspond directly with domains in the Standardized Information Gathering (SIG) Questionnaire and include:

  1. Operational Resilience: The ability of an organization to prepare for, respond to, and adapt to operational disruptions. Good business continuity planning is essential to operational resilience. (SIG Domain(s): Operational Resilience, Compliance Management)
  2. Cyber Security and Information Protection/Technology: Strategy, policy, and standards regarding the security of, and operations in, cyberspace. (SIG Domain(s): Access Control, Application Security)
  3. Subcontractors/Fourth and Nth Parties: Organizations that do work for the outsourcer's own third parties (fourth parties), and their subcontractors in turn (Nth parties). (SIG Domain(s): Nth Party Management)
  4. Geo-Location Factors: Risks associated with the physical location of the third party, including the risk of natural disasters as well as wars, terrorist acts, and tensions between states. (SIG Domain(s): Compliance Management)
  5. Use of Technology Providers: Risks associated with the third party's use of and dependence upon other providers' technologies, primarily the varieties of cloud hosting used for the location and handling of the organization's data. (SIG Domain(s): Cloud Hosting)
  6. Network Connectivity/API Integration: The potential level and nature of the connection between the organization and the third party. (SIG Domain(s): Security, Nth Party Management, Network Security)
  7. Artificial Intelligence/Machine Learning & Financial Model Risk: The ability of machines to behave in a way we would consider "smart"; to abstract, create, and deduce from data; and to train themselves through a process of data analysis, pattern recognition, and classification. (SIG Domain(s): Compliance Management)

From the Dashboard, users can see the recommended SIG Questionnaire type based on the score, alongside Red-Amber-Green color codes corresponding to High, Moderate, and Low inherent risk for the assessed organization.
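As an added illustration of the chain described above, from area inputs to an aggregate score, a RAG rating, a questionnaire recommendation, a review cadence and a list of due diligence focus areas, here is a small Python model. It is not Shared Assessments' own scoring engine, whose weights and thresholds are not given on this page: the area weights, the 0-5 input scale, the RAG thresholds, the RAG-to-questionnaire mapping, the review cadence and the "one area at its maximum floors the rating at Amber" rule are all assumptions chosen to show the mechanics, and the three vendors in the sample portfolio are constructed.

```python
"""Inherent-risk scoring across the seven TPSIRR areas of impact.

Added example, not Shared Assessments' scoring model. Every weight,
threshold and mapping below is an assumption made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Rag(Enum):
    GREEN = "Green"   # Low inherent risk
    AMBER = "Amber"   # Moderate inherent risk
    RED = "Red"       # High inherent risk


# The seven areas of impact named in the text; weights are assumed.
AREA_WEIGHTS = {
    "operational_resilience": 1.0,
    "cyber_security": 1.5,
    "nth_parties": 1.0,
    "geo_location": 0.75,
    "technology_providers": 1.0,
    "network_connectivity": 1.25,
    "ai_ml_model_risk": 1.0,
}
MAX_INPUT = 5                    # each area rated 0 (none) .. 5 (critical); assumed scale
RED_AT, AMBER_AT = 60.0, 35.0    # assumed thresholds on the 0..100 aggregate score
FOCUS_AT = 4                     # area inputs at or above this become due diligence focus areas

# Assumed mapping from RAG to SIG questionnaire depth and review cadence (months).
QUESTIONNAIRE = {Rag.RED: "Full", Rag.AMBER: "Core", Rag.GREEN: "Lite"}
REVIEW_MONTHS = {Rag.RED: 12, Rag.AMBER: 24, Rag.GREEN: 36}


@dataclass(frozen=True)
class VendorRating:
    vendor: str
    score: float
    rag: Rag
    questionnaire: str
    review_months: int
    focus_areas: tuple[str, ...]


def aggregate_score(inputs: dict[str, int]) -> float:
    """Weighted aggregate of the seven area inputs, normalised to 0..100."""
    missing = set(AREA_WEIGHTS) - set(inputs)
    if missing:
        raise ValueError(f"missing area inputs: {sorted(missing)}")
    for area, value in inputs.items():
        if area not in AREA_WEIGHTS or not 0 <= value <= MAX_INPUT:
            raise ValueError(f"bad input {area}={value}")
    weighted = sum(AREA_WEIGHTS[a] * inputs[a] for a in AREA_WEIGHTS)
    ceiling = MAX_INPUT * sum(AREA_WEIGHTS.values())
    return round(100.0 * weighted / ceiling, 1)


def rag_for(score: float, inputs: dict[str, int]) -> Rag:
    """Map the score to RAG. Any single area at the maximum floors the rating
    at Amber so that averaging cannot hide one critical factor (assumed rule)."""
    if score >= RED_AT:
        return Rag.RED
    if score >= AMBER_AT or max(inputs.values()) >= MAX_INPUT:
        return Rag.AMBER
    return Rag.GREEN


def rate_vendor(name: str, inputs: dict[str, int]) -> VendorRating:
    """Score one vendor and derive its questionnaire, cadence and focus areas."""
    score = aggregate_score(inputs)
    rag = rag_for(score, inputs)
    # Focus areas: the highest-rated inputs first; ties keep the inputs' order.
    focus = tuple(a for a, v in sorted(inputs.items(), key=lambda kv: -kv[1])
                  if v >= FOCUS_AT)
    return VendorRating(name, score, rag, QUESTIONNAIRE[rag], REVIEW_MONTHS[rag], focus)


def rate_portfolio(portfolio: dict[str, dict[str, int]]) -> list[VendorRating]:
    """Rate every vendor and order the dashboard from highest inherent risk down."""
    return sorted((rate_vendor(n, i) for n, i in portfolio.items()),
                  key=lambda r: -r.score)


# Constructed sample portfolio (not real vendors); keys follow AREA_WEIGHTS.
SAMPLE_PORTFOLIO = {
    "cloud-payroll": {"operational_resilience": 4, "cyber_security": 5, "nth_parties": 3,
                      "geo_location": 2, "technology_providers": 4,
                      "network_connectivity": 5, "ai_ml_model_risk": 1},
    "office-catering": {"operational_resilience": 1, "cyber_security": 1, "nth_parties": 1,
                        "geo_location": 1, "technology_providers": 1,
                        "network_connectivity": 1, "ai_ml_model_risk": 1},
    "ml-scoring-pilot": {"operational_resilience": 1, "cyber_security": 1, "nth_parties": 1,
                         "geo_location": 1, "technology_providers": 1,
                         "network_connectivity": 1, "ai_ml_model_risk": 5},
}

if __name__ == "__main__":
    for r in rate_portfolio(SAMPLE_PORTFOLIO):
        print(f"{r.vendor:18} {r.score:5.1f} {r.rag.value:5} SIG {r.questionnaire:4} "
              f"review every {r.review_months} mo; focus: {', '.join(r.focus_areas) or '-'}")
```

The "ml-scoring-pilot" vendor is there to show why the Amber floor matters: its weighted average lands in the Green band, but a single area at the maximum (here, the AI/ML and model risk input) is exactly the kind of factor a pure average dilutes, and a rating scheme should decide explicitly whether such a factor may be averaged away.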

TPSIRR Diagram

Conclusion

Whether the TPSIRR is used by third-party risk management programs in the vendor selection process or during the renewal of third-party agreements, this solution closes a previously unaddressed gap in the third-party lifecycle. The Third-Party Service Inherent Risk Rating (TPSIRR) solution provides the foundational evaluation and measurement of a vendor's inherent risk before the appropriate controls and due diligence are established.