According to Black Kite, 39.7% of third-party breaches in 2022 originated from unauthorized network access, followed by ransomware (27%) and unsecured servers (9.5%). The harsh truth is that when it comes to business, a certain degree of risk will always exist. Working with third parties carries its own set of potential risks. But the more you can do to identify, understand and reduce all of these risks, the greater your opportunity for success. This starts with evaluating the inherent risk in your third parties.

What is Inherent Risk?

Inherent risk refers to the level of risk present in a process or activity before any risk management has taken place. It can also be defined as the current risk level given only a limited set of internal controls. In other words, it’s the risk level your business faces when nothing is done. While reliance on third-party vendors is necessary for doing business, your inherent risk is also greatly affected by those vendors, because their risks are essentially your risks. Examples of inherent risks for organizations include weak passwords, malware, insider threats, phishing attacks, and loss of data such as PII and financial records.

The correct approach to handling inherent risk is to: 

  1. Assess the various risk levels
  2. Take proactive steps to reduce risk
  3. Monitor risks on an ongoing basis

Inherent risk is further broken down into two main categories in the auditing of cyber risk.

Control risk

Control risk is the probability of a risk materializing despite an organization having the proper internal controls in place. Either mistakes were made or the controls in place were not sufficient, and attack vectors were left exposed. For example, a system was misconfigured, or antivirus software and firewalls were not kept up to date.

If an auditor decides that an organization’s inherent and control risks are too high, the auditor may lower detection risk in order to keep overall risk within a normal range.

Detection risk

Detection risk is the failure to detect security gaps during a cyber audit.

For example, financial institutions are at risk of material misstatements in their financial statements due to failures in internal controls. Reviewing financial statements can become arduous and cumbersome, and auditors are unable to review all of them carefully. Instead, they audit a targeted selection of financial transactions to measure overall audit risk.

What is Residual Risk?

Residual risk is the risk that remains after security measures have been implemented. The typical calculation is: Residual risk = Inherent risk – Impact of risk controls. For example, even if an organization implements cybersecurity solutions to defend against third-party attacks, it will still be at risk not only from unauthorized access and ransomware but also from malware, phishing and simple human error.

What is the Difference Between Inherent and Residual Risk?

The difference between inherent and residual risk lies in when the controls are put in place. If controls are put in place before a risk is discovered, it’s an inherent risk. If controls are put in place after a risk is discovered, it’s a residual risk. Another difference is that monitoring residual risk is a regulatory requirement for compliance with ISO 27001.

Both third-party inherent risk and third-party residual risk are managed through a third-party risk assessment.

How Can Organizations Assess Inherent Risks?

The first step is to understand exactly how much risk you and your third parties face. This requires creating a risk profile for your company and considering the likelihood of certain adverse events occurring if nothing more is done. You will need to evaluate a variety of factors such as:

  • What is the nature of your business? Certain industries and niches face much greater inherent risk than others.
  • How sensitive is the information you hold? In other words, what would the consequences be if your data were compromised?
  • How educated are your employees regarding basic security principles and the need for confidentiality?
  • What is the integrity and competence level of your internal personnel in terms of information security best practices?

Proactive Steps to Reduce Risk

Once you’ve evaluated the inherent risk faced by your business, the next step is to proactively mitigate that risk. This decreases the likelihood of experiencing any of its possible adverse effects.

Below are suggested ways to reduce risk in your organization. The exact steps will vary based on your organization’s inherent risks and available resources.

  • Assign clear responsibilities. Delegate clear ownership over every aspect of your security policy. Each element should be assigned to an individual or team, leaving no confusion about who handles what.
  • Use a consensus-driven approach. While clear responsibilities are essential, applying a consensus-driven approach ensures everyone’s voice is heard. Representation from each department within the organization creates a balanced strategy where everyone’s needs are considered.
  • Limit what you keep. Want to reduce stress and make things exponentially simpler in your business? Limit the amount of data you keep and store. It sounds simple, but it is much harder than it seems, especially in today’s digital age. 
  • Document everything. One method of limiting the information you keep is by creating an effective document retention and removal program. This speaks to a much larger point regarding strengthening security—document everything you possibly can. This eliminates friction, reduces confusion and provides something firm to stand on should you experience a breach.
  • Assess your third parties. Start by mapping out your third parties and prioritizing their impact on your business. This enables you to weigh third parties accordingly and is an important step in reducing risk to your organization. You also need to test the digital perimeter of your third parties to determine how resilient they are in the event of a breach. And lastly, reviewing security questionnaires will help you understand the internal security policies of your third-party vendors.
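The residual risk formula above (Residual risk = Inherent risk – Impact of risk controls) and the step of mapping and prioritizing third parties can be worked through in a small risk register. The following Python is an added example, not Panorays’ scoring model; the five-point likelihood and impact scales, the per-control effectiveness fractions and the sample vendors are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Five-point ordinal scales; an assumed convention for this example, not Panorays' scoring.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Control:
    name: str
    reduction: float  # assumed effectiveness: fraction of risk it removes, 0.0..1.0

@dataclass
class Vendor:
    name: str
    likelihood: str  # chance of an adverse event if nothing more is done
    impact: str      # consequence for your business if it does happen
    controls: list = field(default_factory=list)

def inherent_risk(v: Vendor) -> int:
    """Risk before any controls: likelihood x impact on a 1..25 scale."""
    return LIKELIHOOD[v.likelihood] * IMPACT[v.impact]

def controls_impact(v: Vendor) -> float:
    """Risk removed by the controls. Each control removes a fraction of what the
    previous ones left, so stacking controls never drives residual risk below zero."""
    remaining = 1.0
    for c in v.controls:
        if not 0.0 <= c.reduction <= 1.0:
            raise ValueError(f"{c.name}: reduction must be between 0 and 1")
        remaining *= 1.0 - c.reduction
    return round(inherent_risk(v) * (1.0 - remaining), 2)

def residual_risk(v: Vendor) -> float:
    """Residual risk = inherent risk - impact of risk controls (the formula above)."""
    return round(inherent_risk(v) - controls_impact(v), 2)

def prioritize(vendors: list) -> list:
    """Vendor names ordered by residual risk, highest first: where monitoring effort goes."""
    return [v.name for v in sorted(vendors, key=residual_risk, reverse=True)]

# Constructed sample third parties and controls (not real vendors or real scores).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", "likely", "severe",
           [Control("MFA enforced on vendor portal", 0.4), Control("questionnaire reviewed", 0.2)]),
    Vendor("cloud-hosting", "possible", "major",
           [Control("contractual security clauses", 0.25), Control("continuous monitoring", 0.3)]),
    Vendor("office-supplies", "unlikely", "minor"),
]
```

Calling `prioritize(SAMPLE_VENDORS)` ranks the payroll provider first even after its controls, because a high inherent score is only partly offset by them; re-running the register as controls change is the ongoing monitoring the next section describes.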

Monitoring Inherent Risks (Indefinitely)

Monitoring inherent risks should be ongoing. Even after identifying inherent risks and taking proactive steps to avoid issues, you’ll still need to keep tabs on what’s happening. Keeping security risks at a minimum is an ongoing process, requiring continuous monitoring as well as knowledge of the latest security systems and protocols.

Compliance is not something you can take for granted. Just because you have rules or processes in place to prevent situations from occurring doesn’t mean that they are being followed. Your strategy must include continuous monitoring for compliance and consistency enforced over weeks, months and years.

A commitment to monitoring and enforcement shows everyone—including employees, clients and business partners—that you take information security seriously. Furthermore, it demonstrates your commitment to regulators and other external parties that you are aligned with the proper standards.

Understanding Information Security Risk

Information security risk can be described as the risk of an undesired event occurring that results in lost, copied, stolen or otherwise compromised sensitive data, such as PII, PHI, and other personal or proprietary information. The effects can include adverse legal, financial, regulatory and reputational consequences for the company, including lawsuits and fines.

Internal factors, such as a data leak or a disgruntled employee, and external factors, such as a misconfigured firewall or a software vulnerability, can lead to information security breaches, whether deliberate or unintentional. Unfortunately, the damage can range from minor, such as temporarily being unable to access systems, to major, possibly putting a company out of business.

Incurred damage will vary, based on the severity of the breach, and may result in:

  • Contractual liability issues such as a breach of contract by an employee, client or other business partner
  • Legal expenses related to defending against legal action and/or restoring lost data
  • Loss of future revenue through stolen trade secrets, lost competitive advantages and/or reputational hits
  • Regulatory consequences such as fines from regulatory bodies and other groups designed to protect the industry from unauthorized exchange of confidential information
  • Business disruption such as server downtime, which according to one estimate costs at least $5,600 per minute.

While these five consequences are enough to sink a business, the reputational damage is the icing on the cake. Between disgruntled clients and negative media coverage, a breach can have far-reaching, adverse effects on a company.

Panorays Helps You Automate Third-Party Security

When evaluating a third party’s security risk, you need to understand its business impact on your organization. Panorays enables you to create a custom, standardized process to expedite your third-party management. Our automated platform helps you assess and mitigate security risk and continuously monitor any changes in the third party’s security posture. It is the only platform providing a rapid supplier cyber risk rating that combines automated security questionnaire results with attack surface findings while also considering the business context.

Want to learn more about how to evaluate the level of inherent risk in your third parties? Get started with a Free Account today.


What is an inherent risk?

Inherent risk is the risk your business faces without any controls or risk management in place. For example, an inherent risk in driving an automobile is that you may be involved in an accident that harms you or others or damages property. Once you put safety controls in place, such as seat belts, airbags, etc., the risk that remains is a residual risk.

How can you mitigate inherent risk?

Companies can mitigate inherent risk by putting internal controls in place. For example, implementing multi-factor authentication, privileged access controls and employee badge requirements are internal controls that help mitigate the inherent risk of unauthorized access to a company’s sensitive data, information and physical infrastructure.

What is an example of an inherent risk factor?

An inherent risk factor for financial institutions is organizational complexity. If you have many relationships with suppliers, partners and third parties in addition to many subsidiaries, there is an inherent risk of financial misstatement, because the interpretation of financial transactions becomes more challenging.