Companies can have upwards of a thousand third-parties and it is important to be able to differentiate and categorize each one of them. To that end, inherent risk takes into account how a company is using their third-parties and what risk do they pose to the organization. In this blog, we’ll explain how to calculate inherent risk, how to quantify that risk and its importance within a risk management process.
Different companies use third-parties in different ways, and that’s why inherent risk is unique to each enterprise. So when trying to measure, one must look at a multitude of factors which include, but are not limited to, levels of engagement with the third-party, amount of data shared, and the different types of data.
Let’s say an enterprise shares confidential data with a third-party because they need in order to engage with them. The inherent risk of that third-party will be very high, so the enterprise will want to engage in a much more thorough assessment. The opposite is true if that enterprise is not sharing any data. The level of inherent risk of that third-party will be really low, and the enterprise won’t need as in depth of a review.
How to calculate the inherent risk
It is very important to put a framework in place. The first step is to develop an understanding of what categories are important to you, as well as the way you want to weigh those different categories — is one more important than the other? How?
You must take into account the following questions/categories:
- What type of information are you sharing? (i.e. PHI, PII, Financial and Proprietary data)
- How much data are you sharing with the third-party? A little, medium, or big amount?
- Is this data in scope for legal or regulatory concern?
- How large is your engagement with the third-party and how important is it for your business operation?
- How easy is it to replace the third-party with another third-party?
After you create your framework, you will be able to map your inherent risk measurement and then gather the corresponding data to actually measure. Those two things should be done early on in the risk management process, because they will make it easier on the backend.
What are the before and after states for the enterprise?
When there’s no process in place for inherent risk, organizations tend to use a “one size fits all” approach, instead of customizing assessments for each third-party.
They will likely have one form/questionnaire to send out to their third-parties, and they will likely request the same information every time. This makes the process very challenging because not only is it inefficient, it places an arduous (and sometimes unwarranted) burden on the third-parties. Creating a clear process around inherent risk, organizations will be able to start to differentiate the level of due diligence needed for each third-party.
The after state is having a framework that dictates how to categorize and weigh the inherent risk of third-parties. This allows enterprises to tailor their due diligence process.
Inherent risk in practice
A tool like ThirdPartyTrust allows you to use those categories you defined to measure and score inherent risk on each third-party across your different categories, helping automate the process.
So what are the benefits that the ThirdPartyTrust platform provides? From the reporting perspective, it allows for unparalleled visibility and metrics around inherent risk of third-parties for the following reasons:
- It allows customers to take their framework of an inherent risk and tie it to their entire third-party due diligence process.
- It makes it very easy to see what third-parties have high and low inherent risk, and to report on that specific score across a number of different types of filters.
Therefore, enterprises using the ThirdPartyTrust platform are more readily addressing their inherent risks and are working in a more efficient and strategic way. We strongly recommend shifting towards an integrated risk management approach, in order to consider risk factors across the entire business and prioritize which deserve the greatest amount of attention.
Inherent risk will definitely grow in importance because it is a much more strategic way to segment third-parties and to perform due diligence. We believe and are paving the way for more automation to help enterprises attend these sorts of tasks.
For more on how ThirdPartyTrust can help understand and manage the inherent risks in your third-parties, request your demo now: