Inherent vs. Residual Risk in Vendor Risk Management

March 16, 2021

InfoSec teams are constantly looking for new, innovative ways to protect their organizations' data against malicious threats without hindering open-source vendor relationships. One of the ways InfoSec leaders can make confident decisions about risk management is by understanding the inherent and residual risk factors present in any vendor partnership at any given time.

Understanding Risk in Vendor Security Management

Inherent risk, or the total amount of risk present at the beginning of a vendor relationship, presents a foundation from which new security measures can be put in place. Once these security protocols are in place, the risk left over becomes the residual risk of a vendor partnership.

Safeguards against inherent risk include:

  • Vendor security assessments and questionnaires to gauge a vendor's security profile.
  • Any protocols an organization has against sharing specific data with vendors.
  • The processes an InfoSec team has in place during the sales process to monitor a potential vendor's risk levels.

Unfortunately, there will always be some level of residual risk left over in vendor risk management, because you are dealing with external parties outside of your own security operations. Risk monitoring tools, firewalls, and other post-implementation processes are examples of protection against residual risk.

Managing Inherent and Residual Risk

So, how can your InfoSec team protect against both inherent and residual risk without shutting down new open-source vendor partnerships altogether? A holistic plan that prepares for inherent risk while protecting against unknown residual risk is key to implementing a long-term vendor security management strategy.

Here are a few key steps to make sure you're addressing both inherent and residual risk in your vendor security management strategy:

  1. Ensure you're taking both inherent and residual risk into account by calculating a "risk score" for each type of risk for any potential vendor.
  2. Organize your vendors based on inherent risk to ensure you're delivering the right protections against residual risk throughout your partnership.
  3. Give sales and procurement team members the tools and information they need to determine potential inherent or residual risk before your InfoSec team even joins the conversation.
  4. Stay on top of innovative and creative ways to minimize residual vendor risk throughout a vendor partnership.
  5. Perform ongoing audits and reviews of vendor risk management protocols to ensure no new inherent risk factors appear.

Depending on the type of vendors you're working with and the recurring risk factors in place, your InfoSec team can continue to build and optimize your vendor risk management strategy to address both inherent and residual risk. Over time, your team can confidently make decisions about vendor partnerships through a lens of security management to minimize both inherent and residual risk.

Whistic Vendor Security Management

Want to learn more about protecting your organization against inherent and residual vendor risk? The Whistic platform makes it easy for InfoSec teams to track inherent vendor risk while staying on top of ongoing residual vendor risk. You can learn more and get started here.

About the author

Whistic

The latest insights and updates on information security and third party risk management.