Why Your Company Should Score Vendors on Inherent and Residual Risk

February 08, 2021

On any given day, InfoSec teams are responsible for countless tasks and projects, so adding another set of metrics to track may seem like a big ask. But just as no two corporate security profiles are the same, no two vendor risk profiles are the same either. Scoring vendors on both inherent risk and residual risk lets your InfoSec team build the right security process for each individual vendor relationship rather than applying one generic process to all of them.


Inherent vs. residual risk

First off, let’s review the definitions. Inherent risk is the amount of risk a vendor relationship presents before any safeguards, protocols, or controls are applied: the baseline set by what the vendor will handle (the sensitivity of the data, the systems it can reach, how critical the service is to your operations), assuming nothing is done to protect any of it. Residual risk, on the other hand, is the risk “left over” after your security safeguards and the vendor’s own controls are in place and working.

One easy way to keep the two straight: security assessments and questionnaires are how you measure inherent risk and find out which controls a vendor actually has, while controls like firewalls, access restrictions, encryption, and security monitoring tools are what reduce that inherent risk. Whatever those controls do not remove is the residual risk, and that is the risk your organization is actually accepting when it signs the contract.


Scoring both inherent and residual risk

Now that we’ve outlined the difference between inherent and residual risk, the question becomes how to score vendors on each, and how to protect your company’s data against the threats each score represents.

By sending, receiving, and managing vendor risk assessments in the Whistic vendor risk management platform, your team can see exactly where gaps occur in a vendor’s security processes, where there are potential holes in its safeguards, and where an attack could get through. Scoring each vendor at this initial stage, based on the scope of the relationship (what data the vendor will handle, what systems it will touch, how critical the service is) and before giving credit for any controls, gives you its inherent risk score and a gauge of how much risk your team is taking on in the partnership.

Next, by documenting all of the safeguards your team has in place and the vendor controls the assessment verified, and tracking within Whistic how those controls respond to the inherent risk, you can produce a residual risk score for each vendor partner. That score shows both your internal team and the wider business how much risk is left once your information security protocols have taken effect. One caveat worth building into the process: a control the vendor merely claims on a questionnaire should not lower the score until you have seen evidence for it, or the residual number will understate the risk you are actually carrying.
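
As an added example (not Whistic’s scoring model, and not code from the original post), here is one small way to turn the two steps above into numbers in Python. The factor names, weights, control effectiveness values, tier thresholds, and the sample payroll vendor are all assumptions constructed for illustration:

```python
"""Added example (not Whistic's scoring model): a small inherent vs. residual
vendor risk scorer.  Factor names, weights, control effectiveness values and
tier thresholds are all assumptions chosen for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Inherent-risk factors describe the engagement itself, before any controls.
# Each factor is rated on a 1 (lowest) to 5 (highest) scale; weights sum to 1.
INHERENT_FACTORS: dict[str, float] = {
    "data_sensitivity": 0.4,      # 1 = public data ... 5 = regulated PII/PHI
    "access_level": 0.3,          # 1 = no access ... 5 = privileged/production
    "business_criticality": 0.2,  # 1 = nice-to-have ... 5 = core operations
    "integration_depth": 0.1,     # 1 = manual file exchange ... 5 = API into core systems
}


@dataclass
class Control:
    """A safeguard that reduces risk, whether yours or the vendor's."""
    name: str
    effectiveness: float    # share of the remaining risk this control removes (0..1)
    verified: bool = False  # True only once you have seen evidence, not just a questionnaire answer


def inherent_score(factors: dict[str, int]) -> float:
    """Weighted average of the 1-5 factor ratings, scaled to 0-100."""
    missing = set(INHERENT_FACTORS) - set(factors)
    if missing:
        raise ValueError(f"missing inherent-risk factors: {sorted(missing)}")
    for name, level in factors.items():
        if name not in INHERENT_FACTORS or not 1 <= level <= 5:
            raise ValueError(f"bad factor {name!r}={level!r}; expected a known factor rated 1-5")
    weighted = sum(INHERENT_FACTORS[name] * factors[name] for name in INHERENT_FACTORS)
    return round(weighted / 5 * 100, 1)


def residual_score(inherent: float, controls: list[Control]) -> float:
    """Apply controls multiplicatively: each verified control removes its share of
    what is still left.  Multiplying (rather than summing effectiveness values)
    means residual risk can never drop below zero or exceed the inherent score,
    and unverified controls are skipped so questionnaire claims earn no credit."""
    remaining = inherent
    for control in controls:
        if not 0.0 <= control.effectiveness <= 1.0:
            raise ValueError(f"control {control.name!r} has effectiveness outside 0..1")
        if control.verified:
            remaining *= 1.0 - control.effectiveness
    return round(remaining, 1)


def tier(score: float) -> str:
    """Map a 0-100 score to a review tier (thresholds are assumptions)."""
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def score_vendor(factors: dict[str, int], controls: list[Control]) -> dict[str, object]:
    """Produce both scores plus the tiers that drive review frequency and escalation."""
    inherent = inherent_score(factors)
    residual = residual_score(inherent, controls)
    return {
        "inherent": inherent,
        "inherent_tier": tier(inherent),
        "residual": residual,
        "residual_tier": tier(residual),
        "unverified_controls": [c.name for c in controls if not c.verified],
    }


# Constructed sample: a hypothetical payroll processor, not a real vendor.
PAYROLL_FACTORS = {
    "data_sensitivity": 5,      # employee PII and bank details
    "access_level": 4,          # federated access into HR systems
    "business_criticality": 4,  # payday depends on it
    "integration_depth": 3,     # scheduled API sync with the HRIS
}
PAYROLL_CONTROLS = [
    Control("SSO with MFA enforced", 0.30, verified=True),            # tested during onboarding
    Control("Encryption at rest (SOC 2 evidence)", 0.20, verified=True),
    Control("24/7 security monitoring", 0.30, verified=False),        # questionnaire claim only
]

if __name__ == "__main__":
    print(score_vendor(PAYROLL_FACTORS, PAYROLL_CONTROLS))
    # Show what verifying the monitoring claim would be worth.
    all_verified = [Control(c.name, c.effectiveness, verified=True) for c in PAYROLL_CONTROLS]
    print("if every control were verified:", score_vendor(PAYROLL_FACTORS, all_verified))
```

Two design choices carry the practitioner’s point. Controls are applied multiplicatively, so three partially effective controls never add up to “more than 100% covered” and the residual score can never exceed the inherent one. And a control only counts once `verified` is set, so in the sample the vendor sits at a residual score of 48.2 (medium) while its monitoring claim is unverified, and would drop to 33.7 (low) once evidence for that claim has been seen; the gap between those two numbers is the value of actually checking.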


Tracking vendor risk with Whistic

Scoring vendors on both inherent and residual risk, and managing both scores in a vendor risk management platform like Whistic, shows exactly how effective your InfoSec safeguards are once they are put into place, and which vendors still carry more risk than the business is comfortable accepting.

After all, InfoSec teams have a lot on their plate, and the numbers are what tell you whether you’re operating as effectively and efficiently as possible.
