What Is Inherent Third-Party Risk?

One of the primary functions of the third-party risk management lifecycle is to identify a vendor’s inherent risk in order to make informed decisions on how to handle it and ultimately protect the organization. But, what exactly is inherent third-party vendor risk and how can you identify it? Let’s review the basics to gain a better understanding of this important criteria of vendor assessment.

Defining Inherent Third-Party Risk

Inherent risk represents the most amount of risk that can be present to an organization, without measures in place to mitigate that risk. They’re the risks which are fundamentally tied to the product or service.

Types of Inherent Risk

There are many different types of inherent third-party risk, with some vendors (like one that processes payments) falling into more than one category. Here are just some categories of risk that may apply to third-party vendors:

• Operational: This type of risk is a broad category that can either be applied to internal or external control failures. If a vendor’s products or services are needed to maintain an organization’s business activities, that vendor would have operational risk.
• Financial: A vendor would have financial risk if that third-party relationship could affect an organization’s financial stability.
• Transactional: This risk relates to a vendor that processes transactions on behalf of an organization.
• Reputational: A third-party vendor’s actions can harm an organization’s reputation in many ways including data breaches, poor service, lawsuits or outages. Customers don’t differentiate who’s at fault during a negative experience and will likely place the blame on the parent organization.
• Compliance: Regulatory guidelines are often prioritized in third-party vendor products and services and failure to comply can put an organization under compliance risk.
• Cybersecurity: This risk type is closely related to operational risk and includes areas like information security vulnerabilities and data breaches.

4 Next Steps to Handle Inherent Risk

Now that you can define inherent third-party risks and identify a few categories, it’s important to understand what to do next. After all, one of the primary functions of third-party risk management is knowing how to handle vendor risk within an organization. Here are the four options:

1. Avoid: In certain situations, it may be appropriate to avoid the inherent risk altogether, especially if it’s unnecessary for the vendor to function. For example, it may be discovered that a vendor’s personnel do not actually need credentials to a system.
2. Mitigate: This is perhaps the most common method of handling risk in vendor management. Implementing controls on inherent third-party risk will transform it to residual risk, which will always be the same or lower.
3. Transfer: Contract indemnification or adequate insurance policies are typical ways in which inherent risk can be transferred.
4. Accept: In cases when inherent risk can’t be mitigated or transferred, acceptance is usually the only alternative. Unidentified and ignored risk is also considered accepted, according to auditors, so it’s important to document justification for why it’s being accepted.

Dealing with inherent third-party risk can be tricky to navigate, but it’s essential to understand within your third-party risk management program. Being able to identify the type of inherent risk and knowing how to best handle it is an important strategy that will help create a valuable vendor relationship.