What is Inherent Third-Party Risk?

When an organization partners with a third-party vendor, that third party introduces a new set of risks for the organization. These pose a potential threat that could disrupt operations, cause financial losses, or damage reputations.  

Identifying and understanding inherent third-party risk is crucial to protect organizations. Assessing third-party inherent risks before beginning a relationship shows which vendors pose the highest risk and what steps are needed to manage and mitigate them.  

What is inherent third-party risk and how can you identify it? Let’s review the basics to gain a better understanding of how to safeguard your organization.  

What is Inherent Third-Party Risk? 

Inherent third-party risk is the risk that exists naturally in a third party’s product or service with no safeguards or controls in place. It’s the first impression of the third-party vendor and the amount of risk it poses.

One way to define inherent risk is with this formula:  

Inherent Risk = Impact × Probability  

This formula shows how an event’s potential impact and likelihood come together to determine risk before any controls are in place.  

• Impact measures the severity of harm a risk could cause.
• Probability assesses how likely the event is to happen.  

Inherent third-party risk is tiered, or rated, into categories like low, medium, and high. Some organizations include more tiers, like medium-low and medium-high, which provides more nuance with specific requirements assigned.  

Other organizations may choose a numbered system — where Tier 1 third parties are the most critical and Tier 5 third parties present the lower amount of risk.  

Whichever method you choose, make sure it’s defined. Clear guidelines are essential to assessing risk without controls.  

Your organization has no control over a third party’s inherent risk — it can’t simply be removed from the product or service. Instead, your organization must review the third party’s controls to mitigate the risk and implement your own.  

Related: How to Review Third-Party Risk with Vendor Risk Assessments 

Types of Third-Party Inherent Risk 

There are many different types of inherent third-party risk, with some vendors — like a third-party payment processor — falling into more than one category. Although many inherent third-party risks can overlap with each other, assess each risk independently. 

Here are six categories of inherent third-party risk to assess: 

• Operational: This inherent third-party risk is when a vendor’s product or service is critical to daily operations. The vendor’s ineffective or failed internal processes, people, controls, or systems could cause material loss. Consider if the third party performs critical functions, if sensitive data is accessed, or if a disruption would cause a material impact to your organization.  
• Financial: Relates to the third party’s financial condition and its inability to provide product or services. It also refers to the possibility of your organization losing revenue due to the relationship. Consider if the product or service is a significant expense or if it provides or supports a significant revenue stream.  
• Strategic: This third-party inherent risk occurs when a prospective or current vendor’s decisions and actions are incompatible with your organization's strategic objectives. Consider if the vendor aligns with your strategic goals.  
• Reputational: The variety of ways a third party could directly or indirectly damage your organization’s reputation, brand, or name. Consider if the product or service directly impacts customers and if it directly markets products or services that could cause customers to experience financial loss.  
• Compliance: The vendor's failure to comply with laws, regulations, or your organization's internal policies. Consider if the vendor accesses sensitive customer or organization information or if the product or service exposes your organization to regulations.  
• Information security: Threats or vulnerabilities from third parties that access your organization’s sensitive information, systems, or networks. It includes both cybersecurity and physical security risks. Consider if the product or service requires integration with your network or if the vendor will process, transmit, manage, or store your organization’s data.  

An Example of Inherent Third-Party Risk 

An example of inherent third-party risk is when a vendor needs access to your organization’s or customers’ sensitive information. If this data is transmitted electronically, which is almost always the case, then the third-party vendor presents inherent information security/cybersecurity risk, compliance risk, reputational risk, and operational risks.  

If the vendor fails to protect the information, your organization can be held liable, creating compliance risk. If the vendor experiences a cyberattack or service outage, you're exposed to operational and reputational risk, among others.

These inherent risks exist naturally with the third party and need controls applied before entering into the relationship.  

Related: What Vendor Documents Are Needed to Assess Cybersecurity 

Next Steps to Manage and Mitigate Inherent Third-Party Risk

Once you’ve identified a third party’s inherent risk, it’s important to understand what to do next. After all, one of the primary functions of third-party risk management is knowing how to handle vendor risk.  

Here are next steps for managing and mitigating inherent third-party risk: 

• Perform due diligence on the third party – The third-party's inherent risk informs the level of due diligence needed. The higher the risk level, the more due diligence needed. Collect basic information on the third party like tax ID, an OFAC check, and legal address. You may also need to review the third party’s SOC report, financial reports, information security policies, and business continuity and disaster recovery plans.  
• Send a third-party vendor risk questionnaire – A questionnaire allows your organization to ask specific questions about the third party’s product or service. Be mindful that many third parties receive questionnaire requests, so keep the questions applicable to the third party’s product or service.
• Use a subject matter expert review – SMEs are critical to assessing the third party’s risk and documentation. They review the third party’s information and provide a qualified opinion on the sufficiency of the third party’s practices and controls.  
• Implement organizational controls – Your organization's controls may include provisions in the third-party contract like service level agreements (SLAs), data protection standards, and a right to clause. Implement data security controls like encryption and multi-factor authentication (MFA). Be sure to also continuously review the third party’s risks to identify and mitigate emerging issues.  
• Calculate residual risk – Residual third-party risk is what remains even after implementing controls. Think of this simple calculation: residual risk = inherent risk x control effectiveness. Residual risk quantifies how confident your organization is in the controls used to mitigate third-party risk.  
• Determine how to handle residual risk – It’s up to your organization to determine whether to move forward with the third-party relationship based on the residual risk rating. These approaches are avoid (the vendor isn’t worth the risk), mitigate (add or strengthen risk controls), transfer/share (shift the risk to another party), or accept (acknowledge the risk and accept its consequences). 
  
  Related: What Is Third-Party Vendor Residual Risk? 

Dealing with inherent third-party risk can be tricky to navigate, but it’s essential to understand within your third-party risk management program. Being able to identify the type of inherent third-party risk and knowing how to best manage and mitigate it is an important strategy that creates a valuable vendor partnership. 

What should you do with a third party’s inherent and residual risks? Learn more in this eBook.