Back to Playbook Visit Our Blog

Capability
Inherent Risk Assessment

Know the inherent security risks of each third-party relationship.

What

Know the inherent risks of doing business with each third party. Understand the assets at risk and potential negative outcomes of a security failure. 

Why

Knowledge of third-party inherent risks enables you to understand what is at stake with each entity and informs what risks should be managed and to what degree. 

How

Assign each third party an inherent risk rating using a consistent framwork with enough inherent risk tiers to meaningfully segment the portfolio. Differentiate inherent risk tiers based on attributes such as assets and services exposed, connectivity, and so forth. 

Practice Status Adoption
Implement a framework for assessing third-party inherent risk. Common 87%
In the procurement process implement a simple criteria for purchasing agents to use to identify vendors that require professional risk assessment. Common 77%
Assign each third party an inherent risk rating. Common 77%
Document inherent risk attributes such as services, data types, transaction types, and connectivity. Common 77%
Periodically review third-party relationships for material changes to inherent risk. Emerging 53%