Hi!
This is a great question, and one that we get all the time. Before you get started, remember that we're trying to quantify and calculate a truly subjective and fluid analysis. There are hundreds of great ways to do this, but none of them will be perfect. For that reason, this is a process that often gets thwarted by "analysis paralysis". So my advice is to keep in mind that at some point, you have to draw a line in the sand and choose what you're going to do. Go with your gut, put numbers to your risk and mitigation factors in a way you find logical, and then test it out with a couple of different vendors to make sure it makes sense.
First you need to decide if you want to mitigate each of your 15 criteria or if you want to mitigate the overall risk rating. Since you seem to have a good process for determining inherent risk, I would recommend using those 15 criteria, and start by coming up with control areas that would mitigate those inherent risks. What would you do for each risk, individually? You can turn that into a checklist of sorts, and then quantify each of those items in a way that aligns with your current way of calculating the inherent risk. Remember, some controls (like having insurance, good SLAs, background checks, favorable SOC audit) would play a part in mitigating various inherent risks... this can get complicated but try to stay organized.
Once you've done that, use the inherent risk criteria to determine the due diligence that needs to be done (what are the things you've decided will mitigate each applicable criterion?). Then consolidate that list (because there will be duplicates) and conduct your assessment with the vendor. Then, once the assessment is complete, knock out your residual risk checklist items. Ideally, you'll have a calculation in place to give you a quantified and logical residual risk rating.
We're doing a webinar on "risk-based due diligence" on Tuesday 2/23 which I think you might find helpful - feel free to join us!
https://www.venminder.com/webinar/vendor-risk-based-due-diligence
Good luck!
Nicole
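As an added illustration (not Venminder's method and not code from anyone in this thread), here is one way to put numbers on the process Nicole describes: score each criterion, map each control to the criteria it mitigates, derive the consolidated due-diligence list, and compute a residual rating on the same scale once controls are verified. The criteria, the 1-5 scale and every mitigation fraction below are constructed assumptions standing in for a subset of the poster's 15 criteria.

```python
from dataclasses import dataclass

# Constructed sample: inherent risk scores (1 = low, 5 = high) for a subset of the 15 criteria.
INHERENT = {
    "data_sensitivity": 5,
    "financial_exposure": 4,
    "service_criticality": 4,
    "regulatory_scope": 3,
    "fourth_party_reliance": 2,
}

@dataclass
class Control:
    name: str        # the due-diligence item to request and verify
    mitigates: dict  # criterion -> fraction of that criterion's risk removed (0..1), assumed values
    verified: bool = False  # set True once the assessment confirms the control

# Constructed catalogue; as the reply notes, one control can mitigate several criteria.
CONTROLS = [
    Control("cyber_insurance", {"financial_exposure": 0.5, "data_sensitivity": 0.2}),
    Control("favorable_soc2", {"data_sensitivity": 0.5, "regulatory_scope": 0.6}),
    Control("sla_with_penalties", {"service_criticality": 0.5, "financial_exposure": 0.3}),
    Control("subcontractor_register", {"fourth_party_reliance": 0.5}),
]

def due_diligence_list(inherent, controls):
    """Consolidated checklist: each control touching an applicable criterion, listed once."""
    return sorted({c.name for c in controls if set(c.mitigates) & set(inherent)})

def residual_scores(inherent, controls):
    """Per-criterion residual score. Verified controls combine multiplicatively,
    so two 50% controls leave 25% of the inherent risk and never go negative."""
    residual = {}
    for crit, score in inherent.items():
        remaining = 1.0
        for c in controls:
            if c.verified and crit in c.mitigates:
                remaining *= 1.0 - c.mitigates[crit]
        residual[crit] = round(score * remaining, 2)
    return residual

def overall_rating(scores):
    """Rating band on the mean score, on the same 1-5 scale as the inherent method."""
    avg = sum(scores.values()) / len(scores)
    return "High" if avg >= 3.5 else "Medium" if avg >= 2.0 else "Low"

if __name__ == "__main__":
    print("Due diligence to request:", due_diligence_list(INHERENT, CONTROLS))
    print("Residual (nothing verified yet):", overall_rating(residual_scores(INHERENT, CONTROLS)))
```

Unverified controls contribute nothing, so the residual rating equals the inherent one until the assessment confirms each item; that keeps the two ratings comparable.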
Original Message:
Sent: 02-16-2021 07:50 PM
From: Anonymous Member
Subject: Residual Risk calculation
This message was posted by a user wishing to remain anonymous
Hi everyone!
We currently calculate the inherent risk of our service providers in the risk assessment. We use 15 criteria to calculate the inherent risk level. This year we have proposed to enhance this process and want to create a methodology to determine the residual risk (RR) for our service providers. I would like to know if anybody can help by sharing the criteria or methodology used to determine the RR, or by sharing any Excel sheet used to calculate it. I would appreciate your help.
Regards,