You're absolutely on the right track with your process of assessing the inherent risk and using that to guide due diligence. And asking about measuring and documenting residual risk tells me that your TPRM program is maturing and following best practices.
To measure residual risk here's a simple formula you can use and an example of what that might look like:
Inherent risk + Information/Controls = Residual risk
Keep in mind that residual risk will always be equal to or lower than the inherent risk.
Initial due diligence
Business continuity risk (high) + Vendor's BC/DR plan & current testing results (sufficient) = Residual risk (low)
During initial due diligence, you review the vendor's BC/DR plan and current testing results after their product was given a high inherent risk score. The vendor's controls are deemed sufficient by your subject matter expert. This might produce a residual risk of low.
Periodic due diligence
Business continuity risk (high) + Vendor's BC/DR plan & outdated testing results (sufficient) = Residual risk (high)
During periodic due diligence, you again review the vendor's BC/DR plan, but discover that the testing results have become outdated after a recent incident. This indicates that the vendor doesn't know whether their BC/DR plan is still viable because they haven't retested it. Therefore, that residual risk might change to high.
After measuring the residual risk, consider the following steps:
- Determine monitoring activities – In the example above, you would likely want to increase your ongoing monitoring activities because of those outdated testing results. This could look like following up with the vendor until they can provide evidence that they've re-tested their BC/DR plans, and the results are considered sufficient.
- Document and report – The residual risk score can be documented within your system and reported to the appropriate stakeholders in your organization like senior management, who should be kept informed of any issues related to critical/high-risk vendors.
I hope you find some of these tips helpful, and I'd like to see how other organizations are documenting their residual risk scores.
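The formula and the two due-diligence scenarios in the reply above, worked through as a small Python script. This is an added example, not code from the thread or from Venminder; the amount of credit a sufficient, currently-evidenced control earns (two risk levels), the monitoring rules and the vendor name are assumptions chosen to reproduce the two outcomes described.

```python
"""Residual-risk scoring for third-party risk management (TPRM) reviews.

Added example: not code from the original thread or from any vendor tool.
The reduction rule (how much credit sufficient controls earn) is an
assumption chosen to reproduce the thread's two scenarios.
"""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass
class ControlReview:
    """One control domain reviewed during due diligence."""
    domain: str
    sufficient: bool          # SME judged the control design adequate
    evidence_current: bool    # supporting evidence (e.g. BC/DR test results) is not stale
    note: str = ""


def residual_risk(inherent: Risk, review: ControlReview) -> Risk:
    """Inherent risk + information/controls = residual risk.

    Assumed policy: credit (risk levels subtracted) is granted only when the
    control is sufficient AND the evidence backing it is current. Stale
    evidence means we cannot know the control still works, so no credit.
    """
    credit = 2 if (review.sufficient and review.evidence_current) else 0
    residual = Risk(max(Risk.LOW, inherent - credit))
    # Invariant from the thread: controls can only lower risk, never raise
    # it above the inherent score.
    assert residual <= inherent
    return residual


def monitoring_action(residual: Risk, review: ControlReview) -> str:
    """Decide what ongoing monitoring should follow the assessment (assumed rules)."""
    if residual >= Risk.HIGH and not review.evidence_current:
        return f"increase monitoring: follow up until {review.domain} evidence is refreshed"
    if residual >= Risk.HIGH:
        return "increase monitoring: controls insufficient for a high-risk domain"
    return "standard monitoring cadence"


def assess(vendor: str, inherent: Risk, review: ControlReview) -> dict:
    """Produce the record you would document and report to stakeholders."""
    residual = residual_risk(inherent, review)
    return {
        "vendor": vendor,
        "domain": review.domain,
        "inherent": inherent.name,
        "residual": residual.name,
        "control_sufficient": review.sufficient,
        "evidence_current": review.evidence_current,
        "monitoring": monitoring_action(residual, review),
        # Critical/high-risk vendors are reported to senior management
        "report_to_senior_management": inherent == Risk.HIGH,
        "note": review.note,
    }


# Constructed scenarios mirroring the thread; the vendor name is a placeholder.
INITIAL = ControlReview("Business continuity", sufficient=True, evidence_current=True,
                        note="BC/DR plan and current test results reviewed")
PERIODIC = ControlReview("Business continuity", sufficient=True, evidence_current=False,
                         note="Test results outdated after a recent incident")

if __name__ == "__main__":
    for review in (INITIAL, PERIODIC):
        print(assess("ExampleVendor", Risk.HIGH, review))
```

Running the script prints the initial review landing at a residual of LOW and the periodic review returning to HIGH with a follow-up monitoring action, which is the record you would store alongside the inherent score rather than as a second, unrelated assessment.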
Original Message:
Sent: 08-13-2024 12:27 PM
From: Anonymous Member
Subject: Calculating and Documenting Residual Risk
This message was posted by a user wishing to remain anonymous
Hello all,
I am hoping for some clarification regarding measuring and documenting residual risk.
At this stage, all known products and services have been assessed for their inherent risk on a scale of low, moderate, and high. This guided the due diligence process in assessing vendor controls based on their high-risk domains. The process and findings were documented. After these steps, how is residual risk measured? Are people creating another risk assessment within Venminder to document a change in risk levels? Or does measuring residual risk really mean creating a summary of whether the controls were adequate?
Any other ideas would be appreciated!