Due Diligence and Ongoing Monitoring

Hi there

You are correct that you must first complete an inherent risk assessment to establish the risk rating of the engagement. And to identify the level and amount of due diligence required. Once you complete your due diligence, you should be able to determine how confident you are in the vendor's controls and if more due diligence or issue mitigation is necessary. That determination should result in what is known as a residual risk score.

Ideally, the residual risk score is lower than the risk rating because your due diligence has shown the risks to be well controlled. But that isn't always the case. You may for example, have a vendor engagement with high inherent risk and high residual risk. In this example, you may find that more or different controls are necessary to control the risks better and go back to the issue remediation process. Or your organization may choose to accept the level of risk present and implement other measures such as more frequent risk assessments and reviews as well as increased monitoring efforts.

No matter what the residual risk score is, it is essential that you only use your inherent risk rating to determine things like contract requirements, baseline requirements for due diligence, risk and performance monitoring, etc. To provide an analogy, a seatbelt in a car serves as a form of control; however, it cannot transform an unsafe driver into a safe driver. The inherent risk always exists, but measuring the residual risk helps your organization determine if additional risk handling is necessary.

I hope this explanation is helpful, but I would love to hear what other members think.

Thanks,

Hilary