Due Diligence and Ongoing Monitoring

  • 1.  Transition from Inherent risk rating to residual risk rating

    Posted 08-03-2023 01:38 AM

    Respected forum members,

    A basic doubt. Can you please help me to understand whether the due diligence activity should give a risk rating on the basis of control sufficiency, which is then used to derive the residual risk rating? Or is there some other process involved?

    As per my understanding,

    Step 1 - Conduct inherent risk assessment ---> get an inherent score (for ex., rating "x")

    Step 2 - Conduct DD (on the basis of criticality level and inherent risk score, which is "x" here) ---> get a score (for ex., rating "y")

    Step 3 - Assess residual risk (z), i.e. z = x - y

  • 2.  RE: Transition from Inherent risk rating to residual risk rating

    Posted 08-10-2023 03:08 PM

    Hi there

    You are correct that you must first complete an inherent risk assessment to establish the risk rating of the engagement, and to identify the level and amount of due diligence required. Once you complete your due diligence, you should be able to determine how confident you are in the vendor's controls and whether more due diligence or issue mitigation is necessary. That determination should result in what is known as a residual risk score.

    Ideally, the residual risk score is lower than the risk rating because your due diligence has shown the risks to be well controlled. But that isn't always the case. You may, for example, have a vendor engagement with high inherent risk and high residual risk. In this example, you may find that more or different controls are necessary to control the risks better, and go back to the issue remediation process. Or your organization may choose to accept the level of risk present and implement other measures, such as more frequent risk assessments and reviews as well as increased monitoring efforts.

    No matter what the residual risk score is, it is essential that you only use your inherent risk rating to determine things like contract requirements, baseline requirements for due diligence, risk and performance monitoring, etc. To provide an analogy, a seatbelt in a car serves as a form of control; however, it cannot transform an unsafe driver into a safe driver. The inherent risk always exists, but measuring the residual risk helps your organization determine if additional risk handling is necessary.

    I hope this explanation is helpful, but I would love to hear what other members think.