Risk Assessments

  • 1.  Residual Risk calculation

    This message was posted by a user wishing to remain anonymous
    Posted 02-16-2021 08:21 PM

    Hi everyone!

    We currently calculate the inherent risk of our service providers in the risk assessment. We use 15 criteria to calculate the inherent risk level. This year we have proposed to enhance this process and want to create a methodology to determine the residual risk (RR) for our service providers. I would like to know if anybody can help by sharing the criteria or methodology used to determine the RR or sharing any Excel used to calculate it. I will appreciate your help.

    Regards


  • 2.  RE: Residual Risk calculation

    Posted 02-19-2021 09:59 AM
    Hi! 

    This is a great question, and one that we get all the time. Before you get started, remember that we're trying to quantify and calculate a truly subjective and fluid analysis. There are hundreds of great ways to do this, but none of them will be perfect. For that reason, this is a process that often gets thwarted by "analysis paralysis". So my advice is to keep in mind that at some point, you have to draw a line in the sand and choose what you're going to do. Go with your gut, put numbers to your risk and mitigation factors in a way you find logical, and then test it out with a couple different vendors to make sure it makes sense. 

    First you need to decide if you want to mitigate each of your 15 criteria or if you want to mitigate the overall risk rating. Since you seem to have a good process for determining inherent risk, I would recommend using those 15 criteria, and start by coming up with control areas that would mitigate those inherent risks. What would you do for each risk, individually? You can turn that into a checklist of sorts, and then quantify each of those items in a way that aligns with your current way of calculating the inherent risk. Remember, some controls (like having insurance, good SLAs, background checks, favorable SOC audit) would play a part in mitigating various inherent risks... this can get complicated but try to stay organized. 

    Once you've done that, use the inherent risk criteria to determine the due diligence that needs to be done (what are the things you've decided will mitigate each applicable criterion?). Then consolidate that list (because there will be duplicates) and conduct your assessment with the vendor. Then once the assessment is complete, knock out your residual risk checklist items. Ideally, you'll have a calculation in place to give you a quantified and logical residual risk rating.

    We're doing a webinar on "risk-based due diligence" on Tuesday 2/23 which I think you might find helpful - feel free to join us! https://www.venminder.com/webinar/vendor-risk-based-due-diligence

    Good luck! 
    Nicole
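    As an added illustration of the procedure described in the reply above (this is not Nicole's or Venminder's methodology and is not code from the original thread), here is a small Python model: inherent scores per criterion, controls mapped to the criteria they mitigate, a consolidated due-diligence checklist built from the applicable criteria, and a residual score computed from the assessment outcome. The four criteria, the control names, the weights, the pass/partial/fail credits and the multiplicative formula are all assumptions chosen for illustration; a team would substitute its own 15 criteria and calibrate the weights against a few known vendors, as the reply recommends.

```python
# Illustrative residual-risk model (constructed example, not from the thread).
# Inherent-risk criteria scored 1 (low) to 5 (high). The criteria, control
# names and weights below are assumptions chosen for illustration only.
INHERENT = {
    "data_sensitivity": 5,
    "system_access": 4,
    "business_criticality": 3,
    "financial_exposure": 2,
}

# Control areas that mitigate criteria. One control can mitigate several
# criteria (insurance touches financial exposure AND criticality, a SOC report
# speaks to both data handling and access). The weight is the fraction of that
# criterion's inherent risk the control removes when it is fully met.
CONTROLS = {
    "soc2_type2_report":          {"data_sensitivity": 0.5, "system_access": 0.4},
    "encryption_at_rest_transit": {"data_sensitivity": 0.3},
    "access_deprovisioning":      {"system_access": 0.5},
    "background_checks":          {"data_sensitivity": 0.2, "system_access": 0.2},
    "sla_with_penalties":         {"business_criticality": 0.4, "financial_exposure": 0.3},
    "cyber_insurance":            {"financial_exposure": 0.6, "business_criticality": 0.2},
}

# Assessment outcome -> fraction of the control's weight that is credited.
# Anything not assessed earns no credit, so the residual stays at inherent.
RESULT_CREDIT = {"met": 1.0, "partial": 0.5, "not_met": 0.0, "not_assessed": 0.0}


def due_diligence_list(inherent, controls, threshold=4):
    """Build the due-diligence checklist from the criteria that score at or
    above `threshold`, then consolidate it so a control that covers several
    criteria is only assessed once."""
    needed = []
    for crit, score in inherent.items():
        if score < threshold:
            continue
        # every control mapped to this criterion goes on the list...
        needed.extend(name for name, mapping in controls.items() if crit in mapping)
    # ...then de-duplicate: the same SOC report covers two criteria here
    return sorted(set(needed))


def residual_scores(inherent, controls, results):
    """Residual per criterion = inherent * product over mapped controls of
    (1 - weight * credit). Each met control independently removes its share;
    no combination can drive the residual below zero."""
    residual = {}
    for crit, score in inherent.items():
        remaining = 1.0
        for name, mapping in controls.items():
            if crit in mapping:
                credit = RESULT_CREDIT[results.get(name, "not_assessed")]
                remaining *= 1.0 - mapping[crit] * credit
        residual[crit] = round(score * remaining, 2)
    return residual


def rating(scores):
    """Bucket on the worst criterion: one unmitigated high risk should not be
    averaged away by several low ones (thresholds are assumptions)."""
    worst = max(scores.values())
    if worst >= 4:
        return "High"
    if worst >= 2.5:
        return "Medium"
    return "Low"


# Constructed assessment outcome for one vendor.
SAMPLE_RESULTS = {
    "soc2_type2_report": "met",
    "encryption_at_rest_transit": "met",
    "access_deprovisioning": "partial",
    "background_checks": "not_met",
    "sla_with_penalties": "met",
    # cyber_insurance deliberately left unassessed
}

if __name__ == "__main__":
    print("checklist:", due_diligence_list(INHERENT, CONTROLS))
    res = residual_scores(INHERENT, CONTROLS, SAMPLE_RESULTS)
    print("inherent rating:", rating(INHERENT))
    print("residual:", res, "->", rating(res))
```

    With the sample outcome the vendor drops from an inherent rating of High to a residual of Low, and the checklist for the two criteria scoring 4 or higher consolidates six criterion-level control hits into four controls to assess. The multiplicative form is one choice among many; the point Nicole makes about drawing a line in the sand applies equally to the weights and the bucket thresholds.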



  • 3.  RE: Residual Risk calculation

    Posted 02-19-2021 12:05 PM
    I would urge caution in making things too complex as they will become burdensome as your company grows and the number of vendors increases. As Nicole suggests, perhaps you should consider taking your initial assessment and work on how you can improve the overall score, especially for the criteria points where they scored poorly. This would most likely give you cause in working with the vendors to improve the score and when needed should certainly play a factor when negotiating the contract.

    On another note and keeping in mind your desire to enhance the overall process, do you have a set of controls for the vendor management framework which are assessed on a regular basis and applied down to each Department? As an example, one such control could be, "3rd party vendor access privileges are disabled upon completion of work." This control would be evaluated for every department that has vendors and assessed / tested on how well they practice this control.