Hello,
The inherent risk rating determines all vendor risk management requirements and routines. The rationale for not using the residual risk rating is that residual risk is based on the assumed sufficiency of the controls. Those controls are verified at a point in time and can and do sometimes change or fail; they also don't eliminate the risks presented in the vendor engagement.
Always use your inherent risk to determine the scope of due diligence, contractual requirements, level of insurance, and routines to monitor and manage vendor risk and performance.
I hope that is helpful, but I would love to hear from other members.
Original Message:
Sent: 04-13-2023 05:19 PM
From: Anonymous Member
Subject: Vendor risk and contracting
This message was posted by a user wishing to remain anonymous
What risk rating are you using as a basis for contracting and insurance requirements? Do you use the inherent risk rating or the residual risk rating?