
HOW TO QUANTIFY AND

MANAGE INHERENT RISK


FOR THIRD PARTIES
Overcome the Challenges of Inherent Risk in Your
Third-Party Risk Management Program

PROCESSUNITY WHITE PAPER


EXECUTIVE SUMMARY
Maintaining strong vendor relationships is critical in today’s highly connected and globalized market. But for some
organizations, supply chains have become ungovernably large, and the challenges facing procurement and risk
management teams are only growing.

At the same time, good third-party relationships offer innumerable opportunities for business growth. They can
reduce time-to-market, make your business more efficient and let you tap into resources across the globe.

However, every new vendor adds risk to an organization. With supply chain attacks at an all-time high, it has never
been more important to conduct the necessary due diligence when onboarding new vendors and suppliers and
continue to manage the risk thereafter.

In this paper, we’ll discuss the initial risks involved when onboarding new vendors, and walk through how to track and
manage inherent risk in a way that boosts your ability to build partnerships that add value to the entire organization.


HOW TO QUANTIFY AND MANAGE INHERENT RISK FOR THIRD PARTIES | 2


CONTENTS
1 WHY IS INHERENT RISK IMPORTANT?

2 HOW TO DEVELOP INHERENT RISK CALCULATIONS

3 INHERENT RISK METHODOLOGY SIMPLIFIED



1. WHY IS INHERENT RISK IMPORTANT?

Every business relationship comes with a degree of risk. While no organization can expect to eliminate risk entirely, the right framework can help take it down to an acceptable level and establish the right contingencies in case things go wrong.

How an organization conducts pre-contract due diligence is dependent upon the organization’s appetite for risk and the thresholds they use to quantify inherent risk.

Inherent risk is the unmitigated risk posed to an organization prior to any mitigation. Before a business can begin conducting due diligence on a vendor, they must conduct an intake, questionnaire or assessment to determine inherent risk.

Although this sounds like a relatively simple process, many organizations make it unnecessarily complex by including too many variables or relying on manual processes prone to error and inconsistency. From spreadsheets that cannot be easily consolidated to emails that fail to create a documentable trail of activity, time-intensive processes that require heavy manual analysis can play a large part in discrepancies and mistakes.

[Figure: bar chart of number of organizations (y-axis, 0-60) against percent of vendor populations assessed (x-axis, 20%-100%). Caption: Two thirds of companies are conducting risk assessments on less than half of their vendors.]



Risk is also not always easy to spot. Sometimes, poor operational practices on the part of a third party can leave clients open to direct financial loss and impact their reputation. Other financial risk factors, such as the financial strength and credit risk of a third party, may directly impact another risk domain – operational continuity.

Today’s organizations have grown more dependent on third parties than ever before; not just suppliers, but technology vendors which deliver mission-critical services. Many core business processes now take place in the cloud, and an increasing number of organizations are now operating entirely in the digital space. Imagine then, for example, an online retailer having their website taken offline due to a technical failure or cyberattack against the company which hosts it. Until it’s up and running again, the business will be unable to function at all, potentially resulting in enormous loss of profit.

Another risk domain – regulatory compliance – extends far beyond the entities it applies to, to incorporate third-party vendors as well. Given the lack of a truly global regulatory environment, the landscape isn’t getting any easier to navigate either. Moreover, many governmental bodies are developing their own regulations to tackle concerns like information privacy and security.

It is even more complicated to meet the demands of compliance in highly-regulated industries like healthcare because organizations covered by HIPAA may be held accountable if one of their vendors is in breach of compliance. In this case, every vendor a covered entity does business with must also be HIPAA-compliant by way of a business associate agreement.

For many enterprises, a poorly vetted supplier can end up being the weakest link in operational continuity. The lack of a broader sourcing strategy supported by appropriate resources introduces many unknowns when navigating increasingly complex third-party ecosystems.

In short, a bad vendor choice can leave an organization open to risk across various domains ranging from data security to compliance failures…or worse.

What Happens If You Ignore Inherent Risk?

• “Both a global airline and major retailer disclosed data breaches this week that highlight the risk businesses face from the growing ecosystem of third parties connected to their networks.” 1

• “An American cybersecurity firm suffered a data breach after a third-party vendor accidentally published personal data regarding the firm’s employees online.” 2

• “An organization that is responsible for securing the country’s borders was the latest high-profile organization to fall victim to a supply chain attack.” 3

• “A Kentucky-based health insurance provider fell victim to a data breach caused by a third-party vulnerability.” 4

• “Sensitive documents for over a hundred manufacturing companies were exposed on a publicly accessible server belonging to a US-based robotics vendor.” 5



2. HOW TO DEVELOP INHERENT RISK CALCULATIONS

“A fifth of organizations have more than 5,000 third-party vendors within their ecosystem.”
- EY

Although all third-party vendors must be onboarded, they do not merit equal attention. As discussed above, vendors that provide essential services, or hold sensitive data, carry a higher degree of risk and must be assessed as such.

The goal of the inherent risk questionnaire is to determine which third parties among a vendor universe carry meaningful risk that requires more than a cursory review.

The process of onboarding a new vendor starts with an inherent risk assessment or questionnaire. The procurement teams, or any other party making the request to onboard a new vendor or add a new product/service to an existing vendor, will typically answer a set of ten or more (…in some cases many more) questions related to how the new vendor or product/service manages their security profile and client data.

The major service types that are necessary for the business must be determined before an inherent risk questionnaire can be developed, including finance, data storage, customer, marketing, legal, etc. In turn, the standardized list of questions should consider factors related to confidentiality, criticality, geography, spend and more – depending on what makes sense for your business.

The inherent risk questionnaire must be in line with a scoring system that can be utilized for each vendor. In short, once a team member completes the questionnaire, the vendor will be given an inherent risk score. The score will then be evaluated to determine the scope of due diligence necessary before deciding whether or not to onboard the new vendor.

What Does A Typical Questionnaire Look Like?

Inherent risk questionnaires cover the two main areas mentioned – the type of service and the risk criteria of that service. The combination of the service type and risk criteria categorizes the level of risk. For example, a financial services vendor with access to confidential information presents a much higher inherent risk than a social media marketing vendor in a position to influence brand reputation.

The below examples of question types within an inherent risk questionnaire will determine the extent to which an organization should perform due diligence with a potential vendor.



Business Continuity

By far the most important factor when quantifying inherent risk is how important the service is to the continued operations of the organization. With many organizations now hosting a range of core operations in the public cloud, vendors like Amazon, Google and Microsoft, for example, are often considered critical to business operations.

Typically, if a vendor’s service is critical to the business, then the vendor will automatically be flagged as a critical vendor and no other inherent risk assessment is necessary.

Question to Ask: Is the service essential to the business operations of our company?

Contract Size

Even if the service isn’t critical to business operations, the annual contract amount also places a heavy burden on the risk category. Organizations have different thresholds depending on their size and availability of funds. For example, a contract size of $1,000,000 might add to the risk score in a large enterprise. For smaller companies, the value might be $100,000 per year or less.

Question to Ask: What is the expected annual financial contract amount of the third-party service?

Geographical Location

Outsourcing overseas adds risk in a variety of ways, such as varying compliance regulations and business standards. But sometimes, sourcing from overseas is unavoidable. If all or part of the service a vendor provides is performed abroad, it will be necessary to determine whether they meet any necessary compliance standards and align with the organization’s policy.

Question to Ask: Will all parts of the service be performed domestically?

Difficulty of Replacement

Some vendors are easier to replace than others. For example, vendor lock-in might prevent clients from easily switching over to a competing company. With cloud computing, data egress fees when migrating to a new provider can be prohibitively costly. Other vendors might literally be one-of-a-kind, particularly in niche manufacturing sectors.

Question to Ask: How difficult would it be to replace this service with an alternative?

Volume of Records

The number of records a vendor is expected to process, store or transmit also plays a direct role in the level of risk taken. Some organizations mitigate this by using multiple vendors rather than having one handle everything. As with annual contract amount, the optimal threshold can differ between companies. Around 50,000 is a good start for larger enterprises.

Question to Ask: What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this third party?

Regulatory Requirements

Many services are subject to compliance requirements pertaining to things like information protection, health and safety, international trade laws and environmental regulations. If these regulations aren’t met on the part of a vendor, then the client may also be held accountable, hence the increased inherent risk.

Question to Ask: Is any part of the third-party service being provided subject to any regulatory or compliance requirements?



Access to Sensitive Data

This value is broader than compliance alone, since a breach can result in serious reputational damage and disruption to business operations. If a third party is to store or access sensitive information like Personally Identifiable Information (PII) or Protected Health Information (PHI), it automatically adds to the inherent risk.

Question to Ask: Does this third party store, process, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI) as a part of this service?

Cloud Computing

While there’s no denying the business benefits of cloud computing, it does introduce some new inherent risks. Although most data breaches result from mismanaged access rights rather than vulnerabilities in the cloud itself, placing sensitive data in an off-site location connected to the Web does expand the potential risk surface.

Question to Ask: As a part of this service, will any of our data be stored in the cloud?

Access to Technical Infrastructure

If a vendor has access to technical infrastructure, such as the in-house network or server room, there’s another potential access point for hackers. Thus, the attack surface expands considerably.

Question to Ask: As a part of this service, will the third party have access to our IT network or technical infrastructure?

Outsourcing of Services

Every company outsources operations to multiple suppliers, including suppliers themselves. No longer is it enough to think only about third-party risk management, but also about fourth parties – those who vendors do business with themselves. If a vendor relationship involves a fourth party, the risk also increases.

Question to Ask: Will any part of the service be outsourced as part of this agreement?



How to Score Each Response to Determine the Risk Classification

Developing the questionnaire is only the first step in quantifying inherent risk. Once the questionnaire is set and agreed upon, a standardized scoring system must be applied to ensure that each vendor is scored appropriately.

Organizations must determine a point system that makes sense for their business – each response must be aligned to a specific variable, score or value (point, letter, etc.) and weighed accordingly.

Unfortunately, there is no one inherent risk scoring system that fits every business – the points or variables assigned to them will vary from one business to the next depending on their operational environment – but following the items below will allow teams to develop a scoring system that will streamline inherent risk questionnaires and set them up for success.

Develop Risk Classifications

The results of the questionnaire need to align with a risk classification that will determine the extent to which an organization should perform due diligence with a potential vendor. A four-level risk classification – Low, Medium, High and Critical – is a simple way to distinguish between the risky vendors and those that don’t need additional due diligence, but more sophisticated classifications can be established, as well.

Determine Which Responses Will Bring More Risk to the Business

Risk management and procurement teams must review the questionnaire in detail to determine which combination of responses will result in a vendor being classified as Low, Medium, High or Critical.

If an organization determines that a “yes” response to the business continuity question is enough to classify a vendor as Critical, the scoring system should award an affirmative answer with enough points to cross the Critical threshold. While business continuity automatically classifies a vendor as critical, there are, most likely, other combinations of questions and answers that would also label the vendor as Critical. The key to building a successful scoring system is to determine which combinations of questions and answers add up to the outlined risk levels.

For example, a vendor that is not critical to operations, but 1) has a high contract value, 2) is international, 3) has a high annual record volume, 4) has access to the technical infrastructure, 5) is delivered as a cloud-based solution and 6) has access to PII could also be classified as critical due to the amount of risk involved. The combined answers from the six questions carry as much risk weight as a single “yes” to the business continuity question.

Using simple math, the total score of the six questions must equal the score of the business continuity question, so if each of the six questions is worth two points, the business continuity question should be worth 12, and the threshold for a Critical vendor should be set to 12 or higher.

Apply this same logic to build out scores for all risk levels and then check the math.



Here’s another example: a vendor that will 1) outsource a portion of their services and 2) is subject to regulatory requirements (four total points) will have a lower risk classification than a vendor that 1) has a high contract value, 2) is difficult to replace, 3) has access to PII and 4) has access to the business’s technical infrastructure (eight total points).

The below examples of a completed inherent risk questionnaire with scores applied further showcase how risk can be quantified.

Once the team understands where the highest risks are, point values can be assigned to each response, and vendors can be reviewed equally without any room for discrepancy.

Align Point Values to Risk Classification

Along with determining the risk classifications and establishing point values, each classification must have a threshold – a specified value that must be exceeded for a vendor to be placed within a specific classification. The point/variable distribution that is aligned to each risk classification does not need to be uniform (as seen within the below example).

The completed inherent risk questionnaires with scores applied show how a standardized scoring system can be applied across a vendor population.

RISK CLASSIFICATION VALUES

Low: 0-5    Medium: 6-7    High: 8-11    Critical: 12+

Intake Questions                                              Point Values

Service is essential to company operations                    12
Annual contract amount >$500,000                               6
A part of the service is performed internationally             2
Difficult to replace service with alternative                  2
High annual record volume                                      2
Service is subject to regulatory requirements                  2
Third party has access to PII or PHI                           2
Service is delivered as a cloud-based solution                 2
Third party has access to our technical infrastructure         2
Third party outsources a portion of the service                2



New Vendor: Major Bank

Is the service essential to the business operations of our company?  Yes (12 points)

Inherent Risk Score: 12
Inherent Risk Classification: Critical

New Vendor: Grounds Maintenance

Is the service essential to the business operations of our company?  No (0 points)
What is the expected annual financial contract amount of the third-party service?  Less Than $500,000 (0 points)
Will all parts of the service be performed domestically?  Yes (0 points)
How difficult would it be to replace this service with an alternative?  Easy (0 points)
What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this Third Party?  Less Than 50,000 (1 point)
Is any part of the third-party service being provided subject to any regulatory or compliance requirements?  No (0 points)
Does this Third Party store, process, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI) as a part of this service?  No (0 points)
As a part of this service, will any of our data be stored in the cloud?  Yes (2 points)
As a part of this service, will the Third Party have access to our IT network or technical infrastructure?  No (0 points)
Will any part of the service be outsourced as part of this agreement?  Yes (2 points)

Inherent Risk Score: 5
Inherent Risk Classification: Low



New Vendor: Records Shredder

Is the service essential to the business operations of our company?  No (0 points)
What is the expected annual financial contract amount of the third-party service?  Less Than $500,000 (0 points)
Will all parts of the service be performed domestically?  Yes (0 points)
How difficult would it be to replace this service with an alternative?  Difficult (2 points)
What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this Third Party?  Greater Than 50,000 (2 points)
Is any part of the third-party service being provided subject to any regulatory or compliance requirements?  Yes (2 points)
Does this Third Party store, process, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI) as a part of this service?  Yes (2 points)
As a part of this service, will any of our data be stored in the cloud?  No (0 points)
As a part of this service, will the Third Party have access to our IT network or technical infrastructure?  No (0 points)
Will any part of the service be outsourced as part of this agreement?  No (0 points)

Inherent Risk Score: 8
Inherent Risk Classification: High



New Vendor: Payroll Provider

Is the service essential to the business operations of our company?  No (0 points)
What is the expected annual financial contract amount of the third-party service?  Less Than $500,000 (0 points)
Will all parts of the service be performed domestically?  No (2 points)
How difficult would it be to replace this service with an alternative?  Difficult (2 points)
What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this Third Party?  Greater Than 50,000 (2 points)
Is any part of the third-party service being provided subject to any regulatory or compliance requirements?  Yes (2 points)
Does this Third Party store, process, or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI) as a part of this service?  Yes (2 points)
As a part of this service, will any of our data be stored in the cloud?  Yes (2 points)
As a part of this service, will the Third Party have access to our IT network or technical infrastructure?  No (0 points)
Will any part of the service be outsourced as part of this agreement?  No (0 points)

Inherent Risk Score: 12
Inherent Risk Classification: Critical
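As an added illustration (example code written for this edit, not ProcessUnity's own software or any part of the original paper), the following Python encodes the point values and classification bands from the table above, scores the four sample vendors, and performs the “check the math” step the paper calls for, so that a team changing a weight or threshold can see immediately whether the business continuity question still forces a Critical classification on its own. The point values, bands and vendor answers are taken from the paper; the question keys, the `intake()` helper and the tiered handling of record volume (1 point below 50,000 records, 2 above, matching the worked examples) are this example's own assumptions.

```python
from typing import Any

# Point values from the paper's "Intake Questions / Point Values" table.
# Yes/no questions map True/False to points. Record volume is tiered because the
# paper's worked examples award 1 point below 50,000 records and 2 above
# (the tier names are an assumption of this example).
QUESTION_POINTS: dict[str, dict[Any, int]] = {
    "essential_to_operations":   {True: 12, False: 0},
    "annual_contract_over_500k": {True: 6,  False: 0},
    "performed_internationally": {True: 2,  False: 0},
    "difficult_to_replace":      {True: 2,  False: 0},
    "annual_record_volume":      {"under_50k": 1, "over_50k": 2},
    "subject_to_regulation":     {True: 2,  False: 0},
    "access_to_pii_or_phi":      {True: 2,  False: 0},
    "cloud_based":               {True: 2,  False: 0},
    "access_to_infrastructure":  {True: 2,  False: 0},
    "outsources_portion":        {True: 2,  False: 0},
}

# Classification bands from the paper: Low 0-5, Medium 6-7, High 8-11, Critical 12+.
# Each entry is (lower bound, label); classification takes the highest band reached.
CLASSIFICATION_BANDS: list[tuple[int, str]] = [(12, "Critical"), (8, "High"), (6, "Medium"), (0, "Low")]


def classify(score: int, bands=CLASSIFICATION_BANDS) -> str:
    """Map a total score to its risk classification."""
    for lower, label in sorted(bands, reverse=True):
        if score >= lower:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def score_vendor(answers: dict[str, Any], points=QUESTION_POINTS, bands=CLASSIFICATION_BANDS) -> dict:
    """Score one completed intake questionnaire.

    A "yes" to the business continuity question flags the vendor as Critical on
    its own, so the remaining questions are not required (the paper's Major Bank
    example asks only that question). Otherwise every question must be answered
    with one of its known responses; anything else is rejected rather than
    silently scored as zero.
    """
    essential = answers.get("essential_to_operations")
    if essential is None:
        raise ValueError("the business continuity question must be answered first")
    if essential:
        total = points["essential_to_operations"][True]
        return {"score": total, "classification": classify(total, bands),
                "breakdown": {"essential_to_operations": total}}
    breakdown: dict[str, int] = {}
    for question, scale in points.items():
        if question not in answers:
            raise ValueError(f"missing answer for {question!r}")
        if answers[question] not in scale:
            raise ValueError(f"unexpected answer {answers[question]!r} for {question!r}")
        breakdown[question] = scale[answers[question]]
    total = sum(breakdown.values())
    return {"score": total, "classification": classify(total, bands), "breakdown": breakdown}


def check_scoring_design(points=QUESTION_POINTS, bands=CLASSIFICATION_BANDS) -> list[str]:
    """'Check the math': return the design problems found (empty when consistent)."""
    problems = []
    critical_floor = max(lower for lower, _ in bands)
    essential = points["essential_to_operations"][True]
    if classify(essential, bands) != "Critical":
        problems.append(f"business continuity 'yes' scores {essential}, below the Critical floor of {critical_floor}")
    # The paper expects other answer combinations to reach Critical too, so the
    # best case without business continuity must at least hit the floor.
    worst_other = sum(max(scale.values()) for q, scale in points.items() if q != "essential_to_operations")
    if worst_other < critical_floor:
        problems.append("no combination of non-essential answers can reach Critical")
    lowers = sorted(lower for lower, _ in bands)
    if lowers[0] != 0 or len(set(lowers)) != len(lowers):
        problems.append("classification bands must start at 0 and not overlap")
    return problems


def intake(**answers: Any) -> dict[str, Any]:
    """Build a full questionnaire answered 'no' everywhere unless overridden (helper, assumed)."""
    base: dict[str, Any] = {q: False for q in QUESTION_POINTS}
    base["annual_record_volume"] = "under_50k"
    base.update(answers)
    return base


# The paper's four worked examples, transcribed as constructed inputs.
MAJOR_BANK = {"essential_to_operations": True}
GROUNDS_MAINTENANCE = intake(cloud_based=True, outsources_portion=True)
RECORDS_SHREDDER = intake(difficult_to_replace=True, annual_record_volume="over_50k",
                          subject_to_regulation=True, access_to_pii_or_phi=True)
PAYROLL_PROVIDER = intake(performed_internationally=True, difficult_to_replace=True,
                          annual_record_volume="over_50k", subject_to_regulation=True,
                          access_to_pii_or_phi=True, cloud_based=True)

if __name__ == "__main__":
    for name, answers in [("Major Bank", MAJOR_BANK), ("Grounds Maintenance", GROUNDS_MAINTENANCE),
                          ("Records Shredder", RECORDS_SHREDDER), ("Payroll Provider", PAYROLL_PROVIDER)]:
        result = score_vendor(answers)
        print(f"{name}: {result['score']} -> {result['classification']}")
    print("design problems:", check_scoring_design() or "none")
```

Running the script reproduces the paper's results (12/Critical, 5/Low, 8/High, 12/Critical). The design check is the part worth keeping in a real program: if a team later lowers the business continuity weight to, say, 10 while leaving the Critical floor at 12, the check reports that an essential service would no longer be flagged Critical automatically, which is exactly the rule the paper says must hold.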



3. INHERENT RISK METHODOLOGY SIMPLIFIED

It’s much harder to mitigate inherent risk if the organization has an inconsistent approach to developing the inherent risk questionnaire and scoring vendors. Operational siloes between different branches and departments can result in weak links in vendor management, which can in turn result in adverse consequences for the organization at large.

An enterprise-wide inherent risk management methodology and scoring system can standardize the vendor onboarding process and provide procurement, Line of Business and risk management teams with a complete audit trail of every vendor relationship. Additionally, a consistent, standardized process makes process automation far easier than inconsistent, manual scoring.

An automated, standardized scoring system will:

Establish Uniformity Among Vendor Analysts

One system of record for all questionnaires allows businesses to remove subjectivity and establish consistency across all vendors. This guarantees that vendor scoring remains the same no matter who scores the questionnaire.

Develop Streamlined, Repeatable Processes

An automated system actively prompts users for necessary information and pushes the process to the right people at the right times, minimizing human error that comes with complicated and lengthy assessments.

Apply Business Logic

Most importantly, automation allows users to apply rules, logic, and scoring intelligence to move to the next step. With automated systems, business users can automatically determine the set of questions and document requests appropriate to each vendor’s level of inherent risk.

By streamlining the inherent risk process, due diligence scoping becomes far easier. With an automated inherent risk score, effective due diligence can be conducted to ensure the vendor is secure and the team can move forward.



Final Words

Organizations can’t rely on taking a reactive approach when onboarding new vendors within a third-party risk management program. As vendor ecosystems grow more complex, onboarding new suppliers isn’t going to get any easier for those relying on manual processes. Moreover, the future holds no shortage of new threats as data continues to proliferate and new compliance regulations further complicate the landscape.

To overcome the challenges of an uncertain future, vendor risk management teams need to:

• Establish an enterprise-wide methodology for quantifying inherent risk

• Quantify inherent risk and determine where their high-risk assets lie

• Create a repeatable, consistent process to conduct inherent risk

An intelligent inherent risk intake process acknowledges differences in risk that merit different degrees of review, prioritizes the vendors who require further investigation and reduces costly and time-consuming analyst input.

With the right third-party risk management platform and policies, teams will be better equipped to make informed decisions when choosing new suppliers and maintaining existing vendor relationships. This won’t just simplify compliance and administration – it will also drive business growth through stronger partnerships and allow organizations to capitalize on new opportunities without adding risk.

Contact ProcessUnity to streamline and automate your inherent risk assessment process. ProcessUnity Vendor Risk Management (VRM) is a software-as-a-service (SaaS) application that identifies and remediates risks posed by third-party service providers. Combining a powerful vendor services catalog with risk process automation and dynamic reporting, ProcessUnity VRM streamlines third-party risk activities while capturing key supporting documentation that ensures compliance and fulfills regulatory requirements. ProcessUnity VRM provides powerful capabilities that automate tedious tasks and free risk managers to focus on higher-value mitigation strategies.

Schedule a demo of ProcessUnity Vendor Risk Management.



www.processunity.com

info@processunity.com

978.451.7655

Twitter: @processunity
LinkedIn: ProcessUnity

 ProcessUnity
33 Bradford Street
Concord, MA 01742
United States

200309
