Tuesday, May 5, 2020

Managing Inherent Risks in TPRM


Vendor Risk Management

A successful vendor management program needs to invest heavily in managing the risks associated with third-party vendors. While doing TPRM, we generally assess risks such as information security and compliance risk. However, a one-size-fits-all approach to vendor risk management is not optimal. The program needs to be tailored to the risks associated with the specific engagement(s). This risk, which is associated with the nature of the engagement, is called the Inherent Risk. Inherent risk is the risk associated with a given engagement regardless of the controls the vendor has implemented. It gives you an indication of the level of due diligence you need to do on the vendor.

For an engagement with low inherent risk you may choose to assess basic controls while for a high inherent risk engagement, you may want to do an onsite audit and validate all controls.

What is Inherent Risk?

Mathematically, Risk = Likelihood * Impact.

It is the likelihood of a breach happening multiplied by the impact of the breach on the business.

To explain this better, let us consider 2 scenarios.

In scenario 1, your client is sending sensitive data to Amazon. In scenario 2, they are sending the same sensitive data to a little-known offshore company. Is the inherent risk the same in both scenarios?

In the above case, where the same sensitive data was sent to two different vendors, the impact was high regardless of the vendor. The likelihood of the data being breached at Amazon is low, while the likelihood of it being breached at the little-known offshore company is high. (If you have no data on which to base the likelihood, you may choose to apply the same likelihood across all engagements; if you want to be conservative, use a high likelihood.)

The result is that the inherent risk in scenario 2 is higher than scenario 1.

Inherent risk is different from Residual Risk. Residual risk is the risk that remains after assessing the controls that are implemented to mitigate the risks. This is calculated by multiplying inherent risk with the effectiveness of the control.

In this article, we are going to focus on Inherent Risk. Let’s start with the basics:

IMPACT and LIKELIHOOD:

Impact - helps you figure out the kind of data that can be compromised and how much data can be compromised. It gives you a sense of the extent of the damage you will incur and the kind of impact it will have on your business. In some cases it will be a financial loss, whereas in others it might be a reputational loss. What kind of loss will be more harmful to you? How much damage can you survive? These are some of the areas you will get clarity on.

Likelihood - helps you figure out the probability of a breach happening. Determining the likelihood depends on several factors; you can take the highest factor rating if you want to be conservative, or you can take an average. Where is the data being accessed from? The rating is typically low if the data is accessed from inside your office, medium if the access is offsite from a country with a low CPI (Corruption Perception Index), and high for all other offsite access. How is the data being accessed and/or transferred? The rating is inherently high if access and transfer are manual, to factor in human error; low for automated access; and medium where the data is accessed by VDI but no data is transferred.
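The scoring rules above (Risk = Likelihood * Impact, the location and access-method factors for likelihood, the conservative "take the highest rating" option versus the average, and residual risk derived from inherent risk and control effectiveness) can be put into a small calculator. The following is an added example written for this article; it is not Complyscore's tooling or the article's own code. The 1/2/3 ordinal scale, the due-diligence thresholds, the factor names such as `offsite_low_cpi` and `vdi_no_transfer`, and the two sample engagements are all constructed for illustration, and the residual-risk multiplier is interpreted as the fraction of risk the controls leave behind, which is an assumption about the article's wording.

```python
"""Inherent and residual risk scoring for a third-party engagement.

Added example, not the article's or Complyscore's own tooling. It encodes
the article's rules:
  - Risk = Likelihood * Impact
  - likelihood from where and how data is accessed; take the highest
    factor rating to be conservative, or the average
  - residual risk = inherent risk adjusted for control effectiveness
The 1/2/3 numeric scale, the due-diligence thresholds, the factor names
and the sample engagements are constructed for illustration.
"""
from statistics import mean
from typing import Dict

RATING = {"low": 1, "medium": 2, "high": 3}  # constructed ordinal scale


def location_rating(access_location: str) -> int:
    """Article rule: access from inside your office is low; offsite access
    from a low-CPI country is medium; all other offsite access is high."""
    table = {
        "onsite": RATING["low"],
        "offsite_low_cpi": RATING["medium"],
        "offsite_other": RATING["high"],
    }
    if access_location not in table:
        raise ValueError(f"unknown access location: {access_location!r}")
    return table[access_location]


def method_rating(access_method: str) -> int:
    """Article rule: manual access/transfer is high (human error); automated
    access is low; VDI access with no data transfer is medium."""
    table = {
        "manual": RATING["high"],
        "automated": RATING["low"],
        "vdi_no_transfer": RATING["medium"],
    }
    if access_method not in table:
        raise ValueError(f"unknown access method: {access_method!r}")
    return table[access_method]


def likelihood(access_location: str, access_method: str,
               conservative: bool = True) -> float:
    """Combine the factor ratings: highest rating if conservative, else average."""
    ratings = [location_rating(access_location), method_rating(access_method)]
    return float(max(ratings) if conservative else mean(ratings))


def inherent_risk(impact: int, likelihood_score: float) -> float:
    """Risk = Likelihood * Impact, before any vendor controls are considered."""
    return likelihood_score * impact


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Risk remaining after the vendor's controls are taken into account.
    The article multiplies inherent risk by control effectiveness; assumed
    here to mean effectiveness is the fraction of risk the controls remove
    (1.0 = fully effective), so the multiplier is (1 - effectiveness)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return inherent * (1.0 - control_effectiveness)


def due_diligence_tier(inherent: float) -> str:
    """Map the score to the depth of review the article describes.
    Thresholds on the 1..9 scale are constructed, not from the article."""
    if inherent >= 6:
        return "onsite audit, validate all controls"
    if inherent >= 3:
        return "questionnaire plus evidence for key controls"
    return "basic control assessment"


def score_engagement(name: str, impact: str, access_location: str,
                     access_method: str, control_effectiveness: float,
                     conservative: bool = True) -> Dict[str, object]:
    """Full scoring for one engagement; returns the intermediate values too."""
    lik = likelihood(access_location, access_method, conservative)
    inh = inherent_risk(RATING[impact], lik)
    return {
        "engagement": name,
        "impact": RATING[impact],
        "likelihood": lik,
        "inherent_risk": inh,
        "due_diligence": due_diligence_tier(inh),
        "residual_risk": residual_risk(inh, control_effectiveness),
    }


if __name__ == "__main__":
    # Constructed engagements mirroring the article's two scenarios: the same
    # sensitive data (high impact) going to a large cloud provider over an
    # automated, onsite-managed integration, versus to a little-known offshore
    # firm that pulls it manually from an offsite location.
    for e in (
        score_engagement("large cloud provider", "high", "onsite", "automated", 0.8),
        score_engagement("offshore firm", "high", "offsite_other", "manual", 0.3),
    ):
        print(e)
```

Running the block scores the two constructed scenarios side by side: both carry the same impact, but the factor-derived likelihood is low for the cloud provider and high for the offshore firm, so the offshore engagement lands in the highest inherent-risk tier and calls for the deeper due diligence the article describes.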

CATEGORIES of RISK

Inherent risk can be categorized into different areas:

Technology - the risk you face due to a failure in the vendor's technology,

Compliance - the risk that the vendor does not handle the data in a compliant manner,

Finance - the risk you might incur if the vendor fails to deliver,

Legal - the risk you face when the vendor does not keep up with laws and regulations,

Privacy - the risk you face if your vendor does not put sufficient controls in place to protect privacy, and

BCP (Business Continuity Process) - the risk you face if the vendor goes out of business.

Since the risk areas to be assessed depend on the type of engagement between the vendor and the client, the inherent rating is assigned once the type of engagement has been determined.

For each area/category of risk to be assessed, you will need to develop specific factors to calculate the impact and likelihood. As seen earlier for cyber security risk, the impact depends on the type and volume of data accessed, and the likelihood depends on how the data is accessed. Develop similar factors for each area.

QUESTIONS TO ASK:

In this part, we will cover the bare minimum questions you need to ask to help you calculate the inherent risk.

You need to know:

Access to the data: Is access to sensitive data separated by roles and responsibilities? Is there hierarchical access and ownership of data? Or is it a free-for-all?

Storage and protection of data: Is it in a place with open access? Are there controls in place to safeguard it?

Physical controls: Are there physical controls in place? Is the room hosting the data locked? Is there keycard access in place?

Here is a snapshot of some of the questions posed by our vendor risk management solutions to assess our clients' risk. Contact us to learn more about Complyscore's IT vendor management services.
