In cybersecurity, risk is a constant and is often necessary to allow for innovation, progress, and organizational success. Mature third-party cyber risk management (TPCRM) programs identify unacceptable and acceptable risk, rather than focusing only on the elimination of all risks.
One of the primary tasks of TPCRM professionals is to determine how to respond to risk. Effective risk management requires us to recognize that some risks are not only necessary, but beneficial. We must also realize that while it may sound like a worthwhile goal, attempting to completely remove all risk is futile.
There are two main types of risk: inherent and residual. While not all risk is bad, knowing the differences will help shed light on where you should focus your remediation efforts.
Here are a few of the differences between the two:
Inherent risk describes the risk present when all cybersecurity controls fail or are missing. It provides a worst-case scenario view.
Inherent risk analysis answers questions like the following:
- What general risk does this third party pose?
- If this third party has a cyber incident, how bad could it be?
- How is inherent risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least inherent risk ranked relative to one another?
Residual risk describes the risk that remains when cybersecurity controls are in place: it is what is left of the inherent risk after the controls assessment answers tell us what was mitigated. Residual risk is lowered by implementing (sub-)controls in assessment Tiers 2 and 3, or by performing well against the strength, timeliness, and coverage questions in a Tier 1 assessment. If questions are routinely answered No, the residual risk will approach the original inherent risk, because little has been mitigated.
Residual risk analysis answers questions like the following:
- What specific risk does this third party pose?
- What types of cyber incidents are likely to affect this third party?
- How is residual risk distributed within this individual third party?
- How is residual risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least residual risk for specific controls, types of cyber incidents, etc.?
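The relationship between the two scores, and why the ranking of third parties can differ between them, is easier to see in a small model. The following is an added illustration written for this article, not the assessment methodology or scoring of any program described here: it assumes a constructed inherent score per third party and a constructed set of control questions, each carrying a hypothetical weight for the share of inherent risk it mitigates when answered Yes. A No answer mitigates nothing, so an all-No assessment leaves residual risk equal to inherent risk, as the text states.

```python
"""Toy inherent-vs-residual risk model for a portfolio of third parties.

Constructed illustration only. The vendor names, control names and weights
are made up for the example and are not drawn from any real assessment.
"""
from dataclasses import dataclass, field


@dataclass
class ControlAnswer:
    control: str   # hypothetical control name, e.g. "MFA for remote access"
    weight: float  # share of inherent risk this control mitigates when met (0..1)
    met: bool      # True for a "Yes" answer, False for "No"


@dataclass
class ThirdParty:
    name: str
    inherent: float  # worst-case score (0..100) with every control absent
    answers: list = field(default_factory=list)


def residual_risk(tp: ThirdParty) -> float:
    """Residual = inherent * (1 - total weight of controls answered Yes).

    The mitigated share is clamped to [0, 1] so residual risk never exceeds
    the inherent score (no controls met) or falls below zero (all met).
    """
    mitigated = sum(a.weight for a in tp.answers if a.met)
    mitigated = min(max(mitigated, 0.0), 1.0)
    return round(tp.inherent * (1.0 - mitigated), 2)


def rank_by(parties, score):
    """Order third parties highest-risk first by the given scoring function."""
    return sorted(parties, key=score, reverse=True)


def unmitigated_controls(tp: ThirdParty) -> list:
    """Controls answered No: where residual risk remains and remediation should focus."""
    return [a.control for a in tp.answers if not a.met]


# Constructed sample portfolio (hypothetical vendors, controls and weights).
VENDORS = [
    ThirdParty("Vendor A", 90.0, [
        ControlAnswer("MFA for remote access", 0.3, True),
        ControlAnswer("Encryption of data at rest", 0.2, True),
        ControlAnswer("Incident response plan", 0.2, False),
    ]),
    ThirdParty("Vendor B", 60.0, [
        ControlAnswer("MFA for remote access", 0.3, False),
        ControlAnswer("Encryption of data at rest", 0.2, False),
        ControlAnswer("Incident response plan", 0.2, False),
    ]),
    ThirdParty("Vendor C", 40.0, [
        ControlAnswer("MFA for remote access", 0.3, True),
        ControlAnswer("Encryption of data at rest", 0.2, True),
        ControlAnswer("Incident response plan", 0.2, True),
    ]),
]


if __name__ == "__main__":
    print("Ranked by inherent risk (worst case, all controls missing):")
    for tp in rank_by(VENDORS, lambda p: p.inherent):
        print(f"  {tp.name}: {tp.inherent}")
    print("Ranked by residual risk (after controls assessment):")
    for tp in rank_by(VENDORS, residual_risk):
        print(f"  {tp.name}: {residual_risk(tp)}  open: {unmitigated_controls(tp)}")
```

Running it shows the point the two lists of questions make: Vendor A carries the highest inherent risk, but Vendor B, with a lower inherent score and every control answered No, ends up with the highest residual risk, and its residual score equals its inherent score because nothing was mitigated. The per-vendor list of unmitigated controls is where remediation effort would go.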