By Patrick McConville
Exposure to inherent and residual risk is business as usual. Using risk controls to minimize liabilities and maximize compliance is what separates successful companies from the rest.
Finding effective and automatic ways of managing and mitigating your residual and inherent risk can also help you gain a competitive advantage over your rivals, increase productivity, and reduce exposure to serious risks.
Here, we’ll explain the differences between inherent and residual risk and discuss which tools you can use to develop effective inherent risk and residual risk management strategies.
Inherent Risk vs. Residual Risk
The simplest risk definition is anything that threatens your organization’s business continuity or profits. You might encounter security risks, strategic risks, reputational risks, operational risks, cyber risks, or risks from external factors such as natural disasters or pandemics. However, the types of risk you’ll encounter depend on your industry, location, who you work with, and beyond.
You have inherent risk when you don’t use risk management or mitigation tools to control new risks or prevent exposure. Keep in mind, your company could have top-notch risk management for yourselves, but working with a company with less than stellar risk policies can still put you at risk.
Examples of inherent risk in your supply chain could include working with third parties or vendor subsidiaries with sanctions, vulnerabilities to cybersecurity threats, lack of compliance with local laws, and more. Just by doing business with a third party, your reputations get tied together — if they get bad press, you could get dragged into it as well.
On the other hand, residual risk still exists after you’ve taken steps to manage and mitigate risks. An example of residual risk is after a company completes a risk assessment for a new vendor. Let’s say the assessment shows one of the directors has been investigated for fraud, but the investigation concluded in their favor. The company decides to work with the vendor but monitors for similar risks.
Even with monitoring, you’ll still have some residual risk. The vendor company could be involved in fraud, so you assume some reputational risk and even operational risk by working together.
What Tools Can You Use to Manage Inherent Risk?
The tools you use to manage inherent risk depend on the type of risk your business may be vulnerable to. Here are a few key tools that can help you identify third-party risks and create risk management strategies:
Risk Appetite and Tolerance Statements
Part of your enterprise risk management (ERM) strategy should include thorough risk analysis to discover potential exposures. A good risk management step is creating a risk profile for your organization. This profile can demonstrate the level of risk that you can be exposed to and how you could manage it.
Risk appetite and risk tolerance statements are helpful tools here as well. Your risk appetite and risk tolerance relate to the amount of risk you’re willing to take on to meet business objectives, guiding your decisions about which third-party companies to work with. As you write those statements you can decide on an acceptable level of inherent and residual risk for you.
For instance, if part of your risk appetite says you can’t take on a certain level of financial risk, you can see what inherent risk you already have. Depending on this, you can decide how much residual risk you’re open to. This can help you consider the risk of involvement in money laundering, fraud, or liquidation as you choose third-party financial services or financial institutions. You might then choose to use certain well-established, regulated financial institutions that have regular financial audits and required financial reporting.
Automatic and Automated Risk Assessments
You can conduct automatic risk assessments through centralized platforms that make it easier for your team to understand the extent to which a third party poses a risk to your company. A platform like this can send automated notifications that help you keep up to date with compliance rule changes and external global risk threats. Automatic risk scoring systems such as Certa can also help you save time and calculate risk levels efficiently and accurately so you can minimize residual risk.
You can use questionnaires to send to vendors as a tool to manage inherent risk. This is a good way to identify or flag any risk factors you normally wouldn’t be aware of. Ask questions that address the risk factors that are particularly important to you such as:
- How regularly do you update your internal software?
- Which countries do your suppliers operate in?
- What cybersecurity software do you use, and how often do you update it?
- What are your policies for protecting against data breaches?
Your ESG strategy should focus on your organization’s and your third parties’ regulatory compliance. Depending on your approach to external scope 3 greenhouse gas emissions, this can determine whether vendors fit with your ESG strategy.
This gives you an opportunity to assess vendor approaches to ESG, including compliance with scope 3 greenhouse gas emissions disclosures. This is important since the U.S. Securities and Exchange Committee (SEC) will be looking more closely at scope 3 emissions over the next few years.
A big risk for businesses is engaging with companies that are working illegally, as this could result in serious consequences for your business. As a business, you must know who owns your third-party companies and whether they are controlled by blocked or sanctioned entities. Not only is this an inherent risk to your business, but it’s a risk to national security too.
In order to remain compliant with U.S. laws, companies must do OFAC screening checks as part of their internal controls and procurement processes. This helps protect them from working with sanctioned companies and individuals. Use the OFAC screening tool to check whether your third-party company has any sanctions by inputting the names of 25% or more beneficial owners.
What Tools Can You Use to Manage Residual Risk?
Residual risk comes once you have put risk management strategies in place. You might always have some amount of residual risk since you can’t protect yourself from every outside circumstance. A residual risk formula can also help you calculate your potential residual risk.
These residual risk tools will help you keep checks on any extra risks that may become apparent as a result of things like natural disasters, political situations or changes in companies such as mergers.
Ongoing Monitoring Risk Assessments
As part of your risk management program, your risk assessments should include implementing risk audit procedures and ongoing monitoring.
For instance, if you decide that a vendor is high-risk, there’s probably some residual risk associated with working with them. In this case, you can do follow-up checks to make sure it’s still safe to do business with them.
You may want to create a risk chart that tells you when you should do follow-up checks based on certain risk scores. Here’s an example of how some categories can look in a risk chart:
- Very high risk (scoring 40-50): Follow-up checks to be completed in three months
- High risk (scoring 30-40): Follow-up checks to be completed in six months
You can set up workflows by using a centralized platform that reminds you when to follow up on checks. That way, your risk response addresses issues fast to avoid exposures and noncompliance and maximize security controls.
Vendor scorecards allow you to monitor supplier performance by considering different key performance indicators (KPIs) such as cost-effectiveness, the quality of the vendor’s product or service, or the efficiency of the product or service.
Part of a scorecard should consider whether the vendor is still complying with laws and regulations, still protecting against cybersecurity risks, holding updated insurance, certifications, or registrations, and so on. You can also add these areas to your ongoing monitoring process for vendors with higher risk.