Inherent risk describes the risk that exists when all cybersecurity controls fail or are missing. It provides a worst-case scenario view.
Inherent risk analysis answers questions like the following:
- What general risk does this third party pose?
- If this third party has a cyber incident, how bad could it be?
- How is inherent risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least inherent risk ranked relative to one another?
Residual risk describes the risk that remains when cybersecurity controls are in place: it is what is left of the inherent risk once the controls assessment answers show what has been mitigated. Residual risk is lowered by implementing (sub-)controls in assessment Tiers 2 and 3, or by performing well against the strength, timeliness, and coverage questions in Tier 1 assessments. If questions are routinely answered 'No', little is mitigated and the residual risk approaches the original inherent risk.
Residual risk analysis answers questions like the following:
- What specific risk does this third party pose?
- What types of cyber incidents are likely to affect this third party?
- How is residual risk distributed within this individual third party?
- How is residual risk distributed across my ecosystem of companies?
- Which third parties pose the greatest and least residual risk for specific controls, types of cyber incidents, etc.?
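The following is an added illustrative model, not the assessment platform's own scoring method: the 0..100 score scale, the 0..1 strength/timeliness/coverage ratings, the equal-share mitigation per 'Yes' answer, and the sample ecosystem are all assumptions made for this example. It shows how a residual score is derived from an inherent score, why all-'No' answers leave residual equal to inherent, and how a ranking by residual risk can differ from the ranking by inherent risk.

```python
"""Toy model of inherent vs residual third-party risk (assumed formula, not the platform's)."""
from dataclasses import dataclass, field


@dataclass
class Assessment:
    """One third party's assessment answers (constructed sample data)."""
    name: str
    inherent: float            # inherent risk score, 0..100: worst case, all controls absent
    tier: int                  # assessment tier: 1, 2 or 3
    # Tier 1 only: strength / timeliness / coverage ratings on an assumed 0..1 scale
    strength: float = 0.0
    timeliness: float = 0.0
    coverage: float = 0.0
    # Tiers 2 and 3 only: (sub-)control answers, True for 'Yes', False for 'No'
    controls: list = field(default_factory=list)


def mitigation(a: Assessment) -> float:
    """Fraction of inherent risk mitigated, 0..1 (assumed formula)."""
    if a.tier == 1:
        # A Tier 1 control only counts fully when it is strong, timely and covers the scope.
        return a.strength * a.timeliness * a.coverage
    if not a.controls:
        return 0.0
    # Each 'Yes' answer mitigates an equal share; all 'No' answers mitigate nothing.
    return sum(1 for answered_yes in a.controls if answered_yes) / len(a.controls)


def residual(a: Assessment) -> float:
    """Residual risk: what remains of inherent risk after the assessed mitigation."""
    return round(a.inherent * (1.0 - mitigation(a)), 2)


def rank(assessments, key) -> list:
    """Names ordered from greatest to least risk under the given scoring function."""
    return [a.name for a in sorted(assessments, key=key, reverse=True)]


# Constructed sample ecosystem of three third parties.
ECOSYSTEM = [
    Assessment("payroll-saas", inherent=90, tier=1, strength=0.9, timeliness=0.8, coverage=1.0),
    Assessment("print-vendor", inherent=40, tier=2, controls=[True, True, False, True]),
    Assessment("legacy-host", inherent=70, tier=3, controls=[False, False, False]),
]

if __name__ == "__main__":
    for a in ECOSYSTEM:
        print(f"{a.name:14} inherent={a.inherent:5.1f} residual={residual(a):6.2f}")
    print("ranked by inherent:", rank(ECOSYSTEM, lambda a: a.inherent))
    print("ranked by residual:", rank(ECOSYSTEM, lambda a: residual(a)))
```

With this data the highest inherent risk (payroll-saas) drops to second place once its strong Tier 1 answers are applied, while legacy-host, with every answer 'No', keeps its full inherent score as residual.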