Inherent Risk & Residual Risk…What’s the Difference?
December 2022
by cybergrx
You’ve worked hard to develop, implement, and continually improve your cybersecurity program, recognizing your organization has some level of inherent risk.
You’ve also been successful in obtaining increases in cyber spending that have allowed you to purchase and deploy modern security solutions.
You’re feeling confident and optimistic about the outcome of a recently completed cyber risk assessment, and then you see the report… What are all these risks?
How can there still be risk when you’ve thoughtfully implemented reasonably strong security controls?
In cybersecurity, risk is a constant and is often necessary to allow for innovation, progress, and organizational success. Mature third-party risk management (TPRM) programs identify unacceptable and acceptable risk, rather than focusing only on the elimination of all risks.
One of the primary tasks of risk management professionals is to determine how to respond to risk. Effective risk management requires us to recognize that some risks are not only necessary, but beneficial. We must also realize that while it may sound like a worthwhile goal, zero risk is neither feasible nor practical.
In this article, I explore inherent risk, residual risk, and common risk misconceptions that can lead to confusion and frustration.
Misconception #1: All Risk Is Bad
Those of us in the Risk Management industry tend to think of risk only in a negative light. In reality, risk is often quite necessary to allow for innovation, progress, and organizational success.
Imagine an educational institution that decides to take every conceivable step to remove all risk from their IT environment. “The internet presents risks – shut down access!” “Data sharing via removable media presents risks – block all storage devices!” “Mobile computing presents risks – take back all laptops!”
You can see how attempting to completely eliminate risk could be quite impractical and detrimental to achieving organizational goals. Mature cyber risk management programs will identify unacceptable and acceptable risk, rather than focusing only on the elimination of all risks.
Misconception #2: Risk Can Be Eliminated
It is tempting to believe that inherent risk can be eliminated through the implementation of strong controls. In reality, there is no way to completely eliminate risk, and as I pointed out above, that’s ok. We couldn’t eradicate risk even if we were willing to suffer the negative consequences. There are several factors that contribute to risk which are important to understand.
Risk Definitions
A threat is any circumstance or event with the potential to do harm or have an adverse impact.
A vulnerability is a weakness that could be exploited by a threat source.
A risk represents the potential for loss or damage when a threat exploits a vulnerability. Risk is often expressed as a function of the likelihood of a threat event’s occurrence and the potential adverse impact should the event occur. The two main types of risk are:
Inherent risk is calculated without taking into consideration the effectiveness of security controls that may or may not be in place. In TPRM, we think about the criticality and volume of data shared with a third party, or how deeply our business relies on a third party as part of inherent risk analysis.
Inherent risk analysis answers questions like the following:
What general risk does this third party pose?
If this third party has a cyber incident, how bad could it be?
How is inherent risk distributed across my ecosystem of companies?
Which third parties pose the greatest and least inherent risk ranked relative to one another?
Residual risk is the amount of inherent risk that remains after controls are accounted for.
Residual risk analysis answers questions such as:
What specific risk does this third party pose?
What types of cyber incidents are likely to affect this third party?
How effective is a particular control in relation to a particular threat?
Ok, so what do all these definitions really tell us?
Allow me to illustrate with a few examples:
In order to eliminate the risks related to earthquakes you would need the power to control the movement of tectonic plates.
In order to remove all risk related to a state-sponsored hacker you would need to be able to persuade them that hacking is bad, or… eliminate them altogether.
Of course, I’m being a bit facetious, but I hope I’ve illustrated the point. There are risks that cannot be completely removed without the power to eliminate associated threats and threat actors.
The objective of many security assessments is to identify the degree to which controls are in place, operating as intended, and producing the desired results. This type of assessment is particularly good at verifying vendor compliance and identifying areas of non-compliance with applicable standards and policies. However, if the assessment stops there it is missing a very important element – risk. Let’s look at an example.
During the course of a security assessment it is determined that a healthcare organization has implemented robust malware detection technology to identify known and unknown attacks. The anti-malware tools are updated with new signatures in real-time and sensors are placed throughout the organization’s external-facing and internal network. This sounds like a reasonably strong control implementation. The organization might assume that they have a fairly low level of malware-related risk and choose to take no additional actions.
But what happens when we consider other factors?
Consider that the healthcare industry creates, processes, transmits, and stores vast amounts of protected health information (PHI). PHI is one of the most valuable data types on the black market and is therefore the target of intense and frequent hacking attempts by well-funded and highly capable, malicious actors. To get a better understanding of risk, we should take into consideration factors such as the capability, determination, and motivation of potential attackers, as well as the frequency and impact of successful attacks. These characteristics lead us to an estimation of inherent risk.
In our example the inherent risk is likely quite high. Considering this high level of inherent risk, we may determine that a medium level of residual risk remains, despite the strength of the anti-malware control implementation.
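The relationship between inherent risk, control strength, and residual risk can be made concrete with a small scoring sketch. This is an added example, not from the original article or from any CyberGRX or ProcessUnity product. The 1-5 scales, the multiplicative score, the band cut-offs, the vendor names, and every number below are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed scoring model: 1-5 ordinal scales, score = likelihood * impact,
# fixed band cut-offs. None of these numbers come from the article.
BANDS = ((15, "high"), (6, "medium"), (0, "low"))


def band(score):
    """Map a 0-25 score to a qualitative band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class ThirdParty:
    name: str
    likelihood: int               # 1-5: attacker capability, motivation, frequency
    impact: int                   # 1-5: data criticality/volume, business reliance
    control_effectiveness: float  # 0.0 <= x < 1.0, from a controls assessment

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1-5")
        # Controls reduce risk but never remove it, so 1.0 is rejected.
        if not 0.0 <= self.control_effectiveness < 1.0:
            raise ValueError("control_effectiveness must be in [0, 1)")

    @property
    def inherent(self):
        """Risk before any controls are considered."""
        return self.likelihood * self.impact

    @property
    def residual(self):
        """Inherent risk that remains after controls are accounted for."""
        return round(self.inherent * (1 - self.control_effectiveness), 2)


def risk_view(parties):
    """Rank by residual risk, highest first."""
    return sorted(parties, key=lambda p: p.residual, reverse=True)


def compliance_view(parties):
    """Rank by control strength alone, weakest first (checklist-style view)."""
    return sorted(parties, key=lambda p: p.control_effectiveness)


# Constructed sample register (hypothetical vendors and scores).
VENDORS = [
    ThirdParty("hospital-ehr-vendor", likelihood=5, impact=5, control_effectiveness=0.6),
    ThirdParty("cafeteria-menu-app", likelihood=2, impact=1, control_effectiveness=0.6),
    ThirdParty("payroll-processor", likelihood=3, impact=4, control_effectiveness=0.2),
]

if __name__ == "__main__":
    for p in risk_view(VENDORS):
        print(f"{p.name:22} inherent={p.inherent:>2} ({band(p.inherent)}) "
              f"residual={p.residual:>5} ({band(p.residual)})")
```

The two vendors with identical control effectiveness land in different residual bands, and the controls-only ranking puts a different vendor first than the residual-risk ranking does.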
The situation presents a potential conundrum. You might be thinking, “The healthcare organization in your example has done everything they can. How are they supposed to respond when they are told that they are still at risk?” There are a few things that an organization in this situation may choose to do.
In our example, the organization may:
Place additional monitoring and alerting functionality around their standard anti-malware control implementation.
Increase the ingestion of threat intelligence information related to malware attacks.
Increase staffing for SOC analyst positions.
Require SOC analysts to attend additional training on how to identify and respond to the latest malware attacks.
Take no action, which is always an option when all other reasonable steps have been taken.
Getting Comfortable with Risk
In conclusion, risk is a constant. One of the primary tasks of cyber risk management professionals is to determine how best to respond to inherent and residual risk. Effective risk management requires us to recognize that some risks are not only necessary, but beneficial to success.
We must also realize that while it may sound like a worthwhile goal, attempting to completely remove all risk is ineffective and unproductive.
And finally, the days of getting by with compliance-focused, checklist-style assessments have passed. This is why you need a third-party risk management platform that provides risk-prioritized data that allows you to make informed decisions about what residual risks are acceptable and what risks must be addressed. To learn more about how CyberGRX and ProcessUnity can help you identify your critical risks and make smarter vendor decisions in less time, reach out to our team.