Residual Risk Explained

April 21, 2021/in Sales, Vendor Manager/by Joel Lawrence

A well-maintained vendor management program allows you to build relationships with your vendors while also strengthening your business. Understanding your vendors’ residual risk is a key piece of that program: it tells you the amount of risk or danger associated with a vendor’s action after controls are accounted for.

To understand residual risk, we first need to understand inherent risk. Inherent risk is typically defined as the amount of risk that the vendor has in the absence of controls. Any time a financial institution uses a third party to provide a service or product, the financial institution needs to complete a risk assessment so it can understand the criticality of the risk that vendor will have. Inherent risk is established only after the vendor’s key objectives have been defined and steps have been taken to identify what could go wrong to prevent the vendor from achieving those objectives. In addition to impact and likelihood, management must also consider the nature of the risk.

Once the inherent risk of the vendor is established and the financial institution recognizes the criticality of the risk, the financial institution must determine what controls the vendor has in place to help mitigate or reduce that risk. Once the controls have been assessed, they should also be tested to ensure that they are operating efficiently. Testing the controls provides confidence that they actually reduce risk to a tolerable level.

Finally, we are able to take a look at residual risk. Residual risk is the amount of risk associated with each vendor that remains after inherent risks have been reduced by the controls the vendor has in place. When controls are weak, not in place, or not functioning properly, residual risk will be high. If vendor residual risk is high, then a corrective action plan needs to be put in place describing how the vendor is going to strengthen those controls, or management should seek out other vendors who can provide the product or service to the financial institution.
