Back to Playbook Visit Our Blog

Risk Resource Management

Allocate risk resources to match third-party residual risk exposure. Conduct assessments more frequently and at greater depth for low performing third parties. Conduct assessments less frequently for high performing third parties.


Allocate risk assessment resources commensurate with the residual third-party risk exposure, informed by inherent risk, results from previous assessments, and data from continuous surface risk assessments.


Allocating resources based on residual exposure improves outcomes by focusing analyst attention on improving performance of poor performing third-parties. It yields better scale because analysts are not wasting time over-assessing third parties that are strong performers.


Allocate resources based on residual risk rather than inherent risk. Calculate residual risk by factoring inherent risk with results from previous assessment engagements and continuous surface assessment results. Increase assessment frequency and depth for poorly performing third parties. Decrease assessment frequency and scope for strong performers. For example, you might set a schedule as shown below:

Practice Status Adoption
Determine assessment frequency based on inherent risk rating. Common 70%
Determine assessment frequency based on residual risk rating, factoring inherent risk rating with prior assessment or continuous surface assessment results. Pioneering 23%
Establish baseline control assessment scope and validation requirements commensurate for each risk rating. Common 77%
Modify assessment control scope to match the predominant architecture patterns (on-premise, cloud, and so forth). Emerging 43%