Allocate risk assessment resources commensurate with the residual third-party risk exposure, informed by inherent risk, results from previous assessments, and data from continuous surface risk assessments.
Allocating resources based on residual exposure improves outcomes by focusing analyst attention on improving the performance of poorly performing third parties. It also scales better, because analysts do not waste time over-assessing third parties that are already strong performers.
Allocate resources based on residual risk rather than inherent risk. Calculate residual risk by factoring inherent risk with results from previous assessment engagements and continuous surface assessment results. Increase assessment frequency and depth for poorly performing third parties. Decrease assessment frequency and scope for strong performers. For example, you might set a schedule as shown below:
| Practice | Maturity | Adoption |
|---|---|---|
| Determine assessment frequency based on inherent risk rating. | Common | 70% |
| Determine assessment frequency based on residual risk rating, factoring inherent risk rating with prior assessment or continuous surface assessment results. | Pioneering | 23% |
| Establish baseline control assessment scope and validation requirements commensurate with each risk rating. | Common | 77% |
| Modify assessment control scope to match the predominant architecture patterns (on-premise, cloud, and so forth). | Emerging | 43% |