Inherent Risk
Risk is an inherent component of every business relationship. Every supplier, vendor, affiliate, partner and customer exposes your company to hazards. In many cases the potential impact is small and normal business processes provide reasonable assurance that the risk is managed. In a few cases the potential impact is catastrophic. In our modern, connected world, recognizing and managing third-party cybersecurity risk is critical and cannot be achieved without analytics.
Using Analytics to Recognize Third-Party Cyber Risk
In the cybersecurity area there is no universal method to reliably identify every high-risk third party. Many companies use other measures as a proxy for risk, such as scores on a cybersecurity assessment or compliance with a regulatory framework. These approaches fail in two key areas. First, the measure may not capture information relevant to understanding cybersecurity risk: it may be good to know that your offsite data storage vendor is compliant with the PCI DSS standard, but that reveals nothing about the risk of using their services to store your data. Second, these approaches do not consider the nature of the relationship between the third party and the company. Cybersecurity scores and compliance reports say nothing about how the third party and the company interact with each other.
A better method starts by understanding how your company and the third party interact. Our analytics solution evaluates this relationship across eight key areas:
Business Processes, People, Digital Identities, Applications, Data, Devices, Networks, and Facilities.
One important factor is the third party’s access to sensitive data:
[Least] No access to sensitive data
[Minimal] Access to internal, low-impact data (e.g., white pages, training documents)
[Moderate] Access to moderately sensitive data (e.g., proprietary company information)
[Significant] Access to highly sensitive data (e.g., regulated or confidential information)
Answering targeted questions across these eight areas allows analytics to categorically assess the potential impact a third party may have if compromised.
The impact score is the sum of all eight Impact Questionnaire answers along an exponential scale, so higher tiers (e.g. Significant) count for much more than lower ones (e.g. Least).
Industry classification plays a key role because the Exchange pre-populates the impact responses from historical customer interactions for each industry. This allows an initial impact score to be calculated instantly, for immediate insight.
Adding Likelihood to the Analysis
With impact defined, analytics can go a step further by estimating the likelihood that a third party will suffer a cyber incident. We assemble this estimate from four datasets:
- Historical cyber incidents are analyzed to understand the types of attacks that have succeeded in the past against companies in the same industry.
  Dataset & Weighting: MITRE ATT&CK Use Cases mapped to Controls (25% if an Attack Surface Score exists, otherwise 33%)
- Threat intelligence is analyzed to understand the type and volume of attacks currently being directed against companies in the same industry.
  Dataset & Weighting: Recorded Future Score (25% if an Attack Surface Score exists, otherwise 33%)
- Scans of internet-facing systems provide insight into the information technology maturity of the third party.
  Dataset & Weighting: RiskRecon Score (25% if an Attack Surface Score exists, otherwise 33%)
- Responses from the third party to questions about their attack surface.
  Dataset & Weighting: Attack Surface Score (25% if it exists, otherwise 0%)
When no Attack Surface Score exists, the three remaining datasets share the weight equally (one third each), so the likelihood estimate always sums to 100% of the available evidence.
Overall Inherent Risk
The overall Inherent Risk score is dynamic, because the input data refresh on an ongoing basis.
Once the data are pulled, likelihood and impact are combined into a single overall inherent risk measure. This is plotted on the risk matrix and lands in one of the bands described below.
Inherent Risk Thresholds
Inherent risk scores are categorized to help prioritize third-party assessments:
| Overall Inherent Risk Label | Range | Interpretation |
| --- | --- | --- |
| Critical | 73.7 - 100 | Represents the highest level of inherent risk. A cyber event involving this relationship would have a severe or widespread impact, and the likelihood of such an event is substantial. Immediate evaluation and robust mitigation efforts are strongly recommended. |
| High | 58.7 - 73.6 | Suggests significant risk to the organization. Either the potential impact is severe or the likelihood of a cyber incident is high. Requires focused assessment, risk treatment, and potentially enhanced monitoring. |
| Medium | 36.7 - 58.6 | Indicates a moderate level of exposure. Either the potential impact or likelihood is elevated. This tier may warrant targeted assessment efforts to confirm controls are sufficient. |
| Low | 21.3 - 36.6 | Presents a limited risk. The potential impact is minor or the likelihood of occurrence is low. May not require immediate action, but could be reviewed periodically. |
| Nominal | 0 - 21.2 | The relationship poses negligible cybersecurity risk. Both impact and likelihood are minimal, and no additional due diligence is likely required beyond standard monitoring. |
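The inherent-risk arithmetic described above (the exponential impact sum, the 25%/33% likelihood weighting and the band thresholds) as one worked example. This is added illustrative code, not the Exchange's own implementation. The weighting rule and the thresholds are the ones stated on this page; the doubling weights per impact tier (1, 2, 4, 8), the rescaling of the impact sum to 0-100, and the product used to combine impact and likelihood are assumptions, as are the sample questionnaire answers and dataset scores.

```python
"""Worked model of the inherent-risk arithmetic on this page (added example,
not the Exchange's own code).

From the page: eight impact areas answered on a Least/Minimal/Moderate/
Significant scale and summed on an exponential scale; four likelihood
datasets weighted 25% each when an Attack Surface Score exists, otherwise
the other three at one third each; the Critical .. Nominal thresholds.
ASSUMED here: weights double per tier (1, 2, 4, 8) and are rescaled to
0-100; impact and likelihood combine as a product rescaled to 0-100.
"""
from typing import Dict, Optional

IMPACT_AREAS = ("Business Processes", "People", "Digital Identities", "Applications",
                "Data", "Devices", "Networks", "Facilities")
IMPACT_WEIGHTS = {"Least": 1, "Minimal": 2, "Moderate": 4, "Significant": 8}  # ASSUMPTION

# Lower bound of each band from the thresholds table. A score is matched to the
# first bound it meets, so values in the printed gaps (e.g. 73.65, between
# "58.7 - 73.6" and "73.7 - 100") still land in a band instead of falling through.
INHERENT_BANDS = ((73.7, "Critical"), (58.7, "High"), (36.7, "Medium"),
                  (21.3, "Low"), (0.0, "Nominal"))


def impact_score(answers: Dict[str, str]) -> float:
    """Exponentially weighted sum of the eight impact answers, rescaled to 0-100."""
    missing = set(IMPACT_AREAS) - set(answers)
    if missing:
        raise ValueError(f"unanswered impact areas: {sorted(missing)}")
    raw = sum(IMPACT_WEIGHTS[answers[area]] for area in IMPACT_AREAS)
    max_raw = len(IMPACT_AREAS) * max(IMPACT_WEIGHTS.values())
    return 100.0 * raw / max_raw


def likelihood_score(attack_history: float, threat_intel: float, external_scan: float,
                     attack_surface: Optional[float] = None) -> float:
    """Blend the four likelihood datasets, each already on a 0-100 scale.

    Page rule: 25% each when the third party answered the attack-surface
    questions; otherwise the remaining three carry the full weight. One third
    is used rather than a literal 33% so the weights sum to exactly 100%.
    """
    fixed = (attack_history, threat_intel, external_scan)
    for v in fixed + ((attack_surface,) if attack_surface is not None else ()):
        if not 0 <= v <= 100:
            raise ValueError("dataset scores must be on a 0-100 scale")
    if attack_surface is None:
        return sum(fixed) / 3.0
    return 0.25 * (sum(fixed) + attack_surface)


def inherent_risk(impact: float, likelihood: float) -> float:
    """ASSUMPTION: impact and likelihood combine as a product rescaled to 0-100."""
    return impact * likelihood / 100.0


def inherent_band(score: float) -> str:
    """Map an overall inherent risk score to its label from the thresholds table."""
    if not 0 <= score <= 100:
        raise ValueError("inherent risk is a 0-100 score")
    for lower, label in INHERENT_BANDS:
        if score >= lower:
            return label
    return "Nominal"  # unreachable: the last bound is 0.0


def assess(answers: Dict[str, str], attack_history: float, threat_intel: float,
           external_scan: float, attack_surface: Optional[float] = None) -> Dict[str, object]:
    """Full pipeline: impact, likelihood, combined score and band."""
    impact = impact_score(answers)
    likelihood = likelihood_score(attack_history, threat_intel, external_scan, attack_surface)
    overall = inherent_risk(impact, likelihood)
    return {"impact": impact, "likelihood": likelihood,
            "inherent": overall, "band": inherent_band(overall)}


# Constructed sample third party: a provider holding regulated data and employee
# identities, integrated with our applications and network. Not real customer data.
SAMPLE_ANSWERS = {
    "Business Processes": "Moderate", "People": "Minimal",
    "Digital Identities": "Significant", "Applications": "Significant",
    "Data": "Significant", "Devices": "Minimal",
    "Networks": "Moderate", "Facilities": "Least",
}

if __name__ == "__main__":
    # Dataset scores are constructed values, not real Recorded Future / RiskRecon output.
    before = assess(SAMPLE_ANSWERS, 70, 60, 50)                    # no attack-surface answers yet
    after = assess(SAMPLE_ANSWERS, 70, 60, 50, attack_surface=80)  # questionnaire returned
    for label, r in (("without attack surface", before), ("with attack surface", after)):
        print(f"{label}: impact {r['impact']:.1f}, likelihood {r['likelihood']:.1f}, "
              f"inherent {r['inherent']:.1f} -> {r['band']}")
```

Running the block scores the sample third party twice: first from the three externally sourced datasets alone, then after an attack-surface questionnaire is returned, which under these assumptions moves the overall score from the Low band into Medium. Matching on each band's lower bound matters because the printed ranges leave gaps (73.6 to 73.7, and so on); a naive range check would leave such scores unlabelled.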
Once a company understands the potential impact of an incident at each third party in its ecosystem, reasonable decisions can be made about managing that risk. Third parties that have both high impact and high likelihood are logical candidates for additional scrutiny; we recommend a detailed cybersecurity assessment for third parties in this category. Third parties with low impact probably do not need any additional scrutiny, and existing risk management processes are probably sufficient. For third parties that lie between these two extremes, other measures may be appropriate and should be tailored to the particular situations of the company and its third parties.
No human endeavor is without risk. This is particularly true for modern businesses where companies depend on a wide variety of third party products and services. Analytics provide a way to recognize and manage risk by identifying the third parties that need the most scrutiny.
Identifying third parties that need additional scrutiny is a first step. Dealing with the outcome of the additional scrutiny is the next task. Ecosystem-level views of risk, prioritization of mitigation and remediation efforts, and tracking remediation progress are all important components of a third-party risk management program.
Residual Risk
Residual Risk is calculated from the results of a completed assessment, once the individual responses for the various controls have been evaluated. The attack scenarios enumerate the MITRE ATT&CK techniques that a threat actor must employ to carry out an attack. Each technique is in turn mapped to the primary and supporting controls in the assessment that could mitigate it, along with the assets that are relevant. Well-performing assessments, reflecting comprehensively implemented security controls, limit the impact and likelihood of the attack and so drive the residual risk well below the inherent risk starting point. For poorly-performing assessments, where many or all controls are answered "No", the residual risk remains close to the inherent risk, indicating that the company did little or nothing to mitigate the threats to which it was exposed.
Two further points apply when risk is assessed. First, assessment granularity determines the fidelity with which the efficacy of security controls can be judged. Assessments with metrics provide a measure of control effectiveness between 0 and 100, whereas assessments without metrics supply only Yes/No/NA answers per control. A "No" answer is taken at its word and assigned 0% effectiveness. "NA" answers are excluded from the calculation as not relevant. A "Yes" answer is assigned 85%, a figure based on statistical analysis of responses and chosen to avoid giving unsubstantiated credit; a purely Yes/No assessment therefore can never demonstrate full control effectiveness. Second, even with a perfect assessment there are finite limits to the length of the questionnaire and to the ability to enumerate known threat actors, so residual risk can never be lowered to zero; the remainder accounts for the unknowns that are continually in play.
Analyzing Inherent Risk and Residual Risk
While Inherent Risk and Residual Risk are closely related, they represent distinct perspectives based on the availability of additional information.
Inherent Risk reflects the level of risk an organization faces from potential threats, considering the likelihood and potential adverse impacts on confidentiality, integrity, and availability — before any controls or mitigations are applied. The Exchange categorizes inherent risk using five qualitative descriptors: Critical, High, Medium, Low, and Nominal. These classifications help organizations prioritize assessments across large third-party portfolios, focusing on those that exceed acceptable risk tolerances.
Residual Risk, on the other hand, incorporates the effectiveness of attested or predicted cybersecurity controls. It represents the level of risk that remains after mitigation efforts have been applied. Both Inherent Risk (IR) and Residual Risk (RR) are scored on the same 0–100 scale, with higher values indicating greater risk. Importantly, Residual Risk can never exceed Inherent Risk. Organizations that have not implemented meaningful security measures will have identical Inherent Risk and Residual Risk values, while organizations with robust controls will show a significant reduction between the two.
The Exchange does not impose a label on Residual Risk outcomes, recognizing that final interpretations depend heavily on how an individual third-party risk management program defines its risk tolerance and governance practices. However, to support more nuanced decision-making, programs have the flexibility to either:
- Apply the same qualitative thresholds used for Inherent Risk, or
- Adopt secondary thresholds specifically designed for Residual Risk, with user-defined labels that fit their operational needs (e.g., Level 5, Level 4, Level 3, Level 2, Level 1).
The secondary thresholds offered are:
| User Defined Overall Residual Risk Label | Range | Interpretation |
| --- | --- | --- |
| Level 5 (Highest Residual Risk) | 26 - 100 | Most controls are absent, ineffective, or unverified. The risk remains nearly unchanged from its inherent state. Immediate action is needed to mitigate potential cyber threats. |
| Level 4 | 17 - 25.9 | Some controls are in place, but key gaps remain. The likelihood or impact of a cyber event has only marginally improved. Prioritized remediation and reassessment are recommended. |
| Level 3 | 8.1 - 16.9 | A moderate number of effective controls have been implemented, and risk is reduced but still above tolerable thresholds. Risk reduction is evident, but more work is needed to reach an acceptable state. |
| Level 2 | 4.8 - 8.0 | Strong control coverage in place with measurable improvement from the inherent risk. Some residual exposure remains, but it is within most organizational tolerance levels. Continued maintenance is advised. |
| Level 1 (Lowest Residual Risk) | 0 - 4.7 | Effective and comprehensive security controls have significantly reduced the risk. Residual risk is minimal and indicates a mature security posture. Maintain controls and monitor for changes. |
These options enable programs to tailor their risk evaluation processes to organizational risk appetite while maintaining consistency and clarity in reporting.
Maintaining distinct classifications for Inherent and Residual Risk is crucial. Reusing the inherent risk thresholds for residual scores would artificially understate Residual Risk outcomes and obscure the true performance of a third party's cybersecurity posture. By measuring Inherent Risk and Residual Risk separately, programs can more accurately represent the full journey of third-party risk management.
For example, a third party may exhibit low Residual Risk because its Inherent Risk was minimal to begin with, or because it successfully mitigated a previously high-risk posture. Capturing and preserving the relationship between all three metrics (Inherent Risk, Residual Risk, and the Risk Reduction between them) provides the transparency needed for informed decision-making and ongoing third-party oversight.
Risk Reduction
Taken as a pair, the inherent and residual risk measures also provide a high-level metric of how well companies have mitigated real-world risks, and they are useful for comparing assessment performance over time to demonstrate positive progress.
The percentage reduction from inherent to residual risk highlights how much the controls mitigate risk and helps in evaluating whether additional controls are necessary. Where overall inherent risk is less than 5, the third party is instead labelled Insufficient Inherent Risk: a reduction percentage computed on such a small base is not meaningful.
| Risk Reduction Range | Risk Reduction Label |
| --- | --- |
| Greater than or equal to 90% | Excellent |
| Greater than or equal to 80% | Very Good |
| Greater than or equal to 70% | Good |
| Greater than or equal to 60% | Fair |
| Greater than or equal to 50% | Poor |
| Less than 50% | Very Poor |
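The residual risk calculation described under Residual Risk and the risk reduction labelling above, carried through as one worked example. This is added illustrative code, not the Exchange's own implementation. The control scoring (No = 0%, Yes = 85%, NA excluded, metric answers on 0-100), the "residual never exceeds inherent and never reaches zero" rule, the reduction labels and the Insufficient Inherent Risk cut-off come from this page. How per-control effectiveness rolls up into a mitigation factor (mean over a technique's controls, then over a scenario's techniques, then over all scenarios), the 5% floor on residual risk, and treating an unanswered control as "No" are assumptions; the scenarios use real MITRE ATT&CK technique IDs but hypothetical control IDs and constructed answers.

```python
"""Residual risk and risk reduction as described on this page (added example,
not the Exchange's own code).

From the page: "No" = 0% effective, "Yes" = 85%, "NA" ignored, metric answers
used as-is on 0-100; attack scenarios are chains of MITRE ATT&CK techniques,
each mapped to the controls that mitigate it; residual risk never exceeds
inherent risk and never reaches zero; the reduction labels and the
"Insufficient Inherent Risk" rule for inherent scores below 5.
ASSUMED here: the roll-up (mean over controls per technique, then over
techniques per scenario, then over scenarios), a 5% residual floor, and
that a control with no recorded answer counts as "No".
"""
from statistics import mean
from typing import Dict, List, Optional, Tuple, Union

YES_CREDIT = 85.0                  # page: a "Yes" earns 85%, not 100%
RESIDUAL_FLOOR = 0.05              # ASSUMPTION: residual never below 5% of inherent
MIN_INHERENT_FOR_REDUCTION = 5.0   # page: below this, "Insufficient Inherent Risk"

Answer = Union[str, int, float]    # "Yes" / "No" / "NA", or a 0-100 metric
Scenario = Dict[str, List[str]]    # ATT&CK technique ID -> mitigating control IDs


def control_effectiveness(answer: Answer) -> Optional[float]:
    """0-100 effectiveness for one control answer; None means NA (excluded)."""
    if isinstance(answer, str):
        a = answer.strip().lower()
        if a == "na":
            return None
        if a == "yes":
            return YES_CREDIT
        if a == "no":
            return 0.0
        raise ValueError(f"unexpected control answer {answer!r}")
    if not 0 <= answer <= 100:
        raise ValueError("metric answers must be on a 0-100 scale")
    return float(answer)


def technique_mitigation(control_ids: List[str], answers: Dict[str, Answer]) -> float:
    """Fraction (0-1) by which the mapped controls mitigate one technique."""
    effs = []
    for cid in control_ids:
        eff = control_effectiveness(answers.get(cid, "No"))  # ASSUMPTION: unanswered = No
        if eff is not None:
            effs.append(eff)
    return mean(effs) / 100.0 if effs else 0.0  # a technique with only NA controls gets no credit


def scenario_mitigation(scenario: Scenario, answers: Dict[str, Answer]) -> float:
    """ASSUMPTION: a scenario is mitigated by the mean over its techniques."""
    return mean(technique_mitigation(ctrls, answers) for ctrls in scenario.values())


def residual_risk(inherent: float, scenarios: Dict[str, Scenario],
                  answers: Dict[str, Answer]) -> float:
    """Residual risk on the same 0-100 scale as inherent risk."""
    overall = mean(scenario_mitigation(s, answers) for s in scenarios.values())
    residual = inherent * (1.0 - overall)
    # Never above inherent (overall lies in 0-1) and never zero: the finite
    # questionnaire and unknown threat actors leave a floor.
    return max(residual, inherent * RESIDUAL_FLOOR)


def risk_reduction(inherent: float, residual: float) -> Tuple[Optional[float], str]:
    """Percent reduction from inherent to residual and the page's label for it."""
    if inherent < MIN_INHERENT_FOR_REDUCTION:
        return None, "Insufficient Inherent Risk"
    if residual > inherent:
        raise ValueError("residual risk cannot exceed inherent risk")
    pct = 100.0 * (inherent - residual) / inherent
    for floor, label in ((90, "Excellent"), (80, "Very Good"), (70, "Good"),
                         (60, "Fair"), (50, "Poor")):
        if pct >= floor:
            return pct, label
    return pct, "Very Poor"


# Constructed sample: real ATT&CK technique IDs, hypothetical control IDs.
SAMPLE_SCENARIOS: Dict[str, Scenario] = {
    "ransomware via phishing": {
        "T1566": ["email-filtering", "security-awareness"],  # Phishing
        "T1078": ["mfa", "privileged-access-mgmt"],          # Valid Accounts
        "T1486": ["backups", "edr"],                         # Data Encrypted for Impact
    },
    "intrusion via exposed remote service": {
        "T1133": ["mfa", "vpn-patching"],                    # External Remote Services
        "T1021": ["network-segmentation", "edr"],            # Remote Services
    },
}

if __name__ == "__main__":
    inherent = 60.0  # constructed inherent score (High band on this page's scale)
    cases = {
        "all Yes (binary assessment)": {c: "Yes" for s in SAMPLE_SCENARIOS.values()
                                        for cs in s.values() for c in cs},
        "mixed answers": {"email-filtering": "Yes", "security-awareness": "NA",
                          "mfa": "No", "privileged-access-mgmt": "No", "backups": 90,
                          "edr": 40, "network-segmentation": "Yes", "vpn-patching": "No"},
    }
    for name, answers in cases.items():
        rr = residual_risk(inherent, SAMPLE_SCENARIOS, answers)
        pct, label = risk_reduction(inherent, rr)
        print(f"{name}: residual {rr:.2f}, reduction {pct:.1f}% -> {label}")
```

Two things the run makes visible that the prose only implies: an assessment answered entirely "Yes" tops out at 85% reduction ("Very Good"), so "Excellent" is only reachable with metric answers that substantiate effectiveness above 85%; and the floor keeps a perfectly scored assessment at a small non-zero residual rather than zero. The constructed mixed answers show a 40.6% reduction, "Very Poor", driven by the two unmitigated identity techniques.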
Each of these options offers a different approach to managing risk, allowing organizations to choose the most appropriate method based on their specific context and risk appetite.