Third Party Risk Management - Consultancy, Assessment & Advisory

Guest Blog – Cutting Corners: Most Companies Conduct Inherent Risk Assessments on Less Than 40% of Their Vendors

More than two-thirds of companies are cutting corners when it comes to understanding inherent risk within their third-party due diligence

It is no secret that inherent risk assessments are crucial to third-party risk management success, but are they being conducted?

During a recent IT GRC webinar, Automating Your Third-Party Risk Management Program, attendees were asked how many of their vendors have been given an inherent risk assessment during the onboarding process.

While any third-party risk management professional would be quick to say that they perform inherent risk assessments to determine the level of due diligence for a vendor, the survey revealed that two-thirds of companies are actually scoring less than half of their vendors.

That means most companies are potentially exposing their organisation to unnecessary and potentially damaging risks at a time when it’s most appropriate to keep the risk out. Risk managers know that contracting a vendor is the beginning of a new relationship – there are several unknowns and managers can expose their enterprise to risks that can have enduring consequences – and yet the numbers say differently.

Poll of use of Inherent Risk assessments

While some may argue that assessing some vendors is better than a company forgoing inherent risk assessments altogether, once contracted, these vendors could have access to sensitive information. If they are compromised, then your data could be as well. Are you willing to take that risk?

Why are the large majority bypassing a major step in the vendor onboarding process? This is likely due to how tedious, manual and time-intensive the process can be. Traditional spreadsheet-based vetting processes take up a lot of time and require a lot of bandwidth that most companies frankly do not have. They’re not choosing to forgo due diligence; they just don’t have the resources to get it done.

But the good news is, there is an easier way.


Replace Inconsistent, Manual Due Diligence with Risk Management Automation

One of the initial key steps in onboarding a vendor is determining the level of inherent risk, as this determines the depth of due diligence the company must conduct on a vendor. Although all third-party vendors must be onboarded, they do not merit equal attention. Vendors that provide essential services, or hold sensitive data, carry a high degree of inherent risk, and must be scrutinised as such.


So where do you start?

Organisations must determine which third parties carry meaningful risk that requires more than a cursory review. This may consist of a simple, standardised internal questionnaire that helps to determine whether or not the vendor requires deeper due diligence. An intelligent intake process acknowledges differences in risk that merit different degrees of review, prioritises the vendors who require further investigation and reduces costly and time-consuming analyst input.

Although this sounds like a relatively simple process, many organisations make it unnecessarily complex by relying on manual processes prone to error and inconsistency. From spreadsheets that cannot be easily consolidated to emails that fail to create a documentable trail of activity, time-intensive processes that require heavy manual analysis can play a large part in discrepancies and mistakes.

Assessment automation can help to not only streamline processes, but also provide necessary peace of mind to risk professionals, ensuring that all vendors have been properly assessed to the required level.
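The intake step described above (a standardised questionnaire that tiers each vendor's inherent risk, maps the tier to a depth of due diligence, and prioritises the vendors needing deeper review) can be expressed as a small, consistent piece of logic rather than a spreadsheet. The following is an added example and is not code from ProcessUnity or DVV Solutions; the questionnaire fields, scoring weights, tier thresholds and due-diligence mapping are hypothetical and would be calibrated to an organisation's own risk appetite. It also computes the assessment-coverage figure the poll reports, so the gap of contracted-but-never-assessed vendors is visible rather than assumed.

```python
"""Inherent-risk intake tiering and assessment-coverage check.

Added example; not code from ProcessUnity or DVV Solutions. The questionnaire
fields, weights, tier thresholds and due-diligence mapping are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Tier(str, Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Depth of due diligence implied by each inherent-risk tier (hypothetical mapping).
DUE_DILIGENCE: Dict[Tier, str] = {
    Tier.LOW: "self-attestation only",
    Tier.MEDIUM: "standard security questionnaire plus evidence review",
    Tier.HIGH: "full assessment: control testing, fourth-party review, annual reassessment",
}

VALID_VOLUMES = {"none": 0, "limited": 1, "bulk": 2}


@dataclass(frozen=True)
class IntakeAnswers:
    """Standardised internal intake questionnaire (hypothetical fields)."""
    handles_sensitive_data: bool   # PII, card data, health data, credentials
    essential_service: bool        # an outage would halt a key business process
    system_access: bool            # VPN, API credentials, privileged accounts
    data_volume: str               # "none" | "limited" | "bulk"
    regulated_scope: bool          # in scope for a regulatory obligation


@dataclass(frozen=True)
class Vendor:
    name: str
    contracted: bool
    intake: Optional[IntakeAnswers] = None  # None means the vendor was never assessed


def inherent_risk_tier(a: IntakeAnswers) -> Tier:
    """Tier a vendor from its intake answers.

    Holding sensitive data or providing an essential service is high inherent
    risk outright; everything else is scored additively with hypothetical
    weights and a hypothetical threshold.
    """
    if a.data_volume not in VALID_VOLUMES:
        raise ValueError(f"unknown data_volume: {a.data_volume!r}")
    if a.handles_sensitive_data or a.essential_service:
        return Tier.HIGH
    score = VALID_VOLUMES[a.data_volume]
    if a.system_access:
        score += 2
    if a.regulated_scope:
        score += 1
    return Tier.MEDIUM if score >= 2 else Tier.LOW


def assessment_coverage(vendors: List[Vendor]) -> float:
    """Fraction of contracted vendors that received an inherent risk assessment."""
    contracted = [v for v in vendors if v.contracted]
    if not contracted:
        return 1.0
    assessed = sum(1 for v in contracted if v.intake is not None)
    return assessed / len(contracted)


def unassessed_contracted(vendors: List[Vendor]) -> List[str]:
    """Contracted vendors that skipped intake: the gap the poll describes."""
    return [v.name for v in vendors if v.contracted and v.intake is None]


def prioritise(vendors: List[Vendor]) -> List[Tuple[str, Tier]]:
    """Assessed vendors ordered high to low so analysts see the riskiest first."""
    order = {Tier.HIGH: 0, Tier.MEDIUM: 1, Tier.LOW: 2}
    rows = [(v.name, inherent_risk_tier(v.intake)) for v in vendors if v.intake is not None]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample portfolio; these are not real vendors.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", True, IntakeAnswers(True, True, True, "bulk", True)),
    Vendor("cdn-provider", True, IntakeAnswers(False, False, True, "limited", False)),
    Vendor("office-catering", True, IntakeAnswers(False, False, False, "none", False)),
    Vendor("marketing-agency", True, None),  # contracted, never assessed
    Vendor("print-shop", True, None),        # contracted, never assessed
]

if __name__ == "__main__":
    for name, tier in prioritise(SAMPLE_VENDORS):
        print(f"{name:18} {tier.value:7} -> {DUE_DILIGENCE[tier]}")
    print(f"coverage: {assessment_coverage(SAMPLE_VENDORS):.0%}")
    print("unassessed:", ", ".join(unassessed_contracted(SAMPLE_VENDORS)))
```

Running the module on the constructed portfolio reports 60% coverage and names the two vendors that were contracted without an intake, which is exactly the figure a programme should be tracking against the "less than 40%" finding above. Because the tiering rule is code rather than a spreadsheet formula copied by hand, every vendor is scored the same way and the result can be logged as a documentable trail.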


How can you improve your inherent risk assessment process?

Download ProcessUnity’s Best Practices Guide for Simplifying Vendor Onboarding and learn how automation can streamline your program and ensure your company isn’t the next organisation making headlines for a third-party data breach.


You’re only as strong as your weakest link

There’s never a more vital time to start thinking seriously about the security posture of your extended enterprise. DVV Solutions are here to help with a range of services and solutions that are proven to improve your ability to execute, analyse and manage more Third-Party (and Fourth-Party) risk assessments. For more advice and information:

Call Us: +44 (0) 161 476 8700

Contact Us: Complete our Contact Form, or

Learn more about What We Do


This article was originally published by ProcessUnity and is shared with their kind permission.


About ProcessUnity

ProcessUnity is a leading provider of cloud-based applications for risk management and service delivery management. The company’s software as a service (SaaS) platform gives organisations the control to assess, measure and mitigate risk and to ensure the optimal performance of key business processes.

For public companies and regulated industries, ProcessUnity Risk Suite delivers effective governance and control, supplier risk mitigation and regulatory compliance. For benefit plan administrators and other financial service firms, ProcessUnity Offer Management controls complex product offerings and strengthens client service experience.

ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. The company is headquartered outside Boston, Massachusetts. For more information, visit