What Is Information Risk Management?

Melissa Stevens | December 15, 2015

If you search the term information risk management (IRM) on Google, you will find many lengthy explanations and definitions. You can learn more about IRM from the NIST publications (SP 800-53 catalogs security and privacy controls, while SP 800-30 and SP 800-39 cover risk assessment and managing information security risk), but many of the definitions you come across are either too vague or focus entirely on theory instead of practice. So we have taken a crack at a simple, yet sufficient, working definition:

Information risk management (IRM): The policies, procedures, and technology one adopts in order to reduce the threats, vulnerabilities, and consequences that could arise if data is not protected.

In this article, we outline how to understand the risk equation (shown below) as it applies to third-party vendor risk management. We also walk through the process your organization should consider in order to properly secure its most valuable data.

Intentional & Unintentional Threats

When the average person thinks about a threat, they tend to envision hackers and other outsiders with malicious intent attempting to steal data or valuable information through physical or cyber means. This is an intentional threat. But threats to an organization's information can be both intentional and unintentional. An unintentional threat might be an employee who mishandles data or an IT manager who is careless with the organization's infrastructure. Note that a security flaw that allows a break-in is not itself a threat but a vulnerability (discussed below); the careless change that introduced the flaw is the unintentional threat, and the intruder who uses it is the intentional one.

Understanding The Risk Equation

As mentioned in our working definition, information risk management examines this classic equation for risk:

Risk  =  Threat  x  Vulnerability  x  Consequence

Threat is inherent in information risk management: any party that can reach your data, including every vendor that stores, processes, or accesses it, represents at least some level of threat, and most organizations assess their vendors on that assumption.

Vulnerability comprises the gaps in a protection program. Say you have a highly sensitive document and you put it in a safe, inside a locked building, protected by guards. You can be reasonably confident that the document is exposed to few threats. Now put that same document on an open network where your organization stores all of its data, and it is easy to see how its safety is compromised. The lesson is to understand not only what the vulnerabilities in your protection program are, but also how each one can be exploited, and by whom. Once you have worked through that, you will have a much clearer idea of how to address your overall risk.

Another important element of IRM is understanding the value of the information you are trying to protect, because consequence depends largely on it. That value varies tremendously. Some information is valuable because of what it is worth to the business, such as sensitive designs, blueprints, or pricing. Other information is valuable because there are legal requirements for protecting it. Even if you do not consider personally identifiable information (PII) a high priority, your customers (and the law) would most likely disagree. So in determining the consequence side of risk, ask what would happen if a particular piece of data were compromised: which regulations would be triggered, which customers would be affected, and what the business would lose.

Properly Managing Information Risk

Knowing what information risk management is and what it entails — through a solid understanding of our working definition and how IRM applies to the risk equation — is the first step. But then, you need to take it a step further and establish a clear strategy for information security and risk management. It’s important to note that this strategy is typically set by the leadership in an organization. Data is the lifeblood of so many companies — so the task of managing information risk isn’t and shouldn’t be taken lightly.

Once senior executives set an IRM strategy, HR and legal teams handle organizational implementation and, in effect, put policy into action. Policies (an acceptable use policy, for example) are written and distributed throughout the organization so that all employees understand the severity of IRM infractions. IT security teams select and deploy the technical controls needed to prevent a data breach or lessen its impact; typical controls include intrusion detection, antivirus software, multi-factor authentication, and firewalls. Vendor risk management teams work with vendors, suppliers, and other third parties critical to business operations to verify that they have reasonable IRM policies and controls of their own. Together these efforts help ensure that a company does not suffer the harms it is trying to avoid.


Information risk management is a whole-organization problem. It is not something to pass over quickly or delegate to a low-level intern; it requires senior leadership involvement. There are simply too many intentional and unintentional threats to an organization's data, and if they are ignored the consequences can be severe. Financial, legal, and reputational harm awaits those who do not take this seriously, so make sure you are prepared.

