Inherent exposure risk, explained.
Inherent risk is what a vendor brings before any controls are applied. Understanding it properly is the difference between real risk management and compliance theatre.
Every vendor brings a baseline level of risk before you put a single control in place. That baseline is called inherent risk, and most risk programmes either ignore it or confuse it with residual risk.
Inherent vs residual
Inherent risk is what is there before controls. Residual risk is what is left after controls. If you only measure residual risk you will never know how much protection your controls are actually providing, because you never measured what you started with.
That is why Vendorapp scores both. Inherent exposure gives you the real shape of the relationship; residual exposure tells you how well your programme is working.
What shapes it
Inherent exposure is driven by what the vendor can reach — data, systems, funds, customers — and by where they operate. A marketing agency with no system access is not the same as a payroll processor with production keys, even if they both pass the same questionnaire.
Getting that distinction right is what separates real vendor risk management from a questionnaire exercise.