What is the significance of the 'inherent risk' assessment in third-party risk management before controls are applied?