Turning the third party risk tables – from assessor to the assessed!
ARTICLE BY SEAN O'BRIEN, DIRECTOR AT DVV SOLUTIONS
A common question I receive from clients as part of Third Party risk management (TPRM) program development is how best to manage the inbound requests from their own clients to complete risk assessments.
My answer is very simple: “Practice what you preach”. Treat client requests in the same manner you would wish your own suppliers to respond to your risk assessment questionnaires, and make the process as easy as possible for both you and them to manage, minimising time and effort for all.
To do this I’ll always point to a few simple principles:
Be proactive with a self-assessment
Rather than waiting and then replying on demand to each individual request, a more proactive approach of creating a standard, ready-made response will make life much simpler for your own team.
A quick analysis of the numerous questionnaire sets you will have responded to over time will show, as I’ve often found, that around 80% to 90% of questions asked are exactly the same (allowing for changes of wording and nomenclature). Building a common repository of self-assessment questions, answers and documented evidence that will satisfy the majority of customers’ demands should therefore not be too difficult a job.
This also shows you take your responsibility for managing security controls within the data supply chain seriously and have a positive, open mindset to understand and mitigate the inherent risks you may present.
Standardise for greater efficiency
I am a strong advocate for the use of recognised standards in Third Party risk management. While frameworks such as ISO27001 are commonly referenced they are not designed to specifically address Third Party risk. The emerging global standard in TPRM is Shared Assessments’ Standardised Information Gathering (SIG) questionnaire sets and Standardised Control Assessment (SCA) criteria for onsite assessments.
With the majority of questions being pretty much the same from assessment to assessment, any differences are typically specific to the relationship/contracted services provided, though often there can also be extraneous and unnecessary questions that have nothing to do with the commercial or operational relationship. Supplementary responses and attestations can be easily added to your basic core responses as and when they arise.
For clients looking to adopt these standards within their own TPRM program, using this as the basis for self-assessment illustrates a firm commitment to managing risk as a supplier, offers the opportunity to feed back and help rationalise risk assessment content, and develops your own hands-on understanding of the processes and content in the SIG and SCA criteria.
Don’t dismiss downstream suppliers
We are all suppliers and customers in the supply chain, and so it is highly likely that you outsource the data processing, software development or platform support for your customers to Fourth and even Fifth Parties, who therefore represent additional layers of risk to your customers’ data and systems.
You should look to build accountability throughout the data supply chain, and work with suppliers to be able to illustrate this within a self-assessment. Wherever possible, I advise building upstream sharing of risk assessment and continuous threat monitoring into contractual terms and SLAs, as well as adding subcontractor requirements into procurement and RFQ processes that you can evidence to customers.
Automate and simplify for all
The tooling you use for your own Third Party risk assessment program should offer the perfect processes and practices to perform a self-assessment, and give you a critical supplier's-eye-view of how simple and effective (or not) the processes that you demand your suppliers go through really are.
Cloud-based workflow automation tools replace the archaic flow of emails and spreadsheets, making this process as seamless as possible and creating a central repository for your self-assessment and supporting evidence that can be shared en masse at the click of a button.
Making this information readily available for customers will thus help further reduce the time and resource involved.
An open and honest dialogue
Customer loyalty is ultimately built upon trust and ease of doing business. Your approach to being a Third Party risk assessment respondent should be no different.
Being open and honest with your customers will reap long-term benefits, and the most transparent way to show this when it comes to managing and mitigating risk is: practice what you preach!