Organizations continue to increase their reliance on third parties for their products and services. On average, companies share their confidential and sensitive information with more than 600 third parties, which makes third-party risk assessment a business priority. Yet only one in three maintains a comprehensive vendor repository, and only one in six holds information on Nth-tier vendors.
Even today, two out of three organizations lack the centralized control and resources needed to ensure proper vendor oversight.
Third parties are a key contributing factor in the rising number of data breaches, since their ecosystems are prone to infiltration by cybercriminals and hackers, especially as networks grow larger and more complex.
Proper vendor oversight is therefore an important risk management control for protecting the business.
In every business relationship, both the client and the vendor want the relationship to succeed commercially, with the level of assessment, data and information exchanged commensurate with the criticality of the product or service being delivered. The business has no interest in assessing all of its vendors to the same depth and at the same frequency regardless of their criticality. Equally, vendors are willing to provide information sufficient to satisfy the client's needs for the services or products being supplied. Once the business relationship has been established, both parties want to focus on excelling at their business without ongoing, excessive intrusions.
Performing the same assessment across all vendors, irrespective of the products and services involved and at the same frequency, leads to vendor and reviewer fatigue. It is also a waste of time and resources for both parties.
Managing and assessing disparate vendors manually with Excel and similar tools makes the process inefficient, ineffective and highly error-prone, adding further to the fatigue.
A good vendor or third-party risk management solution will go a long way toward reducing assessment fatigue and should, at a minimum, include the following:
- A centralized vendor repository that categorizes vendors by the services and products supplied, their criticality and other important factors
- The ability to map vendors directly to business processes, facilities or any other facet of the business hierarchy
- A flexible assessment library that allows new assessments and questions to be added and existing ones to be modified
- The ability to structure questionnaires into tiers and dependencies, so that vendors are asked only the questions relevant to the services or products they supply
- Evidence and artifacts that can be provided as attachments or comments directly at the question stage, so nothing is lost or missed and multiple follow-ups are avoided
- Questionnaires that vendors can submit only once every question has been answered and the relevant attachments and comments provided, which prevents the submission of incomplete assessments or missing evidence
- The ability for the business to monitor the progress of an assessment in real time and manage expectations
- Risk scores calculated automatically by question, category or pillar from the vendor's responses. The formulas for scoring each question, category and pillar are loaded once and then serve to benchmark vendor scores objectively
- On submission, findings generated automatically from the responses, ensuring nothing falls through the gaps. Findings can be assigned directly to the vendor for remediation and remain tied to the assessment for future review and audit
- On submission, assessment responses locked to preserve their integrity, while reviews and audits are conducted in designated areas directly within the assessment, providing a detailed audit trail of the reasons for any risk score revision
- Post-submission communication between client and vendor captured within the questionnaire rather than externally by email. Further communication after submission is likely, so an ongoing dialogue field that automatically time-stamps and records the key conversation is vital
- Reminders and notifications that are automated and triggered on pre-scheduled dates and events, reminding both the business and vendors of upcoming submissions, re-assessments and other milestones
A good risk management solution is key to addressing third-party assessment fatigue by automating vendor onboarding, evaluation and continuous monitoring. Such third-party risk management software also reduces reviewer fatigue and provides timely, comprehensive vendor risk insight, ensuring your supply chain is fit for purpose and that your vendors do not degrade the products and services you supply to your customers.
If your organization is interested in seeing the above features and more in a best-in-class vendor or third-party risk management solution, we invite you to explore the Maclear GRC Suite™ by visiting https://www.maclearglobal.com. Our comprehensive range of solutions is designed using best practices with built-in integration to reduce risk, improve performance and enable strategic decision-making.
To learn more, request a demo, discuss a free-trial proof of value or simply start a conversation, drop an email to firstname.lastname@example.org.