Article written by Sean O’Brien CTPRP, Director, DVV Solutions
A common question I receive from clients as part of Third Party risk management (TPRM) program development is the best way to manage the inbound requests to complete risk assessments from their own clients.
My answer is very simple: “Practice what you preach”. Treat client requests in the same manner you would wish your own suppliers to respond to your risk assessment questionnaires, and make the process as easy as possible for both you and them to manage, so that time and effort are minimised for all.
To do this I’ll always point to a few simple principles:
Be proactive with a self assessment
Rather than waiting and then replying on demand to each individual request, a more proactive approach of creating a standard, ready-made response will make life much simpler for your own team.
A quick analysis of the numerous questionnaire sets you will have responded to over time will show, as I’ve often found, that around 80% to 90% of the questions asked are exactly the same (allowing for changes of wording and nomenclature). Building a common repository of self assessment questions, answers and documented evidence that will satisfy the majority of customers’ demands should therefore not be too difficult a job.
This also shows you take your responsibility for managing security controls within the data supply chain seriously and have a positive, open mindset to understand and mitigate the inherent risks you may present.
Standardise for greater efficiency
I am a strong advocate for the use of recognised standards in Third Party risk management. While frameworks such as ISO27001 exist they are not designed to specifically address Third Party risk. The emerging global standard in TPRM is Shared Assessments’ Standardised Information Gathering (SIG) questionnaire sets and Standardised Control Assessment (SCA) criteria for onsite assessments.
Remembering that 80% to 90% of questions are pretty much the same from assessment to assessment, the remainder are usually specific to the relationship or the contracted services provided (though often they can be extraneous and unnecessary) and so can easily be added to the basic set of responses. This also offers the chance to feed back and help customers rationalise their risk assessment content.
For clients adopting these standards within their own TPRM program, using this as the basis for self assessment illustrates a firm commitment to suppliers and offers the opportunity to develop a hands-on understanding of the processes and content in the SIG and SCA criteria.
Automate and simplify for all
The tooling you use for your own third party risk assessment program should offer the ideal processes and practices for performing a self-assessment, and give you a critical supplier’s-eye view of how simple and effective (or not) the processes are that you demand your suppliers go through.
Cloud-based workflow automation tools replace the archaic flow of emails and spreadsheets, making this process as seamless as possible and creating a central repository for your self-assessment and supporting evidence that can be shared en masse at the click of a button.
Making this information readily available to customers will thus further reduce the time and resources involved.
Don’t dismiss downstream suppliers
We are all suppliers and customers in the supply chain, so it is highly likely that you outsource the data processing, software development or platform support for your customers to Fourth and even Fifth Parties, who therefore represent additional layers of risk to your customers’ data and systems.
You should look to build accountability throughout the data supply chain, and work with suppliers so that you can illustrate this within a self assessment. Wherever possible, I advise building upstream sharing of risk assessments and continuous threat monitoring into contractual terms and SLAs, as well as adding subcontractor requirements into procurement and RFQ processes that you can evidence to customers.
An open and honest dialogue
Customer loyalty is ultimately built upon trust and ease of doing business. Your approach to being a Third Party risk assessment respondent should be no different.
Being open and honest with your customers will reap long-term benefits, and the most transparent way to show this when it comes to managing and mitigating risk is simple: practice what you preach!
About the author:
Sean has over 25 years’ hands-on experience of delivering managed services within IT security and governance, risk and compliance (GRC) and is a practicing Certified Third Party Risk Professional (CTPRP).
As a foundation of the success of DVV Solutions, Sean has been instrumental in supporting our business partners Prevalent Inc. and Shared Assessments in creating a foothold in the Third Party risk assurance marketplace across Europe.
His philosophy to become a trusted information security partner is built upon long-term relationships with clients based on honesty and shared values.