A few thoughts on the “Evidence Sharing Network” model. I’m pleased to say that the seven key steps for establishing a cost-effective Third-Party risk management (TPRM) program are definitely beginning to resonate. However, as usual, priorities and resources are naturally focused on daily tasks, which keeps risk management a secondary concern and pulls organisations away from a proactive risk management environment.
Having met with a number of existing and potential clients over the last few months, one thing that has become a consistent topic of conversation is scalability. The problem is no longer the understanding and/or development of a sound end-to-end TPRM process; it is the ability to deliver this across an entire estate of Third-Parties and indeed Fourth-Parties. Specifically within Third-Party risk management, this means the ability to execute more security risk assessments with existing or reducing resources.
Taking the pain out of TPRM
Automation is typically the first port of call – making the distribution, collection, aggregation and analysis of risk assessment questionnaires and data as effortless and painless as possible. For many, if not all, organisations this is a clearly beneficial step. I, along with many other service providers and vendors, would clearly advocate automation as part of the solution.
The next big step is Delegation, via the TPRM-as-a-service offerings that have begun to spring up, such as (excuse the plug) DVV Solutions’ SupplierAssess managed service. These delegate much of the time-intensive leg work in the assessment and information gathering processes and provide independent analysis, reporting and remediation advice. This adds the dimension of flexibility for the Customer, enabling them to quickly ramp up, extend or purely outsource the whole assessment process. This means internal resources can be focussed on the ultimately more critical management and mitigation of Third-Party risk.
But wait! Are we all still missing a trick here?
The market is more comfortable with Automation, and is beginning to look towards Delegation, but isn’t there also an opportunity for Collaboration?
Bear with me. I’m not suddenly instructing everyone to share with each other who their best and brightest suppliers are. For many these relationships can be a huge part of their commercial competitive advantage. But having worked in the TPRM space across a number of different industries and sectors it is clear that each one has its own national, regional or global ecosystem. These “networks” consist of a common set of Third-Party suppliers and service providers that work for multiple organisations in the same industry, and clients that are interested in similar security control information about these Third-Parties.
This isn’t necessarily an epiphany or great insight, but what it does mean is that there is a potentially huge amount of duplication of effort. Time and resources are wasted on the same form-filling, email sending (and resending, and resending, ad infinitum), assessment updating and number crunching day-by-day, month-on-month, year-on-year. And that is in effect money potentially wasted by both the Assessor (i.e. YOU) and the Third-Parties themselves.
So, the question is… How can risk and security professionals work more intelligently in order to reduce all this wasted time and effort? This is where an Evidence Sharing Network comes into play with a “Complete-Once, Share-Many” model of assessment collection, analysis and distribution.
It starts with (inevitably) some form of standardisation: standardisation of content, risk tiering and risk management, whilst still offering some level of flexibility or customisation to suit the most demanding or complex risk assessment criteria.
Next comes more automation. An Evidence Sharing Network will require a centralised assessment automation platform that is able to collate and support the distribution of assessment and evidence to multiple, unique users.
And if you want more, then how about some more delegation? Buy in the manual labour of collection, filtering and results analysis as well as the additional effort required for onsite assessments, but this time you’re sharing the cost of one for all, NOT one for each!
The good news is, it’s already happening.
Shared Assessments SIG, SIG Lite and AUP are pretty much becoming the industry-standard bases for TPRM methodologies across the globe.
Specialist service providers like DVV Solutions and our technology partner Prevalent Inc. have developed the TPRM platform and services to deliver the features and functionality required to securely manage the flow and distribution of assessments from multiple suppliers to multiple members of a network. You provide the list of suppliers – we can do the rest.
Evidence Sharing Networks can change the way risk professionals operate and can significantly reduce the costs of risk assessments and risk management. Not only that, but they enable you to share the burden of mitigating any risks that are identified and shared across multiple Customers and Users.
Can this collaborative model of an Evidence Sharing Network work for your industry?
What will it take to get a critical mass of clients and suppliers in an Evidence Sharing Network?
How difficult will it be to explain why you’re not saving time and money by joining the Evidence Sharing Network for your industry?
As ever, we’re interested to hear your thoughts.