Third-party contractors, especially technology vendors, are becoming increasingly integrated in every business function and industry, including core business functions. Outsourcing work makes it possible for business to be responsive and agile in a disruptive environment. But third parties also introduce risk, up and down the supply chain.
Third-party risk is unique, and a third-party risk assessment is required to ensure due diligence is met – not just at the time of onboarding, but continually on an ongoing basis. Additionally, new compliance regulations require ongoing documentation to justify the renewal of the contract relationship.
A risk assessment template is helpful to guide the audit process. We compiled the following nine-step template using lessons learned from our experience helping successful customers set up and run risk assessment programs.
To produce more effective third-party assessments and streamline the assessment process, it’s helpful to apply the lessons of other organizations.
Here are nine experience-based ways to stand up a streamlined third-party assessment program.
- Understand your risk appetite: Regulatory bodies usually tell you who to assess and how often. However, determining questions to ask in the assessment is frequently left up to you. How do you decide? How might results impact company policies and procedures? Build and test your third-party assessment program internally using questionnaires that reflect your company’s risk appetite.
- Classify your vendors: Develop a method for classifying vendors to identify third parties that are in-scope and require assessments. This helps ensure you don’t assess third parties unnecessarily or miss assessing third parties that pose a risk to your organization.
- Improve the data collected: Obtaining data is one of the biggest challenges in managing third-party risk and a high quality assessment is key. To improve the quality of your questionnaires, start with a widely accepted assessment, like the Standard Information Gathering (SIG) questionnaire from Shared Assessments, and tailor it to your specific business needs and processes.
- Make assessments easier to manage: If you do business with a multitude of third parties, you need a way to make assessments easier to manage. Speed up the assessment process by giving all third parties a low threshold assessment with a few flagging questions. For all flagged third parties, send a higher level, deep-dive assessment for due diligence on risk. It’s an easier and often more thorough process for assessing third parties.
- Pre-populate your assessment world: Assessments are something you do on a continuous basis and often with the same vendors. If your assessment engine pre-populates data, the entity you’re assessing only has to address changes. It’s less work for them and you, and may even improve the response rate.
- Assess for performance, not just risk: With the right platform, you can upload service level agreements (SLAs) and make them part of the assessment process. Compare assessment data to SLAs and then use the analysis to provide feedback to the third party, leverage it in contract renewal, or use it to support switching to another service provider.
- Reassess based on third party’s expanded offering: When third parties expand their services to your company, it changes their risk profiles. One of the best ways to address this is to periodically assess third parties for changes and update risk profiles accordingly. This way, your third-party risk profile is always current.
- Look beyond financial risks with third parties: Most organizations assess third parties to manage financial risk. Sometimes small risks open the door to more serious consequences. Losing revenue can cause problems, but it is recoverable. Losing your reputation may not be.
- Dependency creates a business continuity risk: Any third party can be a business continuity risk. The litmus test is if their service stopped, it would interrupt yours. Maybe it’s the provider of IT services or a supplier with a key role in the supply chain. Third parties that you’re greatly dependent on can pose business continuity risks that can be identified through a risk assessment.
Use these nine tips as you roll out or fine-tune your risk assessment program to make it more effective and satisfy requirements.
Download the Third-Party Guide to Risk Management for more details.