While the use of virtual assessments was rising prior to 2020, that adoption accelerated beyond all expectations last year thanks to the COVID-driven work-from-home (WFH) transformation. This sudden shift caused numerous disruptions, including upending the risk ratings of many third-party vendors.
“Prior to the pandemic, outsourcers deemed many vendors a lower risk due to several criteria, including the fact that they did not allow remote access to any customer data on their networks,” notes Santa Fe Group Senior Vice President & CSO Brad Keller. “Well, guess what? Last spring nearly every company started remotely accessing their networks and their customers’ data.” Getting that remote access up, running and stable marked an all-encompassing objective that shoved aside other considerations, such as data privacy and security. A 2020 survey of 993 global companies conducted by E&Y and the International Association of Privacy Professionals (IAPP) found that 60% of organizations that adopted new technology to enable remote working models “accelerated or bypassed” standard reviews of privacy and security controls.
“One important lesson we learned last year was that no matter how recently you assessed a vendor prior to the WFH shift, you needed to re-assess them to determine how they’re managing remote access,” notes Keller. He emphasizes that most of those assessments now have to be conducted virtually. “One positive development last year,” Keller notes, “was that the pandemic forced outsourcers and service providers to come together and begin to hash out how to perform virtual assessments in ways that are effective for both parties.”
As that constructive back and forth continues this year, Keller identifies five hard-earned insights that outsourcers and their third-party partners should consider when designing and fine-tuning their virtual assessments:
- New approaches and new tools will raise questions: Virtual assessments require new ways of sharing information. During a live session, for example, an assessor may ask the vendor team to share a screen to confirm an action has been performed. But the vendor organization may have a policy prohibiting screen shots of certain systems and data – something the assessor could (conceivably) do without the vendor team’s knowledge. “Sure, you don’t know for certain that your vendor is not going to take that screen shot,” Keller notes, “but you also didn’t know if someone was going to sneak a smartphone into the conference room during an onsite assessment and take pictures of the same screens. So, this is probably not something worth getting hung up on.”
- Pre-pandemic protocols need updating: For organizations that are new to virtual assessments, one of the first areas that requires rethinking involves protocols that address the WFH environment. “Will the vendor’s people be on camera? If so, listening devices in the home need to be turned off or removed,” Keller points out, noting that governance documents pertaining to TPRM need to be updated to reflect WFH risks. “Companies still have documents that identify situations that trigger an on-site controls assessment,” he adds. “Those documents obviously need to be updated to address what occurs when on-site visits can’t be conducted.”
- The new environment revitalizes collaboration: Constructive collaboration between outsourcers and vendors was always important, yet not always present. In some cases, “the customer is always right” attitudes weakened vendors’ negotiating hands when hammering out how to perform assessments effectively and efficiently. “In most cases, virtual assessments are the only option,” Keller notes. “There’s a widespread sense that it’s better to figure this out together, especially when neither the outsourcer nor the service provider has done virtual assessments before…People are really being forced to work together, and I think that will have major benefits over the long term.”
- There is a need for standard assurance platforms: Keller emphasizes that there is also an opportunity for intra-industry collaboration among TPRM teams, particularly when it comes to developing and standardizing portals used to share assurance-related information (e.g., security operation center dashboards, controls-testing logs, records, video, etc.) between outsourcers and vendors. Keller notes that similar “electronic filing cabinets” are used to store information – securely and privately – in mergers & acquisitions work. “There may be a real opportunity for certain service providers to get together and form some kind of a consortium to facilitate the development of this type of tool,” Keller adds. “Could manufacturing groups collaborate on this? Should companies that have common customers get together and figure this out? I think so.”
- Virtual assessments require higher-level skills: “We’re consistently hearing from the companies performing virtual assessments that assessors need a higher level of skill compared to the competencies required during on-site assessments,” Keller reports. He notes that this need relates to technical expertise and to interpersonal skills. “We’ve seen this reflected in the polls we conduct during our virtual assessment webinars – people really feel that assessors have to be much more adept to operate virtually.”