On March 11, 2020, the World Health Organization (WHO) declared COVID-19 a pandemic. That spring, organizations were forced to transition an in-person workforce to a remote workforce. This fall, risk management programs continue to “reimagine how and where work will get done.” While some risk practitioners are on the road back to in-person or hybrid work models, virtual assessments are still de rigueur for risk management programs.
65% of our member community reports that they are not conducting in-person assessments. 29% of our members report that they are conducting in-person assessments, but with limitations. Meanwhile, a very small percent of members have gone ahead with pre-pandemic style in-person assessments.
Virtual assessments, while popularized by the pandemic, have been successfully conducted since 2003. Virtual assessments review the same controls as an onsite assessment. Virtual assessments are an efficient and cost-effective way of evaluating third party controls.
Organizations will need to be able to conduct third party risk assessments for the foreseeable future. Factors that are driving risk management programs to conduct virtual assessments include:
Virtual assessments have changed the way third party risk management programs conduct assessments on multiple fronts:
The Standardized Control Assessment (SCA) is an end-to-end tool for virtual assessments. SCA supplies fact based and objective testing of control attributes as part of the “trust but verify” process in third party risk governance. The control structures in the SCA include 18 critical control domains used in assessing vendor risk and corresponding controls.
The SCA saves risk personnel time and reduces cost of doing assessments manually. Taking the difficulty out of regulatory content, SCA creates a step-by-step process for assessors to find control attributes.
With the SCA, assessments follow an objective and consistent method while enabling accurate and comprehensive record keeping of the assessment to meet regulatory requirements.
In addition to virtual assessments, many other risk management instances leverage the SCA tool. Third party service providers use the SCA to provide independent testing of controls. The SCA can also be tailored to outsourcing relationships based on third party data type, location, and services provided.
Outsourcers and service providers alike use the SCA to enable due diligence in onsite or virtual assessments. External assessment firms who are licensed and credentialed in accordance with SCA guidelines are able to provide a distributable report.
SCA procedures can be used for internal self-assessment or risk assessments. Finally, the SCA reduces audit fatigue by leveraging standardized testing processes for key risk domains.
For virtual assessments Best Practices and an infographic on fundamentals, read this blogpost.
To get best practices for using the SCA in complement with other assessments, download the free best practices guide and tool.