On March 11, 2020, the World Health Organization (WHO) declared COVID-19 a pandemic. That spring, organizations were forced to transition an in-person workforce to a remote workforce. This fall, risk management programs continue to “reimagine how and where work will get done.” While some risk practitioners are on the road back to in-person or hybrid work models, virtual assessments are still de rigueur for risk management programs.
Virtual Assessments vs. In-Person Assessments
65% of our member community reports that they are not conducting in-person assessments. 29% of our members report that they are conducting in-person assessments, but with limitations. Meanwhile, a very small percent of members have gone ahead with pre-pandemic style in-person assessments.
What is a Virtual Assessment?
Virtual assessments, while popularized by the pandemic, have been successfully conducted since 2003. Virtual assessments review the same controls as an onsite assessment. Virtual assessments are an efficient and cost-effective way of evaluating third party controls.
Why Virtual Assessments?
Organizations will need to be able to conduct third party risk assessments for the foreseeable future. Factors that are driving risk management programs to conduct virtual assessments include:
- Cost Savings: virtual assessments only include staff-hours (no travel expenses)
- Time Reduction: virtual assessments are faster to complete
- Cost vs. Risk: Expenses of assessing low risk vendors may exceed that vendor’s worth to the organization
Virtual Assessments Impact on Third Party Risk Management
Virtual assessments have changed the way third party risk management programs conduct assessments on multiple fronts:
- Typical interviews and exchange of artifacts associated with on-site assessment of a third party’s risk controls must be achieved through online collaboration and virtual tools.
- TPRM policies, standards, and procedures for assessments, vendors, and employees must be adapted to the virtual environment.
- A more structured approach must be implemented to organize evidence and collaboration via online meetings or sharing of screens.
- Virtual data rooms or artifact repositories should be used.
- Virtual assessments enable an easier assessment of fourth party/cloud providers who might have virtual data center tours online.
Tool for Virtual Assessments: Standardized Control Assessment (SCA)
The Standardized Control Assessment (SCA) is an end-to-end tool for virtual assessments. SCA supplies fact based and objective testing of control attributes as part of the “trust but verify” process in third party risk governance. The control structures in the SCA include 18 critical control domains used in assessing vendor risk and corresponding controls.
Benefits of the SCA
The SCA saves risk personnel time and reduces cost of doing assessments manually. Taking the difficulty out of regulatory content, SCA creates a step-by-step process for assessors to find control attributes.
With the SCA, assessments follow an objective and consistent method while enabling accurate and comprehensive record keeping of the assessment to meet regulatory requirements.
How is the SCA Tool Used?
In addition to virtual assessments, many other risk management instances leverage the SCA tool. Third party service providers use the SCA to provide independent testing of controls. The SCA can also be tailored to outsourcing relationships based on third party data type, location, and services provided.
Outsourcers and service providers alike use the SCA to enable due diligence in onsite or virtual assessments. External assessment firms who are licensed and credentialed in accordance with SCA guidelines are able to provide a distributable report.
SCA procedures can be used for internal self-assessment or risk assessments. Finally, the SCA reduces audit fatigue by leveraging standardized testing processes for key risk domains.
Looking For More About Virtual Assessments?
For virtual assessments Best Practices and an infographic on fundamentals, read this blogpost.
Looking For More About the SCA?
To get best practices for using the SCA in complement with other assessments, download the free best practices guide and tool.