If a group of risk professionals and their third party partners wound up at a karaoke bar at a certain hour, they might select a classic Stones tune for a heartfelt duet: “My back is broad, but it’s a-hurting,” the third party professional would croon. “I’ll never be your beast of burden,” the outsourcer’s risk professional would respond before the pair repeated that aspirational line in unison.
With apologies to Mick, Keith and the gang, “Beast of Burden” captures the nature of third party relationships that rely on non-standard – and frequently ad-hoc – assessment practices and due diligence.
Service providers often find themselves short of the bodies, time and budget needed to complete a substantial number of lengthy, one-off assessments from their clients. Outsourcers contend with unnecessarily lengthy new-vendor onboarding processes when third parties without well-oiled assessment capabilities pepper their new clients with a barrage of clarification requests and follow-up questions.
“I regularly receive emails from third party providers that describe a significant and pervasive administrative hassle,” reports Shared Assessments Senior Manager Christopher Campbell. “The issue is the sheer amount of time it takes to work through several hundred unique questions from numerous different outsourcers. In smaller to mid-sized organizations, there is often a single person responsible for chasing down all the information needed to address those questions. And they’re dealing with anywhere from a dozen to up to 2,000 proprietary assessment questionnaires each year. The hours required to complete that work can be staggering.”
Campbell and David Lundquist, Shared Assessments’ Senior Director of Product Marketing, emphasize that proprietary questionnaires are a beast to deal with on both sides of third party relationships. “Though it’s a shared burden, the workload can be more manageable,” Lundquist notes.
Alleviating this strain has grown increasingly important as a mix of supply chain volatility and new regulatory directives require outsourcers to seek out new third party partners while applying deeper scrutiny of potential risks – related to cybersecurity, national security, ESG matters, and more – inside third, fourth and nth party partners. The best path to burden-relief involves understanding the primary aspects of these encumbrances and how a standardized third party risk assessment approach, including any of the Standard Information Gathering (SIG) tools, lightens the load.
The most common manifestations of the third party risk assessment burden materialize when outsourcers rely on lengthy, proprietary questionnaires that hold varying levels of relevance to different vendors. TPRM teams are often surprised to see how closely their proprietary questions track to existing standardized questions – which could have saved everyone a lot of time and money by not duplicating efforts. The reasons third parties struggle with these types of information requests include:
- Budget and bandwidth limitations: “Most companies have a lot going on in light of global disruptions, the talent shortage, and other urgencies,” Lundquist notes. “They just don’t have time to hire a bunch of new people to address the work that non-standard third party assessments create. Budgets and bandwidth stand out as the biggest challenge.”
- A math problem: Campbell agrees that funding and resource limitations loom large, especially given how long it takes to complete a proprietary risk questionnaire. “The average time to fill in a proprietary questionnaire is 32 hours,” he notes. “The median number of questionnaires that vendors are required to complete each year is approximately 1,000 – and 32,000 hours takes a lot of people working eight hours a day to complete.”
- A lack of maturity: Some third parties take significantly longer to complete one-off information requests because they have yet to develop formal, repeatable processes for responding to information requests, storing their policies and procedures, assigning related governance and oversight responsibilities, and leveraging automation to accelerate the retrieval of that information. “In those situations, the outsourcers may wait weeks or even months for responses from the third party,” Campbell adds.
How a standardized assessment tool can alleviate burdens TPRM programs face
Deploying a standardized assessment tool represents a more efficient and effective alternative to proprietary third party risk assessment questionnaires. That’s why the most advanced outsourcers and vendors tend to:
- Invest in standardization: Shared Assessments members have several options for standardizing the third party risk assessment process such as our standardized assessment tool(s). The SIG Lite provides up to a maximum of 150 questions, and it is best used as the program-level assessment for lower-risk third parties. The SIG Core, which provides up to a maximum of 825 questions, allows for a deeper scope and more personalized assessment, containing additional questions at the control definition level. (One more custom option is described below.)
- Follow the 80/20 rule: One of the largest third party providers in the Shared Assessments community has achieved and sustained major efficiency gains by following a third party risk management take on the 80/20 rule: the company has found that 80% of its outsourcing clients accept the standard SIG assessment. The remaining 20% of the client base require proprietary assessments to be completed; these still take more time and effort to perform, but substantially less time and effort than completing a higher portion of one-off assessment requests.
- Flex as needed: “Shared Assessments members use the Scoped SIG in situations where the SIG Lite or SIG Core are not specific enough to the services provided. … Both the SIG Lite and SIG Core can be used as a starting off point for scoping. The SIG tools are infinitely configurable: you can include 100 questions, 50 questions, or even seven questions.”
This type of flexibility and standardization helps outsourcers and third parties achieve greater risk management harmony.