If a group of risk professionals and their third party partners wound up at a karaoke bar at a certain hour, they might select a classic Stones tune for a heartfelt duet: “My back is broad, but it’s a-hurting,” the third party professional would croon. “I’ll never be your beast of burden,” the outsourcer’s risk professional would respond before the pair repeated that aspirational line in unison.
With apologies to Mick, Keith and the gang, “Beast of Burden” captures the nature of third party relationships that rely on non-standard – and frequently ad-hoc – assessment practices and due diligence.
Service providers often find themselves short of the bodies, time and budget needed to complete a substantial number of lengthy, one-off assessments from their clients. Outsourcers contend with unnecessarily lengthy new-vendor onboarding processes when third parties without well-oiled assessment capabilities pepper their new clients with a barrage of clarification requests and follow-up questions.
“I regularly receive emails from third party providers that describe a significant and pervasive administrative hassle,” reports Shared Assessments Senior Manager Christopher Campbell. “The issue is the sheer amount of time it takes to work through several hundred unique questions from numerous different outsourcers. In smaller to mid-sized organizations, there is often a single person responsible for chasing down all the information needed to address those questions. And they’re dealing with anywhere from a dozen to up to 2,000 proprietary assessment questionnaires each year. The hours required to complete that work can be staggering.”
Campbell and Shared Assessments Senior Director, Product Marketing David Lundquist emphasize that proprietary questionnaires are a beast to deal with on both sides of third party relationships. “Though it’s a shared burden, the workload can be more manageable,” Lundquist notes.
Alleviating this strain has grown increasingly important as a mix of supply chain volatility and new regulatory directives requires outsourcers to seek out new third party partners while applying deeper scrutiny of potential risks – related to cybersecurity, national security, ESG matters, and more – inside third, fourth and nth party partners. The best path to burden-relief involves understanding the primary aspects of these encumbrances and how a standardized third party risk assessment approach, including any of the Standard Information Gathering (SIG) tools, lightens the load.
The most common manifestations of the third party risk assessment burdens materialize when outsourcers rely on lengthy, proprietary questionnaires that hold varying levels of relevance to different vendors. TPRM teams are often surprised to see how closely their proprietary questions track to existing standardized questions – which could have saved everyone a lot of time and money by not duplicating efforts. The reasons third parties struggle with these types of information requests include:
Deploying a standardized assessment tool represents a more efficient, and effective, alternative to the use of proprietary third party risk assessment questionnaires. That’s why the most advanced outsourcers and vendors tend to:
This type of flexibility and standardization helps outsourcers and third parties achieve greater risk management harmony.