A risk-based determination of whether – and how – to conduct remote assessments of vendors
Expert Contributors: Angela Dogan and Andrew Hout
Given how much time and money virtual assessment of vendors can save companies and their third party risk management programs, it may be surprising to learn that cost and convenience should have little, if anything, to do with determining whether a risk assessment should be performed in person or remotely.
While virtual assessments can deliver major travel and expense (T&E) reductions and labor cost-savings, the magnitude of risk a vendor relationship poses to the organization should be the foremost factor that third party risk managers weigh when determining which vendors can be monitored via virtual risk assessments.
For this reason, virtual assessments are rarely, if ever, applied to critical vendors. It is also crucial to recognize that a supplier’s assigned risk level often fluctuates over time. Vendors that receive a virtual assessment today may require an on-site assessment six months from now due to a change in the risk a vendor may pose or changes to the importance of the relationship to the outsourcer.
In practice, remote assessments are virtually identical to traditional on-site risk assessments – only with conference calls, email, screen-sharing, file-sharing and, in some cases, videoconferencing replacing face-to-face discussions as the primary modes of interaction. As such, the interpersonal aspects of these assessments may require a bit more attention and consideration than is the case for on-site assessments. The success and smooth execution of virtual assessments hinge on mutual trust between the outsourcer and vendor.
Although our discussion here focuses on the value, determination and execution of virtual assessments, it is important to keep in mind that assessments represent the “Verify” component of the “Trust, but Verify” model that Shared Assessments views as crucial to a comprehensive third party risk management program. As is the case with on-site assessments, the value of a virtual assessment also depends on the third party risk management decisions and activities that occur before and after the assessment takes place.
A Risk-Based Decision
Organizations with leading third party risk management programs rely on a standard methodology as well as advanced tools and supporting technology to ensure that their assessments – regardless of whether they are conducted in-person or virtually – are scoped to meet their organization’s unique needs.
Today, the most advanced third party risk management practitioners design and deploy assessments that gather and evaluate more than a dozen of their vendors’ critical risk domains, including information technology, cybersecurity, privacy, resiliency and data security risks. A longstanding misconception regarding virtual assessments is that their effectiveness is limited when validating physical security controls. Advances in digital video surveillance have equipped assessors with the evidence they need to validate physical security controls in many situations.
A range of technological advancements as well as growing comfort with virtual working arrangements have significantly increased interest in virtual assessments in recent years. When we first began conducting virtual assessments of third parties at the turn of this century, our interactions often involved conference calls, document exchanges, the sharing of photographs and working through a long list of questions centered on validating specific policies and procedures. While recent advances in videoconferencing, video surveillance, collaboration software, third-party risk standards and tools, and related developments have eased the information exchanges at the heart of a remote assessment, the use of validation questions and the criteria for determining whether a virtual assessment can be conducted in lieu of an on-site assessment have remained unchanged. These evaluations should always focus squarely on the risk factors that contribute to the risk tiers that are developed during the process of categorizing the organization’s vendors.
Companies with formal third party risk management programs typically organize vendors into several risk-based tiers, ranging from the most risk-critical relationships (e.g., Tier 1 suppliers) to comparatively lower-risk relationships (Tier 2 and Tier 3 suppliers). Tier 3 and Tier 2 suppliers are generally considered the most suitable candidates for virtual assessments. While there are occasional exceptions, Tier 1 vendors are rarely a fit for having their initial assessment conducted remotely.
When a vendor’s risk level is deemed appropriate for a virtual assessment, the benefits to the outsourcer can be significant. Our experience shows that a virtual assessment can reduce the time it takes to complete an on-site assessment by 54 percent while reducing the cost of an on-site assessment by 72 percent. These savings stem from eliminating the T&E costs and labor time (which includes travel, and layovers, between different vendor sites) associated with visiting a vendor’s location. For larger companies with hundreds or even thousands of vendors, these cost reductions can add up to substantial savings.
As appealing as these cost savings can be, they absolutely should not replace the vendor’s risk rating as the overriding factor used to determine when to deploy virtual assessments.
Practical Steps & Qualitative Considerations
Virtual assessments adhere to very much the same process that on-site assessments follow. And, as is the case with on-site reviews, assessment teams should be ready to adapt when unexpected obstacles arise. This elevates the importance of the qualitative dynamics that should be considered in addition to the more tangible components of the virtual assessment.
While virtual assessment protocols vary by organization, they typically include the following activities:
In the end, it is vital to keep in mind that third party risk management programs and the virtual assessments that strengthen these capabilities are designed to make important relationships with external partners even more valuable.