A risk-based determination of whether – and how – to conduct remote assessments of vendors
Expert Contributors: Angela Dogan and Andrew Hout
Given how much time and money virtual assessment of vendors can save companies and their third party risk management programs, it may be surprising to learn that cost and convenience should have little, if anything to do, with determining whether a risk assessment should be performed in person or remotely.
While virtual assessments can deliver major travel and expense (T&E) reductions and labor cost-savings, the magnitude of risk a vendor relationship poses to the organization should be the foremost factor that third party risk managers weigh when determining which vendors can be monitored via virtual risk assessments.
For this reason, virtual assessments are rarely, if ever, applied to critical vendors. It is also crucial to recognize that a supplier’s assigned risk level often fluctuates over time. Vendors that receive a virtual assessment today may require an on-site assessment six months from now due to a change in the risk a vendor may pose or changes to the importance of the relationship to the outsourcer.
In practice, remote assessments are virtually identical to traditional on-site risk assessments – only with conference calls, email, screen-sharing, file-sharing and, in some cases, videoconferencing replacing face-to-face discussions as the primary modes of interaction. As such, the interpersonal aspects of these assessments may require a bit more attention and consideration than is the case for on-site assessments. The success and smooth execution of virtual assessments hinge on mutual trust between the outsourcer and vendor.
Although our discussion here focuses on the value, determination and execution of virtual assessments, it is important to keep in mind that assessments represent the “Verify” component of the “Trust, but Verify” model that Shared Assessments views as crucial to a comprehensive third party risk management program. As is the case with on-site assessments, the value of a virtual assessment also depends on the third party risk management decisions and activities that occur before and after the assessment takes place.
A Risk-Based Decision
Organizations with leading third party risk management programs rely on a standard methodology as well as advanced tools and supporting technology to ensure that their assessments – regardless of whether they are conducted in-person or virtually – are scoped to meet their organization’s unique needs.
Today, the most advanced third party risk management practitioners design and deploy assessments that gather and evaluate more than a dozen of their vendors’ critical risk domains, including information technology, cybersecurity, privacy, resiliency and data security risks. A longstanding misconception regarding virtual assessments is that their effectiveness is limited when validating physical security controls. Advances in digital video surveillance have equipped assessors with the evidence they need to validate physical security controls in many situations.
A range of technological advancements as well as growing comfort with virtual working arrangements have significantly increased interest in virtual assessments in recent years. When we first began conducting virtual assessments of third parties at the turn of this century, our interactions often involved conference calls, document exchanges, the sharing of photographs and working through a long list of questions centered on validating specific policies and procedures. While recent advances in videoconferencing, video surveillance, collaboration software, third-party risk standards and tools, and related developments have eased the information exchanges at the heart of a remote assessment, the use of validation questions and the criteria for determining whether a virtual assessment can be conducted in lieu of an on-site assessment have remained unchanged. These evaluations should always focus squarely on the risk factors that contribute to the risk tiers that are developed during the process of categorizing the organizations’ vendors.
Companies with formal third party risk management programs typically organize vendors into several risk-based tiers, ranging from the most risk-critical relationships (e.g., Tier 1 suppliers) to comparatively lower-risk relationships (Tier 2 and Tier 3 suppliers). Tier 3 and Tier 2 suppliers are generally considered the most suitable candidates for virtual assessments. While there are occasional exceptions, Tier 1 vendors are rarely a fit for an initial assessment being a remote assessment.
When a vendor’s risk level is deemed appropriate for a virtual assessment, the benefits to the outsourcer can be significant. Our experience shows that a virtual assessment can reduce the time it takes to complete an on-site assessment by 54 percent while reducing the cost of an on-site assessment by 72 percent. These savings stem from eliminating the T&E costs and labor time, which includes travel – and layovers – between different vendor sites) associated with visiting a vendor’s location. For larger companies with hundreds or even thousands of vendors, these cost reductions can add up to substantial savings.
As appealing as these cost-savings can be, they absolutely should not replace the vendor’s risk rating as the overriding factor used to determine when to deploy virtual assessments.
Practical Steps & Qualitative Considerations
Virtual assessments adhere to very much the same process that on-site assessments follow. And, as is the case with on-site reviews, assessment teams should be ready to adapt when unexpected obstacles arise. This elevates the importance of the qualitative dynamics that should be considered in addition to the more tangible components of the virtual assessment.
While virtual assessment protocols vary by organizations, they typically include the following activities:
- Sending out the Initial Communication: The lead assessor typically sends an email that notifies the vendor that it is time for an assessment. This communication explains that the assessment will be conducted virtually and lays out the key steps that will follow, including the timing of a subsequent pre-assessment call, any exchange of documents before the assessment, the creation and sharing of an agenda and the initial scheduling of a date for the assessment. If assessors want the vendor’s team to complete a questionnaire prior to the assessment, they will include that as an attachment or as a link to the Web-based portal where the questionnaire can be completed.
- Holding the Pre-Assessment Call: This pivotal interaction should establish a spirit of collaboration, flesh out and address any confusion and/or concerns (especially among vendors participating in a virtual assessment for the first time), discuss and settle any points of contention or discomfort, finalize a date and time for the subsequent assessment and, ultimately, clearly align expectations. It is important for the vendor’s team to understand that they can and should ask questions about the assessment and help determine the agenda. The call is an excellent time for assessors to educate and inform vendors who lack experience with virtual assessments. The pre-assessment call should also cover all policy and procedure documentation that the assessor wants to see prior to the assessment date. These document requests often spark conversations about vendor policies concerning the sharing of proprietary documentation with external partners. Assessment teams should be prepared to explain how they will transfer, store and delete any vendor documents in a secure manner. During pre-assessment calls, assessors should convey the need for screen-sharing capabilities so that the two parties can agree on which application (e.g., Webex or GoToMeeting). These calls typically last at least 15- 30 minutes; however, more time may be necessary when vendors have not previously conducted remote assessments.
- Setting the Agenda: The agenda for the assessment meeting lays out the vendor’s critical risk domains that the assessor will review (e.g., those related to IT, cybersecurity, privacy, resiliency and data security and other risks), who will be in the room during the call and how long the assessment call will last. A typical virtual assessment requires four to six hours to complete; however, some virtual assessments can be completed within two hours when a significant amount of requested documentation is shared prior to the call.
- Conducting the Assessment: The virtual assessment mirrors the structure and flow of an on-site assessment. The assessor works through the agenda on the phone, asking the vendor’s team to share artifacts via the screen-sharing tool. Most of these requests are for the validation of processes – evidence that the vendor has executed specific tasks in accordance with its policies and procedures. While assessment teams request policy and procedure documents prior to the meeting, they normally want to review the validation documents in real-time, during the virtual assessment. Once the meeting concludes, the assessor adheres to the same protocols that follow a traditional on-site assessment. This includes documenting the assessment’s findings, identifying issues that need to be addressed and laying out remediation plans. In addition to thinking quickly on their feet, assessors should also foster a collaborative mindset. Assessment teams should establish and reinforce trust throughout the process, starting with the initial email communication. It is easier to catch flies – and risk-management lapses – with honey than vinegar.
In the end, it is vital to keep in mind that third party risk management programs and the virtual assessments that strengthen these capabilities are designed to make important relationships with external partners even more valuable.