Last week, 100+ individuals in the Third Party Risk Management (TPRM) industry met in a Cross Vertical Strategy Group to deliberate the benefits and challenges presented by Vendor Risk Assessment Exchanges.
Facilitated by Shared Assessments, the practitioners and panelists in the discussion included representatives from TPRM solution providers that offer vendor risk assessment exchange solutions. The conversation remained neutral, candid, and open; the spirit of the session was collaborative and helpful.
A risk assessment exchange is a library of vendor risk assessments. Very often, the risk assessments in these libraries are supported with documentation and artifacts. Ostensibly, this type of assessment repository is cost-effective and time-saving for risk practitioners and programs. Assessment exchanges put information at a risk practitioner’s fingertips, keeping them from having to perform assessments on every vendor.
While efficiency is firmly associated with assessment exchanges, they do give rise to questions about efficacy:
How do you get your vendor or third party to adopt a certain exchange platform in the first place? And, once you find a vendor assessment on an exchange, does it “fit” the product or service they will be providing to your organization? Or, are there supplemental questions that are needed to make the assessment on the exchange complete and contextual for your organization?
The strength of TPRM assessment exchanges is that they provide useful data in a centralized location. Assessment exchanges are great tools for transparency. But it is up to the outsourcer's risk program and practitioner to determine how they use the tool.
The data presented in assessment exchanges is owned by the vendor. The vendor has full control of the data, so what the exchange presents is the vendor's own portrayal of its third party control posture.
Even when using a risk assessment exchange, you, the risk program, still own the risk and relationship with the vendor.
An assessment exchange helps outsourcers to examine control responses to questions, provides comprehensive reporting, and facilitates independent analysis.
Assessment exchanges save time, especially when an outsourcer is able to use the exchange to gather proof of concept (POC) reports. (It is easier to narrow the field to a few vendors who are in good standing.) Exchange POC assessment reports can lend deeper insight than even onsite assessments: a deeper level of due diligence and assurance can happen within an exchange for critical vendors.
Assessment exchanges leverage industry standards and best practice templates such as the SIG. Using these standards means efficiency gains for vendors: “do it once, share it with many.” For the buyer or reviewer, efficiency is realized through a standardized interpretation of a template.
For most of the industry, the authenticity and thoroughness provided by an assessment exchange are higher than any single risk program can achieve. Yet, assessment exchanges still present challenges.
One of the greatest challenges presented by risk assessment exchanges is determining the freshness or timeliness of the documentation provided by vendors. For example, the SIG year and the supporting artifacts need to be checked and updated. But who is responsible for ensuring the freshness of this content?
If a regulator asks an organization to prove the legitimacy of the information they have taken from an exchange, what evidence can the organization provide? Some exchanges allow the customer to view actual audit material from a vendor.
Other challenges include standardization of format across multiple vendors and platforms and aligning assessments to required controls. (Sometimes, it is hard for risk practitioners to match required controls for critical suppliers in assessments on exchanges.)
Third party risk management programs must balance accountability and ownership of the control assessment data presented in TPRM assessment exchanges with collaboration. When necessary, outsourcers using vendor assessment exchanges need to ask third parties supplemental questions that will ensure their vendors’ controls align with their risk appetite and control framework.
Assessment exchanges do bring momentum to the “Verify” step of the risk management process. If leveraged properly, risk assessment exchanges can improve efficiency, enhance the quality of assessments, and boost transparency and collaboration in the risk management process.
It is important to remember that the relationship remains between the client requesting the assessment and the vendor (rather than the exchange itself).
To join in risk management discussions or to learn more about Shared Assessments’ committees and working groups, navigate here.