Companies are outsourcing more critical functions as part of their business operations in today’s complex environment. Every member of the supply chain must be evaluated to ensure they are properly protecting systems and data. Hackers are specifically targeting third parties as a way to get to outsourcers’ data, which further emphasizes the need for rigorous information security and risk management programs.
The service provider control evaluation process has long been inefficient and costly. The verification performed during the onsite assessment is a necessary component to ensure sufficient third party controls are in place, but today this process is time and resource intensive, inefficient and a burden on both the outsourcer and the service provider.
Professionals in finance/banking, healthcare, insurance, and retail discussed an innovative approach during the Shared Assessments Peer-2-Peer session I facilitated at last month’s RSA Conference: Can Peer Collaboration Be Our Next Best Practice for Risk Management? The discussion focused on using peer collaboration to perform assessments on third parties with common shared services. Many organizations share the same vendors for the same common services, and each has historically conducted its own costly and time-consuming independent assessment of its service providers’ risk control environment. Until now…
The Collaborative Onsite Assessment Program
To help companies use peer collaboration to better manage vendor risk, we recently introduced the Collaborative Onsite Assessment program, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as the common onsite assessment vehicle. During a two-year pilot process, the AUP was augmented to ensure the existing procedures covered 100% of the control requirements of the participating outsourcers, who were top tier financial institutions. The “Superset” AUP that resulted was then leveraged by multiple financial institutions to perform a shared onsite assessment of key service providers: one assessment of a single service provider by multiple financial institutions, creating efficiencies and cost savings for all parties. Through this pilot process, the Collaborative Onsite Program built a stronger third party risk management capability without diminishing the ability to manage the service provider relationship. As the Collaborative Onsite Assessment Program is being rolled out to financial services, additional pilots are planned cross-industry.
This powerful, new collaborative assessment tool has the ability to provide long-term cost savings and FTE efficiencies for both the service providers and financial institutions. Both sets of organizations will be able to spend less on assessments and more on maturing their risk management programs by limiting site visit and annual review man-hours. In addition, the service provider has found that the collaborative onsite assessment created a closer relationship with its clients.
Shared Assessments is a member-driven organization of industry, service providers, assessment firms and software providers who understand that third party risk management is not a competitive issue. These organizations understand the value of working collaboratively to develop best practices, processes and robust third party risk management tools. Using peer collaboration can be a cost-effective and efficient way to manage third party risk, strengthen vendor relationships, and protect an organization’s most critical assets.
For more information about the Collaborative Onsite Assessment program, please read the Collaborative Onsite Assessment case study, and visit the Shared Assessments website.
Robin Slade is Executive Vice President and Chief Operating Officer with The Santa Fe Group. Robin leads all activities of the Shared Assessments Program, including managing its Member Forum, working groups and the Certified Third Party Risk Professional program. Connect with Robin on LinkedIn.
Originally posted on the RSA Conference blog.