
Closing the Virtual Assessments Skills Gap

This blogpost identifies the Virtual Assessments Skills needed in risk programs post-pandemic.

Weeks after the World Health Organization designated COVID-19 as a pandemic, EY and the International Association of Privacy Professionals (IAPP) mobilized their research teams. Their mission was to identify how the pandemic and the work-from-home (WFH) migration it prompted were affecting privacy and data protection practices. The findings of this April 2020 research initiative – based on input from about 1,000 privacy and IT professionals from companies in all global regions and industries – remain relevant today, especially as privacy, security and third party risk management (TPRM) teams adapt their strategies, processes and tools to address post-pandemic challenges.

The report primarily focuses on WFH-specific privacy and security issues, how organizations monitored employee health early in the pandemic, and the sharing of organizational data with governments, researchers and public health authorities. The research also contains more than a few findings that shed light on current TPRM challenges, especially those related to virtual assessments. Here are two data points that caught my attention:

  1. 60% of organizations that adopted new technology to enable remote working models “accelerated or bypassed” standard reviews of privacy and security controls; and
  2. When asked to identify their top data privacy and security challenges, respondents ranked “conducting privacy and security reviews of vendors and technologies to enable remote work or client services” fifth on a list of eight priorities.

First off, 60% is a big number. Second, it’s not surprising that third party risk management took a back seat during the early weeks of the pandemic. Most companies were understandably consumed by setting up remote operations. Now that those operations are in place, it’s time to do something about that big number. That means that nearly every outsourcer needs to re-assess how their vendors are managing privacy and security controls now that vendor employees routinely access organizational systems – and customer data – from home.

Doing so requires outsourcers and vendors to conduct virtual assessments. The Shared Assessments community invested substantial time and effort comparing notes on all aspects of virtual assessments. Our intense work has generated many useful insights, which will seed improvement initiatives within TPRM programs this year.

Throughout our discussions, meetings, project work and webinars, one of the most commonly expressed virtual-assessment challenges concerned the need for assessors to possess a higher-level skill set.

Think about it: if I’m interviewing you and you’re sitting across the table from me, I have all kinds of visual cues to pick up on. I can see when you don’t fully understand my question. I can detect, based on your expression, when I may not be explaining myself clearly. Those crucial signals are much, much more difficult to detect when you’re communicating virtually, especially when people aren’t on camera.

We’ve also learned that the assessor’s project management skills have to be extremely sharp. The sequence of document reviews and interviews is extremely important in virtual assessments. You don’t want to get halfway through the allotted time and realize that you have to go back and review additional documents – or that you interviewed people in the wrong order. When you’re on-site, those missteps have less of an impact because you know you’re there for four or five days and you can follow up later. Technology skills are also much more important on virtual assessments.

Most companies did an incredibly impressive job transitioning to a WFH model in 2020 amid historically unprecedented circumstances. In 2021, it’s time to convert more TPRM practices and processes, including those involved in assessments, to post-pandemic conditions.

Looking for more information around Virtual Assessments? Try these blogposts:

Ten Tips for Virtual Risk Assessments using Shared Assessments’ TPRM Toolkit or contemplate the Value of Virtual Assessments.