What ‘Virtual’ Means When Conducting Assessments

The word virtual’s various meanings include “near enough” and “not physically existing.” When it comes to performing virtual assessments, outsourcers and third parties should keep both definitions top of mind.

For all practical purposes, virtual assessments are the same as onsite assessments, excluding the assessment team’s physical presence on the vendor’s premises. This means that remote reviews mirror the processes, information exchanges and discussions that occur during traditional assessments. This also means that the interpersonal skills required to sustain the effectiveness, efficiency and cooperative nature of assessment interactions are perhaps even more important on virtual assessments.

“It’s all about the soft skills, regardless of whether you’re working onsite or conducting a remote assessment,” says The Santa Fe Group Vice President Tool Development and Implementation Andy Hout, who began conducting onsite and virtual assessments in the financial services industry two decades ago. “As an assessor, when I requested documentation during a virtual assessment, I would explain exactly what I would do with that documentation, including how I would securely store it and how long I would retain it. I would discuss that upfront for governance purposes, but also to establish trust. You need to cultivate trust on any assessment, but on a remote assessment, you want to establish a little bit more trust.”

Lynx Technology Partners Director of Vendor Risk & Compliance Services Angela Dogan, a Shared Assessments member, agrees. In a forthcoming article on virtual assessments she co-authored with Hout, Dogan explains why the pre-assessment call that precedes the virtual assessment represents a crucial opportunity for assessors to build trust, align expectations with the vendor team, and set a cooperative tone for the ensuing assessment meeting.

Hout and Dogan also facilitated a Shared Assessments Member Forum Call on virtual assessments earlier this month, during which they shared their insights gained from conducting virtual assessments along with this description:

A virtual third party assessment is a form of due diligence that replaces certain onsite evaluations with similar or alternative processes accomplished remotely in real-time. A virtual assessment may be used in circumstances when an outsourcer is denied onsite access and can also be used to reduce travel and expenses. In virtual onsite assessments, web-enabled participants can provide, review and verify required control artifacts from a Third Party’s environment.

The importance of clear communications, aligned expectations, cooperation and mutual trust on all assessments makes sense given how frequently, and at what cost, human fallibility figures in major risk management lapses.

Capital One’s recent data breach, which exposed the personal information of more than 100 million credit card customers, was attributed to a hacker who worked for one of Capital One’s primary cloud service providers. The cybersecurity breakdown was also attributed to a high turnover rate in Capital One’s cybersecurity unit, according to The Wall Street Journal. In their new book, The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats, co-authors Richard A. Clarke and former Director for Cybersecurity on the National Security Council at the White House Robert Knake zero in on the risks posed by individual employees who never fail to click on links in phishing emails. For years, former-hacker-turned-cybersecurity-consultant Kevin Mitnick has thrived by advising companies and countries to fortify their “human firewalls” through training and awareness. “You can have the best technology in the world,” Mitnick said in a recent interview, “but if I can call or email or somehow communicate with a target in your company, I can usually bypass all of that technology by manipulating the target.”

The human element is equally important to address during all third party assessments, whether they take place on site or virtually. While assessors should deploy the best assessment methodologies and processes in the world, they should also be aware of the softer skills they need to optimize the value of these tools.