Given its heritage of storing, protecting and managing information and other assets for tens of thousands of client companies, it’s no surprise that Iron Mountain has played a pioneering role in advancing third party risk management (TPRM) standards and practices.
As an early member of the Shared Assessments Program, Iron Mountain often has been the sole vendor on steering committees primarily comprised of outsourcers, consultants and other experts. As Shared Assessments membership expanded to include more third parties in recent years, Iron Mountain has remained an influential shaper of TPRM policies, processes, practices and tools. The company’s inbound TPRM service team has developed an instructive approach for driving the adoption and use of the Standardized Information Gathering (SIG) Questionnaire Tools among client companies.
Kudos to Shared Assessments for developing tools that capture and quantify all the necessary risk data. At this point, the SIG acceptance rate is higher than it’s ever been in the marketplace.
That was not always the case, however. During the past decade or so, Iron Mountain’s inbound team worked diligently and creatively to steadily increase the use of SIG tools among its client companies, according to Bailey and David O’Connor, a Manager in Iron Mountain’s Information Security team. More recently, Bailey’s team has contended with a surge in information security schedules — lengthy and complex addenda to vendor contracts designed to address soaring cybersecurity risks — that necessitate similar levels of diligence, ingenuity and collaboration to manage. The discussions that follow focus on the strategies and tactics Iron Mountain deploys to address both challenges.
Three Ways to Increase SIG Adoption
Bailey’s GRC group, which includes inbound and outbound TPRM services teams, is part of the company’s enterprise risk function, which is led by a Chief Risk Officer. This central function houses physical security, information security and all other functions responsible for second and third lines of defense in the global enterprise. This organizational structure, which was recently put in place, is helpful in that it gives TPRM and other risk groups a say at the senior decision-making table, Bailey emphasizes.
As Iron Mountain has a massive, global client base, negotiating with customers over TPRM-related information requests can be time consuming. Iron Mountain typically qualifies as a high-risk vendor given the fact that it stores data and information for its customers. “Our customers’ ranking systems flag us as a high-risk — not all of the time, but quite frequently,” Bailey explains. “That tends to trigger everything from stringent policies, to on-site assessments, to corporate audits.”
This motivated Iron Mountain to join the Shared Assessments Program to help shape the development of the SIG tools (and, more recently, the SIG Lite tool) — and to encourage the adoption of those tools by thousands of customers. As SIG adoption increased, Iron Mountain experienced significant reductions in the time, effort and money associated with manually responding to unique TPRM questionnaires and/or related information requests submitted by different customers.
Completing custom TPRM information requests typically requires eight full-time-equivalent (FTE) hours, O’Connor estimates while noting that the most comprehensive requests can consume up to a full week’s worth of FTE labor. “We get some extremely large and detailed questionnaires from customers,” he notes. “It requires a very labor-intensive response.” Bailey agrees. “All of that time adds up,” he says, “and it represents a material cost to our company.”
After selling customers, as well as internal sales colleagues, on the benefits of the SIG tools, Iron Mountain’s inbound TPRM team managed to reduce the portion of manual questionnaires it completes to a little more than 9 percent: In 2018, only 199 of the 2,173 security/risk management documentation requests customers submitted needed to be completed manually, O’Connor notes. The SIG questionnaire tools comprised the vast majority of automated questionnaires Iron Mountain submitted in 2018.
Getting to that point took significant time and effort, and Bailey and O’Connor indicate that the following approaches were especially helpful:
While those three steps were instrumental in increasing the rate of SIG acceptance in recent years, Iron Mountain continually evaluates new approaches and tactics for increasing the efficiency and effectiveness of sharing security and risk-management information with customers. “We recognize that some other companies charge customers for certain inbound third-party risk services,” O’Connor notes. “While Iron Mountain has not taken this step, we’re always evaluating potential adjustments that can drive improvements.”
Information Security Schedule Requests Soar
Iron Mountain also continually calibrates its inbound third party risk management activities in response to changing customer expectations. In the past two years, for example, the volume and complexity of information security-specific schedules have increased dramatically.
“We’ve experienced a massive uptick in the information security requirements companies are asking for in their contracts,” O’Connor reports. “Customers are getting very specific and more stringent about what they expect us to do from an information security perspective and what they want us to provide during audits.”
These information security schedules require extensive initial reviews by experienced information security experts, and often a second round of review by Iron Mountain’s Legal team. Time-consuming and detailed discussions between the two companies can ensue, and that back-and-forth can sometimes extend the sales cycle.
“These requests are our biggest pain point right now,” O’Connor says. “This is really an industry-wide concern.” To address this challenge, the inbound team has taken the following two actions:
Bailey and O’Connor remain optimistic about the progress of TPRM standardization.
“The value we gain from the SIG tools is much higher now than it’s ever been, because the acceptance rate is so high,” says Bailey. “There are several reasons for that, one of which is that the industry is maturing. You can see that in how many people from Shared Assessments’ steering committees have moved to new companies over time. Each time that occurs, awareness grows.”
Iron Mountain Incorporated, founded in 1951, is the global leader for storage and information management services.
Trusted by more than 225,000 organizations around the world, and with a real estate network of more than 90 million square feet across more than 1,450 facilities in over 50 countries, Iron Mountain stores and protects billions of valued assets, including critical business information, highly sensitive data, and cultural and historical artifacts.
Providing solutions that include information management, digital transformation, secure storage, secure destruction, as well as data centers, cloud services and art storage and logistics, Iron Mountain helps customers lower cost and risk, comply with regulations, recover from disaster and enable a digital way of working.
9 percent: Portion of all inbound third party risk management questionnaires containing custom requirements
8 hours: Typical number of FTE hours required to complete a custom questionnaire
40 hours: Amount of FTE hours required to complete the most comprehensive custom questionnaires