Given its heritage of storing, protecting and managing information and other assets for tens of thousands of client companies, it’s no surprise that Iron Mountain has played a pioneering role in advancing third-party risk management (TPRM) standards and practices.
As an early member of the Shared Assessments Program, Iron Mountain often has been the sole vendor on steering committees primarily comprised of outsourcers, consultants and other experts. As Shared Assessments membership expanded to include more third parties in recent years, Iron Mountain has remained an influential shaper of TPRM policies, processes, practices and tools. The company’s inbound TPRM service team has developed an instructive approach for driving the adoption and use of the Standardized Information Gathering (SIG) Questionnaire Tools among client companies.
Kudos to Shared Assessments for developing tools that capture and quantify all the necessary risk data. At this point, the SIG acceptance rate is higher than it’s ever been in the marketplace.
That was not always the case, however. During the past decade or so, Iron Mountain’s inbound team worked diligently and creatively to steadily increase the use of SIG tools among its client companies, according to Seth Bailey and David O’Connor, a Manager in Iron Mountain’s Information Security team. More recently, Bailey’s team has contended with a surge in information security schedules — lengthy and complex addenda to vendor contracts designed to address soaring cybersecurity risks — that necessitate similar levels of diligence, ingenuity and collaboration to manage. The discussions that follow focus on the strategies and tactics Iron Mountain deploys to address both challenges.
Bailey’s GRC group, which includes inbound and outbound TPRM services teams, is part of the company’s enterprise risk function, which is led by a Chief Risk Officer. This central function houses physical security, information security and all other functions responsible for second and third lines of defense in the global enterprise. This organizational structure, which was recently put in place, is helpful in that it gives TPRM and other risk groups a say at the senior decision-making table, Bailey emphasizes.
As Iron Mountain has a massive, global client base, negotiating with customers over TPRM-related information requests can be time consuming. Iron Mountain typically qualifies as a high-risk vendor given the fact that it stores data and information for its customers. “Our customers’ ranking systems flag us as a high-risk — not all of the time, but quite frequently,” Bailey explains. “That tends to trigger everything from stringent policies, to on-site assessments, to corporate audits.”
This motivated Iron Mountain to join the Shared Assessments Program to help shape the development of the SIG tools (and, more recently, the SIG Lite tool) — and to encourage the adoption of those tools by thousands of customers. As SIG adoption increased, Iron Mountain experienced significant reductions in the time, effort and money associated with manually responding to unique TPRM questionnaires and/or related information requests submitted by different customers.
Completing custom TPRM information requests typically requires eight full-time-equivalent (FTE) hours, O’Connor estimates, while noting that the most comprehensive requests can consume up to a full week’s worth of FTE labor. “We get some extremely large and detailed questionnaires from customers,” he notes. “It requires a very labor-intensive response.” Bailey agrees. “All of that time adds up,” he says, “and it represents a material cost to our company.”
After selling customers, as well as internal sales colleagues, on the benefits of the SIG tools, Iron Mountain’s inbound TPRM team managed to reduce the portion of manual questionnaires it completes to a little more than 9 percent: In 2018, only 199 of the 2,173 security/risk management documentation requests customers submitted needed to be completed manually, O’Connor notes. The SIG questionnaire tools comprised the vast majority of automated questionnaires Iron Mountain submitted in 2018.
Getting to that point took significant time and effort, and Bailey and O’Connor indicate that the following approaches were especially helpful:
While those three steps were instrumental in increasing the rate of SIG acceptance in recent years, Iron Mountain continually evaluates new approaches and tactics for increasing the efficiency and effectiveness of sharing security and risk-management information with customers. “We recognize that some other companies charge customers for certain inbound third-party risk services,” O’Connor notes. “While Iron Mountain has not taken this step, we’re always evaluating potential adjustments that can drive improvements.”
Iron Mountain also continually calibrates its inbound third-party risk management activities in response to changing customer expectations. In the past two years, for example, the volume and complexity of information security-specific schedules have increased dramatically.
“We’ve experienced a massive uptick in the information security requirements companies are asking for in their contracts,” O’Connor reports. “Customers are getting very specific and more stringent about what they expect us to do from an information security perspective and what they want us to provide during audits.”
These information security schedules require extensive initial reviews by experienced information security experts, and often a second round of review by Iron Mountain’s Legal team. Time-consuming and detailed discussions between the two companies can ensue, and that back-and-forth can sometimes extend the sales cycle.
“These requests are our biggest pain point right now,” O’Connor says. “This is really an industry-wide concern.” To address this challenge, the inbound team has taken the following two actions:
Bailey and O’Connor remain optimistic about the progress of TPRM standardization.
“The value we gain from the SIG tools is much higher now than it’s ever been, because the acceptance rate is so high,” says Bailey. “There are several reasons for that, one of which is that the industry is maturing. You can see that in how many people from Shared Assessments’ steering committees have moved to new companies over time. Each time that occurs, awareness grows.”