Your third-party management footprint is exploding, and the term “business resilience” is echoing in Zoom meetings … but your vendor due diligence processes are still being ironed out. Rest assured that you’re not alone. In this post, we’ll introduce three approaches to get you on the right track.
Before working with a new vendor, supplier or other third party, you’ll want to conduct due diligence prior to onboarding. The due diligence process should not only assess a vendor’s financial and operational stability, but also gauge any potential risks they could introduce to your organization. The due diligence process usually involves a combination of contract understanding, vendor-completed assessments, and external intelligence gathering on the target company and their subcontractors. All of this is ultimately weighed against your organization’s level of risk tolerance.
Recently, vendor due diligence to-do lists have been getting a lot longer for procurement, risk management, and security teams. Given the coronavirus pandemic’s impact on third-party operations – combined with other health, environmental and geopolitical challenges – many organizations are expanding their vendor due diligence efforts beyond simple IT security assessments. This includes gathering information related to manufacturing, transportation, non-IT products, and other domain areas that comprise today’s complex supply chains.
Whether you’re formalizing a vendor due diligence program for the first time, or need to evolve your existing program, it’s important to take a step back and consider your overall strategy. At Prevalent, our customers typically take one or more of the following approaches to due diligence: In-house, Shared or Outsourced.
Many companies seek to internally manage vendor data collection and analysis. However, even if your organization is well-staffed and funded, DIY due diligence can be a burden if you use disparate, manual tools (e.g., spreadsheets) to manage the process. Bringing in an automated third-party risk management platform can help. Here are some capabilities you’ll want to look for:
One key to success with an internal approach is making it as easy and painless as possible for vendors to respond to assessment questionnaires. The solution should also include a vendor-facing portal for viewing survey completion status, threat intelligence reports, and suggested remediations, and it should maintain a complete audit trail for future assessment validation.
Finally, you’ll want to be sure that the solution is able to automatically trigger workflow tasks based on assessment attributes, risk scores, and recommendations. For instance, triggers can initiate activities related to vendor profiling and tiering, risk correlation across assessment responses, and normalization of assessment and monitoring intelligence. This will make it much easier for you to focus more on risk management and spend less time worrying about content collection.
As due diligence requirements expand to supply chain vendors and outsourced supply chain management providers, vendor management processes can be taxing on under-resourced teams. In my experience, an assessor can juggle around 150-200 concurrent assessments before they become overloaded. What happens when your board asks for supply chain risk data to inform decisions, and you have 15,000 vendors to assess?
Communicating with vendors and collecting risk data usually accounts for the largest share of time in the due diligence process. If all you have is spreadsheets and decoupled assessment and monitoring data to work with, then you are headed for a burn-out situation! Compounding this issue is the shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations.
Vendor risk intelligence networks can help when resource-constrained teams need to scale their programs. In this approach, network members and vendors pool their resources and share completed risk content to streamline risk analysis and mitigation. They offer on-demand access to readily available risk scores and content backed by industry-standard questionnaires. They’re perfect for SMBs that need benchmark data or larger organizations that need a quick way to tier vendors and identify those requiring more in-depth assessments.
Prevalent offers the following vendor risk intelligence networks:
Our customers typically find about 40% of their vendors in our networks. They also report an average 44% time and cost savings when using a Prevalent vendor risk network vs. conducting assessments on their own with manual tools.
A popular option is to outsource third-party evidence collection and analysis to vendor risk assessment services. This approach frees your in-house team to focus on risk identification and remediation, rather than on chasing down assessment responses and verifying their accuracy.
This approach can deliver a faster time-to-value for risk reduction. It’s also a solid option for extremely resource-constrained teams – or those with limited internal skillsets. Here are a few of the ways your risk management program can leverage outsourced due diligence:
Managed services have become increasingly popular as Covid-19 has restricted companies from performing onsite risk validation. While you can conduct virtual due diligence using in-house resources, an established managed service provider can deliver the expertise, process and resources necessary to supplement and scale your program.
Many Prevalent customers opt to take advantage of two – or all three – of the above approaches to accelerate and automate their third-party risk management programs. For instance, some customers tap into our networks for initial due diligence checks and then work with our services team to conduct assessments of vendors that aren’t yet in the network or that require more in-depth analysis.
Everything is managed in our centralized SaaS platform, which in-house teams can use to conduct periodic follow-up assessments – either on their own or with the support of Prevalent services – while continually monitoring third parties for cyber, business and financial risk.