Selecting the Right Technology for Your Third-Party Risk Management Program
Published On November 24, 2020
Blog Post by Aditya Tripathi, Client Engagement Associate at CORL Technologies
Effective third-party risk management (TPRM) begins with maintaining an updated vendor inventory and conducting assessments for a prioritized subset of vendors who pose the greatest risk to your organization. Technology and automation play a critical role in your program’s ability to deliver assessments and high-quality risk intelligence to the business in a timely fashion.
Applying the right technology in the right places in your vendor risk workflow can also save valuable time and money that would otherwise be spent on costly manual processes and systems.
There are multiple types of solutions available on the market today that can play a role in TPRM programs, including Governance Risk and Compliance (GRC) platforms, survey automation tools, digital workflow management tools, data visualization tools, cyber risk scoring solutions, vendor exchanges, and more. These offerings are not mutually exclusive and many of the capabilities compliment and support one another.
Selecting the technology capabilities that best fit your TPRM program needs can be a daunting challenge. This blog post provides guidance on requirements and key questions to consider when evaluating TPRM technology and automation solutions.
A common misconception is that effective TPRM can be achieved by implementing automated questionnaires and security surveys alone. In managing over 120 TPRM programs, we have learned here at CORL that a combination of technologies, processes, and people are required to get it right. Some examples of ways in which technology can be applied to TPRM programs include:
- Facilitating efficient exchange of assessment data and supporting evidence (e.g. via automated security questionnaires)
- Automated risk scoring, vendor tiering, and decision support
- Risk findings tracking and remediation capabilities (e.g. risk registers)
- Workflow automation
- Automated exchange and reuse of vendor risk data and assessments already conducted for your peers in the industry
- Integration with your other risk management programs and systems outside TPRM (e.g. GRC solutions)
- Reporting and data visualization
The following section lists some questions that can help you pick the right solution or combination of technical solutions for your TPRM program.
How many vendors do you plan to assess per year?
If you have a high volume of assessments (e.g. >50), then an enterprise scale solution that has enterprise reporting, workflow, and tracking is recommended. If you have a smaller number of vendors to assess, then you may only need to focus on more limited capabilities like questionnaire automation and reporting.
What is your risk scoring methodology?
A well-defined risk scoring model that includes inherent impact and likelihood of a breach is important in a mature TPRM program. Some GRC platforms can be set-up to handle complex rules and methodologies around risk calculation, whereas a lot of the other GRC platforms and survey automation tools lack in this area. Note: contact your team here at CORL to learn more about the pros and cons of specific GRC platforms on the market.
How do you plan to track risks?
If you plan to track risks at the enterprise level, it is highly recommended to maintain a risk register that has capabilities such as assigning a risk owner, tracking treatment plans, business units, facilities, locations, dates, status, etc. Most of the established GRC tools have this functionality, but you do not necessarily need a full blown GRC solution to achieve this objective.
Have you defined your VSRM workflows?
Vendor risk management workflows are as important to establish as the tool itself, if not more so. You should define the end-to-end assessment workflow that helps to track an assessment at any given time, and at the same time has quality control capabilities. Many GRC tools today cannot handle complex workflows. You should consider the use of a digital workflow management tool in addition to a GRC if it does not meet your needs alone. Do not assume that buying a GRC with a vendor risk module or capability will deliver an effective out-of-the-box workflow that works for you or the organization.
Do you have risk visibility into your entire vendor portfolio to support decision making for the business?
If your program and workflows are well-defined and able to scale to report on risk for your entire portfolio, then you may not need much additional technology to automate these pieces. However, if you have scattered assessment data that fails to provide a “30,000 foot” view of your overall vendor risk posture, then you may want to consider technology and tech-enabled managed services like CORL that can provide reporting and coverage for your entire vendor portfolio.
What are your operational and executive level reporting needs?
Reporting capabilities of each tool varies significantly, and so do the needs of an organization. While some technology platforms can create intuitive and detailed reports, some lack in this area. Your organization should consider leveraging the use of a data visualization tool if the reporting needs are not met by the technology platform that handles the assessments. Your organization may also already have data analytics capabilities and tools that can be applied to your VSRM program, with less cost than purchasing a dedicated VSRM point solution to solve your reporting needs alone.
Due to the limitations of the GRC and TPRM solutions on the market today, many organizations are forced to leverage the capabilities of multiple technology solutions to deliver effective TPRM programs. In response to the market demand, however, technology companies are quickly adjusting to meet end-to-end requirements of the customer. GRC companies are releasing new and enhanced vendor modules, and TPRM solutions are also enhancing their offerings with additional reporting and workflow capabilities. CORL’s industry leading tech-enabled managed services integrate our services, data, and workflows with many of the leading TPRM solutions, including GRC platforms.
Organizations must also make sure to have the right personnel to effectively manage TPRM tools and associated vendor risk management workflows. Consider leveraging TPRM managed services firms like CORL if you have limitations on the availability and cost of maintaining your own dedicated TPRM team.
It is rare for one tool to meet all TPRM requirements for a complex organization. CORL’s experience includes almost a decade of performing TPRM due diligence for thousands of organizations a year. CORL provides managed services for TPRM programs for healthcare organizations across the country. We have launched over 120 vendor risk programs and operated these programs for 8+ years. Serving 125+ clients, CORL performs an estimated 8,000 assessments per year, with over 70,000 vendors assessed in total. As a part of its service, CORL works with many of the leading technologies on the market for conducting TPRM assessments.
If finding the right tools for your TPRM program is as challenging for you as it is for most of your peers, then reach out our team of experts here at CORL to help you build out a technology solution and TPRM workflow that aligns with your organization’s needs.