This article is the third in a series of blog posts that discuss and explain how to start and implement third-party risk management within your organisation.
A six-step approach is used, and every step gets its own explanatory blog post:
Due diligence assessments (this blog post)
Risk monitoring & exit
In the previous blog post, we discussed the need to segment your third parties, as not every party carries the same risk or compliance requirements. In this blog post, we continue the implementation with the foundation of your Third Party Risk Management (TPRM) capability: the due diligence assessment.
The primary reason you perform TPRM due diligence assessments is to find out whether your organisation is exposed to risk through a third-party relationship. That makes them a core element of every TPRM capability.
In this article, I will explain and discuss the following topics:
The different types of assessment
The assessment content - What do you ask?
The timing of your assessments
How to send out due diligence assessments properly
The review and follow-up - an important step, as you want to closely monitor and, where possible, remediate the identified risks.
At a high level, you can distinguish the following types of due diligence assessment:
Self-assessment: you create a questionnaire and ask the third party to fill it in to the best of their knowledge.
Audit: instead of letting the third party answer your questions, you (or an external audit partner or regulator) go in and answer them yourself, based on evidence.
An audit is more trustworthy, but also more labour-intensive and expensive than a self-assessment.
Third-party data providers: companies like SecurityScoreCard and BitSight offer generic company risk profiles and risk reports. These can add value, especially since they continuously monitor third parties on a range of signals. The downside is their generic nature, setup and content: they often contain a lot of material and risks that are irrelevant to the engagement you have with that third party.
Most TPRM approaches mix these types, with the self-assessment as the cornerstone. The self-assessment and the data-provider input are then used to identify and prioritise where to spend your audit effort.
You have different options to set up your due diligence assessments.
You can use ready-made (free or paid) best-practice assessment templates such as:
SIG (Standardized Information Gathering Questionnaire) from Shared Assessments (premium).
CAIQ (Consensus Assessments Initiative Questionnaire) from the Cloud Security Alliance (free).
Or the various 3rdRisk best-practice templates (free to use for our platform users).
Some industries have designed their own industry-specific assessment templates; this is very common in the various manufacturing industries.
You can also decide to request an ISO certificate, PCI DSS attestation or SOC (System and Organization Controls) report from your third parties every year. In that case, you simply review these reports periodically.
That is a good start, but you have to keep an eye on:
The scope; are the services/products that you use from this third party completely covered by the report?
If the services are in scope, does the audited framework also cover your requirements and identified risks? E.g. if you have a strong interest in continuity management, then a standard ISO 27001 certificate will probably not suit your needs.
The generic nature; these reports are often based on generic processes and capabilities. Is that sufficient for the services and products that you use?
The type of report/certification; an ISO 27001 certificate confirms that a management system exists and meets the standard, whereas a SOC report contains the auditor's description and test results of the individual controls (a SOC 2 Type II covers their operating effectiveness over a period, a Type I only their design at a point in time). They do not provide the same assurance.
The auditor; is it an accredited certification body or a reputable, licensed audit firm?
You can also decide to create your own questionnaire template, e.g. if the best practices do not fully cover your needs, are too expensive or you want to integrate multiple disciplines.
In that case, there are some recommendations:
Try to use a recognized framework like ISO / NIST as a foundation to ensure you are covering all the critical elements;
Design the questions based on the level of compliance and risk exposure that are applicable for your organisation;
Take into account the contextual risks that you're already aware of (e.g. sustainability risks due to your type of business)
Define questions that are clear and concise
Try to use multiple-choice questions to make it easier for your third-parties to answer your questions and ease your analysis efforts. You can always allow them to use a comment function to provide additional context.
Yes/No questions are valuable where it needs to be clear whether a requirement is met or not.
Be strict about the number of questions that you ask. There is a correlation between participation, response time, answer quality and the number of questions. Generally speaking, I would advise not asking more than 200 questions.
Some generic advice: make your assessments (also when you use best-practice questionnaires) conditional on the risk profile, type of services, contract value, geographical locations, etc. You don't want to ask a mom & pop kind of supplier the same 200 questions that you ask a multinational.
Only ask questions that verify compliance levels and determine potential risk exposure, while driving performance.
You have several options for when to assess and re-assess your third parties:
Before contracting: most organisations share and negotiate a list of requirements (e.g. security, privacy, sustainability) before agreeing with a third party.
This is good practice, as you filter at the gate. It is often easier to have the difficult conversation during the commercial phase than during the contract period.
At contract renewal: after a few years, contracts may have to be renewed. This new procurement moment gives you another excellent opportunity to discuss further requirements, issues and improvements.
Trigger-based: we often see third-party assessments initiated by external factors such as incidents, a shift in regulators' interests, political developments, increased public interest, or a leadership change.
Periodic: in this case, an organisation performs due diligence assessments on its third parties at a fixed interval. The time frame can differ, e.g. yearly or every two years.
Risk-based (systematic): the systematic approach incorporates the level of risk and the compliance requirements associated with a third party. Based on this risk profile, the organisation determines the assessment frequency, e.g. critical third parties are assessed every year, while less risky third parties get an assessment every three years.
Most TPRM teams use a mixed, systematic approach. They create clear, organisation-tailored purchasing conditions/baselines to ensure that they filter at the gate. Secondly, they use a risk-based schedule to evaluate their third parties and prioritise their efforts. The contract renewal moment is used as the momentum to put improvement initiatives for negative due diligence assessment results on the agenda.
As for trigger-based assessments: a systematic approach limits the number of ad-hoc requests, but it is not always possible to foresee everything upfront.
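To make the two earlier points concrete (asking only the questions that apply to a third party's risk profile, and letting that profile drive the assessment frequency with a trigger override), here is an added example in Python. It is not 3rdRisk platform code; the risk factors, weights, tier thresholds, question bank, intervals and the two sample suppliers are assumptions made for the illustration.

```python
"""Risk-based (conditional) questionnaire selection and assessment scheduling.

Added illustration, not 3rdRisk platform code. The risk factors, weights,
tier thresholds, intervals and question bank are assumptions chosen for
the example; replace them with your own baseline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Sequence

# Assumption: these country codes count as "in-region"; any other location
# switches on the data-transfer question.
IN_REGION = {"NL", "BE", "DE", "FR", "IE"}


@dataclass
class ThirdParty:
    name: str
    handles_personal_data: bool
    contract_value_eur: int
    countries: List[str]
    service_types: List[str]            # e.g. "saas", "on-site", "consulting"
    last_assessed: Optional[date] = None


@dataclass
class Question:
    qid: str
    text: str
    applies: Callable[[ThirdParty], bool]   # condition under which the question is asked


def inherent_risk_score(tp: ThirdParty) -> int:
    """Score from facts known before any questionnaire is sent (assumed weights)."""
    score = 0
    if tp.handles_personal_data:
        score += 2
    if tp.contract_value_eur >= 1_000_000:
        score += 2
    elif tp.contract_value_eur >= 100_000:
        score += 1
    if "saas" in tp.service_types:        # our data lives outside our perimeter
        score += 1
    if any(c not in IN_REGION for c in tp.countries):
        score += 1
    return score


def tier(tp: ThirdParty) -> str:
    s = inherent_risk_score(tp)
    return "critical" if s >= 4 else "high" if s >= 2 else "low"


# Interval per tier, following the article's example: critical parties yearly,
# the least risky every three years.
INTERVAL_MONTHS = {"critical": 12, "high": 24, "low": 36}

QUESTION_BANK: List[Question] = [
    Question("SEC-01", "Is your ISMS certified (e.g. ISO 27001) with our service in scope?",
             lambda tp: True),
    Question("PRIV-01", "Is a data processing agreement in place for the personal data you process for us?",
             lambda tp: tp.handles_personal_data),
    Question("PRIV-02", "Which transfer mechanism covers personal data processed outside our region?",
             lambda tp: tp.handles_personal_data and any(c not in IN_REGION for c in tp.countries)),
    Question("BCM-01", "Was the continuity plan for this service tested in the last 12 months?",
             lambda tp: tier(tp) in ("critical", "high")),
    Question("SAAS-01", "Do you publish and maintain a sub-processor list for this service?",
             lambda tp: "saas" in tp.service_types),
    Question("HR-01", "Are your staff working on our premises background-screened?",
             lambda tp: "on-site" in tp.service_types),
]


def select_questions(tp: ThirdParty) -> List[Question]:
    """Only the questions whose condition holds for this third party."""
    return [q for q in QUESTION_BANK if q.applies(tp)]


def add_months(d: date, months: int) -> date:
    years, month0 = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month0 + 1, min(d.day, 28))  # clamp the day; scheduling precision is enough


def next_assessment_due(tp: ThirdParty, today: date, triggers: Sequence[str] = ()) -> date:
    """Systematic schedule by tier, overridden by an event trigger (incident,
    regulator interest, ...) or when the party was never assessed."""
    if triggers or tp.last_assessed is None:
        return today
    return add_months(tp.last_assessed, INTERVAL_MONTHS[tier(tp)])


TODAY = date(2021, 6, 1)   # fixed "today" so the example is reproducible

# Constructed sample third parties (not real companies).
LOCAL_CATERER = ThirdParty("Mom & Pop Catering", False, 20_000, ["NL"], ["on-site"],
                           last_assessed=date(2021, 3, 1))
HR_SAAS = ThirdParty("Global HR SaaS Inc.", True, 2_500_000, ["US", "IE"], ["saas"],
                     last_assessed=date(2021, 3, 1))

if __name__ == "__main__":
    for tp in (LOCAL_CATERER, HR_SAAS):
        qs = select_questions(tp)
        print(f"{tp.name}: tier={tier(tp)}, {len(qs)} questions, next due {next_assessment_due(tp, TODAY)}")
    print("after an incident:", next_assessment_due(HR_SAAS, TODAY, ["incident"]))
```

The local caterer ends up with two questions and a three-year cycle; the SaaS vendor handling personal data gets five questions and a yearly cycle, and an incident trigger pulls the next assessment forward to today regardless of tier.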
It is advisable to inform your internal stakeholders (e.g. procurement, contract owners) upfront before sending out due diligence assessments to their relationships. They can also support the prioritisation on your third-parties side.
Always start with a solid introductory text, or even a call, before you send out the assessment, in which you explain the purpose and expectations of your initiative. It is easier to get good results if the third party understands your purpose and needs.
Traditionally, organisations sent out due diligence assessments as spreadsheets by email. That becomes difficult to administer and scale once you need to send out a couple of dozen assessments. Adopting a cloud-based TPRM solution is a good idea for requesting due diligence assessments and analysing the responses.
It is also good to recognise that a due diligence assessment is a formal communication moment between your organisation and your third party. A long, boring and complicated spreadsheet does not make for a good experience on the receiving end. Besides, it does not feel right to ask all kinds of sensitive security questions via a spreadsheet sent over a communication channel that is unsecured by default, like e-mail.
To showcase professionalism, create scalability and save time, I would definitely advise starting with a technical cloud solution from day one.
Before you receive the assessment results, you should already start thinking about the data gathering, analysing the answers and the follow-up process in case of any questions or clarification.
During this analysis, you will quickly see that adopting a cloud-based solution pays off. These solutions process the responses securely, perform an initial analysis of the provided answers, and let you ask questions back and forth on specific items.
Start thinking about the process when you have an unexpected answer. You asked the question to this third-party for a reason, so you should know the follow-up action, especially with yes/no questions.
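As an added illustration of that point (decide the follow-up when you write the question, so an unexpected answer is handled by a predefined action rather than improvised), here is a small review routine in Python. It is not 3rdRisk platform code; the question identifiers, expectations, severities, follow-up actions and the sample response are constructed for the example.

```python
"""Reviewing returned self-assessment answers: flag deviations from the expected
answer and attach the follow-up that was decided when the question was written.

Added illustration, not 3rdRisk platform code. The expectations, severities,
follow-up actions and the sample responses are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Expectation:
    qid: str
    expected: str            # normalised yes/no answer that needs no follow-up
    severity: str            # risk weight if the answer deviates: "high" | "medium" | "low"
    follow_up: str           # action agreed up front, so nobody improvises on receipt
    evidence_required: bool = False


@dataclass(frozen=True)
class Finding:
    qid: str
    severity: str
    answer: str
    follow_up: str


# Only closed (yes/no) questions carry an expectation; free-text answers are read by a reviewer.
EXPECTATIONS: List[Expectation] = [
    Expectation("SEC-01", "yes", "high",
                "Request the certificate and scope statement; escalate to the contract owner if absent",
                evidence_required=True),
    Expectation("PRIV-01", "yes", "high", "Block further personal-data sharing until a DPA is signed"),
    Expectation("BCM-01", "yes", "medium", "Request the test report or agree a test date in the next quarter",
                evidence_required=True),
    Expectation("SAAS-01", "yes", "low", "Ask for the sub-processor list and add it to the contract file"),
]


def normalise(answer: Optional[str]) -> Optional[str]:
    """Map free-form yes/no spellings to a canonical value."""
    if answer is None:
        return None
    a = answer.strip().lower()
    return {"y": "yes", "n": "no"}.get(a, a)


def review(responses: Dict[str, dict]) -> List[Finding]:
    """Compare each answer with its expectation; unanswered counts as a deviation."""
    findings: List[Finding] = []
    for exp in EXPECTATIONS:
        resp = responses.get(exp.qid)
        if resp is None:
            findings.append(Finding(exp.qid, exp.severity, "<unanswered>",
                                    "Chase the third party; treat as non-compliant until answered"))
            continue
        answer = normalise(resp.get("answer"))
        if answer != exp.expected:
            findings.append(Finding(exp.qid, exp.severity, resp.get("answer", ""), exp.follow_up))
        elif exp.evidence_required and not resp.get("evidence"):
            # A "yes" without proof is accepted only provisionally.
            findings.append(Finding(exp.qid, exp.severity, resp["answer"],
                                    "Answer accepted provisionally; request supporting evidence"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Aggregate per severity, for the internal stakeholder overview."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample response, as it might come back from the questionnaire tool.
SAMPLE_RESPONSES: Dict[str, dict] = {
    "SEC-01": {"answer": "Yes", "evidence": "iso27001-certificate.pdf", "comment": "Scope: all SaaS services"},
    "PRIV-01": {"answer": "No", "comment": "We consider our standard terms sufficient"},
    "BCM-01": {"answer": "y"},                                  # claims a test, but no report attached
    "PRIV-03": {"answer": "Standard contractual clauses"},      # free text: no expectation, a reviewer reads it
    # "SAAS-01" is missing entirely
}

if __name__ == "__main__":
    found = review(SAMPLE_RESPONSES)
    for f in found:
        print(f"[{f.severity:6}] {f.qid}: answered {f.answer!r} -> {f.follow_up}")
    print(summarise(found))
```

Three findings come out of the sample: a "No" on the data processing agreement with its pre-agreed blocking action, a "Yes" on continuity testing that still needs evidence, and an unanswered sub-processor question that is chased rather than silently dropped.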
You might want to create an aggregated overview of assessment responses and results for your internal and external stakeholders. Start thinking about the different user groups that have an information need:
Which user groups do you distinguish?
What are their data needs?
What would be the best form (e.g. report, dashboard, raw export)
What kind of visualisations are needed and how can we easily create these?
What is the reporting frequency?
After the completion, you want to provide an overview of observations and expected actions to your third party and internal stakeholders (e.g. contract owner and procurement). This will provide the third-party with the opportunity to formally respond to your analysis and agree/disagree on the follow-up actions. The outcome can be taken to the next phase: Risk monitoring & exit - the topic of my next blog post.
Setting up a TPRM programme is complicated, but with a little guidance you can implement TPRM within your organisation. In the next blog post, we will conclude this series by explaining risk monitoring & exit. So keep following our social channels (LinkedIn, YouTube, Twitter) for the latest content updates.
If you have any questions during or after this series, please feel free to email Bram@3rdRisk.com; I am more than happy to provide additional context or information.