9 Tips When Conducting Third-Party Risk Assessments
Risk assessment templates are nice, but they’re better as a starting point than a be-all and end-all questionnaire. To produce more effective third-party assessments and streamline the assessment process, it’s helpful to apply the lessons of other organizations.
Here are nine tips culled from our experiences helping companies set up and run third-party assessment programs.
- Understand your risk appetite
Regulatory bodies usually tell you who to assess and how often. However, determining questions to ask in the assessment is frequently left up to you. How do you decide? How might results impact company policies and procedures? Build and test your third-party assessment program internally using questionnaires that reflect your company’s risk appetite.
- Classify your vendors
Develop a method for classifying vendors to identify third parties that are in-scope and require assessments. This helps ensure you don’t assess third parties unnecessarily or miss assessing third parties that pose a risk to your organization.
- Improve the data collected
Obtaining data is one of the biggest challenges in managing third-party risk, and a high-quality assessment is key. To improve the quality of your questionnaires, start with a widely accepted assessment, like the Standard Information Gathering (SIG) questionnaire from Shared Assessments, and tailor it to your specific business needs and processes.
- Make assessments easier to manage
If you do business with a multitude of third parties, you need a way to make assessments easier to manage. Speed up the assessment process by giving all third parties a low-threshold assessment with a few flagging questions. For all flagged third parties, send a higher-level, deep-dive assessment for due diligence on risk. It’s an easier and often more thorough process for assessing third parties.
- Pre-populate your assessment world
Assessments are something you do on a continuous basis and often with the same vendors. If your assessment engine pre-populates data, the entity you’re assessing only has to address changes. It’s less work for them and you, and may even improve the response rate.
- Assess for performance, not just risk
With the right platform, you can upload service level agreements (SLAs) and make them part of the assessment process. Compare assessment data to SLAs and then use the analysis to provide feedback to the third party, leverage it in contract renewal, or use it to support switching to another service provider.
- Reassess based on a third party’s expanded offering
When third parties expand their services to your company, it changes their risk profiles. One of the best ways to address this is to periodically assess third parties for changes and update risk profiles accordingly. This way, your third-party risk profile is always current.
- Look beyond financial risks with third parties
Most organizations assess third parties to manage financial risk. Sometimes small risks open the door to more serious consequences. Losing revenue can cause problems, but it is recoverable. Losing your reputation may not be.
- Dependency creates a business continuity risk
Any third party can be a business continuity risk. The litmus test is whether an interruption of their service would interrupt yours. Maybe it’s the provider of IT services or a supplier with a key role in the supply chain. Third parties that you’re greatly dependent on can pose business continuity risks that can be identified through a risk assessment.
Apply our nine tips when conducting third-party risk assessments to improve the quality of your assessments. Contact us or search online for additional tips and guidance on managing third parties.