Third Party Risk Management Virtual Assessments Forced by Pandemic

Due to the COVID-19 pandemic companies have been mandated to work remote as much as possible to with over 95% of all business travel paused and employees being required to work outside of traditional work environments, including client site visits, conferences and group lunches. 

For specialized areas like third-party risk management (TPRM), this has been quite an adjustment. Typically, TPRM practices require on-site visits to their critical and high risk third parties to validate logical and physical security controls are in-place, but with most travel has been restricted, virtual assessments are more important now than ever. Over the years, TPRM teams have continuously sought to reduce overhead and increase efficiency. With improvements in technology, the concept of virtual assessments is not new to TPRM groups, however, the abrupt industry shift to virtual assessments was one in which no one would have guessed.

There are certain welcomed advantages to virtual assessments including cost reduction, ease of scheduling and coordination, and timesaving’s for all parties involved. There are also several disadvantages presented by the virtual environment – virtual reviews can take longer due to the nature in which information is shared and digested, lack of physical and environmental control assurance, and reduced third party accountability.  Although the shift to virtual assessments raises some concerns, the potential benefits seem to outweigh the drawbacks. Perhaps this is another situation in which COVID-19 propelled digital transformation.

Have you considered how your organization will continue to provide assurance and comfort to management without physical assessments, in a secure and efficient manner? Well, as you continue to mature your virtual assessment approach, consider implementing these tried and true practices:

Initial Contact with the Third Party

  • TPRM assessor will email their Third Party that an assessment is required to be completed;
  • TPRM assessor will provide their questionnaire to be completed or alternative questionnaires that will be accepted;
  • The TPRM assessor will schedule an introduction call.

Introduction Call/Evidence Request

  • TPRM assessor will clearly define the virtual assessment process;
  • TPRM assessor will request the documentation/policies that will need reviewed;
  • TPRM assessor will inform how to upload/provide the documentation/policies;
  • TPRM assessor will inform what physical controls will need to be reviewed and request SOC reports;
  • TPRM assessor will work with the Third Party to scheduling the assessment;
  • TPRM assessor will set expectations of the Third Party;
  • Determine what technology will be used to conduct the virtual assessment (Zoom, Teams, WebEx, etc…). 

Perform the Assessment

  • TPRM assessor will perform the assessment by reviewing the completed questionnaire and leverage provided documentation/policies;
  • TPRM assessor will conduct a virtual session to review the required physical controls and any controls not covered by the documentation/policies;
  • TPRM assessor will document any gaps/findings identified.

Wrap Up the Assessment

  • TPRM assessor will summarize the key points of the assessment to confirm their understanding;
  • TPRM assessor will confirm remaining follow up items with the Third Party and provide a closeout communication that is detailed and knowledgeable. 

It is important to keep in mind that virtual assessments are being utilized to strengthen and designed to make important relationships with third parties even more valuable.

Related Articles

This article is part of a series exploring the importance of third-party risk management programs, you can view additional articles below.

About Schneider Downs Third-Party Risk Management 

Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.  

Learn more at or contact us for more information. 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
DOE Significantly Expands Definition of Third-Party Servicer in New Guidance to Higher Education Institutions
Shared Assessment SIG Questionnaire – What’s New for 2023?
Lincoln College Closes Due to Ransomware Attack
Is There Additional COVID-19 Relief Incoming?
The Top Ten Most Common SOC 2 Exceptions
The Pandemic’s Impact on Contractors’ Backlogs
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.