Due to the COVID-19 pandemic, companies have been mandated to work remotely as much as possible, with over 95% of all business travel paused and employees required to work outside of traditional work environments, including client site visits, conferences and group lunches.
For specialized areas like third-party risk management (TPRM), this has been quite an adjustment. Typically, TPRM practices require on-site visits to their critical and high-risk third parties to validate that logical and physical security controls are in place, but with most travel restricted, virtual assessments are more important now than ever. Over the years, TPRM teams have continuously sought to reduce overhead and increase efficiency. With improvements in technology, the concept of virtual assessments is not new to TPRM groups; however, the abrupt industry-wide shift to virtual assessments was one that no one would have predicted.
There are certain welcome advantages to virtual assessments, including cost reduction, ease of scheduling and coordination, and time savings for all parties involved. There are also several disadvantages presented by the virtual environment: virtual reviews can take longer because of the way information is shared and digested, there is less assurance over physical and environmental controls, and third-party accountability is reduced. Although the shift to virtual assessments raises some concerns, the potential benefits seem to outweigh the drawbacks. Perhaps this is another situation in which COVID-19 propelled digital transformation.
Have you considered how your organization will continue to provide assurance and comfort to management without physical assessments, in a secure and efficient manner? As you continue to mature your virtual assessment approach, consider implementing these tried-and-true practices:
Initial Contact with the Third Party
TPRM assessor will email the Third Party that an assessment is required to be completed;
TPRM assessor will provide the questionnaire to be completed, or identify alternative questionnaires that will be accepted;
The TPRM assessor will schedule an introduction call.
Introduction Call/Evidence Request
TPRM assessor will clearly define the virtual assessment process;
TPRM assessor will request the documentation/policies that will need to be reviewed;
TPRM assessor will explain how to upload/provide the documentation/policies;
TPRM assessor will identify which physical controls will need to be reviewed and request SOC reports;
TPRM assessor will work with the Third Party to schedule the assessment;
TPRM assessor will set expectations for the Third Party;
Determine what technology will be used to conduct the virtual assessment (Zoom, Teams, WebEx, etc.).
Perform the Assessment
TPRM assessor will perform the assessment by reviewing the completed questionnaire and leveraging the provided documentation/policies;
TPRM assessor will conduct a virtual session to review the required physical controls and any controls not covered by the documentation/policies;
TPRM assessor will document any gaps/findings identified.
Wrap Up the Assessment
TPRM assessor will summarize the key points of the assessment to confirm their understanding;
TPRM assessor will confirm remaining follow-up items with the Third Party and provide a closeout communication that is detailed and well informed.
It is important to keep in mind that virtual assessments are intended to strengthen important relationships with third parties and make them even more valuable.
This article is part of a series exploring the importance of third-party risk management programs; you can view additional articles below.
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management and hold the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results and help your organization reach new vendor risk management heights.