Due to the COVID-19 pandemic, companies have been mandated to work remotely as much as possible, with over 95% of all business travel paused and employees required to work outside of traditional work environments, including client site visits, conferences and group lunches.
For specialized areas like third-party risk management (TPRM), this has been quite an adjustment. Typically, TPRM practices require on-site visits to their critical and high-risk third parties to validate that logical and physical security controls are in place, but with most travel restricted, virtual assessments are more important now than ever. Over the years, TPRM teams have continuously sought to reduce overhead and increase efficiency. With improvements in technology, the concept of virtual assessments is not new to TPRM groups; however, the abrupt industry shift to virtual assessments was one that no one would have predicted.
There are certain welcome advantages to virtual assessments, including cost reduction, ease of scheduling and coordination, and time savings for all parties involved. There are also several disadvantages presented by the virtual environment: virtual reviews can take longer due to the way information is shared and digested, there is less assurance over physical and environmental controls, and third-party accountability is reduced. Although the shift to virtual assessments raises some concerns, the potential benefits seem to outweigh the drawbacks. Perhaps this is another situation in which COVID-19 propelled digital transformation.
Have you considered how your organization will continue to provide assurance and comfort to management without physical assessments, in a secure and efficient manner? As you continue to mature your virtual assessment approach, consider implementing these tried-and-true practices:
Initial Contact with the Third Party
- The TPRM assessor will email the Third Party that an assessment is required to be completed;
- The TPRM assessor will provide their questionnaire to be completed, or alternative questionnaires that will be accepted;
- The TPRM assessor will schedule an introduction call.
Introduction Call/Evidence Request
- The TPRM assessor will clearly define the virtual assessment process;
- The TPRM assessor will request the documentation/policies that will need to be reviewed;
- The TPRM assessor will explain how to upload/provide the documentation/policies;
- The TPRM assessor will identify which physical controls will need to be reviewed and request SOC reports;
- The TPRM assessor will work with the Third Party to schedule the assessment;
- The TPRM assessor will set expectations for the Third Party;
- Determine what technology will be used to conduct the virtual assessment (Zoom, Teams, WebEx, etc.).
Perform the Assessment
- The TPRM assessor will perform the assessment by reviewing the completed questionnaire and leveraging the provided documentation/policies;
- The TPRM assessor will conduct a virtual session to review the required physical controls and any controls not covered by the documentation/policies;
- The TPRM assessor will document any gaps/findings identified.
Wrap Up the Assessment
- The TPRM assessor will summarize the key points of the assessment to confirm their understanding;
- The TPRM assessor will confirm remaining follow-up items with the Third Party and provide a closeout communication that is detailed and knowledgeable.
It is important to keep in mind that virtual assessments are intended to strengthen important relationships with third parties and make them even more valuable.
Related Articles
This article is part of a series exploring the importance of third-party risk management programs; you can view additional articles below.
- Third Party Risk Management in 2020: What We’ve Seen
- Third Party Risk Management Planning During COVID-19
- Compliance and Third Party Risk Management: A Function for Continued Success
- The 5Ws and H of Third-Party Risk Management
- How Third Party Risk Management Caters to Your Organization
- Your Cyber Program is only as Strong as Your Weakest Link – Including Your Vendors
- Secrets Revealed: What Your Third Party Auditors Don’t Want You to Know
- Mind Your T’s and C’s
About Schneider Downs Third-Party Risk Management
Schneider Downs is a registered assessment firm with the Shared Assessments Group, the clear leader in third-party risk management guidance. Our personnel are experienced in all facets of vendor risk management, and have the credentials necessary (CTPRP, CISA, CISSP, etc.) to achieve meaningful results to help your organization effectively achieve new vendor risk management heights.
Learn more at www.schneiderdowns.com/tprm or contact us for more information.