Two-thirds of data breaches occur due to an insecure or poorly managed third-party relationship. Gaining control over your network of vendors is a critical risk activity.
Here at SureCloud, we are passionate about reinventing the way organizations manage vendor risk, including third-party and fourth-party risk.
Below are some key pieces we have created to educate readers on third-party risk management, so you have everything you need to know when facing the challenge of tackling your suppliers, vendors, partners, etc.
Questionnaires aren’t inherently bad; they are an efficient means of collecting third-party information across a number of respondents to form a consistent and comparable set of data. The issue is their effectiveness, and the primary cause of that ineffectiveness is human involvement in the process. The cognitive process involved in answering questions is quite resource-intensive for the respondent.
The first step in the process is to collect the requirements for the assessment. It is not unusual for organizations to skip this step and move directly to drafting a long list of questions. Organizations conduct third-party risk assessments to support a purpose. The danger is that without a clear goal, the person writing the questions will pass it around to various people who will, in turn, add questions to it…
When thinking about questionnaires, we need to plan what to do with the information. This move to decision-orientated research is far superior to the approach of obtaining data simply for the sake of having more information or expecting an epiphany from the data set. This decision-orientated approach is helpful because it will cut through the inefficiency of collecting third-party data that you have no intention of making any decision on…
The final part of requirements is to understand the threshold which must be achieved for each of the elements. We’ve created a simple framework example for pulling together your organization’s requirements for third-party questionnaires…
During the research phase, we need to concentrate on determining what third-party information we need to support our decision. This will require some research across the internal organization to find out what we need to make that decision…
The next phase is to plan out the questionnaire. The first thing to consider is the survey method. This paper focuses on questionnaire assessments, but there are other methods of survey such as audits, face-to-face interviewing, and telephone interviews. Additionally, there will not be just one assessment over the life of the third-party relationship. Once we have established the survey type, we can then think about satisfying the information needs identified in the requirements and research phase…
In the sixth instalment of our Third-Party Risk Management blog series, Alex will be exploring the importance of clear communication for collecting accurate information from your third parties. He will be providing 8 key rules for how to write well-thought-out questions, three of which are exclusive to this series.
In the seventh instalment, Alex will explore the do’s and don’ts of writing answerable questions. This will include the importance of allowing respondents to communicate their uncertainty.
In the eighth instalment, Alex will discuss how to increase the readability of your questions for your Third-Party Risk Management questionnaires. This will include reducing the length of the questions and engaging more of the senses.
In the ninth instalment, Alex will continue to discuss the importance of shortening your questionnaires to ensure you have your readers’ attention. This will include the science behind your respondents’ concentration levels and the number of questions asked.
In the tenth instalment, we will continue to discuss the importance of shortening your questionnaires to ensure you have your readers’ attention. Alex will explain how, simply by providing the most suitable questionnaire options, you can increase the reliability of your respondents’ answers.
In the eleventh instalment, Alex will explore the positives and negatives of using an open question in your questionnaire, detailing the techniques for getting the most reliable answer from your respondent.
In the twelfth instalment of the blog series, we will explore the steps that should be taken to test your questionnaire before you run your third-party assessment.
Data breaches are a growing problem; since 2005, over 10 billion consumer records have been compromised. For large enterprises, each data breach can result in lost revenue of £1.3m. One of the main culprits of data breaches is the third parties that organizations engage to perform key functions within the business. It’s the weaknesses within their infrastructure, and the services they provide, that can often leave you vulnerable.
Brick-and-mortar business is a thing of the past: physical buildings and conventional employees no longer define an organization. The modern organization is an interconnected mess of relationships and interactions that span traditional business boundaries.
The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to third-party risk management: “The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”
These third parties can offer a strategic advantage and business value, helping organizations to offer cutting-edge services and focus on their own area of specialization. But they can also present a number of third-party risks that may have a knock-on effect on business, causing issues ranging from temporary service disruptions to complete shut-down.
By assessing and tracking the potential third-party risks your suppliers may pose, keeping good records, and treating communication and transparency as paramount, you can lower the chances of encountering risks like those described here.