by Richard Hibbert, CEO, SureCloud
Assessing supply chain risk is still largely done by the old-fashioned method of spreadsheet questionnaires. This manual, laborious approach becomes impossible to manage even when an army of skilled compliance officers is recruited, who then spend most of their time chasing spreadsheet responses. A cloud-based system that delivers self-validating forms to the appropriate suppliers' personnel resolves this: it reports on progress and analyses results, providing vital information on which suppliers perform best and present the lowest risk. Such a system makes spreadsheet overload a thing of the past.
As the focus on data protection continues to grow, with the Information Commissioner's Office (ICO) issuing fines on a frequent basis and high-profile breaches regularly making front-page news, organisations are looking to extend risk assessments to their suppliers and trading partners.
The most common method of assessing supplier risk is a self-assessment questionnaire (typically delivered by email as a spreadsheet), sometimes followed up by an on-site audit. The first step is to decide which set of questions will be used to assess the risk. It makes sense to base them on the questions already used to assess internal risk and compliance, whether those derive from the ISO 27000 series, the Payment Card Industry Data Security Standard (PCI DSS) or another regulatory standard, while taking the opportunity to add questions specific to the organisation's own working practices and requirements. In reality there is no common supplier self-assessment questionnaire, so the majority of organisations run this type of audit programme using non-standard spreadsheet templates. As we will see, this affects not only the organisation performing the audits but also the organisations being audited, and the result is spreadsheet overload.
Organisations operating supplier assurance programmes sometimes underestimate the impact such programmes have on resources. Each programme is generally coordinated by the internal compliance team, whose primary responsibility is to drive the organisation's own compliance objectives. As noted in the introduction, it makes sense to take the internal assurance requirements and direct them at the supply chain; after all, the objective is for suppliers to protect data at least to the level required in-house. The internal spreadsheet is "tweaked" to ask some additional questions and the programme is ready for launch.
Consider an organisation with 10 suppliers: there are now 10 copies of the internal spreadsheet sitting with suppliers for completion. As soon as the Send button is clicked, the organisation loses visibility of, and therefore control over, the process. Did the spreadsheet reach the intended recipient? Have they opened it? Have they started answering the questions? What is the quality of the answers? When will the spreadsheet be returned? None of these questions can be answered without manual follow-up, which means skilled compliance managers are essentially doing administration, an extremely inefficient use of a valuable resource. As each spreadsheet is returned, the manual process of assessing risk begins. Some questions will not have been answered sufficiently and some will not have been answered at all, so further manual follow-up, typically by email, is required.
The analysis that can be performed with spreadsheets is limited to each individual spreadsheet. To rank suppliers by risk, or to understand common areas of non-compliance or the best and worst performers, the compliance team must first undertake the extremely labour-intensive job of summarising every spreadsheet by hand. Now consider an organisation with 1,000 suppliers or more: the challenges very quickly spiral out of control, not to mention the effort of adding to every spreadsheet the question that was overlooked at the programme's outset.
The lack of automation adds up to a huge administrative burden. Not only is the process inefficient, but the sheer number of disparate pieces of data makes analysing the results difficult as well. The upshot is that very skilled people spend their time on administration: chasing people, making sure they received their questionnaire, that they understood it and that they know the deadline for returning it. The organisation ends up with a mass of ticked boxes but no way of telling which suppliers are performing best or which are leaving it exposed to the most risk.
As highlighted above, one of the key issues is that there is no such thing as a standard questionnaire; every organisation does it its own way. Questionnaires can be as unique as the process owner who created them, or based on some "best practice" an employee brought from a previous company. Suppliers further down the supply chain will inevitably be subject to an increasing number of supplier assurance programmes, each slightly different but with a considerable degree of overlap, and each requiring the same consideration and sign-off. Furthermore, these suppliers tend to be smaller entities with fewer resources to respond to such requests; often it is the IT manager rather than a dedicated compliance resource who has to provide the answers.
The UK has long had a reputation for being comparatively soft on penalties for non-compliance with data protection regulations. The result has been a lack of executive backing and funding, with companies choosing "home-grown" spreadsheets to manage compliance rather than more robust, process-driven solutions. This approach has proliferated across many standards and regulations to the point where it no longer scales and has become a burden to the very professionals who introduced it, who are unable to do their jobs properly without recruiting a disproportionate number of additional staff.
This is in stark contrast with the USA, where the Enron and WorldCom financial scandals gave birth to the Sarbanes-Oxley Act (often shortened to SOX) in 2002. The consequences of non-compliance with SOX are fines, imprisonment or both, which has fostered a culture of investment in governance, risk and compliance software to meet organisations' governance and compliance needs.
However, a shift in the regulatory landscape is very much on the cards: the Information Commissioner's Office is routinely issuing large fines to companies that fail to protect personal data. Furthermore, the UK government does not believe that companies which outsource information to third parties are properly assessing the risk, and to address this it is promoting the adoption of standards such as ISO 27001, which clearly states the need to protect information held by third parties.
In addition, the EU is increasingly concerned about the rising number of cyber-attacks on government and industry by hostile governments and mafia-style cyber-criminal gangs. The European Commission's own research found that 57 per cent of respondents had experienced network and information security (NIS) incidents in the past year (the Commission defines an NIS incident as one in which the capabilities of networks or information systems are compromised). NIS incidents stop businesses from functioning and generate substantial financial losses for the EU economy, and the Commission is determined to take action.
The EU is currently considering sanctions against businesses that do not take reasonable steps to protect consumer data or that fail to report data breaches promptly. Proposed EU data protection legislation, under which companies would have to disclose a breach immediately, is expected to take effect in 2014, with fines of up to 2% of turnover if the proposal is adopted as drafted. Businesses therefore need to take ownership of the security of their data now and to decide their strategy for doing so. When the legislation arrives, the intensity with which industry polices itself will increase significantly, forcing risk management professionals and budget holders finally to agree that compliance by spreadsheet is no longer acceptable.
One of the most effective ways to improve in-house supplier assurance is to lift the whole process into the cloud. An IT governance, risk and compliance (GRC) platform delivered as Software-as-a-Service lets organisations automate the audit process, devolve responsibility for completing questionnaires (or sections of them) to those best qualified to answer, for example HR, Finance or IT, and centralise evidence collection. This removes the need for lengthy spreadsheet-based programmes and frees highly skilled compliance and risk personnel from time-consuming project administration. Cloud-based platforms dramatically reduce the total cost of ownership of IT GRC solutions, are simple to implement and lower the point of entry, significantly reducing the risk of project failure.
Furthermore, compliance teams can analyse the entire result set from the combined supplier responses and feed intelligence back to the organisation. With the collected data in one place, the audit experts can make more informed decisions and further de-risk the organisation, answering questions such as: which are my worst-performing suppliers? Do I want to continue trading with them? And which compliance requirements are all of my suppliers struggling to meet?
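The analysis that the spreadsheet-per-supplier model makes so laborious (ranking suppliers by risk, finding the controls most suppliers fail, and spotting questions left unanswered) is straightforward once every response sits in one consolidated dataset. The script below is an added illustration written for this article; it is not code from SureCloud's platform or from the original text. The supplier names, the answers and the control identifiers (labelled loosely in the style of ISO 27001 Annex A, but hypothetical) are all constructed, and the risk weights per control are an assumption a real programme would set from its own risk assessment.

```python
"""Consolidate supplier self-assessment responses and rank risk.

Added example, not from the original article or from SureCloud's
platform. All supplier names, answers, control identifiers and
weights below are constructed for illustration.
"""
from collections import Counter

# Constructed questionnaire responses: supplier -> {control id: answer}.
# "yes"/"no"/"partial" are the permitted answers; None means unanswered.
RESPONSES = {
    "Acme Logistics": {"A.9.2": "yes", "A.10.1": "no", "A.12.3": "yes", "A.15.1": "partial"},
    "Bolt Payroll":   {"A.9.2": "no",  "A.10.1": "no", "A.12.3": None,  "A.15.1": "no"},
    "Crest Hosting":  {"A.9.2": "yes", "A.10.1": "yes", "A.12.3": "yes", "A.15.1": "yes"},
    "Delta Couriers": {"A.9.2": "partial", "A.10.1": "no", "A.12.3": "yes"},  # A.15.1 missing
}

# Hypothetical risk weight per control: higher = more damage if the control is absent.
WEIGHTS = {"A.9.2": 3, "A.10.1": 5, "A.12.3": 2, "A.15.1": 4}

# Fraction of a control's weight that counts against the supplier for each answer.
# Unanswered or missing questions are treated as fully non-compliant, so a
# supplier cannot improve its score by leaving the hard questions blank.
ANSWER_EXPOSURE = {"yes": 0.0, "partial": 0.5, "no": 1.0, None: 1.0}


def normalise(answer):
    """Map a free-text answer to the permitted vocabulary; anything else counts as unanswered."""
    if answer is None:
        return None
    a = answer.strip().lower()
    return a if a in ("yes", "no", "partial") else None


def score_supplier(answers):
    """Return (risk_score, outstanding) for one supplier.

    risk_score is the weighted exposure, from 0 (fully compliant) up to the
    sum of all weights; outstanding lists controls with no usable answer.
    """
    risk = 0.0
    outstanding = []
    for control, weight in WEIGHTS.items():
        a = normalise(answers.get(control))
        if a is None:
            outstanding.append(control)
        risk += weight * ANSWER_EXPOSURE[a]
    return risk, outstanding


def rank_suppliers(responses):
    """Rank suppliers worst-first by weighted risk score."""
    scored = {s: score_supplier(a) for s, a in responses.items()}
    return sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True)


def common_gaps(responses):
    """Count, per control, how many suppliers are non-compliant ('no' or unanswered)."""
    gaps = Counter()
    for answers in responses.values():
        for control in WEIGHTS:
            if normalise(answers.get(control)) in ("no", None):
                gaps[control] += 1
    return gaps


def main():
    for supplier, (risk, outstanding) in rank_suppliers(RESPONSES):
        note = f" (unanswered: {', '.join(outstanding)})" if outstanding else ""
        print(f"{supplier:15} risk={risk:4.1f}{note}")
    print("Controls most often failed:")
    for control, n in common_gaps(RESPONSES).most_common():
        print(f"  {control}: {n} of {len(RESPONSES)} suppliers")


if __name__ == "__main__":
    main()
```

Two design points matter more than the arithmetic. First, a blank or free-text answer is scored as a failure and listed as outstanding, which both drives the follow-up chasing described earlier and stops a supplier from looking better by skipping questions. Second, because every response is in one structure, the three questions in the paragraph above (worst performers, whether to keep trading, and which requirements everyone struggles with) are each a single pass over the same data rather than a hand-built summary of separate spreadsheets.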
Industries such as financial services and retail are starting to benefit from this new-found ability to gain insight into their supplier assurance programmes. Shop Direct Group, for example, is looking to use a cloud-based system to make managing the due-diligence process with third parties much more straightforward. Not only does it eliminate the need to email spreadsheets back and forth, but it is versatile enough to support future needs.
Automation via the cloud brings a variety of benefits including:
Senior managers have for too long relied on spreadsheets for information about asset and risk registers, compliance audits and gap analysis. Spreadsheets are used for all kinds of compliance and risk management processes, from supplier assurance questionnaires to incident response and management reporting. The problem is that these processes are inefficient and labour-intensive, and they risk delivering results that are not fit for purpose. SureCloud advocates a collaborative approach to compliance using a cloud-based model. The approach is agile enough to accommodate existing processes, lets auditors see at a glance the status and progress of their programmes, and incorporates business analytics for assessing which parts of the supply chain are the most vulnerable.
IT spend is already under extreme pressure in the current business climate. On top of this, new EU regulations are coming into force that will mean organisations can no longer afford to stick with old and inefficient practices. Ultimately, using office productivity tools to implement IT GRC processes does not make sense; the days of compliance spreadsheet overload are numbered. Senior management urgently needs to grasp this, drop the inherent inefficiencies and false economies of the old ways, and embrace the agile, devolved approach available via the cloud.