Third-Party Assessment Fatigue | What is it and How to Prevent it
Third-Party Assessment Fatigue
Every organisation is challenged with monitoring and managing the risk of multiple third parties. Figures suggest that only 4% of companies don’t use third-party apps, and 82% of businesses unwittingly give third parties access to all their sensitive information – making due diligence a primary concern for savvy firms trying to protect their data.
The ongoing administration (within both the business and the third parties), together with the need to address threats and incidents arising from third-party vendors as soon as they appear, is resulting in increased fatigue among compliance and risk teams.
This is where third-party risk management software and services come in. But first, let’s delve into why third-party assessment fatigue arises and the specific ways in which it can be alleviated.
The Power of Technology
The simple answer to minimising fatigue is automation. Technology takes the onus off security teams when running third-party risk assessments on every potential vendor, freeing staff to focus on more strategic vendors requiring hands-on scrutiny.
Organisations can automate everything from vendor onboarding to evaluation and continuous monitoring. Business users can automatically initiate third-party requests and manage vendor profiles, contacts, and risk scores – resulting in greater efficiency. This gives teams superior vendor risk insight in less time than manual assessment allows, ensuring their supply chain is fit for purpose and that onboarded vendors do not degrade the service the business provides.
Infosecurity Magazine spoke to Alex Hollis, VP of GRC Services, to further discuss the benefits of technology in third-party assessment.
Here are Alex’s comments in full:
How would you define assessment fatigue?
Assessment fatigue comes from the medical world. It relates to the sickness and false symptoms a patient may display when subjected to an excessive level of diagnostic testing. In the third-party world, we have borrowed the term to explain the exhaustion felt when third parties are hit with a large number of assessments and questions.
Why is third-party risk assessment fatigue a problem?
SureCloud has conducted primary research and found that the focus of someone answering due diligence assessments drops by over 40% after the first 100 questions and exponentially increases.
Other studies around assessments have found that increasing the number of questions reduces the time spent per question, which may, therefore, impact the quality of the answer.
In an ideal world, a third party would give us a list of the risks they manage on our behalf, with a rating and any mitigating controls. However, that won’t happen. So, we need to reach that same level of trust through enquiry.
Is there a suitable alternative to vendor risk assessments?
It is accepted among third-party risk professionals that survey-style assessments are not a perfect tool. However, there has not been a better alternative for creating a standard test which can be deployed en masse.
However, there have been several attempts over the years by companies to create centralised pre-answered vendor assessments, but all have failed due to the issue of control and trust. The model has been for companies to reach out to suppliers and collect the data in advance, then make that data available to consumers for a fee or as part of a broader offering.
The issue is that, as much as suppliers find due diligence assessments painful, they do not want to hand over sensitive data to an intermediary, nor do they want to unwittingly give unknown persons the opportunity to release that data.
The other model is to create a question set that both suppliers and consumers agree on, such that suppliers can prepare answers against that question set in advance. Then consumers can consume the elements that interest them. Some companies are making good money from this method. Still, the barrier to entry is high, as both suppliers and consumers must not only agree on the same standard but also typically pay a subscription to use the question set.
Interestingly, standards such as ISO 27001 often appear as specific questions around whether the supplier holds the certification. The same assessment will then go on to ask specific questions about policies and procedures, which must be in place if the company is certified.
This either indicates that care has not been taken around the generation of third-party assessments or that the certification of these standards is not trusted. This leads companies to use statements like “we’re compliant with ISO 27001, but not certified”, as the certification provides no benefit.
Benefits to vendor assessments underpinned by technology
Returning to the bespoke survey assessment, it is easier now to appreciate that the costs are generally low, and the solution is universally applicable to the problem of collecting answers. In addition, this solution can be enhanced with technology to manage the relevant questions asked and ensure answers are given in a way that can be automatically processed and scored.
Further, the transmission and return of the assessment can also be managed, ensuring that reminders are sent, and activity is tracked.
What should organisations be focusing on when sending assessments out?
The goal is to ask the correct number of questions to reach an opinion on the risk a third party presents without incurring quality issues due to assessment fatigue.
Using technology to strip back questions that are irrelevant to the third party and the context of the engagement, duplicated, aimless, unnecessarily detailed, or asked for general exploration reduces the exposure to assessment fatigue.
While it is possible to improve questions generally, the relevance of questions may only be realised when other questions are answered; this is referred to as question dependence.
Question dependence needs a technology solution – in the form of third-party risk assessment software – at the point of answering to introduce or remove questions.
How do we prevent third-party risk assessment fatigue for the reviewer?
Start by assessing the order of your questions:
- Higher risk questions should be asked first
- Questions containing information that is harder to understand should also feature near the beginning of the assessment
- Questions that present little-to-no risk should be asked last
- Easy-to-answer questions can also be asked last
The attention of your human risk expert is valuable and expensive; therefore, ensure it is pointed towards the responses where it can provide the most value.
Often, these interactions are a set of clarifications around the questions and answers given over email. This occurs most often when questions are not tailored to the specific third party. They may be asked questions which are not in keeping with the context of their organisation — for example, asking online-only software companies whether their software can be deployed in a virtual machine. Third-party risk management software can assist in tailoring each assessment.
The asynchronous nature of this method means that the context of the question and even the question text is often lost in the email exchange. This adds confusion and further fatigue in explaining why the question is irrelevant or why alternative controls have been chosen. Keeping the conversational exchange a part of the assessment is useful for keeping all context together.
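As an added illustration of the question dependence, context tailoring and risk-first ordering described in the interview (a hypothetical design written for this page, not SureCloud's product or its question set), the snippet below prunes a constructed questionnaire by engagement context and prior answers, orders what remains by risk and difficulty, and scores the answers:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    risk: int            # 1 (little-to-no risk) .. 5 (high risk)
    difficulty: int      # 1 (easy to answer) .. 5 (hard to understand)
    context: frozenset = frozenset()    # engagement tags; empty = always relevant
    depends_on: tuple = ()              # ((qid, required_answer), ...)

# Constructed sample question set (hypothetical, not from any real assessment).
QUESTIONS = [
    Question("DATA_ENC", "Is our data encrypted at rest and in transit?", 5, 2),
    Question("BREACH_NOTIFY", "Will you notify us of a breach within the contracted window?", 5, 1),
    Question("ISO27001", "Do you hold a current ISO 27001 certificate?", 4, 1),
    # Only worth asking when the supplier is NOT certified: the certificate already
    # attests to the policy, so asking both is the duplicate the interview describes.
    Question("ISMS_POLICY", "Describe your information security policy and review cycle.", 3, 3,
             depends_on=(("ISO27001", "no"),)),
    # Irrelevant to an online-only (SaaS) supplier, so gated on an engagement tag.
    Question("VM_DEPLOY", "Can your software run in a virtual machine we manage?", 2, 2,
             context=frozenset({"on-prem"})),
    Question("SUPPORT_HOURS", "What are your support desk hours?", 1, 1),
]

def is_applicable(q, engagement, answers):
    """Question dependence: drop questions outside the engagement context or
    whose prerequisite answer has not (yet) been given."""
    if q.context and not q.context & engagement:
        return False
    return all(answers.get(dep) == required for dep, required in q.depends_on)

def order_questions(questions):
    """Higher risk first, harder-to-understand first; low-risk, easy ones last."""
    return sorted(questions, key=lambda q: (-q.risk, -q.difficulty))

def build_assessment(engagement, answers):
    """Ordered question ids to present, given the engagement tags and answers so far."""
    return [q.qid for q in order_questions(
        q for q in QUESTIONS if is_applicable(q, engagement, answers))]

def risk_score(engagement, answers):
    """Automatic scoring: sum the risk weight of every applicable question answered 'no'."""
    return sum(q.risk for q in QUESTIONS
               if is_applicable(q, engagement, answers) and answers.get(q.qid) == "no")

if __name__ == "__main__":
    print(build_assessment({"saas"}, {"ISO27001": "no"}))
```

Re-running `build_assessment` after each answer is what introduces or removes dependent questions at the point of answering; here ISMS_POLICY only appears once the supplier has answered "no" to the certification question.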