
Third-party assessment fatigue

Every organisation is challenged with monitoring and managing the risk of multiple third parties (figures suggest companies share confidential information with 583 third parties on average), and with quickly addressing related threats and incidents when they arise from vendors. This is resulting in increased fatigue among compliance and risk teams.

The power of technology

Automation can help minimise fatigue, and technology can take the onus off security teams when running third-party risk assessments on every potential vendor, leaving them to focus on the strategic vendors that require more hands-on scrutiny.

For example, organisations can automate vendor onboarding, evaluation and continuous monitoring. Automation can help business users initiate third party requests and manage vendor profiles, contacts, and risk scores more effectively. This will give teams superior vendor risk insight, in less time, which will, in turn, ensure their supply chain is fit for purpose and that onboarded vendors do not degrade the service that businesses

Infosecurity Magazine speaks to Alex Hollis, VP of GRC Services, to discuss this further. Here are his comments in full:

How would you define assessment fatigue?

Assessment fatigue comes from the medical world and relates to the sickness and false symptoms a patient may display when subjected to an excessive level of diagnostic testing. In the third party world, we have borrowed the term to explain the exhaustion felt when third parties are hit with a large number of assessments and questions.

Why is third party risk assessment fatigue a problem?

SureCloud has conducted primary research and found that the focus of someone answering due diligence assessments drops by over 40% after the first 100 questions and exponentially increases. Other studies around assessments have found that increasing the number of questions reduces the time spent per question, which may, therefore, have an impact on the quality of the answer.

We would love it if a third party gave us a list of the risks they manage on our behalf with a rating and any mitigating controls. However, that won’t happen. So, we need to reach that same level of trust through enquiry.

Is there a suitable alternative to vendor risk assessments?

It is accepted among third party risk professionals that survey-style assessments are not a perfect tool. However, there has not been a better alternative for creating a standard test which can be deployed en masse, unfortunately.

However, there have been a number of attempts over the years by companies to create centralised pre-answered vendor assessments, but all have failed due to the issue of control and trust. The model has been for companies to reach out to suppliers and collect the data in advance, then make that data available to consumers for a fee or as part of a broader offering.

The issue is that as much as suppliers find due diligence assessments painful, they do not want to hand over sensitive data to a middleman nor do they want to give up control of releasing that data to unknown persons the supplier does not have a relationship with.

The other model is to create a question set that both suppliers and consumers agree on, such that answers against that question set can be prepared in advance by suppliers and consumers can consume the interesting elements. There are some companies that are making good money from this method, but the barrier to entry is high, as both supplier and consumer must not only agree on the same standard but also typically both pay a subscription to use the question set.

Interestingly, standards such as ISO 27001 often appear as specific questions around whether the supplier holds the certification. The same assessment will then go on to ask specific questions about policies and procedures, which must be in place if the company is certified.

This either indicates that care has not been taken around the generation of third party assessments, or that the certification of these standards is not trusted, which leads companies to use statements like “we’re compliant with ISO 27001, but not certified” as the certification provides no benefit.

Benefits to vendor assessments underpinned by technology

We return to the bespoke survey assessment and appreciate that it is a low-cost and universally applicable solution to the problem of collecting answers. This can be enhanced with technology to manage the relevant questions asked and ensure answers are given in a way that can be automatically processed and scored.

Further, the transmission and return of the assessment can also be managed, making sure that reminders are sent, and activity is tracked.

What should organisations be focusing on when sending assessments out?

The goal is asking the right number of questions to reach an opinion on the risk a third party presents without incurring quality issues due to assessment fatigue. Using technology to strip back questions which are irrelevant to the third party and the context of the engagement, duplicate, aimless, unnecessarily detailed, or for general exploration, reduces the exposure to assessment fatigue. While it is possible to improve questions generally, the relevance of questions may only be realised when other questions are answered; this is referred to as question dependence. Question dependence needs a technology solution at the point of answering to introduce or remove questions.

How do we prevent third party risk assessment fatigue for the reviewer?

I’d advise that higher-risk questions, or those that present information not easily computed, should be reviewed earlier than those that present little or no risk and are straightforward to interpret automatically. The attention of your human risk expert is valuable and expensive, therefore ensure it is pointed towards the responses where it can provide the most value!
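As an added illustration (not code from the article, nor from SureCloud's product), a small Python model of the two points above: question dependence, where later questions appear or disappear depending on the engagement context and on earlier answers, and a review queue that puts answers a machine cannot score, and higher-risk answers, in front of the human reviewer first. The question set, contexts and risk weights are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed (hypothetical) question set: each question carries a risk weight,
# whether a yes/no answer can be scored without a human, the engagement
# contexts in which it applies, and the earlier answers that gate it.
@dataclass
class Question:
    qid: str
    text: str
    risk: int                       # 1 (low) .. 5 (high)
    auto: bool                      # True: yes/no answer is machine-scorable
    contexts: frozenset = frozenset({"saas", "on_prem"})
    depends_on: dict = field(default_factory=dict)   # {qid: required answer}

QUESTIONS = [
    Question("q1", "Do you hold a current ISO 27001 certificate?", 3, True),
    Question("q2", "Can the software be deployed in a customer-managed VM?", 2, True,
             contexts=frozenset({"on_prem"})),      # irrelevant to online-only vendors
    Question("q3", "Which controls govern access to customer data?", 5, False),
    Question("q4", "Describe your security policy review cycle.", 4, False,
             depends_on={"q1": "no"}),              # only asked if not certified
    Question("q5", "Is customer data encrypted at rest?", 4, True),
]

def next_questions(questions, context, answers):
    """Questions still to ask: in scope for the context, not yet answered, and
    every gating dependency satisfied by the answers collected so far."""
    return [q for q in questions
            if context in q.contexts and q.qid not in answers
            and all(answers.get(dep) == want for dep, want in q.depends_on.items())]

def auto_score(question, answer):
    """Risk points for a machine-scorable answer; None means a human must read it."""
    if not question.auto:
        return None
    return 0 if answer == "yes" else question.risk

def review_queue(questions, answers):
    """Order answered questions for the reviewer: free-text answers that cannot
    be scored first, then scored answers that carry risk, then risk-free ones;
    higher risk weight first within each group."""
    answered = [q for q in questions if q.qid in answers]
    def priority(q):
        points = auto_score(q, answers[q.qid])
        return (points is not None, points == 0, -q.risk)   # False sorts first
    return [q.qid for q in sorted(answered, key=priority)]
```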

Often the nature of these interactions is a set of clarifications around the questions and the answers given, done over email. This occurs most often when questions are asked which are not in keeping with the context of the organisation — for example, asking online-only software companies whether their software can be deployed in a virtual machine.

The asynchronous nature means that often the context of the question and even the question text is lost in the email exchange. This adds confusion and further fatigue in explaining why the question is not relevant or why alternative controls have been chosen. Keeping the conversational exchange a part of the assessment is a useful approach for keeping all context together.

Read the full InfoSec Magazine article here.
