Organisations are facing increasing requirements to introduce third party assurance programmes in order to reduce the risks involved with essential supplier relationships. Setting up such programmes from scratch or extending existing programmes brings about challenges. Is there a quick and easy way to address them?
Why is third party assurance necessary?
As digital trading relationships have evolved, the boundaries between organisations have eroded, making them difficult to define. The emergence of cloud suppliers and IT-as-a-service has led to key business processes, such as IT support, being outsourced. Consequently, organisational perimeters have blurred. Many relationships are built on trust, and this becomes diluted as relationships proliferate along the supply chain. A more rigorous level of assurance is needed for organisations to be sure that their suppliers, and their suppliers’ suppliers, are meeting the same commercial and legal requirements that they are. Suppliers have an obligation to meet an organisation’s requirements, but it is ultimately the organisation’s responsibility to ensure all contractual and regulatory requirements are met.
Whilst a wave of IT compliance guidelines and requirements (including FCA SYSC 8.1, PCI DSS, ISO27001, the EU cyber security directive and ICO legislation) has led to an environment where everyone is auditing everyone, a significant number of organisations are still failing to obtain assurance about their suppliers’ security standards. In a survey of 172 organisations*, only 65% of respondents ensured that the contract with their externally hosted service provider included provisions for security.
It’s perhaps difficult to understand why this percentage is not higher, especially when you consider the consequences of getting it wrong. The recent horsemeat scandal is a good example of how failure to properly check suppliers’ credentials and processes led to widespread food fraud. The global retailers and food companies with multi-level supply chains suffered considerable brand damage and lost revenue as a result, and still face the potential of fines and criminal proceedings.
What challenges does third party assurance pose?
Historically, small teams of people have dealt with internal risk and compliance. Introducing the need to audit suppliers therefore multiplies the compliance processes by the number of suppliers. And, as organisations embrace more mobile and cloud-based approaches, the need for supplier assurance will increase further.
Typically, spreadsheets are emailed to suppliers to complete and return. Whilst they are a convenient tool for recording information about a supplier, they do not scale well, even for a handful of suppliers. Collating the data is difficult to manage, as is version control. Relying on email to distribute the requests to suppliers provides no information about how suppliers are progressing or how good their responses are. Any analysis that has been built into the spreadsheet is difficult to aggregate in order to provide a meaningful comparison of suppliers.
Establishing an automated third party assurance programme
SureCloud has worked with many customers developing programmes to efficiently undertake auditing and ensure compliance with industry regulations. Depending on the scale of the requirement it may be appropriate to take a phased risk-based approach to auditing; one of the programmes SureCloud has successfully implemented is structured as follows:
Phase 1: Information classification – define your objectives (based on your auditing requirements) and decide what information is most critical (e.g. name, address, contact details, bank account number, credit card number, etc.). Assess all suppliers against a short checklist to establish the type and volume of data they handle on your behalf. This will give an organisation the ability to audit all suppliers quickly and produce a rank-ordered list of suppliers by data risk.
Phase 2: Supplier self-assessment – formulate your questions carefully, avoiding ambiguity and repetition; don’t be afraid of closed questions. The qualitative information should be given a weighting according to its importance, to enable risk to be calculated, e.g. 1=low, 2=medium, 3=high, 4=critical. Hide your measurements to avoid making the ‘correct’ answer obvious. Consider risk from a strategic, operational, regulatory, legal and reputational perspective. Ensure you coordinate with all other departments requiring information from suppliers. Give your suppliers access to online forms into which they can enter the information you need. You should be able to check on their progress as they complete the questionnaire. Once the information has been submitted, supplier risk can be calculated automatically; aggregating the information will enable suppliers to be ranked according to risk based on the weightings applied to the questions. Even for organisations with a small number of suppliers, e.g. five or more, this automated approach will drive efficiency.
Phase 3: On-site auditing – in-person supplier audits should be undertaken to validate the information supplied. You may not need to visit all your suppliers, so you can prioritise visits based on the highest risk suppliers from Phase 2. This will enable you to utilise your compliance resources as efficiently as possible, save time, and shorten supplier assurance cycles.
Phase 4: Remediation of high-risk suppliers – based on the findings of the on-site visits, suppliers can undertake tasks and projects to improve their risk scores. These should be recorded online to enable you to check on progress, repeat phases 1-3 where necessary, and to make more informed risk-based decisions about whether to maintain supplier relationships.
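As an added illustration of Phases 1 to 3 (example code written for this article, not SureCloud’s platform), the block below scores constructed sample suppliers against a data-sensitivity checklist and a closed-question questionnaire whose 1 to 4 weights are kept out of the supplier’s view, ranks them by total risk, and shortlists the highest-risk ones for on-site audit. All supplier names, data types, questions, weights and volume bands are assumptions.

```python
# Added example, not SureCloud's code. All suppliers, data types, questions
# and weights are constructed sample values chosen for illustration.

# Phase 1: sensitivity of each data type a supplier may handle on our behalf.
DATA_WEIGHT = {"name": 1, "address": 1, "contact": 1, "bank_account": 3, "card_number": 4}

# Phase 2: closed questions. Weights (1=low .. 4=critical) live here, server-side,
# so the supplier's form never reveals which answer is the 'correct' one.
QUESTIONS = {
    "encrypts_data_at_rest": 3,
    "has_incident_response_plan": 2,
    "annual_penetration_test": 3,
    "iso27001_certified": 2,
    "background_checks_staff": 1,
}

def data_risk(data_types, volume):
    """Phase 1 score: most sensitive data type handled, scaled by a volume band."""
    sensitivity = max((DATA_WEIGHT.get(t, 1) for t in data_types), default=0)
    band = 1 if volume < 1_000 else 2 if volume < 100_000 else 3
    return sensitivity * band

def questionnaire_risk(answers):
    """Phase 2 score: sum of weights for controls the supplier does not report having.
    An unanswered question counts as 'no', so an incomplete submission is not rewarded."""
    return sum(w for q, w in QUESTIONS.items() if not answers.get(q, False))

def rank_suppliers(suppliers):
    """Aggregate both scores and return [(name, total)] with highest risk first."""
    scored = [(s["name"], data_risk(s["data"], s["volume"]) + questionnaire_risk(s["answers"]))
              for s in suppliers]
    return sorted(scored, key=lambda x: (-x[1], x[0]))

def audit_shortlist(suppliers, top_n):
    """Phase 3: prioritise on-site visits for the top_n highest-risk suppliers."""
    return [name for name, _ in rank_suppliers(suppliers)[:top_n]]

SAMPLE_SUPPLIERS = [  # constructed sample submissions
    {"name": "PayCo", "data": ["name", "card_number"], "volume": 250_000,
     "answers": {"encrypts_data_at_rest": True, "has_incident_response_plan": True,
                 "annual_penetration_test": False, "iso27001_certified": True,
                 "background_checks_staff": True}},
    {"name": "MailCo", "data": ["name", "address"], "volume": 5_000,
     "answers": {"encrypts_data_at_rest": False, "has_incident_response_plan": False,
                 "annual_penetration_test": False, "iso27001_certified": False,
                 "background_checks_staff": True}},
    {"name": "HRCo", "data": ["name", "bank_account"], "volume": 800,
     "answers": {"encrypts_data_at_rest": True, "annual_penetration_test": True}},
]

if __name__ == "__main__":
    print(rank_suppliers(SAMPLE_SUPPLIERS), audit_shortlist(SAMPLE_SUPPLIERS, 2))
```

Note that HRCo’s partial submission still scores the missing answers as risk, which is what lets you see from the ranking which suppliers have not finished the questionnaire.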
*Source: 2013 Information Security Breaches Survey, Department of Business Innovation & Skills in conjunction with PwC
About the author
Richard is cofounder and CEO of SureCloud®, a provider of Software-as-a-Service Governance, Risk and Compliance solutions. Prior to founding SureCloud, Richard held a range of senior executive positions at high technology organisations in the UK, mainland Europe and North America, where he led sales, marketing and market development functions.
Today, in addition to leading SureCloud and overseeing the continual innovation of the SureCloud platform, Richard advises enterprises on their governance, risk and compliance practices.