Third Party Risk Assessment Fatigue - Why should you care?
(spoiler alert - mutual efficiency is key to your risk program's success)
It's no secret that companies increasingly rely on third parties for the products and services they use in their operations. As a result, companies often have to share confidential information with these third parties and vendors.
This makes third-party risk assessment crucial for any business. In other words, it should be one of its top priorities. It's simple: when companies share their confidential information with third parties, they open themselves to the risk of data breaches and a variety of other cyber security risks.
In the process, they also expose their systems to attacks by cyber criminals. This is especially true when you consider the state of technology. Networks are becoming larger and more complex, while businesses are generating more data than ever.
This means having proper oversight over these third parties is an important risk management tool to protect the business. Despite this, two out of every three companies don't have centralized control and resources to enable them to have proper vendor oversight. This leads to companies performing the same assessment for every vendor irrespective of what product or service the vendor will provide.
Using the same assessment for all vendors leads to third-party risk management fatigue and wastes time for both the company and the vendor. But what exactly is third-party risk management fatigue and how can you prevent it? This post will look at this question in more detail.
What Is Third-Party Risk Management Fatigue?
Assessment fatigue is a term that originates from the medical world. It describes the false symptoms someone may show when they’re exposed to too much diagnostic testing. In other words, a patient may experience symptoms of a disease if they’re constantly tested for it, even though they don't have the disease.
The third-party risk management industry is now using the same term. Here, it describes the exhaustion felt when you expose third parties to a large number of assessments and questions.
This typically happens when a company uses the same assessment procedures for all vendors irrespective of the products or services that they offer to the company.
The Problem With Current Third-Party Risk Assessment Processes
Every company, no matter how big or small, is challenged with monitoring and managing the risk of many third parties. In fact, the numbers suggest that, on average, companies share their information with 583 third parties.
Now consider that each of these third parties should be assessed and it's easy to see why companies are suffering from assessment fatigue. And it's not only the companies who are struggling; third parties face challenges too. This is simply because they must deal with a large number of vendor onboarding assessments and questions before doing business with the company.
In fact, according to research, the focus of someone answering due diligence assessments decreases by over 40% after the first 100 questions, and the decline grows exponentially as more questions are added.
Other studies have found that increasing the number of questions effectively reduces the time the respondent spends per question. This, in turn, affects the quality of the answers and the overall effectiveness of the assessment.
A simple solution to the problem would be that third parties give these companies a list of the risks they could manage on the company's behalf together with ratings and mitigating controls. This would effectively remove the need for a third-party risk management assessment. This, unfortunately, won't happen, so companies need to stick with their current assessment processes.
And herein lies the big challenge. Although current survey-style assessments are not ideal for an effective risk management process, there has simply been no better alternative available. The fact is that current systems for managing and assessing vendors through manual processes make the process inefficient and ineffective, and open the door to errors which, in turn, add further fatigue.
In every business relationship both the company and the vendor want the relationship to succeed on a commercial basis. The company is not interested in assessing all its vendors to the same degree. Likewise, the vendors are eager to provide sufficient information to allow the company to do its risk assessment based on the services or products being supplied by the vendor.
This requires assessments and data appropriate to the product or service. So, one of the main challenges of third-party risk management processes is to get the relevant information while at the same time reducing reviewer and vendor fatigue.
Now, over the years there have been a few attempts by companies to meet these challenges. One solution was to create a centralized hub of pre-answered third-party assessments.
Using this model, a company would reach out to third parties and collect the data before making it available to other companies. In turn, the company would then charge a fee for its services. The problem is that third parties don't necessarily want to give their sensitive data to a middleman.
Another solution is to create a question set that both the company and the third party agree on in advance. Now, this could be an appropriate solution, but it brings with it certain challenges. For one, both parties must agree on the questions, which takes extra time and effort. In addition, both parties must typically pay a subscription to use the questions.
Despite both proposed solutions being capable of solving the challenges to some extent, they're not perfect.
And here, technology seems to be the answer.
By using automation, assessment fatigue can effectively be reduced, and the workload can be taken off security teams when they're doing third-party risk assessments. This frees up their time to focus more on third parties who require a more hands-on approach.
In this way, a good risk management solution reduces assessment fatigue by automating third-party onboarding and evaluation, while also allowing companies to continuously monitor the process. It also reduces reviewer fatigue by providing complete third-party risk insight, which ensures that companies use the right vendors for their products or services.
Typically, for a risk management solution to effectively reduce assessment fatigue it must, at least, have the following features:
Provide a centralized vendor repository that helps companies to categorize vendors based on their services and products and the importance of these for the business.
Offer the ability to map vendors directly to business processes within the business.
A customizable, transparent score calculation model.
A flexible assessment library that allows companies to add new questions and assessments or modify existing ones.
The ability to organize questionnaires into tiers and dependencies, which ensures that vendors are only asked the questions relevant to the products or services they supply to the company.
Dynamic assessments that can help to improve questions by asking relevant questions based on previous answers given by the vendor.
The ability to add comments to questions or add attachments if necessary.
Questionnaires that can only be submitted once all questions have been answered. This saves time by preventing the submission of incomplete assessments.
The ability to monitor the progress of the assessment in real-time and manage expectations on behalf of both the company and the vendor.
The auto calculation of risk scores when the assessment is completed.
On submission of the assessment, it should provide auto generated findings which are based on the responses of the vendor. This ensures that no details are missed.
The ability to lock assessment responses when the assessment is submitted. This preserves the integrity of the assessment and provides a detailed audit trail.
The ability to capture further communication after the submission of the assessment. This eliminates email communication post submission and provides auto timestamps and captures the conversation regarding the assessment. This is vital for an effective risk management process.
It should offer reminders and notifications which can be scheduled on predetermined dates and events. This reminds both the company and the vendors of upcoming submission, assessment, and other milestone dates.
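As an added illustration of how several of the features above fit together (vendor tiering, a tier-scoped question library with dependencies so each vendor is only asked what applies, a completeness gate before submission, automatic risk scoring and findings, locking of responses on submission, and a timestamped post-submission log), here is a small Python model. It is example code written for this post, not Rescana's product or any code described on this page; the question library, the tier rules, the weights and the scoring formula are all constructed assumptions.

```python
"""Toy model of a tiered, dependency-driven vendor questionnaire.

Hypothetical example written for this post; it is not a vendor's product code.
The question library, tiers, weights and scoring formula are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    tiers: frozenset                     # vendor tiers the question applies to
    weight: int                          # risk weight added when the answer is "no"
    depends_on: Optional[tuple] = None   # (qid, answer) that must hold before it is asked


# Constructed sample library (hypothetical questions, not from any real framework).
LIBRARY = [
    Question("Q1", "Do you process our confidential data?", frozenset({"low", "medium", "high"}), 0),
    Question("Q2", "Is that data encrypted at rest?", frozenset({"medium", "high"}), 5, ("Q1", "yes")),
    Question("Q3", "Do you hold a current independent security audit report?", frozenset({"high"}), 4),
    Question("Q4", "Do subprocessors handle our data?", frozenset({"medium", "high"}), 0, ("Q1", "yes")),
    Question("Q5", "Are subprocessors bound to your security controls?", frozenset({"medium", "high"}), 3, ("Q4", "yes")),
    Question("Q6", "Do you maintain an incident response plan?", frozenset({"low", "medium", "high"}), 2),
]


def classify_vendor(handles_confidential_data: bool, business_critical: bool) -> str:
    """Tier a vendor by what it receives and how important the service is (assumed rule)."""
    if handles_confidential_data and business_critical:
        return "high"
    if handles_confidential_data or business_critical:
        return "medium"
    return "low"


class Assessment:
    def __init__(self, tier: str, library):
        self.tier = tier
        # Only questions scoped to this tier are ever presented to the vendor.
        self.by_id = {q.qid: q for q in library if tier in q.tiers}
        self.answers = {}
        self.submitted = False
        self.log = []  # (UTC timestamp, author, message) captured after submission

    def applicable(self, q: Question) -> bool:
        """A question is asked only when its whole dependency chain is satisfied."""
        if q.depends_on is None:
            return True
        dep_qid, dep_val = q.depends_on
        return self.applicable(self.by_id[dep_qid]) and self.answers.get(dep_qid) == dep_val

    def pending_questions(self):
        """Dynamic view: applicable questions the vendor has not answered yet."""
        return [q for q in self.by_id.values() if self.applicable(q) and q.qid not in self.answers]

    def answer(self, qid: str, value: str) -> None:
        if self.submitted:
            raise PermissionError("responses are locked after submission")
        if value not in ("yes", "no"):
            raise ValueError("answers must be 'yes' or 'no'")
        if qid not in self.by_id or not self.applicable(self.by_id[qid]):
            raise ValueError(f"{qid} is not applicable to a {self.tier}-tier vendor at this point")
        self.answers[qid] = value
        # Drop answers to questions that a changed earlier answer has made irrelevant.
        self.answers = {k: v for k, v in self.answers.items() if self.applicable(self.by_id[k])}

    def submit(self) -> dict:
        """Refuse incomplete questionnaires; otherwise score, generate findings and lock."""
        pending = [q.qid for q in self.pending_questions()]
        if pending:
            raise ValueError(f"unanswered questions: {pending}")
        asked = [self.by_id[qid] for qid in self.answers]
        total = sum(q.weight for q in asked)
        exposure = sum(q.weight for q in asked if self.answers[q.qid] == "no")
        findings = [q.qid for q in asked if self.answers[q.qid] == "no" and q.weight > 0]
        self.submitted = True  # lock: answer() now refuses changes
        return {"tier": self.tier, "questions_asked": len(asked),
                "risk_score": round(exposure / total, 2) if total else 0.0, "findings": findings}

    def add_comment(self, author: str, message: str) -> None:
        """Post-submission discussion is captured with a timestamp instead of by e-mail."""
        self.log.append((datetime.now(timezone.utc).isoformat(), author, message))


if __name__ == "__main__":
    a = Assessment(classify_vendor(True, True), LIBRARY)
    for qid, value in [("Q1", "yes"), ("Q2", "yes"), ("Q3", "no"), ("Q4", "yes"), ("Q5", "no"), ("Q6", "yes")]:
        a.answer(qid, value)
    print(a.submit())
    b = Assessment(classify_vendor(False, False), LIBRARY)
    print([q.qid for q in b.pending_questions()])  # a low-tier vendor sees only two questions
```

The point of the model is the reduction in questions: the same library yields six questions for a high-tier vendor that handles confidential data and uses subprocessors, but only two for a low-tier vendor, and a vendor that answers "no" to processing your data is never asked the encryption or subprocessor questions at all.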
Ultimately, this solution will improve the assessment model by posing the right questions to the right vendors. It also allows the company to gain valuable insights into their risk management processes and get instant feedback while reducing vendor and reviewer fatigue in the process.
The Bottom Line
With companies increasingly looking to third parties for vital products and services they use in their business processes, third-party risk management has become crucial to ensure that a company is not exposed to unnecessary risk in its procurement processes.
Unfortunately, to date there hasn't been an efficient risk management solution, and companies have largely been limited to manual processes that waste time, are inefficient, and increase third-party and reviewer fatigue.
Fortunately, technology and automation offer companies an effective solution to meet these challenges head on. With it, they'll be able to streamline their third-party risk management processes and make them much more efficient. As a result, a company can effectively reduce or eliminate third-party risk management fatigue.
If you need more information about Rescana, or how our platform can improve your third-party risk assessment processes, visit our website, or contact us for more information.