Risk and compliance teams like mine are seeing a dramatic increase in requests for security risk assessments. Not necessarily in volume, but in complexity. The shift has consumed a significant number of resources, human and otherwise, and requires teams on both the pre- and post-sales sides to engage at different points in the process and collaborate with different departments on our customers' side to ensure success.
Additionally, as the risk landscape evolves, it has become more common for organizations to engage with one another multiple times a year to satisfy due diligence requirements. In the end, passing documents back and forth and having conversations does little on its own to reduce the amount of risk that a new relationship presents for a company.
If we are looking to reduce risk, then we must work together as an industry to create a more efficient, collaborative model with less box checking. We must start looking at risk assessments as a two-way street that requires effort from both the customer and the vendor. If we are successful, we’ll establish a comprehensive risk management process that will let us proactively address security concerns within organizations and throughout our vendor ecosystem.
Build a proactive compliance assurance program
With an eye towards efficiency and collaboration, as well as being ready for as many audits as possible, I have prioritized building a robust, proactive compliance assurance program. We aim to streamline the assessment process and deliver as much information as possible at the beginning of the customer journey, so that the conversation can move quickly to the bigger-picture items that truly affect the risk posture of customers. Toward that end, preparing a compliance assurance package that is loaded with relevant information has become extremely important.
Now, every customer who engages with our assurance program receives a comprehensive package. The package typically includes information about our security, risk, and compliance programs, answers to commonly asked questions, and summary reports from security testing and external audits that have been deemed acceptable to share externally with customers, including our CyberGRX assessment. This package may not answer every question, but it does give the customer's team a starting point that is critical for driving efficiency and kicking an engagement off on the right foot.
Today, I see a high success rate among organizations that use our compliance package as a tool to square up their own assessment. In fact, there have been instances where my team did not have to get involved in an assessment at all because the compliance package met a customer's assessment requirements. While that outcome is still uncommon, it is a compelling example of what these processes could look like. As I envision what a new wave of collaboration and engagement looks like in risk management, here are three recommendations for a collaborative assessment process:
- Streamline assessment requests. More frequently, we see assessment requests doled out based on how a customer categorizes risk: GDPR, cloud-related controls, application development. Or, in larger organizations, different risk management teams across different business units send the same, or similar, assessments. Because there is so much overlap, many of the questions contained in these individual assessments are identical. If customers merge these fragmented assessments and assessment processes into one comprehensive request, we can move through the initial due diligence process quickly and on to the audit process, which rightly deserves more of our attention.
- Review the compliance assurance package. Do the work upfront to review the compliance package and cross-reference it against the customer's assessment requirements. From there, it is possible to come back with 20 or 30 questions that were not addressed by the initial sharing of information. This process almost guarantees that customers are brought to the front of our queue, and it can mean that in less than a day we can satisfy the entire assessment as a team.
- Bring teams together. In most instances, bringing teams together at the outset to discuss the important elements of the assessment will streamline the engagement and ensure timely completion. Everyone involved should agree on the essentials upfront: clearly identify the assessment scope, discuss deliverable expectations, and agree on post-engagement commitments.
We have already seen this year that managing risks, whether from economic fluctuations, bank failures or power outages caused by weather, has become critical. As these risks reverberate and affect the communities with which we do business, it becomes increasingly imperative to design a mature and repeatable risk management strategy that benefits both customer and vendor. If we can get the ball rolling with deliberate communication and a commitment to collaboration, we can substantially increase the number of assessments we complete and leave more time for mitigating the risks those assessments uncover. We have come a long way, and I am buoyed by our customers who believe in collaboration and efficiency to make this year the turning point at which third-party risk management gets prioritized.
David Wilson, director of compliance assurance, ACI Worldwide