Cutting Corners: Most Companies Conduct Inherent Risk Assessments on Less Than 40% of Their Vendors
More than two-thirds of companies are cutting corners when it comes to third-party due diligence
It is no secret that inherent risk assessments are crucial to third-party risk management success, but are they being conducted?
During a recent IT GRC webinar, Automating Your Third-Party Risk Management Program, attendees were asked how many of their vendors have been given an inherent risk assessment during the onboarding process.
While any third-party risk management professional would be quick to say that they perform inherent risk assessments to determine the level of due diligence for a vendor, the survey revealed that two-thirds of companies are actually scoring less than half of their vendors.
That means most companies are potentially exposing their organization to unnecessary and potentially damaging risks at the very point when it is easiest to keep the risk out. Risk managers know that contracting a vendor is the beginning of a new relationship – there are several unknowns, and managers can expose their enterprise to risks with enduring consequences – and yet the numbers say otherwise.
While some may argue that assessing some vendors is better than forgoing inherent risk assessments altogether, once contracted, these vendors could have access to sensitive information. If they are compromised, then your data could be as well. Are you willing to take that risk?
Why is the large majority bypassing a major step in the vendor onboarding process? This is likely due to how tedious, manual and time-intensive the process can be. Traditional spreadsheet-based vetting processes take up a lot of time and require bandwidth that most companies frankly do not have. They’re not choosing to forgo due diligence; they just don’t have the resources to get it done.
But the good news is, there is an easier way.
Replace Inconsistent, Manual Due Diligence with Vendor Risk Management Automation
One of the first key steps in onboarding a vendor is determining its level of inherent risk, as this determines the depth of due diligence the company must conduct on that vendor. Although all third-party vendors must be onboarded, they do not merit equal attention. Vendors that provide essential services, or hold sensitive data, carry a high degree of inherent risk and must be scrutinized accordingly.
So where do you start?
Organizations must determine which third parties carry meaningful risk that requires more than a cursory review. This may consist of a simple, standardized internal questionnaire that helps to determine whether or not the vendor requires deeper due diligence. An intelligent intake process acknowledges differences in risk that merit different degrees of review, prioritizes the vendors that require further investigation and reduces costly and time-consuming analyst input.
Although this sounds like a relatively simple process, many organizations make it unnecessarily complex by relying on manual processes that are prone to error and inconsistency. From spreadsheets that cannot easily be consolidated to emails that fail to create a documentable trail of activity, time-intensive processes that require heavy manual analysis play a large part in discrepancies and mistakes.
Assessment automation can not only streamline these processes but also give risk professionals the necessary peace of mind, ensuring that every vendor has been assessed to the required level.
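As an added illustration (not ProcessUnity's code and not from the webinar), the intake step described above can be reduced to a small, repeatable scoring rule: a standardized questionnaire is weighted, the total maps to a review tier that fixes the depth of due diligence, and every result carries a timestamp so there is a documentable trail. The question names, weights and tier cut-offs are constructed assumptions; an unanswered question is deliberately scored as a "yes" so that an incomplete intake can never place a vendor in a lower tier.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Weights and tier cut-offs are a constructed illustration, not ProcessUnity's model.
QUESTIONS = {
    "handles_sensitive_data": 3,    # PII, financial, health or credential data
    "essential_service": 3,         # an outage would halt a core business process
    "system_or_network_access": 2,  # VPN, API keys, privileged accounts
    "uses_subcontractors": 1,       # fourth-party exposure
    "regulated_jurisdiction": 1,    # data-protection or sector regulation applies
}
# (minimum score, tier, depth of due diligence that tier triggers)
TIERS = [
    (6, "high", "full questionnaire, evidence review and audit"),
    (3, "medium", "standard questionnaire and policy review"),
    (0, "low", "contract terms and attestation only"),
]

@dataclass
class IntakeRecord:
    vendor: str
    answers: dict
    score: int
    tier: str
    diligence: str
    incomplete: bool      # some questions were left unanswered
    assessed_at: str      # UTC timestamp for the audit trail

def assess_inherent_risk(vendor: str, answers: dict) -> IntakeRecord:
    """Score one intake questionnaire and map the score to a review tier."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise ValueError(f"unknown questions: {sorted(unknown)}")
    # Fail closed: an unanswered question counts as "yes", so a vendor whose
    # intake is incomplete is pushed up, never down, the tier ladder.
    missing = [q for q in QUESTIONS if q not in answers]
    score = sum(w for q, w in QUESTIONS.items() if answers.get(q, True))
    tier, diligence = next((t, d) for floor, t, d in TIERS if score >= floor)
    return IntakeRecord(vendor, dict(answers), score, tier, diligence,
                        bool(missing), datetime.now(timezone.utc).isoformat())

def prioritize(records: list) -> list:
    """Queue vendors for analyst review: highest inherent risk first, then by name."""
    return sorted(records, key=lambda r: (-r.score, r.vendor))

if __name__ == "__main__":
    # Constructed sample vendor.
    rec = assess_inherent_risk("Payroll SaaS", {"handles_sensitive_data": True,
                                                "essential_service": True})
    print(rec.vendor, rec.score, rec.tier, "incomplete" if rec.incomplete else "complete")
```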
How can you improve your inherent risk assessment process?
Download ProcessUnity’s Best Practices Guide for Simplifying Vendor Onboarding and learn how automation can streamline your program and ensure your company isn’t the next organization making headlines for a third-party data breach.