In the past couple of months, I have had the privilege of attending the RSA Conference and OpRisk North America. Across these two events I met many CISOs and Operational Risk Managers and got to take a look at some complimentary vendor products. The common theme I heard is that practitioners are becoming frustrated with the use of questionnaires as the primary means of performing risk and control assessments. In particular, third party risk managers are increasingly skeptical that questionnaires are a reliable way to evaluate the internal control environment of their third parties. Getting questionnaires completed has become more of a paper chase and compliance exercise than a risk assessment.
The market seems to be responding to these frustrations in a number of ways, some of value and some not so much:
• To reduce the significant time spent distributing and collecting questionnaire results, some vendors are popping up with information exchange networks. The theory is that if all third parties would answer a common questionnaire and deposit it centrally, it could be made available to their clients. For third parties, only one questionnaire has to be completed, and for clients it is a one-stop shop for risk and control information about their third parties. The problem is that many organizations do not want to participate in exchanges because of legal issues. In short, third parties provide information to their clients on a negotiated basis, and how much and what type of information is provided introduces litigation risk. Third parties don’t want to provide any more information than they have to, and clients want as much information as they can get. Unfortunately, clients can’t agree on a common set of information to collect from third parties, and third parties selectively decide which clients get what information. Except for extremely large organizations that can force their third parties into an information exchange, adoption has been poor. If your organization is thinking about participating in an information exchange, check with legal counsel first.
• A few credit scoring vendors such as D&B have been around a long time, and they provide value to third party managers concerned about whether their critical third parties might go out of business due to financial problems. Instead of gathering a third party's financial statements and performing credit assessments themselves, third party managers can rely on the ratings of the credit scoring vendor. This is particularly helpful when evaluating the creditworthiness of privately held companies and small businesses.
• To understand the control culture of a third party, and sometimes the integrity of its principals, information supplied by organizations such as LexisNexis, Bloomberg, and Advisen can be helpful.
• To understand how well a third party has been managing its information security, Advisen can tell you about the history of breaches and losses a company has experienced, QuadMetrics calculates the odds that a company will be breached, and BitSight and SecurityScorecard provide security rankings on organizations.
I am sure there are many more information providers than those I have mentioned. My point is that viable alternatives are emerging to replace questionnaires altogether, or at least to supplement them with external information. Many organizations use some or all of these kinds of data feeds every day. Mature organizations are bringing this kind of information into their third party governance solutions, such as RSA Archer, to obtain a holistic, more defensible view of the risk and performance of their third parties. Not every GRC solution can be adapted as easily as RSA Archer to accommodate such integration. If this is the direction you are headed with your program and you're not using Archer, make sure you validate the integration and configurability capabilities of your chosen GRC platform.