Addressing Third Party Assessment Fatigue with Automation

Every organization is challenged with monitoring and managing the risk of multiple third parties, and, when we say multiple, we mean hundreds.

Figures suggest that on average, companies share confidential information with 583 third parties. It’s no wonder then that these companies are suffering from assessment fatigue. The third parties themselves are suffering too – they are exhausted when they are hit with a large number of vendor onboarding assessments and questions.

According to our own research, the focus of someone answering due diligence assessments drops by over 40% after the first 100 questions while other studies show that increasing the number of questions reduces the time spent per question, therefore impacting the quality of those answers.

The nirvana state is one where third parties would proactively give organizations a list of the risks they could manage on their behalf, along with ratings and any mitigating controls, removing the need for assessment. However, this will not happen, so organizations need to reach that same level of trust through enquiry.

It is accepted among third party risk professionals that survey-style assessments are not a perfect tool; however, there is currently no better alternative for delivering a standard test en masse.

Granted, there have been a number of valiant attempts over the years by companies to create centralized and pre-answered vendor assessments but all have missed the mark due to the issue of control and trust. The model has been for companies to reach out to suppliers and collect the data in advance before making that data available to consumers for a fee or as part of a wider offering.

The challenge is that, as much as suppliers find due diligence assessments painful, they do not want to hand over sensitive data to a middleman, nor do they want to give up control of releasing that data to unknown persons that the supplier does not currently have a relationship with.

The other model is to create a question set that both companies and their suppliers agree on, with answers against that question set prepared in advance. There are some companies that are making good money from this method but the barrier to entry is high, as both parties must not only agree on the same standard, but also typically both pay a subscription to use the question set.

We therefore return to the bespoke survey assessment model. So how can organizations make this work to their advantage? Automation technology can help take the onus off compliance and risk teams when running assessments on every potential vendor, leaving them to focus on strategic vendors that require more hands-on scrutiny while minimizing fatigue.

It can be used to enhance survey assessments whereby users manage the relevant questions asked and ensure answers are given in a way that can be automatically processed and scored. What’s more, the transmission and return of the assessment can also be managed, ensuring reminders are sent and activity is tracked.

The key to making this really work is asking the right number of questions to reach an informed opinion on the risk a third party presents, without incurring quality issues due to assessment fatigue. Automation can strip back questions which are irrelevant to the third party and the context of the engagement, as well as those that are duplicated, aimless, unnecessarily detailed, or used simply for general exploration, therefore greatly reducing the exposure to assessment fatigue.

Dynamic automation can also help improve questions, although it is important to recognize that the relevance of a question may only become apparent once other questions have been answered, otherwise known as question dependence. Question dependence needs a technology solution at the point of answering that introduces or removes subsequent questions; done right, this will save organizations time.

Once an assessment is completed and returned, organizations then need to review all of the information submitted. Again, the reviewer can suffer assessment fatigue which means the quality of that review could deteriorate. One way to tackle this is for reviewers to prioritize risks in order of importance.

Higher risk questions, or those that present more complex information, should be reviewed earlier than those which present little or no risk and are easy to automatically interpret.
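As an added illustration (not code from the article or any product it describes), the following Python sketch shows the three automation points discussed above: stripping questions that are out of scope for the engagement, question dependence that only surfaces a follow-up once its parent answer makes it relevant, and a review queue ordered so the highest-risk answers are read first. The question set, contexts and weights are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Question:
    qid: str
    text: str
    weight: int                       # review priority: higher = more risk when answered badly
    scope: set = field(default_factory=set)  # engagement contexts where relevant; empty = always
    depends_on: tuple = None          # (parent qid, parent answer) required before asking
    risky_answer: str = "no"          # answer that becomes a finding; None for gating questions

# Constructed sample question set (hypothetical, not a real standard)
QUESTIONS = [
    Question("Q1", "Do you process our customer data?", 2, risky_answer=None),
    Question("Q2", "Is customer data encrypted at rest?", 5, depends_on=("Q1", "yes")),
    Question("Q3", "Do you subcontract any data processing?", 3,
             depends_on=("Q1", "yes"), risky_answer=None),
    Question("Q4", "Are subcontractors security-assessed?", 4, depends_on=("Q3", "yes")),
    Question("Q5", "Do you hold a current PCI DSS attestation?", 5, scope={"payments"}),
    Question("Q6", "Do you have a physical access policy?", 1, scope={"onsite"}),
]

def next_question(questions, context, answers):
    """Return the next relevant, unanswered question, or None when the survey is done."""
    for q in questions:
        if q.qid in answers:
            continue
        if q.scope and not (q.scope & context):
            continue                   # out of scope for this engagement: stripped
        if q.depends_on and answers.get(q.depends_on[0]) != q.depends_on[1]:
            continue                   # parent unanswered, or answered so the child is moot
        return q
    return None

def run_assessment(questions, context, respond):
    """Drive the survey; `respond(qid)` supplies the vendor's answer for each question."""
    answers = {}
    while (q := next_question(questions, context, answers)) is not None:
        answers[q.qid] = respond(q.qid)
    return answers

def review_order(questions, answers):
    """Question ids whose answers are findings, highest-weight first for the reviewer."""
    findings = [(q.weight, q.qid) for q in questions
                if q.risky_answer is not None and answers.get(q.qid) == q.risky_answer]
    return [qid for _, qid in sorted(findings, reverse=True)]
```

With a vendor that answers "yes" to Q1 and Q3 and "no" to Q2 and Q4 in a "payments" engagement, only five of the six questions are asked and the reviewer queue starts with Q2, then Q4.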

What is clear is that vendor risk assessment is the linchpin of effective third-party risk management. After all, security breaches often highlight that information-related incidents come through the supply chain. The attention of risk professionals is therefore invaluable, so organizations need to ensure they are given the tools to provide the most value both to the business and to the vendors.

So if there is one takeaway for organizations it’s this – address third party assessment fatigue by automating your vendor onboarding, evaluation and continuous monitoring. This will give your teams superior vendor risk insight, in less time, which will in turn ensure your supply chain is fit for purpose and that onboarded vendors do not degrade the service you give to your customers.
