Iceberg’s Third Party Risk Management Process
Iceberg recently worked with a large U.S. financial organization to centralize and automate a number of Third Party Risk Management (TPRM) processes within a GRC solution, in order to achieve greater efficiency and effectiveness.
Many of the organization’s vendor risk management activities were being done using tools like Excel, Sharepoint and PeopleSoft, posing a number of challenges including:
- Overall vendor management: Getting an accurate, centralized view of all engagements for a vendor was difficult, and there was no way to aggregate risk scores between engagements. Information about vendors was disjointed in numerous spreadsheets and internal documents.
- Risk assessments: The Excel-based questionnaire had become unwieldy because of the sheer volume of questions, answers, reviews, and comments (in some cases covering nearly 1,000 control questions) and they were having trouble scaling this approach due to the number of engagements. The organization needed a logic based questionnaire to reduce the complexity of the assessment process.
With the new solution, the organization wanted to be able to answer these three key questions for their executives:
- Which vendors represent the greatest risk to our organization?
- How are we mitigating vendor risk?
- Are we adhering to regulatory demands?
The organization chose Iceberg because of our extensive experience implementing GRC solutions for financial organizations, including third party risk management. The depth of our GRC development team was ideally suited for their requirements.
Iceberg’s implementation group interacted with the customer’s team which included 10 stakeholders, two executive sponsors, three project managers, and remote teams across the United States and worldwide. Work on this project began in November 2016, and included an iterative approach using Iceberg’s Solution Lifecycle Management (SLM) methodology for GRC implementation. The SLM included initial on-site stakeholder workshops (including a “game board” simulation exercise to help with requirements gathering); iterative development; consultant demos; developer leadership and suggestions; and defect tracking, triage and remediation.
The initial project involved capturing records of approximately 1,000 existing vendor engagements into one centralized repository, and consolidating the security questionnaires within the GRC solution. The team developed a new evaluation process based on 12 sequential questions. An automated, logic-based system improved the user experience by using risk scores to determine which questions and assessments are required, reducing the burden on vendors. For example, if the vendor is not storing, processing or transmitting sensitive information, or did not require access to secure premises, they are assigned a lower risk score. As a vendor becomes more integrated with the organization’s data, systems and facilities, their risk score goes up, and so does the requirement for assessment and documentation.
The organization has achieved greater efficiency by applying the right rigor to the right vendors. In other words, resources are now spending the most time assessing vendors who present the greatest potential risk to the organization’s operations. The organization now has:
- Consolidated vendor information into one GRC system using data feeds.
- The organization has a centralized view of all vendor engagements, with a view of where each vendor is at in the vendor risk management lifecycle.
- A single, standardized process for vendor creation requests, removing much of the manual paper-based labour.
- A workflow to manage the lifecycle of assessing new and existing third party vendors through three questionnaires: Triage; Inherent Risk Assessment; and Third Party Due Diligence.
- Completed vendor questionnaires are stored within the GRC solution, so that previous answers can be re-used or updated for future assessments.
- Alerts and indicators can help monitor assessments that might be coming due, or are overdue for assessment or acceptance.
- The Operational Risk Management group can see aggregated risk scores across different vendor engagements.
- Vendor and third party risk ratings can be leveraged as part of the organization’s broader GRC activities. The organization meets regulator requirements and can demonstrate that they have more mature vendor risk processes and management in place.
Besides realizing greater efficiencies, senior management (including executives) and external regulators now have greater confidence – along with access to supporting evidence – that all vendors have been properly assessed and that the level of risk is understood. They have visibility into which vendors
pose the highest risks to the organization, and they understand how that risk is being monitored and mitigated.