Tue Apr 06 2021

Assessing the risks of your third parties, part 1: an introduction.

Jimmy Pommerenke

My previous articles focused mainly on the risks introduced by your digital footprint. I briefly touched on non-controlled assets, that is, assets managed by third parties, without delving too deeply into third-party risk management.

Managing the risks of working with third parties goes far beyond a few shared assets on your digital footprint. Think about shared processes, shared internal assets, data you share with your suppliers (confidential or not), databases, transactional systems, consultants' laptops on your network, or even physical access.

There are several layers to a risk-based view of a third party. Following the list above, we can already enumerate:

  • Shared external assets
  • Shared internal assets
  • Shared data
  • Shared processes
  • Shared access

The shared external assets are the web applications and their underlying servers managed and hosted outside your environment, the DNS and email systems, and the other systems composing your digital footprint. For more information on these systems, see two of my previous posts: https://www.linkedin.com/posts/jimmypommerenke_ive-been-writing-up-on-managing-your-digital-activity-6772128766211706881-nIFX and https://www.linkedin.com/posts/jimmypommerenke_digitalfootprint-riskmanagement-thirdpartyriskmanagement-activity-6774958906759233536-dgi1. The latter described setting up an automated system for enumerating external assets and deriving a risk exposure severity.

Let's focus on the other items in the list for this article. Enumerating and assessing external assets alone will not give you an in-depth risk view of your supplier. Ideally, you have a process or a tool that helps you determine how you work with them, which assets or other resources are shared with them, and what the resulting risks are. You want a system that not only shows you these risks but also lets you start managing them.

Sending self-assessment questionnaires to your third parties might be the most effective way to achieve this. The idea is simple: create a list of questions you'd like your supplier to answer (as objectively as possible, and, for the controls that matter most, backed by evidence rather than a bare "yes"), so you know where the strengths and weaknesses of working with them lie and where you need to focus your attention.

Unfortunately, this is easier said than done. Creating the ideal questionnaire is very difficult. You need a good understanding of what your supplier does (and doesn't do!), how critical their services are to you, and what you actually want to know (cutting through the noise and distractions). Sending the questionnaire out by email and keeping track of its status takes considerable resources. Then you need suppliers to spend a decent amount of time replying with relevant, quality answers. Keep in mind that you're not the only one sending them questionnaires; there is a real questionnaire fatigue among mid- to large-size suppliers, which makes your task even harder. When the completed questionnaire comes back, you need to spend time reviewing and assessing it. Finally, you iterate: work with the supplier to close the gaps and re-evaluate accordingly.
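To make the review-and-follow-up steps above concrete, here is an added example (not the author's tooling, and not a preview of the later articles) of what a standardised questionnaire looks like once it leaves the spreadsheet: questions carry a weight and the shared layer they cover, answers carry optional evidence, and a small scorer turns a supplier's response into a weighted score plus a prioritised list of open risks. The question set, the 1-3 weight scale, the yes/partial/no credits and the criticality multiplier are all illustrative assumptions; the supplier answers are constructed sample data.

```python
# Added example: a minimal, standardised model for a supplier self-assessment
# questionnaire with scoring and gap (open-risk) tracking. Not the author's
# tooling; question set, weights, credits and thresholds are illustrative assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Criticality(Enum):
    """How critical the supplier's service is to you (assumed 1-3 scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Accepted answer values and the credit each earns (assumed scale); "n/a" is excluded from scoring.
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    layer: str   # shared layer it covers: assets, data, process, access
    weight: int  # 1 = desirable, 2 = important, 3 = mandatory (assumed scale)


@dataclass(frozen=True)
class Answer:
    qid: str
    value: str                      # "yes", "partial", "no" or "n/a"
    evidence: Optional[str] = None  # reference to a policy, report, screenshot, ...


@dataclass
class Gap:
    qid: str
    reason: str    # "no", "partial", "unanswered" or "unverified"
    priority: int  # question weight x supplier criticality
    status: str = "open"


# Constructed sample questionnaire covering the shared layers from the article.
QUESTIONNAIRE = [
    Question("ACC-01", "Is MFA enforced for all staff with access to our systems?", "access", 3),
    Question("ACC-02", "Are consultant laptops that join our network managed and patched?", "access", 2),
    Question("DAT-01", "Is the data we share with you encrypted at rest?", "data", 3),
    Question("DAT-02", "Is a retention and deletion schedule in place for our data?", "data", 2),
    Question("PRO-01", "Do you have a tested incident response plan?", "process", 2),
    Question("AST-01", "Are internet-facing systems holding our data scanned for vulnerabilities monthly?", "assets", 1),
]


def validate_answers(questions, answers):
    """Reject unknown question ids and answer values outside the accepted set."""
    known = {q.qid for q in questions}
    for a in answers:
        if a.qid not in known:
            raise ValueError(f"unknown question id {a.qid}")
        if a.value not in CREDIT and a.value != "n/a":
            raise ValueError(f"invalid answer {a.value!r} for {a.qid}")


def score(questions, answers):
    """Weighted compliance score in percent over the applicable (non-n/a) questions.
    Unanswered questions count as applicable with zero credit."""
    by_id = {a.qid: a for a in answers}
    achieved = applicable = 0.0
    for q in questions:
        a = by_id.get(q.qid)
        if a is not None and a.value == "n/a":
            continue
        applicable += q.weight
        if a is not None:
            achieved += q.weight * CREDIT[a.value]
    return round(100.0 * achieved / applicable, 1) if applicable else 100.0


def gaps(questions, answers, criticality):
    """Open risks, highest priority first. A mandatory control claimed as 'yes'
    without evidence stays open as 'unverified' (self-assessment is self-reported)."""
    by_id = {a.qid: a for a in answers}
    found = []
    for q in questions:
        a = by_id.get(q.qid)
        reason = None
        if a is None:
            reason = "unanswered"
        elif a.value in ("no", "partial"):
            reason = a.value
        elif a.value == "yes" and q.weight == 3 and not a.evidence:
            reason = "unverified"
        if reason:
            found.append(Gap(q.qid, reason, q.weight * criticality.value))
    return sorted(found, key=lambda g: (-g.priority, g.qid))


# Constructed sample response from a high-criticality supplier.
SAMPLE_ANSWERS = [
    Answer("ACC-01", "yes", evidence="IdP MFA policy export, March 2021"),
    Answer("ACC-02", "partial"),
    Answer("DAT-01", "yes"),   # mandatory control claimed without evidence
    Answer("DAT-02", "no"),
    Answer("AST-01", "n/a"),   # supplier hosts nothing internet-facing for us
    # PRO-01 deliberately left unanswered
]


def assess(questions=QUESTIONNAIRE, answers=SAMPLE_ANSWERS, criticality=Criticality.HIGH):
    """Validate a response, then return (score_percent, open_risks)."""
    validate_answers(questions, answers)
    return score(questions, answers), gaps(questions, answers, criticality)


if __name__ == "__main__":
    pct, open_risks = assess()
    print(f"score: {pct}%")
    for g in open_risks:
        print(f"{g.qid:7} priority={g.priority} reason={g.reason} status={g.status}")
```

Two design choices worth keeping whatever tool you end up with: "n/a" is excluded from the denominator rather than silently counted as a pass, and a claimed mandatory control with no evidence is an open item, not a green cell. The `Gap.status` field is what you update as you iterate with the supplier, which is exactly the part that gets lost in an email thread.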

Lots of companies manage the above process with a spreadsheet holding their questionnaires and email for sending them out and tracking progress with each supplier. Needless to say, this approach is prone to mistakes, costly in overhead, and difficult to standardise and automate. In the next couple of articles I'll dive deeper into a more standardised process, creating better questionnaires, and following up on open risks. Stay tuned!