Nick Rafferty offers advice on how companies can best manage multiple assessment requests from third-party partners.
With compliance demands becoming ever more stringent and complex, businesses not only need to worry about assessing their third-party suppliers, but also being assessed themselves. If your organization has many partners you share data with, then you never know when that assessment questionnaire or spreadsheet will pop into your inbox, asking complex questions that need to be answered in detail, and to a deadline. These assessments can be an inconvenience and a disruption to your daily work, but they are necessary to ensure compliance and more than likely, to maintain contracts with a partner.
But what makes the process even trickier is the lack of a globally adopted third-party assessment framework. This means that every organization has its own way of assessing its partners, and can ask the same control related question in different ways; they might reword control definitions into questions, or incorporate more than one control definition into a single question, meaning that a different response and associated evidence is required. Worse still, different organizations may ask different questions when assessing against the same regulatory standard; or ask the same question to assess against different regulatory standards. Large organizations in particular, due to the volume of partners they assess, are likely to demand that you follow their practices – making for a complex muddle of questions that you have to navigate and answer as accurately as possible.
Given that some assessments can consist of hundreds of questions, going through every single one can be a major pain. Thankfully, there are a few steps you can take to make the process a little less painful, and to help you build a resource that speeds up responses while improving your own compliance posture.
Response team: assemble
As the number of external assessments from partners is likely to grow, and become more regular, it’s a good idea to have a designated team in place that will be responsible for handling the assessment questionnaires you receive and responding to them. For most third-party assessments it’s unlikely that there will be a single individual who is capable of answering all the questions, and the relevant personnel may well have changed since the last one, so you’ll need representatives from different departments across the business as well as management. Having the right people in your squad will enable you to respond quickly to the assessors’ queries, ensuring that the process goes as quickly and smoothly as possible and that you maintain a good relationship with your partner.
Build up an evidence pool
The best strategy for dealing with regular assessments is to build up a database of compliance evidence that you can call upon every time you’re assessed. Start by identifying the main areas of security that you’re ever going to come across (e.g. policy, disaster recovery, incident management etc.) and adding questions that you’ve faced in the past to each of those categories. You can then attach your responses and accompanying evidence for each of the questions.
By regularly updating this bank of assessment information you will build up a comprehensive repository of evidence that prepares you for even the trickiest third-party assessment and ensures that your business is well placed to meet future compliance challenges. No two assessments are exactly the same, but they are often similar – particularly when they are from the same organization – so having this centralised database will minimise the hassle involved and speed up the process.
Let technology do the work
Many organizations still rely on spreadsheet-based systems for their assessment and compliance processes, but when you’re dealing with multiple third parties who each have their own method of assessing, it is difficult and time-consuming to manage and co-ordinate compliance activity using spreadsheets. Automating the process can take away much of the pain by providing you with a centralised structure that is accessible to everyone involved in the process, as well as automated tasks and workflow to track activity, making it easier to manage version control and quickly access evidence for responses. This saves you time, money and manpower, giving your team greater visibility and control over your compliance activities.
There is no silver bullet solution for completely removing the pain from handling third-party assessments, but by putting the right response team in place, collating evidence and automating compliance processes, you can reduce it to an easier, manageable level, and ensure that your business stays on top of its internal and external compliance requirements.