A large pharmaceutical research & development company used to assess third party vendors with a very manual and tedious process, involving multi-tab spreadsheets that were passed back and forth. When a new program came up where they had to assess 1,000+ third-parties in a year, they chose ThirdPartyTrust to accelerate and scale this process.
This case study describes how we helped meet (and exceed) those needs, helping the company perform 2x vendor risk assessments with the same resources. Below is a recap of our conversation with the Program Manager & Security Consultant for this company, which asked to have their name blinded to protect their confidentiality.
The process that we had was totally manual. There were spreadsheets sent to the supplier, which had to be tracked by remote and local teams, in an extremely manual and tedious way.
There was a program coming up by which we would have to do 1,000 third-party risk assessments in two years, which was way more than we were capable of. So we started looking for a solution that could help accelerate and streamline that evaluation process.
If it worked for that program, we could transition the tool to our day to day manual process for assessing new vendors. [Spoiler alert: it worked!]
Probably 300 a year at most. Our volume was estimated to increase over time because of a greater awareness of the requirement to do evaluations, so we knew that we needed to improve compliance with that requirement. And for that, we needed a scalable third-party risk assessment process.
When the next large project starts, we’ll need to be initiating 60 vendors a month at minimum, so that will essentially double the numbers of evaluations we’re doing each month.
When a business owner wants to engage with a new third party vendor, they have to send the request through ServiceNow (which can be integrated with ThirdPartyTrust via API). A Third Party Security Evaluation Analyst reviews the request and determines if an evaluation is truly required. If it is, they initiate the vendor risk assessment using the connection request functionality of ThirdPartyTrust, that kicks off all the invitation emails and reminders to the supplier.
The supplier needs to register into ThirdPartyTrust and respond to our requirements. Our Subject Matter Experts (SME) then review the answers and mark them as ‘Acceptable’ or ‘Not Acceptable’. For not acceptable cases, a finding is attached and the supplier can let us know when they’re gonna remediate that finding.
The best part is this discussion happens within the tool under the ‘Findings’ tab, and we don’t have to pick up the phone anymore!
Once everything is settled we send a summary report to the person who requested the evaluation to let them know how much risk that supplier would expose our company to.
The communication back & forth about the findings has much improved. We’re looking at documents in the system instead of email threads. We now have the capacity to do many more assessments than we did before, with the same resources.
All our vendors are in one place and we can monitor their progress and apply filters to focus on what we need to be working on.
The next thing we’re going to try on ThirdPartyTrust is the regulatory requirement to re-evaluate third-parties after a certain period.
For new suppliers we have a very high acceptance rate of 90%. They want to do business with us, so they fulfil our requirements.
I think the best part is the innovation of the tool. ThirdPartyTrust is keeping their finger on the pulse of what’s needed by its customers, which is outstanding.
I have a 40-something-year career in IT and I’m in meeting after meeting with suppliers that will just say: “That’s not how the system works”. Whereas the support we get from ThirdPartyTrust for developing our program is just amazing.
The partnership that we have with ThirdPartyTrust is unlike any other that I’ve had as far as understanding and responding to our needs and improving the product. Every vendor will say they’ll be a great partner. But I’m here to tell you this partnership with ThirdPartyTrust has just been above and beyond.
We wouldn’t have succeeded on our previous programs and we wouldn’t have transitioned to using the tool if it hadn’t been for the over and above efforts of the ThirdPartyTrust partnership.
Requesting vendors to complete risk assessments should not be a killer.
Get your free strategy guide and learn how to boost efficiency, transparency, and control over your risk management process and business bottom line.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|