One of the biggest credit unions in Texas, with more than 350,000 members, was looking to replace a manual vendor risk assessment process with a streamlined workflow. Their goal was to comply with regulations around third party risk in the financial services industry while increasing security across their vendor supply chain.
They now enjoy a centralized workflow with customized requirements per type of vendor, and notifications around upcoming due dates for security documentation.
Below is a recap of our conversation with our customer, Manager or Information Security Compliance at this credit union.
We started with third party risk assessments about a year and a half ago, with a manual process that was not very satisfactory. We had to set up a file storage to keep all the documents that vendors sent to us; we had to set up a separate inbox to send and receive emails with security documentation; and we also used that mailbox for the approval process.
Vendors would send their final report to me, I’d approve it and send it to my boss, and he’d approve it. That whole approval process was time consuming and not scalable.
And of course we had no reminders of upcoming tasks or documents about to expire. I guess we could have used the inbox calendar to set up recurring assessments, but all in all it was a very manual process and we really didn’t like it. So that’s what prompted my search.
We looked at 6 different tools, but some were not even in the same game. Companies that score risk based on information they can gather from the internet provide valuable insights, but only when those insights are combined with all the other documents that a vendor supplies.
The process is more or less the same but it now takes way less time. We still go through the process of trying to figure out who we need to contact at the vendor organization, but then I just need to invite them to the platform. Once they submit their documentation, I can complete the assessment in around 24 hours.
Another great benefit is that when business owners come to me saying they need to do a risk assessment, they often only have the Sales person’s name or the Customer Success Manager’s name. If their company is fully engaged in the ThirdPartyTrust platform, the people that have already joined also get notifications when I send stuff to these Sales or Customer Success representatives. I don’t have to hunt for contacts, they automatically get notified. That part has really been simplified for the participating companies and we’ve received really great feedback from vendors who enrolled in the platform.
One more thing worth mentioning is that before, we had to build our own risk assessment table. It took a lot of time to agree on how to set it up, what factors to consider and how much they should weigh. With ThirdPartyTrust, we just did the setup once, spent a couple of hours refining it to suit our business needs, and we were ready to go.
There’s a lot of hours saved, definitely less back and forth via email chasing vendors to complete requirements. With fully participating companies, I only need to wait for them to upload their documents and I can turn the whole thing around in 24 hours.
The ability to customize the tool and adapt it to our use cases. For example, being able to tag a third party vendor as whether it’s cloud based, in-house or hybrid model, so I don’t have to think about what documents I need to ask of them. The tag has an associated template with specific requirements. It’s really just a matter of inviting people to respond to it.
Another thing I find very helpful is the dashboard, which provides a quick glance of different indicators and analysis of our entire vendor population. For audit and reporting purposes, this dashboard and the ability to download data as CSV is a win.
We’re in the financial services industry so we’re very heavily regulated. Third party risk assessments are one of the biggest things they look at, so implementing a tool that allows us to be compliant was a step in the right direction.
Now we need to start analyzing our fourth-parties, as everything is getting so intertwined and information is everywhere now.
After evaluating several tools, we chose ThirdPartyTrust because it had the best balance of functionality and price. It has definitely accelerated our ability to complete risk assessments with the added value of continuous monitoring. Being able to look at the scans from BitSight, RiskRecon, and others and see that nothing drastic has changed for a certain vendor is extra reassurance on the process of checking a vendor’s security posture.
Requesting vendors to complete risk assessments should not be a killer.
Get your free strategy guide and learn how to boost efficiency, transparency, and control over your risk management process and business bottom line.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|