This case study is based on an engagement with one of our customers at a large regulated utility company in the United States. It serves more than 800,000 customers, with power plants that generate electricity using natural gas, coal, wind and solar power. The profiled company asked to have their name blinded to protect their confidentiality.
They have more than 2,000 employees and engage with hundreds of third-parties. They were looking for a tool to automate risk scoring, with the ability to track third-party risks over time and ease of integration with other services via API. They chose ThirdPartyTrust.
The Search for a TPRM Tool
The organization had a manual, time-consuming process for assessing third-parties, that consisted of a 20-page Word document with nearly 150 questions. This required a lot of effort both from the vendor, who had to pass it around to complete it, and from the team that had to chase them via phone or email to get the questions answered.
The main goal was reducing the manual efforts and the back & forth needed to get third-parties to complete the questionnaires. Their business requirements included:
- Obtaining a quantitative approach to third-party risk management
- Evaluating, managing and reevaluating vendors
- Having a risk score process
- The ability to track vendor risks over time
- Visibility over technical and financial risk
- Metrics for vendor evaluations
- API integrations
According to the TPRM team: “ThirdPartyTrust was one of the very first presentations that we saw and the tool really spoke for itself. From that point on, we compared everything to ThirdPartyTrust, and realized none of the other tools offered the same diversity in functionality”.
ThirdPartyTrust’s added value was the fact that it allows to actually track the questionnaires from start to finish, gathering the data, calculating the risk score, and retrieving security ratings from BitSight, RiskRecon, and SecurityScorecard.
The operational improvements
“We’ve turned to the platform to track and monitor third-party risk. The internal client that wants to engage with a new vendor just has to ask for a point of contact and send the connection request, inviting them to the platform so they can enter and submit their security documentation themselves. Involving the internal client has just been fantastic”, a team member commented.
With this new, automated process the team also gained a quantitative approach to third-party risk management (TPRM). Instead of relying on the analyst’s gut feeling, they can now rely on the data (i.e. trust, impact, and risk scoring) to determine whether a third-party is safe to engage with or not.
Customization and Better Communication for the Optimal Experience
Based on the implementation type of any new third-party relationship (on-premises, on vendor premises, cloud, etc.) the team sends a different version of the assessment questionnaire. Through the use of labels, ThirdPartyTrust allows for a stratified approach vs. one-size-fits-all, with the flexibility to assign the appropriate requirements based on the products and services that the third-party is supplying.
The team also highlights how easy it is to report a finding and work on remediation. If an analyst detects an issue, they can start a conversation with the third-party within the same tool, ask for an update and get a response within a few days. Reminders and alerts really help streamline the process and detect red flags on time.
“We recently requested a vendor to complete our questionnaire on ThirdPartyTrust and we had that information turned around in 48 hours, which is really unheard of. It usually took weeks for someone to complete our questionnaire the old way”, shared a team member.
As closing words, the customer stated: “ThirdPartyTrust has been valuable in helping us get a better understanding of how we can try to keep our organization as risk free as possible. It gives us the ability to get a really solid look at a supplier before making the choice of whether to use it or not”.
To learn more about how ThirdPartyTrust can help you streamline your TPRM program, request your free trial now: