Third-Party Risk Management: Collaborating for Results

July 22, 2020 by Matt McKillop

Organizations across many industries seek to leverage the services and partnerships provided by external firms in support of their core business mission, which can present them with a complex set of operational, financial, reputational, and regulatory risks. To identify and mitigate these risks, organizations often establish vendor management or third-party risk management (TPRM) programs that are designed to assess and manage the specific risks within these relationships. Due diligence of the provider is a key component of these programs in order to gain visibility into the provider's controls and evaluate if they are effective in managing risks associated with the service, from cybersecurity, to resiliency, to compliance. However, due diligence remains a complicated process for both consumers and providers of services.

Here are some of the current challenges with due diligence and opportunities to improve the process for all parties involved.

Due Diligence Challenges

Due diligence comes in many forms but is most frequently a questionnaire that is established by the consumer of a service and sent to the provider for response. The questionnaires typically encompass many domains including cybersecurity, resiliency, compliance, and operational controls, and can often run in the hundreds of questions for a provider to review and respond to.

This is where the challenges begin for the providers -- they are often faced with dozens, if not hundreds of questionnaires from their customers, each with different questions in numerous formats, delivered by multiple routes. Providers must establish and staff an internal program to respond to these requests, and given the diversity of questionnaire formats and delivery methods, this becomes a full-time function for several staff to manage. Ultimately, this increases the complexity of client onboarding and increases product costs.

For the consumers of services, the due diligence effort can seem too time consuming. This can frustrate function managers who need provider services to enhance their operations or expand product offerings

Many attempts have been made, with varying levels of success, to establish standard, industry-specific questionnaires, but most of these attempts have never gained the broad acceptance needed to become an agreed upon standard.

Approaches to Standards and Efficiency

The good news is the due diligence process doesn't have to be this complex and burdensome.  There are several steps that can be taken to reduce the challenges.  These include:

  • Collaboration on standard questionnaires is a key element in improving the process. Getting consumers and providers to agree on a common set of control questions that provide the consuming organization with the necessary visibility into controls and the providers a standard set of questions to respond to can provide a win for all.
  • Tailoring the standard questionnaire to focus on the areas related to the service being assessed can reduce the overall number of questions a provider needs to respond to, further reducing the cycle time for due diligence.
  • Leveraging smart technology that supports collaboration by providing capabilities to distribute and collect questionnaire responses, and analysis of the responses that can then be shared with other consumers to provide further efficiencies for all parties.

How We Help

ACA’s vendor management outsourcing service vendor management outsourcing service (VMOS) allows your firm to offload the vendor due diligence and risk assessment process. Our team of experienced information security risk analysts can administer standard due diligence questionnaires (DDQ), analyze DDQ responses, identify vendor risks, and report on results so your company can focus on more strategic tasks.

Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks. Additionally, the ACA VMOS platform now enables vendors to complete due diligence  for a service once and permission the due diligence package to multiple clients, saving the time of having to respond to due diligence from each client. The platform also provides the ability for providers to develop and report on remediation plans for control issues identified during the due diligence process. Providers can develop one remediation plan and share with all clients through the ACA platform.

ACA's TPRM Advisory service provides program design and enhancement services for clients with a focus on developing efficient and effective processes to manage the risk of third-party relationships

For more information, contact or your ACA consultant.

Vendor Management Resources

The following ACA resources are available to help your firm navigate the complexities of vendor risk management:

Contact Us

About the Author

Matt McKillop is a Director at ACA Aponix. Prior to ACA, he served as Senior Vice President, Head of Third Party Risk Management for Citizens Bank. Prior to that, he served as Operational Risk Director for State Street Bank, as a leader in the bank’s third-party risk management program. Matt has been an active collaborator in financial services forums on third-party risk management, including the Risk Management Association and the Bank Policy Institute.