Third-Party Risk Management: DIY? Or Ask an Expert?

December 14, 2018 by Jeff Rowley


Performing third-party risk management (TPRM) on vendors is a complex, high-stakes process. So how do you decide which solution is right for your company?

Managing third-party risk is a continuous process that requires expertise, precision, and transparency. How cost-effective and efficient this process is depends on making a choice between process automation or process outsourcing. Here are 5 key differences between process automation and process outsourcing to help you determine which solution is the right call for your company:

Process Automation vs. Process Outsourcing: What's the Difference?


Automation Drives Efficient Data Collection — But Doesn’t Do The Heavy Lifting

Companies routinely turn to automated software solutions to gather and organize massive amounts of third-party vendor data, largely because many companies assume automation software is the only alternative to doing it all manually and on their own. Companies purchase or subscribe to tools and platforms that manage the preparation and delivery of standardized due-diligence questionnaires (DDQs), and vendors submit their answers electronically via a secure network portal, ensuring the data flows into a central repository controlled by the client. Technology also allows for templated DDQs that can be updated to reflect best practices and regulatory requirements, a benefit that compensates for limitations in in-house expertise and makes the DDQ process more efficient.

While vendor management software is a vast improvement over traditional methods of manually sending and compiling spreadsheets of vendor data, it doesn’t eliminate the demand on your company’s resources to fill in the gaps, connect the dots, and draw actionable conclusions about the levels of risk for each vendor. Automated solutions are not designed to handle this important function – they will often require an internal team to handle the heavy lifting of judging vendor risk.

Process Outsourcing Fills In The Gaps — And Offloads The Resource Burden

This is where process outsourcing presents a more comprehensive solution that eliminates both paperwork and uncertainty. Since TPRM is essentially a process of verifying qualifications and establishing trust between businesses, it requires a significant amount of human hours and expertise in order to analyze and make judgments based on complex, often incomplete information.

Process outsourcing effectively delegates these vital responsibilities to a team of information security risk specialists who are accountable for ensuring the answers are complete, accurate, and accessible. Information security risk specialists manage the entire process (ensuring vendors reply in a timely manner, analyzing DDQ results, reviewing SOC audit reports) and eliminate the learning curve that a software solution can require (how to configure a scoring system, which vendors carry the highest level of operational risk, etc.).

Make The Right Call For Your Company

Deciding how to proceed with TPRM is an important decision that affects your company’s reputation, regulatory compliance, finances, and more. What’s best for one company might not suit another. It’s important to determine what your company needs to perform TPRM effectively and select the right solution accordingly.

How ACA Can Help

ACA’s vendor management outsourcing service (VMOS) provides a combined white-glove service and technology solution that allows your firm to offload the vendor due diligence and risk assessment process. Our team of experienced information security risk analysts can administer due diligence questionnaires (DDQ), analyze DDQ responses, identify vendor risks, and report on results so your company can focus on more strategic tasks. Our tailored DDQs include over 300 questions and are customized for each vendor type to provide an accurate assessment of possible risks. Our service also includes a vendor management platform that allows you to track progress and view findings.

For more information, contact info@acaaponix.com or your ACA consultant.

Vendor Management Resources

The following ACA resources are available to help your firm navigate the complexities of vendor risk management:

About the Author

Jeff Rowley is a Principal Consultant at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Jeff has over twenty years of experience in technology and risk in the financial sector. Most recently, Jeff served as Vice President for Bank of America Merchant Services where he was responsible for designing, implementing, and sustaining OCC compliant third-party programs. Jeff earned his Bachelor of Science from the University of North Texas and has accumulated advanced studies in Accounting and Computer Science from the University of Hartford and Rensselaer Polytechnic Institute, respectively. Jeff is a Certified Third-Party Risk Professional (CTPRP).