Third-Party Monitoring: The 80/20 Rule Wins

Blog post Davide De Micco 2018-11-07

The increased risk of data breaches and growing regulatory pressure have made third-party monitoring a priority for every company. It used to be that only enterprise companies could manage this process. That is no longer an option: even small companies, especially those in sensitive industries like financial services and health care, need to have a minimal third-party monitoring program in place. The problem is a common one in the compliance world: the current platforms and tools are pretty ‘heavy’ and require a great deal of time to evaluate, integrate and implement. The traditional answer was either very manual processes with spreadsheets or heavy GRC platforms which, under the best of circumstances, would take 18 months and hundreds of thousands of dollars to implement. In addition, things change in 18 months, so what was designed 18 months ago may not be applicable to a company’s needs in 3 or 4 years. We believe there is a better way to perform third-party monitoring, with a better ROI than large implementations. We believe that applying the 80/20 rule to implementing a third-party monitoring program is best (as in most of life and business).

Here are some tips for implementing a ‘lite’ but highly effective third-party monitoring program:

  • Create a single directory of all vendors. Pick the most critical ones to focus on. Criticality will obviously depend on things like access to confidential information, level of dependence on the third party or the size of the relationship. It’s important to categorize vendors on attributes like criticality. This way you can apply a different due diligence strategy to each category.
  • Pick a standard questionnaire or assessment template. Do not waste time trying to create your own. There are plenty of very good templates available that cover all the critical areas. The SIG assessment is one such example.
  • Pick a simple platform that lets you automate your end-to-end assessment process, including automated scoring. Automating your assessment/due diligence process eliminates manual, error-prone steps, which ultimately results in time and cost savings. The other advantage of automation is that the evaluation process itself can be automated: responses from the third parties can be assigned to different teams for evaluation, and all follow-ups, documents, and communication with the third party are in one place, making them easier to review.
  • Aggregate all third-party documents in one place. Create a checklist of all documents that you might need on an annual basis. These could be metrics, compliance and security policies, etc. This is particularly important for ongoing monitoring where a full assessment may not be needed.
  • Document and track issues/findings from the evaluation. Capture all important details about an issue: severity, recommendation, status, etc. Collaborate with third parties and request updates from partners on issue remediation.

At CENTRL we have developed a highly scalable platform for automating third-party monitoring and due diligence without making it cumbersome to use. We have designed it with the 80/20 rule in mind. It is lightweight so you can get started quickly and add features and functionality as you grow. We make it easy for you to use but also for your vendors because your success depends on their success.

Read more on vendor monitoring and how CENTRL can improve your third-party monitoring and due diligence.
