Tuesday, June 30, 2020

Risk Remediation and Tracking by ComplyScore: How We Do It?


Risk remediation is a crucial part of the vendor risk assessment cycle. If incorrectly executed, it will dilute and diminish the effort put into the assessment. A detailed and relevant questionnaire and a thoroughly executed assessment are a wonderful precursor to mitigation tracking.
At ComplyScore, we have been performing almost 3,000 assessments annually. Our vast experience providing IT vendor management services, performing assessments across various industries and working with vendors globally has given us a good perspective on how to effectively track risk remediation. I will be sharing my insights and the best practices we have implemented in the following sections.
All clients have different policies and guidelines which must be followed when handling company data. Thus, ComplyScore risk assessments and mitigation tasks vary depending on the client. Slight variations to the assessment don’t change the way one should follow up on a mitigation task. After an assessment is reviewed, a gap report or mitigation plan is sent to either the client or the vendor contact. The amount of time allotted to respond depends on the inherent risk of the vendor, the severity of the gap and the policies of the client. It is always preferable to be able to track mitigation tasks automatically: the more assessments you need to track, the harder it becomes to track them manually.
Working with Vendors for Mitigation
Gaps and mitigation tasks must first be confirmed by the vendors. Allowing the vendor to clarify mitigation tasks is an important step in the process as well, since compensating controls may cancel out a mitigation task. Typically, we give the vendor 2 weeks to do so. We see that 2-3 follow-ups are required before the vendors confirm.
An automated process helps. Before the 2 weeks expire, we send an email stating that the mitigation tasks will be assumed to be accepted if not confirmed within the allocated time. This evokes a quick response: within a week of that email, we see a spike in acceptance or clarification of mitigation tasks. Mitigation tasks that are high risk should be closed quickly. For a tier 2 vendor, ComplyScore sets a due date of 60 days for high-risk findings, while medium-risk findings should be closed out in 90 days and low-risk findings in 120 days.
Tracking all communications in one place is critical. Clarifications, adjustments to impact, or any other aspect of the mitigation task must be captured online. Emails or phone calls do not provide the audit trail that will be required in the future. Also, negotiating the completion date is common. Smaller companies tend to think they are the exception to the rule because they have fewer employees or work from home. Of course, exceptions can be made after reviewing all factors and ensuring that the company data will be protected. We do not expect everyone to have an ISO or SOC 2 Type 2 report like larger companies. Still, controls like multi-factor authentication, which do not depend on the size of your company, can be expected at a minimum.
Periodic communication with the vendor is key. ComplyScore sends out email reminders at the midpoint of the task and close to the completion date. While these reminders are critical, what we have found is that a personal email following up on these reminders, or even a phone call, helps keep the vendors focused on the tasks.
Once the tasks are closed, vendors must upload supporting documents or present the documents in an online meeting. Besides sending automated email reminders, setting up such meetings is also very important. The more human touch there is, the higher the rate of response. While these add extra effort, the return is high.
Overall, I feel that managing mitigations is as critical as conducting assessments, and consistent communication is the key to getting the tasks completed on time and achieving a successful IT vendor risk management outcome. Contact us to learn more about our vendor management solutions.

This blog was originally posted on https://complyscore.com/blog/risk-remediation/

Monday, June 15, 2020

Supply Chain Risk Management


What is SCRM?
Supply Chain Risk Management is “the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.”
Supply Chain Management is an essential part of vendor governance, and involves the entire life cycle from procuring the raw materials required for a product until it reaches the consumer. Supply chain management consists of identifying the vendors involved in producing a finished product and the risk these vendors pose to the entire chain. While sourcing, contract management, and supplier management are some of the critical elements of SCM, in this article I will focus on vendor risk management.
A supplier’s risk to the supply chain cannot be assessed in isolation but needs to be assessed together with cyber, financial, reputational, and legal risks. For example, a supplier with weak cyber operational controls will pose a significant risk to the entire chain. Supplier management needs to be meticulous, thorough, data-driven, and also include a list of backup suppliers to minimize the impact in the event of a disruption.
Today, almost all organizations rely on hundreds if not thousands of suppliers across all areas to function. In many cases, the overwhelming volume of suppliers and the massive load of data associated with them are among the reasons organizations defer starting the supplier management process.
At ComplyScore, as a vendor risk management company, we have helped multiple companies reduce their supplier risk by implementing industry best practices. I have listed a few of them below. 
1. Information – The more information you have, the better!
Have a complete inventory of all the suppliers your organization uses. Do not just focus on your tier 1 suppliers. You need to have details on your tier 2 and 3 suppliers too. Also, have a backup list of suppliers you can use in case of a disruption of service from your current supplier. Not having a list as well as a backup list puts you at a disadvantage from the get-go.
2. Assess the impact of the vendor across multiple areas. These areas are:
  a. Financial impact
What will be the monetary impact on your business if the supplier is unable to deliver for any reason, e.g., bankruptcy?
  b. Operations impact
Will a delay or disruption from a particular vendor affect your production directly or indirectly?
  c. Legal impact
Will there be a legal impact, such as a lawsuit, if the supplier does not comply with regulations, and how large will it be?
  d. Information security impact
Does doing business with a particular supplier put your security posture at risk?
  e. Reputation impact
Will the goodwill and reputation of your organization be impacted by doing business with the supplier?
  f. Assess the sensitivity of the supplier’s failure across internal and external factors:
  • Examples of external factors include:
  1. Liquidity – A highly leveraged supplier will be very sensitive to liquidity
  2. Geographical disruption – Social, political or environmental disturbances
  • Examples of internal factors include:
  1. Compliance culture
  2. Process maturity
Meticulously designed supplier risk assessments are needed to adequately assess the risk and its impact on your organization’s security posture. 
3. Putting it together –
  • Create risk appetite policies 
  • Establish inherent risk scoring of the suppliers 
  • Establish sensitivity of the supplier to external factors which predict the risk of failure  
  • Create a heat map of Likelihood and Impact of failure 
  • Establish mitigation strategies for each quadrant 
4. Monitor the risk
  a. Monitor the supplier’s metrics
  • Establish proxy indicators and metrics. For example, delivery performance is an excellent measure of capacity and process maturity.
  • Correlation between these metrics (additional below) and the supplier risk is critical to managing risk proactively. Continuous monitoring of the vendor will alert you at the very beginning of a disruption.
Having third-party vendor risk management software will help you monitor the risk factors on an on-going basis.
  b. Monitor the external factors
  • Tools like Risk Pulse, Resilience 360 and Stat Weather will help your staff take precautionary actions. Similarly, tools like Geoquant will keep you informed on the political situations around the world. This is particularly helpful as, in today’s world, a single organization runs on materials and help coming from all over the world.
  c. Based on which factors are turning red, activate the mitigation plan. While the overall plan seems broad, creating the quadrants helps focus on areas of high impact and high likelihood. Service providers like ComplyScore will help you put these risks together.
