Unveiling the Power of a Risk Exchange: Streamlining Third-Party Assessments
If you feel overwhelmed by bespoke security questionnaires, you're in good company. Many understand the value of a third-party risk management (TPRM) platform, but the efficiency gains of a risk Exchange might be less evident.
We sat down with David Wilson, Director of Compliance Assurance at ACI Worldwide, to get his perspective. David’s experience, particularly as someone handling assessment requests, provides helpful insight for both those completing and evaluating the questionnaires.
David shares his thoughts on the challenges of legacy, manual systems, how to gain support for using an Exchange, and how to measure success. Listen to his podcast episode now.
The Challenge of Assessment Volume and Redundancy
According to Forrester research, organizations expect to share 41% of critical data with third parties in the next five years. With more data sharing comes more vendor evaluation, but for those tasked with completing the questionnaires, it amounts to an overwhelming amount of work.
Ponemon research shows third parties spend an average of 15,000 hours completing assessments yearly. Most risk questionnaires are lengthy and redundant, resulting in inefficient use of staff time. David estimates 90% of the questions they receive are the same from customer to customer.
The Forrester study showed 50% of organizations believed standardized processes would strengthen their TPRM strategy, and 95% said poor collaboration impeded their efforts. David thought the same thing about the assessment process.
He recalled a collaborative assessment approach from earlier in his career, which allowed multiple customers to assess a third party simultaneously based on an agenda that all external parties had agreed to in advance. “We started to see that there was a lot of advantage in some type of collaboration amongst those customers who were all asking the same thing,” he said.
He began his pursuit of a more collaborative model that would bring efficiencies to his team, and he landed on the CyberGRX Exchange.
How to Gain Support for a Risk Exchange
"Risk exchange" is a powerful concept of sharing information across third-party relationships. But a true risk exchange is more than just collecting and sharing data; it's collecting a standardized set of data to unlock efficiencies for those completing and reviewing the assessments.
The key to introducing a third-party risk Exchange is to focus on ways to save time and reduce friction instead of simply throwing more people, effort, or money at your challenges, advises David.
Focus on Mutually Beneficial Solutions
The inquiring company and the vendor share a similar challenge: Processing assessments promptly—and in a way that doesn't create mountains of extra work.
This is especially important when there’s a never-ending stream of assessment requests going out or coming in. For instance, in ACI’s case, David estimates the company receives about 500 assessment requests each year. And, of course, many companies receive an even larger volume.
Meanwhile, the other side of the table has to process those assessments. Data shows organizations take action on only 8% of the assessments they receive, likely due to the volume.
With an Exchange, both parties benefit.
Because an Exchange is a “complete the assessment once, share many times over” model, the vendor receiving the request can simply share the assessment they’ve already completed. 70% of the time, the customer accepts a CyberGRX assessment.
Similarly, the organization issuing the request can view the vendor’s profile immediately in the Exchange, with no more lengthy wait times for a questionnaire to be returned.
“There is tangible value," David said. "Not just for my team and being able to respond to customers quickly, but also in the TPRM resources.” An Exchange with standardized data makes it easier to share, analyze, and derive conclusions from information.
Fostering Internal Adoption of a Risk Exchange
As David puts it, one of the more common challenges companies face is “socializing the concept” of using a different risk assessment model internally. For people on your team who are already busy juggling a lot of balls, the idea of adding a solution like CyberGRX may sound like just filling out another assessment.
The key to addressing this challenge, he said, is underscoring the near- and long-term benefits, particularly the amount of time and energy the solution saves.
For some companies, such as ACI Worldwide, the impetus to adopt a more advanced TPRM program came from outside the organization. David describes how this played out for his company. “We saw multiple customers asking about CyberGRX, which made that internal call a lot easier," he said.
How to Measure the Success of Your Risk Assurance Program
Measuring the success of your risk assurance program is, in part, quantifying the amount of time you save filling out assessments. Suppose you spend an average of 4 weeks completing each assessment. With your assessment on the CyberGRX Exchange, you can share it in seconds.
80% of CyberGRX customers surveyed said they were spending too much time completing bespoke assessments before discovering CyberGRX. An Exchange creates efficiency and eliminates repetition; your success metric is time savings and the ability to redirect staff resources to other priorities.
Evaluating risk is a time-consuming and inefficient process for everyone involved, including the customer receiving your questionnaire. When assessments take weeks to receive, and the customer has to inquire about the status repeatedly, the relationship starts on a negative footing. With data now available instantaneously, the customer can accelerate purchasing decisions, which is also good for the third party.
A survey of CyberGRX customers shows that 50% of IT organizations were able to reduce time spent on assessment requests, resulting in faster deal flow. In this example, success is measured based on the increased speed of onboarding new partners due to less friction in the process.
Whether you request third-party risk data or provide it, an Exchange makes life easier for your compliance and risk management teams. Those who need risk data can access it, and an Exchange enables vendors to streamline the assessment process, spending a fraction of the time they’d normally invest in filling out questionnaires.