Automating Vendor Risk Assessments – From Data Gathering To AI

December 3rd, 2020 Kimberley Allan Reading Time: 7 minutes
Vendor Risk Assessment

In an environment of increased risk and volatility, organizations are becoming increasingly aware that automation is no longer a “nice to have” for vendor risk management. For most organizations, with more than a few hundred vendors, it is strategically critical. The ability to automate vendor risk assessments is proving particularly valuable during the pandemic as organizations find they have to quickly pivot to new vendors for a variety of reasons, including local lockdowns and disrupted supply chains. Organizations with automated risk assessment processes have been able to onboard new vendors more quickly and efficiently and assess for emerging and changing risks more effectively, while organizations using manual processes like email, spreadsheets, and shared drives often struggled to adapt.

Vendor risk assessments are a critical part of the due diligence stage of onboarding a new vendor. As the number of vendors that an organization works with grows, it often finds that the manual processes associated with gathering, validating, evaluating, and maintaining vendor risk assessment data are resource intensive, error prone, and time consuming. When unexpected events occur, manual processes can break down, the business lacks critical information, and the organization cannot respond with the agility required in a rapidly changing environment. This blog explores why vendor risk assessment automation delivers such value and how vendor risk management teams can take it to the next level with artificial intelligence and machine learning.

How should an organization perform a vendor risk assessment?

About two-thirds of organizations use risk assessments as part of their third-party risk management program, but just 46% of organizations require an initial risk assessment of all their third parties pre-contract, according to Aravo’s 2020 TPRM Benchmarking Survey. Key best practices for the vendor risk assessment process are emerging from within the discipline, although implementation of them varies considerably. Five fundamental best practices are:

  • Maintain a single source for all vendors – Having a single database of all the vendors the organization works with, and the information associated with them, creates a trusted source of data across the entire company. Nearly half of organizations don’t yet have a single inventory of all their third parties.
  • Build a structured approach around assessments – The vendor risk assessment questionnaire should be well-structured and use best-practice question sets. The vendor risk assessment templates should also be relatively stable over time, so that good quality metrics can be built and tracked and trend data accumulated.
  • Learn more from the business about the vendor – Find out about the relationship the vendor will have with the business, such as what the strategic objective of the relationship is, its criticality to the business, the processes it will perform, the IT systems and data involved, and how an issue with the vendor would impact the organization. This will shape an understanding of the risk inherent in the relationship. This in turn will provide data triggers for the scope of the risk assessment(s) required.
  • Select the vendor risk assessments to send – Vendor risk assessments should be conducted at the product and service level. For example, if the vendor relationship involves personal data of customers, assessments that cover data privacy risk, IT risk, and cyber risk should be included. Vendor risk assessments should also cover more holistic risks, such as financial viability.
  • A risk assessment isn’t a ‘one and done’ exercise – The data that is gathered should form the basis of the organization’s vendor ongoing monitoring program. Relationships, business conditions, and risks change and evolve, and changes need to be monitored and assessed. A surprising 83% of organizations are not conducting ongoing monitoring or due diligence on all of their third parties.

Best practices around vendor risk assessments – like those above – can be difficult to implement if the program relies on manual processes. Capturing, processing and analyzing the data involved in these best practices can become cumbersome once programs grow beyond a few dozen vendors and impossible as they grow beyond a few hundred.

Why is automation important for the vendor risk assessment process?

The benefits of automation for vendor risk assessment are considerable, for both the vendor risk management team and for the business. Three core benefits are:

  • Enhanced efficiency – Automating vendor risk assessments through a technology platform completely transforms the manual processes. Time spent on sending, tracking, chasing, and data wrangling is significantly reduced, so that vendor risk management teams can focus their energies on analysis and more strategic outcomes.
  • Increased agility – Technology speeds up the vendor risk assessment process and also makes it easier and faster to share the resulting data. Organizations can determine if the vendor relationship is the right one much quicker and accelerate onboarding processes. This boosts the organization’s agility, potentially increasing operational resilience as well as the ability to capitalize on new opportunities.
  • Improved decision-making – The organization’s executives can have more confidence in the quality of the data they are basing their decisions on when vendor risk assessment data is collected, analyzed and reported through vendor risk assessment software. Data governance is supported, data quality is higher, and the path the data takes is auditable. As a result, business trust in, and use of, risk assessment data will increase.

Automation delivers value for the vendor risk management team, for the business, and for senior management and the board. Stakeholders have the information they need to make decisions with confidence, delivering enhanced business value.

How can automation be applied to vendor risk assessments?

Third-party risk experts don’t need automation to make decisions. In less mature programs they often gather data in spreadsheets and manually review it. However, because of the volume of third-party relationships and associated data, most begin to embrace some stage of automation, which can range from basic to advanced levels of sophistication.

  • Data Gathering – A straight reimplementation of a (usually) spreadsheet-based process, whereby every individual answer on an assessment must be reviewed. This stage can also extend to manual review of collected third-party intelligence data (e.g. negative news). While the data collection process is somewhat automated, what you can do with it is highly manual.
  • Business Rules – By putting in place a robust set of business rules around vendor risk assessments in the software, organizations can eliminate the need for manual intervention at key decision points, saving time and human resources. Rules drive the automation process and are based on static thresholds. For instance, if a third party answers “yes” to the question, “will you be processing PHI as part of your services?”, there is a business rule that triggers a data privacy assessment. Rules work well, but trying to create every rule for every contingency in a complex process can be tedious and error-prone.
  • Analytical Evaluation – A mathematical calculation and evaluation are used to drive automation. For instance, a third party’s answers on an assessment are assigned various percentage weights to arrive at a single score. Based on that score, the system determines that the third party is low risk, approves the third party for onboarding, and triggers the onboarding process. Analytical evaluations can also become highly complex to build manually.
  • Machine Learning – The vendor risk management system learns from the actions taken by expert users and is able to make similar decisions without the need to have an explicitly defined model. For instance, when a third party completes an assessment, the system knows how humans would respond based on an analysis of all of the similar decisions that it has been exposed to. This can speed up the vendor risk assessment process even further and reduce the risks associated with building and maintaining either a regime of business rules or mathematical calculations.

The AI approach a team uses within its vendor risk assessment process will depend on a variety of factors, including the maturity of the program. One ancillary benefit of machine learning is that it can also provide insight into the robustness of your human decision-making processes. If the machine’s level of confidence in its decision is low, this could mean there have been inconsistent decisions made over time by your risk experts, requiring more training or upskilling to course correct.
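To make the three automation levels above concrete, the following is an added example (not Aravo’s code or its question set) of one questionnaire passing through static business rules, a weighted risk score, and a toy “learn from past expert decisions” step. The question ids, weights, tier thresholds, the sample vendor’s answers, and the history of past decisions are all constructed for the example. The nearest-neighbour vote stands in for a real model; its confidence value is the share of similar past cases that agree, so a low value is the “inconsistent expert decisions” signal the paragraph describes and is routed back to a human.

```python
from collections import Counter

# Constructed sample: one completed intake questionnaire for a hypothetical vendor.
SAMPLE_ANSWERS = {
    "processes_phi": "yes",
    "accesses_customer_pii": "yes",
    "soc2_report_available": "no",
    "encrypts_data_at_rest": "yes",
    "mfa_enforced": "no",
    "business_criticality": "high",
}

# Level 2, business rules: static triggers that scope which assessments to send.
# Each rule is (question id, answer that fires it, assessment to add). Assumed rules.
BUSINESS_RULES = [
    ("processes_phi", "yes", "data_privacy"),
    ("accesses_customer_pii", "yes", "data_privacy"),
    ("accesses_customer_pii", "yes", "cyber"),
    ("business_criticality", "high", "financial_viability"),
]

def select_assessments(answers, rules=BUSINESS_RULES):
    """Return the sorted set of assessments whose trigger rule matches an answer."""
    return sorted({assessment for q, value, assessment in rules if answers.get(q) == value})

# Level 3, analytical evaluation: weighted scoring to a single inherent-risk score.
# Weight is the share of the total (weights sum to 1.0); the inner map says how much
# of that weight each answer consumes (1.0 = worst case). Assumed weights.
WEIGHTS = {
    "processes_phi":         (0.25, {"yes": 1.0, "no": 0.0}),
    "accesses_customer_pii": (0.20, {"yes": 1.0, "no": 0.0}),
    "soc2_report_available": (0.20, {"yes": 0.0, "no": 1.0}),
    "encrypts_data_at_rest": (0.15, {"yes": 0.0, "no": 1.0}),
    "mfa_enforced":          (0.10, {"yes": 0.0, "no": 1.0}),
    "business_criticality":  (0.10, {"low": 0.0, "medium": 0.5, "high": 1.0}),
}
QUESTIONS = list(WEIGHTS)

def risk_score(answers, weights=WEIGHTS):
    """Weighted risk score in [0, 100]; a missing or unrecognised answer counts as worst case."""
    total = sum(w * scale.get(answers.get(q), 1.0) for q, (w, scale) in weights.items())
    return round(total * 100, 1)

def risk_tier(score):
    """Map a score to a tier using assumed thresholds."""
    if score < 30:
        return "low"
    if score < 60:
        return "medium"
    return "high"

# Level 4, machine learning (toy): vote among the k most similar past questionnaires,
# measured by the number of differing answers. Constructed decision history.
def _q(*values):
    return dict(zip(QUESTIONS, values))

PAST_DECISIONS = [
    (_q("yes", "yes", "no", "yes", "no", "high"), "escalate"),
    (_q("yes", "yes", "no", "no", "no", "high"), "escalate"),
    (_q("yes", "no", "yes", "yes", "yes", "medium"), "approve"),
    (_q("no", "no", "yes", "yes", "yes", "low"), "approve"),
    (_q("no", "yes", "yes", "yes", "yes", "medium"), "approve"),
    (_q("yes", "yes", "yes", "yes", "no", "high"), "approve"),  # expert disagreed with the first two
]

def distance(a, b):
    """Number of questions on which two questionnaires differ."""
    return sum(a.get(q) != b.get(q) for q in QUESTIONS)

def predict_decision(answers, history=PAST_DECISIONS, k=3):
    """Majority decision of the k nearest past cases and the share of them that agree."""
    nearest = sorted(history, key=lambda item: distance(answers, item[0]))[:k]
    decision, count = Counter(d for _, d in nearest).most_common(1)[0]
    return decision, round(count / len(nearest), 2)

def evaluate_vendor(answers, history=PAST_DECISIONS, min_confidence=0.75):
    """Run all three levels and flag low-confidence predictions for human review."""
    decision, confidence = predict_decision(answers, history)
    score = risk_score(answers)
    return {
        "assessments": select_assessments(answers),
        "score": score,
        "tier": risk_tier(score),
        "predicted_decision": decision,
        "confidence": confidence,
        "needs_human_review": confidence < min_confidence,
    }

if __name__ == "__main__":
    for key, value in evaluate_vendor(SAMPLE_ANSWERS).items():
        print(f"{key}: {value}")
```

For the sample vendor the rules send the data privacy, cyber and financial viability assessments, the weighted score is 85.0 (tier “high”), and the nearest past cases split two to one on “escalate”, so the 0.67 confidence falls below the assumed 0.75 threshold and the record is marked for human review rather than auto-decided. Treating an unanswered question as worst case in `risk_score` is a deliberate choice: an automated pipeline should never let a blank questionnaire score as low risk.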

In conclusion, automating vendor risk assessments through TPRM software can transform the vendor onboarding process, provide the organization with better risk management data to support improved decision-making, and increase the agility of the business. By automating best practices, and applying AI as programs mature, organizations can enable the business to better align vendor relationships with overall strategy, helping it to meet its goals.

Aravo AI

Aravo AI is a configurable natural language processing machine learning platform that is built into the larger Aravo business process automation platform. As an inherent capability of the Aravo Platform, Aravo AI is available across all Aravo implementations, including ready-to-use applications.

Aravo clients can leverage AI for any use case in which users of the platform are making decisions based on review of particular sets of input data. These decisions made over time are used to train the decision engine to advise on or completely automate that decision-making process.

Why Aravo?

In The Forrester Wave for Supplier Risk and Performance Management, Q3 2020, Aravo was recognized as “an SRPM leader thanks to its domain expertise and AI vision.”

The report noted that “Aravo is ahead of its competitors in applying AI to streamline risk assessment and monitoring.”

Aravo customers benefit from a unique combination of 20 years of experience in delivering solutions to the world’s largest brands and developing award-winning technology.

To find out more, download our whitepaper AI for Third-party Risk Management.

Kimberley Allan

Vice President of Marketing at Bidgely

Kimberley is currently the Vice President of Marketing at Bidgely. Prior to this, she served as Chief Marketing Officer at Aravo bringing more than a decade of marketing leadership experience in the GRC space, building brand recognition, thought-leadership, and revenue-accelerating marketing programs.
