I remember when I first understood the impact that the COVID-19 pandemic was going to have on the world of third party risk management. I was at a meeting in Phoenix in early March and a colleague had just finished a quick call from his office. “Well that’s it” he said, “all domestic travel has been cancelled until further notice.” Sitting in a group of third party risk practitioners our thoughts quickly turned to how this decision, and other similar decisions to come, would affect the ability to effectively conduct on-site assessments. At the time we were hopeful that restrictions wouldn’t last too long and that we would soon be able to resume business as usual.
Unfortunately, three months have passed, and we still have no idea when the type of in person activities like on-site assessments will be able to resume. For that to happen people need to be comfortable with travel, service providers need to be comfortable with non-employees in their facilities, and also be able to provide everyone with a safe and virus free workspace. Undoubtedly that day will come, but in the interim how do we continue to assess and manage third party risk?
For many years we have explored ways to reduce the need for and scope of on-site assessments. Improvements in technology have allowed us to do more with web based meetings – reviewing documents and conducting interviews remotely. While these initiatives have been embraced by many, for others its was simply easier to continue to do what they already knew how to do, continue with on-site assessments despite their cost and inefficiency.
The time has now come, or more specifically been thrust upon us, to find a better way to conduct control assessments without physically being on-site at a service provider. Rather than continue to take an ad hoc approach to facilitating document reviews online, we need a structured approach to Virtual Assessments. During this year’s Shared Assessment Summit, we held a breakout session to explore that specific topic. We heard from companies that were already actively conducting virtual assessments and others who had them scheduled or at least planned. Several important points were consistently raised during that session:
- Assessment planning and scoping is more important than ever
- Assessors who conduct assessments virtually (from planning to completion) need much higher level of skill than those sent on-site
- Testing validation and artifact review require special attention and a different approach
- A much higher degree of collaboration between the outsourcer and the service provider needed in all phases of assessment process
Virtual assessments adhere to very much the same process that on-site assessments follow. And, as is the case with on-site reviews, assessment teams should be ready to adapt when unexpected obstacles arise. This elevates the importance of the qualitative dynamics that should be considered in addition to the more tangible components of the virtual assessment. While virtual assessment protocols vary by organizations, they typically include the following activities:
Shared Assessments is stepping forward to establish standards for conducting Virtual Assessments. We are presenting a two-part webinar series in June and July that will outline the steps you need to take to move your on-site assessments into the virtual world. In addition, we are forming a special Working Group within Shared Assessments to develop best practices and practical tips for conducting Virtual Assessments that will leverage the breadth and depth of our members knowledge to set workable standards for this new phase of Third Party Risk Management.