TPRM automation improves vendor assessment process

Snapshot

TPRM automation protects intellectual property by maximizing accuracy and supporting scalability in supplier assessments

Third-party risk management (TPRM) systems are a vital way for organizations to protect themselves from risks introduced in their supply chains through engagements with outside vendors, products, and service providers. As these risks are largely outside an organization’s control, every supplier relationship must be evaluated as a potential attacker entry point.

Seeking to improve its supplier security controls assessments, a global nonprofit organization with a large amount of intellectual property and private donor partnerships enlisted Kalles Group’s help in implementing a new tool with TPRM capabilities. This work involved automating key tasks to scale up assessment throughput and maximize depth of review.


Challenge

Nonprofit status changes the flavor of TPRM requirements and standards

The organization’s status as a nonprofit put it in a unique position with respect to supplier risk. In most other industries, companies focus on protecting real assets and customer data. In this case, however, the focus is on intellectual property and research, particularly within the medical, agricultural, and disease fields. The organization has entities that operate in a 100% software as a service (SaaS) model, which requires multiple supplier and data access considerations.

With this particular lens, the nonprofit’s TPRM tool needed to be sufficiently customizable to properly assess against different standards and regulations based on the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and other industry standards. The ability to map the controls within these standards and regulations to customized questionnaires and process these questionnaires without an increase in staffing was also a key consideration.

Tool migration and process re-engineering required planning, buy-in, and data mapping

Before Kalles Group became involved, the nonprofit had been using a different (and older) Governance, Risk, and Compliance (GRC) system for its supplier risk assessments. This system only allowed basic functionality for storing spreadsheets and recommending assessment questions, and it was not a good fit for the organization’s needs. The information security team struggled to keep up with business owner and partner interactions that had to be performed manually over email or chat, resulting in a slow, expensive, and difficult-to-scale process.

While assisting with a privacy initiative, the team became aware of an alternative tool that allowed for more automation and promised increased ease of use. Kalles Group stepped in to assist with this tool’s design, data input, and implementation. Starting in January 2023, the KG team’s immediate task was to transfer data from the old system to the new one, achieve a certain level of automation (and less reliance on email), and retrain business owners on the processes and tool interfaces. The challenges at this stage included the following:

  • The existing system contained data needing to be retained and normalized for the new system.
  • Multiple systems housed information without a system of record.
  • There was no formal program in place for any of the entities needing supplier assessments, and each entity recorded results differently on their own proprietary assessments.
  • Risk tolerance and appetite were not yet determined (e.g., if a supplier answered “no” to a control, there was no clear way to assess what that meant risk-wise).

Kalles Group’s overarching goal was to establish new processes through cross-collaboration between various teams and use a tool to implement automation in some areas where tasks were previously performed manually. In this manner, the tool would help the information security team scale up their third-party assessment throughput and review suppliers more thoroughly.

Approach

From basic tool implementation to a scaled-up, fully-fledged TPRM function

Kalles Group started by outlining basic, necessary functions within the tool on day one and then implementing it. In this initial phase, the team completed the following actions:

  • Defined roles and permissions within the tool.
  • Identified integration needs with other tools.
  • Normalized and imported supplier data from two existing tools.
  • Defined and created workflows.
  • Built out email templates and configured Simple Mail Transfer Protocol (SMTP) delivery for automated notifications.
  • Uploaded custom assessments into a self-service portal.
  • Created two-step REQUEST (intake) and LAUNCH assessments while business owners were trained on the new tool.
  • Created job aids and communications for new business owners/users and new suppliers.
  • Integrated with a cybersecurity assessment tool.
  • Configured rules for stage advancement in workflows and approvals.

After this phase, the KG team incorporated some additional automation, API customization, and other advanced functionality. Kalles Group initially worked on the supplier assessment system’s automation and maturity for a subset of 120 vendors and brought it to the point where it could grow by about 100 vendors a month. A key component of this work involved mapping out phases into a roadmap and successively ensuring the adoption of each phase while allowing milestones and deliverables to remain somewhat dynamic.

The final stage of this project, which will continue in the coming months, involves developing a full-scale third-party risk management program by means of cross-collaboration with multiple teams, business owners, and suppliers across the organization.

Deepening the supplier review process with a questionnaire that plugs into risk algorithms

One of the nonprofit’s key strengths with respect to third-party risk assessment is the thoroughness of its custom questionnaires. With such a strong focus on intellectual property, the organization depends on highly comprehensive supplier evaluations that leave no room for guesswork. The custom questionnaire is designed to ensure that responders answer all questions with the utmost accuracy and specificity.


Although Kalles Group was not involved in creating the initial questionnaire, the team did provide an unsolicited gap assessment that led to a complete revamping of the original version with a set of questions aligned to NIST CSF and Security Risk Advisors (SRA). Risk algorithms can be directly assigned to each response, letting the system automatically calculate the level of risk presented based on the relationship the organization has with the supplier.
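As an added illustration of the scoring model described above (example code written for this page, not the nonprofit's or the TPRM tool's own implementation): each questionnaire response carries a risk weight tied to a NIST CSF-mapped control, the supplier relationship tier scales that weight, and the total is compared against an explicit risk appetite so that a "no" answer has a defined meaning. The tier names, multipliers, question weights and appetite value are all constructed assumptions.

```python
"""Relationship-weighted scoring of supplier questionnaire responses."""
from dataclasses import dataclass

# Hypothetical relationship tiers: how much of the organization's IP or data
# the supplier touches. A failed control matters more at a higher tier.
TIER_MULTIPLIER = {"public_only": 0.5, "internal": 1.0, "research_ip": 2.0}

# Fraction of a question's weight that counts as risk for each answer.
RESPONSE_RISK = {"yes": 0.0, "partial": 0.5, "no": 1.0}


@dataclass(frozen=True)
class Question:
    qid: str
    csf_function: str  # NIST CSF function the control maps to (ID/PR/DE/RS/RC)
    weight: float      # risk points if the control is entirely absent


# Constructed questionnaire excerpt for the example (not the real questionnaire).
QUESTIONS = [
    Question("Q1", "PR", 10.0),  # e.g. MFA on every account that can reach our data
    Question("Q2", "PR", 8.0),   # e.g. our data encrypted at rest
    Question("Q3", "DE", 6.0),   # e.g. centralized logging and monitoring
    Question("Q4", "RS", 5.0),   # e.g. documented incident notification process
]


def score_supplier(responses, tier, appetite):
    """Return (total risk, per-CSF-function breakdown, unanswered ids, exceeds).

    `responses` maps question id -> "yes" / "partial" / "no" / "na".
    Blank or "na" answers are reported separately instead of being scored
    as zero, so a missing answer is never mistaken for a passing control.
    """
    multiplier = TIER_MULTIPLIER[tier]
    total, by_function, unanswered = 0.0, {}, []
    for q in QUESTIONS:
        answer = responses.get(q.qid, "").strip().lower()
        if answer not in RESPONSE_RISK:
            unanswered.append(q.qid)
            continue
        points = q.weight * RESPONSE_RISK[answer] * multiplier
        total += points
        by_function[q.csf_function] = by_function.get(q.csf_function, 0.0) + points
    return total, by_function, unanswered, total > appetite


if __name__ == "__main__":
    # Constructed sample: one "no", one "partial", one unanswered control.
    sample = {"Q1": "no", "Q2": "yes", "Q3": "partial", "Q4": "na"}
    print(score_supplier(sample, "research_ip", appetite=15.0))
```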

Results

Supplier assessment scalability and automation are a win for the organization

The new TPRM tool is a clear “level-up” for the nonprofit. By automating supplier assessments in a scalable fashion, the information security team can rely on more informative assessments completed over a shorter period of time. The automated workflow and file organization save valuable time for the nonprofit and its assessors.

Kalles Group’s help with implementing and configuring the tool has given the nonprofit peace of mind that the information security team can now track supplier controls and risk compliance against its needs. When activities like sending out, receiving, and scoring questionnaires are automated, the organization simultaneously benefits from more comprehensive supplier evaluation and a scalable process that can be adopted for any assessment that arises, including assessments from regulators.
