A large pharmaceutical research & development company used to assess third-party vendors with a very manual and tedious process, involving multi-tab spreadsheets that were passed back and forth. When a new program came up where they had to assess 1,000+ third parties in a year, they chose ThirdPartyTrust to accelerate and scale this process.
This case study describes how we helped meet (and exceed) those needs, helping the company perform 2x as many vendor risk assessments with the same resources. Below is a recap of our conversation with the Program Manager & Security Consultant for this company, who asked that the company's name be withheld to protect its confidentiality.
The process that we had was totally manual. There were spreadsheets sent to the supplier, which had to be tracked by remote and local teams, in an extremely manual and tedious way.
There was a program coming up by which we would have to do 1,000 third-party risk assessments in two years, which was way more than we were capable of. So we started looking for a solution that could help accelerate and streamline that evaluation process.
If it worked for that program, we could transition the tool to our day to day manual process for assessing new vendors. [Spoiler alert: it worked!]
Probably 300 a year at most. Our volume was estimated to increase over time because of a greater awareness of the requirement to do evaluations, so we knew that we needed to improve compliance with that requirement. And for that, we needed a scalable third-party risk assessment process.
When the next large project starts, we’ll need to be initiating 60 vendors a month at minimum, so that will essentially double the numbers of evaluations we’re doing each month.
When a business owner wants to engage with a new third-party vendor, they have to send the request through ServiceNow (which can be integrated with ThirdPartyTrust via API). A Third Party Security Evaluation Analyst reviews the request and determines if an evaluation is truly required. If it is, they initiate the vendor risk assessment using the connection request functionality of ThirdPartyTrust, which kicks off all the invitation emails and reminders to the supplier.
The supplier needs to register into ThirdPartyTrust and respond to our requirements. Our Subject Matter Experts (SME) then review the answers and mark them as ‘Acceptable’ or ‘Not Acceptable’. For not acceptable cases, a finding is attached and the supplier can let us know when they’re gonna remediate that finding.
The best part is this discussion happens within the tool under the ‘Findings’ tab, and we don’t have to pick up the phone anymore!
Once everything is settled we send a summary report to the person who requested the evaluation to let them know how much risk that supplier would expose our company to.
The communication back & forth about the findings has much improved. We’re looking at documents in the system instead of email threads. We now have the capacity to do many more assessments than we did before, with the same resources.
All our vendors are in one place and we can monitor their progress and apply filters to focus on what we need to be working on.
The next thing we’re going to try on ThirdPartyTrust is the regulatory requirement to re-evaluate third-parties after a certain period.
For new suppliers we have a very high acceptance rate of 90%. They want to do business with us, so they fulfil our requirements.
I think the best part is the innovation of the tool. ThirdPartyTrust is keeping their finger on the pulse of what’s needed by its customers, which is outstanding.
I have a 40-something-year career in IT and I’m in meeting after meeting with suppliers that will just say: “That’s not how the system works”. Whereas the support we get from ThirdPartyTrust for developing our program is just amazing.
The partnership that we have with ThirdPartyTrust is unlike any other that I’ve had as far as understanding and responding to our needs and improving the product. Every vendor will say they’ll be a great partner. But I’m here to tell you this partnership with ThirdPartyTrust has just been above and beyond.
We wouldn’t have succeeded on our previous programs and we wouldn’t have transitioned to using the tool if it hadn’t been for the over and above efforts of the ThirdPartyTrust partnership.