One of the biggest credit unions in Texas, with more than 350,000 members, was looking to replace a manual vendor risk assessment process with a streamlined workflow. Their goal was to comply with regulations around third party risk in the financial services industry while increasing security across their vendor supply chain.
They now enjoy a centralized workflow with customized requirements per type of vendor, and notifications around upcoming due dates for security documentation.
Read our full Credit Union – Financial Services TPRM Case Study to learn how ThirdPartyTrust accelerated their risk assessment process with improved visibility over the vendor ecosystem.
Below is a recap of our conversation with our customer, Manager or Information Security Compliance at this credit union.
Q: Why were you looking for a third-party risk management solution?
We started with third party risk assessments about a year and a half ago, with a manual process that was not very satisfactory. We had to set up a file storage to keep all the documents that vendors sent to us; we had to set up a separate inbox to send and receive emails with security documentation; and we also used that mailbox for the approval process.
Vendors would send their final report to me, I’d approve it and send it to my boss, and he’d approve it. That whole approval process was time consuming and not scalable.
And of course we had no reminders of upcoming tasks or documents about to expire. I guess we could have used the inbox calendar to set up recurring assessments, but all in all it was a very manual process and we really didn’t like it. So that’s what prompted my search.
Q: Can you describe your selection process?
We looked at 6 different tools, but some were not even in the same game. Companies that score risk based on information they can gather from the internet provide valuable insights, but only when those insights are combined with all the other documents that a vendor supplies.
Having that vendor information available through ThirdPartyTrust is a real bonus. I love being able to automate our workflow and conduct the end-to-end risk assessment process, including document repository, follow up with vendors, and reminders – while also having an overview of different scores and data feeds.
Q: How does your process look like now with ThirdPartyTrust?
The process is more or less the same but it now takes way less time. We still go through the process of trying to figure out who we need to contact at the vendor organization, but then I just need to invite them to the platform. Once they submit their documentation, I can complete the assessment in around 24 hours.
Another great benefit is that when business owners come to me saying they need to do a risk assessment, they often only have the Sales person’s name or the Customer Success Manager’s name. If their company is fully engaged in the ThirdPartyTrust platform, the people that have already joined also get notifications when I send stuff to these Sales or Customer Success representatives. I don’t have to hunt for contacts, they automatically get notified. That part has really been simplified for the participating companies and we’ve received really great feedback from vendors who enrolled in the platform.
One more thing worth mentioning is that before, we had to build our own risk assessment table. It took a lot of time to agree on how to set it up, what factors to consider and how much they should weigh. With ThirdPartyTrust, we just did the setup once, spent a couple of hours refining it to suit our business needs, and we were ready to go.
Read More: Building Requirements for a Customized Risk Assessment
Q: What operational improvements have you noticed?
There’s a lot of hours saved, definitely less back and forth via email chasing vendors to complete requirements. With fully participating companies, I only need to wait for them to upload their documents and I can turn the whole thing around in 24 hours.
I can now rely on the system notifications. I love that my connected vendors get reminders when their insurance certificates or SOC 2 reports are about to expire, so I don’t have to chase them. If they’re really committed to doing business with us, they just keep their documents up to date.
Q: What’s your favorite functionality of ThirdPartyTrust?
The ability to customize the tool and adapt it to our use cases. For example, being able to tag a third party vendor as whether it’s cloud based, in-house or hybrid model, so I don’t have to think about what documents I need to ask of them. The tag has an associated template with specific requirements. It’s really just a matter of inviting people to respond to it.
Another thing I find very helpful is the dashboard, which provides a quick glance of different indicators and analysis of our entire vendor population. For audit and reporting purposes, this dashboard and the ability to download data as CSV is a win.
Q: What are your next steps with ThirdPartyTrust and your TPRM program?
We’re in the financial services industry so we’re very heavily regulated. Third party risk assessments are one of the biggest things they look at, so implementing a tool that allows us to be compliant was a step in the right direction.
Read More: The TPRM Use Case for Financial Services Organizations
Now we need to start analyzing our fourth-parties, as everything is getting so intertwined and information is everywhere now.
Q: Why should other organizations choose ThirdPartyTrust?
After evaluating several tools, we chose ThirdPartyTrust because it had the best balance of functionality and price. It has definitely accelerated our ability to complete risk assessments with the added value of continuous monitoring. Being able to look at the scans from BitSight, RiskRecon, and others and see that nothing drastic has changed for a certain vendor is extra reassurance on the process of checking a vendor’s security posture.
Ready to take your TPRM to the next level?
Requesting vendors to complete risk assessments should not be a killer.
Get your free strategy guide and learn how to boost efficiency, transparency, and control over your risk management process and business bottom line.
