Risk Remediation and Tracking by ComplyScore: How We Do It?
RENEE ROBINSON, June 2020
Risk remediation is a crucial part of the vendor risk assessment cycle. If incorrectly executed, it will dilute and diminish the effort put into the assessment. A detailed and relevant questionnaire and a thoroughly executed assessment are a wonderful precursor to mitigation tracking.
At ComplyScore, we have been performing almost 3,000 assessments annually. Our vast experience providing IT vendor management services, performing assessments across various industries and working with vendors globally has given us a good perspective on how to effectively track risk remediation. I will be sharing my insights and the best practices we have implemented in the following sections.
All clients have different policies and guidelines which must be followed when handling company data. Thus, ComplyScore risk assessments and mitigation tasks vary depending on the client. Slight variations to the assessment don’t change the way one should follow up with a mitigation task. After an assessment is reviewed, a gap report or mitigation plan is sent to either the client or vendor contact.
The amount of time allotted to respond depends on the inherent risk of the vendor, the severity of the gap and the policies of the client. It is always preferable to be able to track mitigation tasks automatically, because the more assessments you need to track, the harder manual tracking becomes.
Working with Vendors for Mitigation
Gaps and mitigation tasks must first be confirmed by the vendors. Allowing the vendor to clarify mitigation tasks is an important step in the process as well, since a compensating control may make a mitigation task unnecessary. Typically, we give the vendor 2 weeks to do so. We see that 2-3 follow-ups are required before the vendors confirm.
An automated process helps. Before the 2 weeks expire, we send an email stating that the mitigation tasks will be assumed accepted if not confirmed within the allocated time. This evokes a quick response: within a week of that email, we see a spike in acceptance or clarification of mitigation tasks.
Mitigation tasks that are high risk should be closed quickly. For a tier 2 vendor, ComplyScore provides a due date of 60 days for high-risk findings; medium-risk findings should be closed out in 90 days and low-risk findings in 120 days.
Tracking all communications in one place is critical. Clarifications, adjustments to impact and every other aspect of the mitigation task must be captured online. Emails or phone calls do not provide the audit trail that will be required in the future. Negotiation of the completion date is also common, and it must be recorded in the same place.
Smaller companies tend to think they are the exception to the rule because they have fewer employees or work from home. Of course, exceptions can be made after reviewing all factors and ensuring that the company data will be protected. We do not expect everyone to have an ISO or SOC 2 Type 2 report like larger companies. Still, controls such as multi-factor authentication, which do not depend on the size of your company, can be expected at a minimum.
Periodic communication with the vendor is key. ComplyScore sends out email reminders at the midpoint of the task and close to the completion date. While these reminders are critical, what we have found is that a personal email following up on these emails, or even a phone call, helps keep the vendors focused on the tasks.
Once the tasks are closed, vendors must upload supporting documents or present the documents in an online meeting. Besides sending automated email reminders, setting up such meetings is also very important. The more the human touch, the higher the rate of response. While these add extra effort, the return is high.
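The workflow described above (a 2-week confirmation window with an "assumed accepted" notice, severity-based due dates, reminders at the midpoint and close to completion, negotiated due dates, evidence-gated closure and an online audit trail) can be expressed as a small tracker. The following is an added example written for this article; it is not ComplyScore's own software. It uses the tier 2 due dates quoted above, and it assumes that the remediation clock starts on the day the vendor accepts the task, that the "assumed accepted" notice goes out 3 days before the confirmation window expires, and that the second reminder is sent one week before the due date; none of those three details are stated on the page.

```python
"""Minimal vendor remediation tracker: confirmation window, severity-based due
dates, midpoint / near-due reminders, evidence-gated closure and an audit trail."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple

# Due dates quoted in the article for a tier 2 vendor, in days. Assumption: the
# clock starts on the day the vendor accepts the task (the article does not say).
TIER2_SLA_DAYS = {"high": 60, "medium": 90, "low": 120}
CONFIRMATION_WINDOW = timedelta(days=14)  # vendor has 2 weeks to confirm or clarify
NUDGE_BEFORE_EXPIRY = timedelta(days=3)   # assumption: "assumed accepted" notice 3 days early
NEAR_DUE_REMINDER = timedelta(days=7)     # assumption: second reminder one week before due


class Status(Enum):
    SENT = "sent"          # gap report delivered, awaiting vendor confirmation
    ACCEPTED = "accepted"  # confirmed (or assumed accepted); remediation clock running
    CLOSED = "closed"      # supporting evidence received and recorded


@dataclass
class MitigationTask:
    task_id: str
    severity: str  # "high", "medium" or "low"
    sent_on: date
    status: Status = Status.SENT
    accepted_on: Optional[date] = None
    due_on: Optional[date] = None
    evidence: List[str] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)  # captured online, not in email

    def log(self, on: date, event: str) -> None:
        self.audit_log.append(f"{on.isoformat()} {self.task_id}: {event}")

    def confirmation_deadline(self) -> date:
        return self.sent_on + CONFIRMATION_WINDOW

    def accept(self, on: date, note: str = "confirmed by vendor") -> None:
        if self.status is not Status.SENT:
            raise ValueError(f"{self.task_id} is already {self.status.value}")
        self.status = Status.ACCEPTED
        self.accepted_on = on
        self.due_on = on + timedelta(days=TIER2_SLA_DAYS[self.severity])
        self.log(on, f"accepted ({note}); due {self.due_on.isoformat()}")

    def renegotiate_due_date(self, on: date, new_due: date, reason: str) -> None:
        # Negotiating the completion date is common; the change must leave a trail.
        if self.status is not Status.ACCEPTED:
            raise ValueError("only an accepted task can be rescheduled")
        self.log(on, f"due date moved {self.due_on.isoformat()} -> {new_due.isoformat()}: {reason}")
        self.due_on = new_due

    def reminder_dates(self) -> List[date]:
        """Midpoint of the task and a date close to completion."""
        if self.status is not Status.ACCEPTED:
            return []
        midpoint = self.accepted_on + timedelta(days=(self.due_on - self.accepted_on).days // 2)
        return [midpoint, self.due_on - NEAR_DUE_REMINDER]

    def close(self, on: date, evidence_ref: str) -> None:
        # Closure is gated on supporting documents (uploaded or shown in a meeting).
        if self.status is not Status.ACCEPTED:
            raise ValueError("task must be accepted before it can be closed")
        if not evidence_ref:
            raise ValueError("closure requires a supporting document reference")
        self.evidence.append(evidence_ref)
        self.status = Status.CLOSED
        self.log(on, f"closed with evidence {evidence_ref}")


def daily_actions(tasks: List[MitigationTask], today: date) -> List[Tuple[str, str]]:
    """Automated notices to send today, plus auto-acceptance for silent vendors."""
    actions = []
    for t in tasks:
        if t.status is Status.SENT:
            deadline = t.confirmation_deadline()
            if today == deadline - NUDGE_BEFORE_EXPIRY:
                actions.append((t.task_id, f"notice: assumed accepted if not confirmed by {deadline.isoformat()}"))
            elif today >= deadline:
                t.accept(today, note="assumed accepted, no vendor response")
                actions.append((t.task_id, "auto-accepted; remediation clock started"))
        elif t.status is Status.ACCEPTED:
            if today in t.reminder_dates():
                actions.append((t.task_id, f"reminder: due {t.due_on.isoformat()}"))
            elif today > t.due_on:
                actions.append((t.task_id, "overdue: follow up with a personal email or call"))
    return actions


if __name__ == "__main__":
    # Constructed sample: one high-risk task confirmed by the vendor, one low-risk task ignored.
    tasks = [MitigationTask("VRM-001", "high", date(2020, 6, 1)),
             MitigationTask("VRM-002", "low", date(2020, 6, 1))]
    tasks[0].accept(date(2020, 6, 10))
    for day in (date(2020, 6, 12), date(2020, 6, 15), date(2020, 7, 10), date(2020, 8, 2)):
        for task_id, action in daily_actions(tasks, day):
            print(day, task_id, action)
    for t in tasks:
        print("\n".join(t.audit_log))
```

Running `daily_actions` once a day from a scheduler gives the automated reminders the article describes; the personal follow-ups and evidence meetings remain human steps, but their outcome is still recorded through `close` and `renegotiate_due_date` so the audit trail lives in one place.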
Overall, I feel that managing mitigations is as critical as conducting assessments, and consistent communication is the key to getting the tasks completed on time and achieving a successful IT vendor risk management outcome. Contact us to learn more about our vendor management solutions.