RENEE ROBINSON, June 2020
Risk remediation is a crucial part of the vendor risk assessment cycle. If it is executed poorly, it dilutes and diminishes the effort put into the assessment. A detailed and relevant questionnaire – a thoroughly executed assessment – is the ideal precursor to mitigation tracking.
At ComplyScore, we perform almost 3,000 assessments every year. Our vast experience in providing IT vendor management services and performing assessments across various industries, with vendors around the globe, has given us a good perspective on how to effectively track risk remediation. I will be sharing my insights and the best practices we implement in the following sections.
Every client has different policies and guidelines that must be followed when handling company data. Thus, ComplyScore risk assessments and mitigation tasks vary depending on the client. Slight variations in the assessment should not change how one follows up on a mitigation task. After an assessment is reviewed, a gap report or mitigation plan is sent to either the client or the vendor contact. The time allotted to respond depends on the inherent risk of the vendor, the severity of the gap, and the policies of the client. It is always preferable to be able to track mitigation tasks automatically: the more assessments you need to track, the harder it becomes to handle them manually.
Working with Vendors for Mitigation
Gaps and mitigation tasks must first be confirmed by the vendor. Allowing the vendor to clarify mitigation tasks is also an important step in the process: a vendor may already have a compensating control in place that addresses the gap and makes the proposed task unnecessary. Typically, we give the vendor 2 weeks to do this, and we usually find that 2 or 3 follow-ups are required before the vendor confirms.
An automated process helps. We send an email 2 weeks before the due date stating that the mitigation tasks will be assumed to be accepted if they are not confirmed within the allocated time. This prompts a quick response: within a week of that email, we see a spike in acceptance or clarification of mitigation tasks. High-risk mitigation tasks should be closed quickly. For a Tier 2 vendor, ComplyScore sets a due date of 60 days for high-risk findings; medium-risk findings should be closed out in 90 days and low-risk issues in 120 days.
Tracking all communications in one place is critical. Clarifications, adjustments to impact, and any other change to a mitigation task must be captured online. Emails and phone calls do not provide an audit trail if one is required in the future. Negotiating the completion date is also common. Smaller companies tend to think they are the exception to the rule because they have fewer employees or they work from home. Of course, exceptions can be made after reviewing all factors and ensuring that the company data will be protected. We do not expect everyone to have the ISO certification or SOC 2 Type 2 report common in larger companies. Still, controls like multi-factor authentication, which do not depend on the size of a company, are a minimum expectation.
Periodic communication with the vendor is key. ComplyScore sends out email reminders at the midpoint of the task and again near the completion date. While these reminders are critical, we have found that a personal email following up on them, or even a phone call, helps to keep the vendors focused on the tasks.
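The tracking rules described above (a 2-week confirmation window, severity-based due dates for a Tier 2 vendor, an "assumed accepted" notice 2 weeks before the due date, reminders at the midpoint and near the due date, and an online event log rather than email as the audit trail) can be expressed as a small scheduler. The following is an added example written for this page, not ComplyScore's own code. The Tier 2 due dates come from the text; the 7-day lead for the "near completion" reminder, the "assumed accepted" status once the confirmation window lapses, and the sample finding are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Tier 2 due dates as stated in the post. Other tiers are not on the page; a real
# tracker would load per-client, per-tier policy instead of hard-coding this.
REMEDIATION_DAYS = {"high": 60, "medium": 90, "low": 120}
CONFIRMATION_WINDOW = timedelta(days=14)  # vendor has 2 weeks to confirm or clarify
FINAL_NOTICE_LEAD = timedelta(days=14)    # "assumed accepted" email, 2 weeks before due
NEAR_DUE_LEAD = timedelta(days=7)         # assumption: "near the completion date" = 7 days


@dataclass
class Event:
    when: date
    actor: str
    note: str


@dataclass
class MitigationTask:
    finding: str
    severity: str
    issued: date
    confirmed_on: Optional[date] = None
    closed_on: Optional[date] = None
    evidence: list[str] = field(default_factory=list)
    events: list[Event] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.severity not in REMEDIATION_DAYS:
            raise ValueError(f"unknown severity {self.severity!r}")
        self.log(self.issued, "assessor", f"gap report issued, due {self.due}")

    @property
    def due(self) -> date:
        return self.issued + timedelta(days=REMEDIATION_DAYS[self.severity])

    @property
    def confirmation_deadline(self) -> date:
        return self.issued + CONFIRMATION_WINDOW

    @property
    def midpoint(self) -> date:
        return self.issued + (self.due - self.issued) // 2

    def log(self, when: date, actor: str, note: str) -> None:
        """Every clarification, date change or closure lands here, not in email."""
        self.events.append(Event(when, actor, note))

    def confirm(self, when: date, note: str = "accepted") -> None:
        self.confirmed_on = when
        self.log(when, "vendor", f"confirmed: {note}")

    def close(self, when: date, evidence: list[str]) -> None:
        """Closure needs supporting documents; an empty evidence list is rejected."""
        if not evidence:
            raise ValueError("cannot close without supporting evidence")
        self.evidence.extend(evidence)
        self.closed_on = when
        self.log(when, "assessor", "closed with evidence " + ", ".join(evidence))

    def status(self, today: date) -> str:
        if self.closed_on is not None:
            return "closed"
        if today > self.due:
            return "overdue"
        if self.confirmed_on is None:
            # Assumption: an unanswered task proceeds as accepted once the window lapses.
            if today <= self.confirmation_deadline:
                return "awaiting confirmation"
            return "assumed accepted"
        return "in progress"

    def reminders(self, today: date) -> list[str]:
        """Which automated emails fire today for this task."""
        if self.closed_on is not None:
            return []
        out: list[str] = []
        if today == self.due - FINAL_NOTICE_LEAD and self.confirmed_on is None:
            out.append("final notice: task assumed accepted if not confirmed")
        if today == self.midpoint:
            out.append("midpoint reminder")
        if today == self.due - NEAR_DUE_LEAD:
            out.append("near-due reminder")
        if today > self.due:
            out.append("overdue escalation")
        return out


if __name__ == "__main__":
    # Constructed sample finding for a Tier 2 vendor, issued 1 June 2020.
    task = MitigationTask("No MFA on vendor admin portal", "high", date(2020, 6, 1))
    task.confirm(date(2020, 6, 8), "MFA rollout scheduled")
    for day in (date(2020, 7, 1), date(2020, 7, 24), date(2020, 8, 1)):
        print(day, task.status(day), task.reminders(day))
```

Running the scheduler once a day over every open task and emailing whatever `reminders()` returns gives the automated follow-up described above; the `events` list is the audit trail that emails and phone calls cannot provide, and `close()` refuses to mark a task done without the supporting documents the vendor is expected to upload.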
To close a task, vendors must upload supporting documents or present them in an online meeting. Besides sending automated email reminders, setting up such meetings is also very important: the more human touch is included, the higher the rate of response. While this does require extra effort, the return is high.
Overall, I feel that managing mitigations is as critical as conducting assessments, and that consistent communication is the key to getting tasks completed on time and achieving a successful IT vendor risk management outcome. Contact us to learn more about our vendor management solutions.