Using Peer Collaboration to Manage Supply Chain Risk

Posted on by RSAC Contributor

Peer-2-Peer sessions give RSAC attendees the opportunity to dig deeply into a single topic area with a group of like-minded peers. Robin Slade, of Shared Assessments, facilitated a P2P discussion on peer collaboration for risk management at RSA Conference 2015 in San Francisco. In this post, Slade continues the discussion from that session.

Professionals in finance/banking, healthcare, insurance, and retail discussed an innovative approach at RSA Conference 2015: Can Peer Collaboration Be Our Next Best Practice for Risk Management? The discussion focused on using peer collaboration to perform assessments of third parties that deliver common shared services.

Today’s companies are outsourcing more critical functions as part of their business operations in an increasingly complex environment. Every member of the supply chain must be evaluated to ensure it is properly protecting systems and data. Hackers specifically target third parties as a way to reach outsourcers’ data, which further emphasizes the need for rigorous information security and risk management programs.

The service provider control evaluation process has long been inefficient and costly. The verification performed during the onsite assessment is a necessary component to ensure that sufficient third party controls are in place, but today this process is time and resource intensive, inefficient and a burden on both the outsourcer and the service provider.

Many organizations share the same vendors for the same common services, yet each has historically conducted its own costly and time-consuming independent assessment of those service providers’ risk control environment. Until now…

The Collaborative Onsite Assessment Program

To help companies use peer collaboration to better manage vendor risk, we recently introduced the Collaborative Onsite Assessment program, leveraging the Shared Assessments Agreed Upon Procedures (AUP), the standardized testing procedures of the Shared Assessments Program, as the common onsite assessment vehicle. During a two-year pilot process, the AUP was augmented to ensure the existing procedures covered 100% of the control requirements of the participating outsourcers, who were top tier financial institutions. The “Superset” AUP that resulted was then leveraged by multiple financial institutions to perform a shared onsite assessment of key service providers: one assessment of a single service provider on behalf of multiple financial institutions, creating efficiencies and cost savings for all parties. Through this pilot process, the Collaborative Onsite Program built a stronger third party risk management capability without diminishing the ability to manage the service provider relationship. As the Collaborative Onsite Assessment Program is being rolled out to financial services, additional pilots are planned cross-industry.

This powerful new collaborative assessment tool has the ability to provide long-term cost savings and FTE efficiencies for both service providers and financial institutions. By limiting site visit and annual review man-hours, both sets of organizations will be able to spend less on assessments and more on maturing their risk management programs. In addition, the service provider has found that the collaborative onsite assessment created a closer relationship with its clients.

Shared Assessments is a member-driven organization of industry, service providers, assessment firms and software providers who understand that third party risk management is not a competitive issue. These organizations understand the value of working collaboratively to develop best practices, processes and robust third party risk management tools. Using peer collaboration can be a cost-effective and efficient way to manage third party risk, strengthen vendor relationships, and protect an organization’s most critical assets.

For more information about the Collaborative Onsite Assessment program, please read the Collaborative Onsite Assessment case study, and visit the Shared Assessments website.

RSAC Contributor, RSA Conference

Topics: cloud security, security operations
