At least two participants at Michael Rasmussen’s Third Party GRC Management by Design Workshop in London (hosted by Aravo) felt the impact of the coronavirus first-hand. During the session, they received an urgent question from their CEO: what are our third parties’ preparedness plans for dealing with the spread of the virus?
Because it’s unlikely that any of their third parties were asked this question as part of their onboarding and due diligence, there was a flurry of activity going on at their organization, which had them checking messages throughout the day. We can assume they had a lot of questions to answer. Who did they need to contact? How were they going to be contacted? Who was going to track those responses? Using what tool(s)? What would be done with the data once it was collected?
According to a survey conducted by Aravo and CeFPro, about 40% of organizations don’t have a centralized repository for data about their third parties, and about half are still managing third party data using spreadsheets and emails. The workshop attendees above have multiple systems in which they manage third-party risk data. An organization relying on manual processes or disconnected information silos might have difficulty identifying all of their critical third parties and the key contacts in a timely manner, not to mention the difficulty of finding all of those contacts.
Then there’s the challenge of collecting and reporting on their responses, making that data part of the third-party record, and analyzing the potential impact on the organization. A free survey software would be useful in gathering responses, but it would exist outside of other systems used to manage third-party relationship data. How would those responses, even downloaded to a spreadsheet, be analyzed alongside other important factors, such as criticality? How could you ensure that the process had the right level of oversight and auditing?
Recognizing the need to quickly launch ad hoc questionnaires to gather, score, and analyze data that complements standardized, repeatable risk assessment surveys, Aravo introduced this functionality into its platform last year. With no configuration training, authorized users can build questionnaires using an intuitive Questionnaire Builder or upload a spreadsheet and send them to contacts stored in Aravo’s centralized repository of data about third parties.
If an organization using Aravo were to encounter this same requirement from their CEO, they could respond quickly, and the responses – including any attachments – would be part of the auditable record of the overall third-party portfolio and the individual organizations. If some remediation was needed, the organization could leverage an Aravo workflow capabilities to manage issues and corrective actions.
Even if coronavirus cases begin to decrease, this information would be available in the event of a pandemic, which some experts say is likely. And this is just one use case for Aravo Questionnaires, which could also be used for performance management, RFPs/RFIs/sourcing, and collecting any kind of third-party feedback.
Third-party risk management professionals have to be ready to respond to unexpected challenges from pandemics to regulatory change to things we haven’t even thought of yet. To do that successfully requires a flexible third-party risk management tool with the robust functionality to help you respond to unique and unexpected situations.
Share with Your Friends:
