AUTOMATED INTEGRATIONS FOR THIRD-PARTY RISK MANAGEMENT
Extending the Value and Power of Your Platform

PROCESSUNITY WHITE PAPER

AUTOMATED INTEGRATIONS FOR THIRD-PARTY RISK …

  • Upload
    others

  • View
    4

  • Download
    0

Embed Size (px)

Citation preview

Page 1: AUTOMATED INTEGRATIONS FOR THIRD-PARTY RISK …

AUTOMATED INTEGRATIONS FOR THIRD-PARTY RISK MANAGEMENTExtending the Value and Power of Your Platform

PROCESSUNITY WHITE PAPER

Page 2: AUTOMATED INTEGRATIONS FOR THIRD-PARTY RISK …

AUTOMATED INTEGRATIONS FOR THIRD-PARTY RISK MANAGEMENT

As a standalone solution, your third-party risk management technology delivers immense value: it centralizes multiple processes and data sources into one manageable platform and applies automation to standardize workflows and reduce or eliminate redundant manual processes.

Yet our third-party relationships do not exist in isolation, but within the much larger context of overall business processes including operations, financial accountability and regulatory compliance, among others. Integrating your third-party risk platform with other systems, including internal applications and external content sources, allows you to augment your risk management process with richer data, reduce or eliminate redundant data inputs, and extend the reach of your risk management process into more areas of your organization.

Integration with existing internal systems, such as ERP systems and Governance, Risk & Compliance (GRC) platforms, enables you to:

• Create seamless vetting activities within your procurement and contract processes

• Enable multiple functional areas of your business to collaborate during the third-party onboarding process

• Eliminate data silos and create centralized data sources that can be managed more effectively

• Incorporate risk management into every relevant area of your business

EXPAND YOUR REACH WITHOUT INCREASING YOUR WORK

Integrating external content sources and/or aggregators into your risk management platform helps you:

• Obtain objective, third-party validation of your security, financial and/or reputational information/assessments

• Supplement your own data with deeper content available from external authorities and subject matter experts

• Accelerate the gathering of IT security, financial and reputational risk data without manual “hunting and pecking”

• Sustain ongoing monitoring of your third parties between your own internal assessments

• Identify weak or incomplete areas of your monitoring that require modification or attention

• Reinforce the credibility of your assessments with internal auditors and external regulators

Integration with data manipulation applications for analytics and reporting enables you to:

• Conduct complex analyses of third-party risk data

• Produce sophisticated reports with that data

In the remaining pages of Automated Integrations, we’ll offer a review of the integration basics leading to one simple and welcome conclusion: your third-party risk management platform can connect to anything you want or need, multiplying the value of your platform investment.


Integration with Your Existing Internal Systems

Most third-party risk management solutions are deployed within a larger structure of enterprise-wide systems that include, but are not limited to:

• ERP Systems and other systems for managing human resources, supply chains and procurement, such as Oracle ERP, Oracle EBS, Ariba, PeopleSoft, SAP, and Workday

• Contract Management Systems, such as Novatus, that author and track third-party commitments across the enterprise

• GRC Platforms, such as Archer and ServiceNow, to manage risk and compliance efforts and collect evidence that demonstrates conformance with regulations such as PCI and Sarbanes-Oxley

• CRM and related solutions to manage client relationships such as Salesforce and OracleCRM

By design, these existing systems have been implemented in ways consistent with each user organization’s goals and processes. Because each implementation is different, there is no “one size fits all” integration path. Your implementation dictates the nature of your integration: where and how you wish to connect to the various points in the third-party management lifecycle.

Where to Connect

Just as there are multiple stages in the third-party lifecycle – from initial query through termination – there are different points of contact within your existing systems to manage each stage. Your internal teams need to simultaneously review both your third-party management policies/processes and your enterprise systems to determine where you should make connections that would enable the exchange of relevant third-party data. These lifecycle touchpoints include:

• Requests: how your lines of business initiate requests for new third-parties

• RFX: how your organization assembles and distributes RFPs and RFIs among potential new third-parties

• Due diligence: the vetting of a short-list of candidates through established review and verification procedures

• Contract integration: incorporating contract creation, management, archiving, and reviews within the third-party management process

• Post-onboarding: ongoing third-party management that includes periodic assessments, performance reviews, SLA monitoring and issue management

How to Connect

You also have multiple options for fulfilling the integrations themselves, allowing you to arrive at a balance between functionality and investment consistent with your needs.

Manual Integration
Manual integrations are a great way to get started with non-real-time data integration and give organizations the ability to “test-drive” their requirements before investing in IT resources to establish deeper hooks between systems. Defining simple import/export templates that can be run through a user interface on a weekly, monthly or quarterly basis can sometimes be the path of least investment with high yield.

Batch Mode
As manual integration matures and the hands-on approach is phased out, automated periodic data transfers – e.g., weekly or by quarter – move the data you need in a cost-effective way.

Web Services
Web Services APIs allow customer IT organizations to programmatically design an integration workflow to push and/or pull data to/from their third-party risk platform with ease. If extensive automation and widespread access to real-time data is crucial, web-services integrations can deliver the customizations necessary to fulfill your ambitions.

Regardless of the options you choose, data mapping and/or APIs can make integrations effective. But fundamentally, you must make the crucial judgment calls regarding outcomes and investment that will help you determine the most appropriate integration choice.
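The batch-mode path above rests on two things the paper mentions only in passing: a field mapping between the source system and the platform, and a transfer that is safe to repeat on a schedule. The following Python is an added illustration, not ProcessUnity code. The ERP column names, the FIELD_MAP template, the VendorRecord schema and every sample row are constructed for this example; the point it shows is that a periodic import should validate each row, reject bad rows visibly rather than drop them, and produce the same result when the same file is loaded twice.

```python
"""Batch-mode integration: map an ERP vendor export onto a risk-platform
vendor record, validate each row, and build an idempotent upsert plan.

Added illustration, not ProcessUnity code. FIELD_MAP, VendorRecord, the
CSV column names and every sample row are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass

# Hypothetical mapping template: ERP export column -> platform field.
# This is the "simple import/export template" the paper describes.
FIELD_MAP = {
    "VENDOR_ID": "vendor_id",
    "VENDOR_NAME": "name",
    "COUNTRY": "country",
    "SPEND_USD": "annual_spend",
    "DATA_ACCESS": "handles_sensitive_data",
}


@dataclass
class VendorRecord:
    """Constructed platform-side schema for a third party."""
    vendor_id: str
    name: str
    country: str
    annual_spend: float
    handles_sensitive_data: bool


def map_row(row):
    """Translate one ERP row into a VendorRecord; raise ValueError on bad data."""
    mapped = {FIELD_MAP[col]: (val or "").strip()
              for col, val in row.items() if col in FIELD_MAP}
    missing = [f for f in ("vendor_id", "name") if not mapped.get(f)]
    if missing:
        raise ValueError("missing required field(s): " + ", ".join(missing))
    try:
        spend = float(mapped.get("annual_spend") or 0)
    except ValueError:
        raise ValueError("annual_spend is not numeric: %r" % mapped["annual_spend"])
    return VendorRecord(
        vendor_id=mapped["vendor_id"],
        name=mapped["name"],
        country=mapped.get("country", ""),
        annual_spend=spend,
        handles_sensitive_data=mapped.get("handles_sensitive_data", "").upper()
        in ("Y", "YES", "TRUE"),
    )


def plan_batch(csv_text, existing):
    """Return (creates, updates, rejects) for one batch run.

    `existing` maps vendor_id -> VendorRecord already in the platform.
    Re-running the same file yields no creates or updates, which is what
    makes a scheduled (weekly/quarterly) transfer safe to repeat.
    """
    creates, updates, rejects = [], [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        try:
            rec = map_row(row)
        except ValueError as err:
            rejects.append((line_no, str(err)))        # never silently drop a row
            continue
        current = existing.get(rec.vendor_id)
        if current is None:
            creates.append(rec)
        elif current != rec:
            updates.append(rec)
    return creates, updates, rejects


# Constructed sample export and constructed platform state.
SAMPLE_CSV = "\n".join([
    "VENDOR_ID,VENDOR_NAME,COUNTRY,SPEND_USD,DATA_ACCESS",
    "V-1001,Acme Cleaning,US,12000,N",      # unchanged
    "V-1002,PayCore Ltd,GB,250000,Y",       # new
    "V-1003,,DE,5000,N",                    # missing name -> rejected
    "V-1004,DataVault Inc,US,90000,Y",      # spend changed -> update
])
EXISTING = {
    "V-1001": VendorRecord("V-1001", "Acme Cleaning", "US", 12000.0, False),
    "V-1004": VendorRecord("V-1004", "DataVault Inc", "US", 80000.0, True),
}

if __name__ == "__main__":
    creates, updates, rejects = plan_batch(SAMPLE_CSV, EXISTING)
    print("create:", [r.vendor_id for r in creates])
    print("update:", [r.vendor_id for r in updates])
    print("reject:", rejects)
```

The reject list carries the source line number so the owner of the ERP export can fix the record at its origin instead of the platform silently carrying a partial vendor; the same applies whether the file is uploaded by hand (manual integration) or moved by a scheduler (batch mode).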

Integration with External Data Providers

By incorporating external data sources and providers into a third-party risk management platform you gain deep expertise – in security, financial status, and potential risk profiles – without expanding your own resources. Pre-built connectors and APIs make integration easy, helping you reinforce your program with intelligence gathered from credible and experienced experts. The following section offers an at-a-glance review of some of the most popular external data use cases.

Assessment Process

Instead of building your own assessment instruments from scratch, you can use pre-built questionnaires that can be tailored to your requirements. Given their ubiquity, many of your third parties will have already completed these surveys, reducing their compliance burden and accelerating your assessment efforts. Available options include:

Shared Assessments
A member-driven body, Shared Assessments offers what have become industry-wide standards for creating third-party onboarding surveys and other evaluation instruments. Its most popular tools include:

• SIG (Standard Information Gathering): a comprehensive questionnaire of ~1,695 questions covering security, privacy, and business resiliency

• SIG Core: provides a deeper level of understanding of how a service provider secures information and services, and is meant to meet the needs of almost all assessments, based on industry standards; ~900 questions

• SIG Lite: a shorter version of the above with ~141 questions

• AUP (Agreed Upon Procedures): content with ~100 controls

• VRMM (Vendor Risk Management Maturity Model): ~100 questions

Many organizations use a version of the SIG augmented by questions tailored to their organization’s specific needs or industry requirements.

Security Risk Review

You can supplement your IT security risk assessments with ratings and rankings from external content providers who specialize in security reviews. Available options include:

BitSight
Through nonintrusive scanning of the third party’s perimeter, BitSight investigates 21 different vectors of security risk for you. BitSight’s Security Rating Platform analyzes the third party’s cybersecurity posture – defenses in place, potential vulnerabilities – to arrive at a quantified score between 250 and 900.


SecurityScorecard
SecurityScorecard offers an IT security risk score and an overall cybersecurity health rating across the following domains: Application Security, DNS Health, IT Reputation, Network Security, Endpoint Security, Cubit Score, Hacker Sites, Password Exposure, Patching Cadence, and Social Engineering.

Financial Risk Review

A variety of content providers offer objective assessments of third-party financial health/status you can incorporate into your due diligence process. Available options include:

RapidRatings
RapidRatings provides empirical, objective ratings (uninfluenced by company bias) for both private- and public-sector organizations. Through advanced analytics and proprietary algorithms, it produces two key measures of a company’s financial health:

• Financial Health Rating: Indicates likelihood of default in next 12 months

• Core Health Score: Reflects operational efficiency and long-term sustainability

Dun & Bradstreet
ProcessUnity can integrate with four key scores available from Dun & Bradstreet’s Direct 2.0 content feed:

• SSI Score: Supplier Stability Indicator, representing the probability that a supplier will experience significant financial stress over the next 90 days

• SER Score: Supplier Evaluation Risk Rating, predicting the likelihood that a company will obtain legal relief from creditors or cease operations without paying creditors in full over the next 12 months

• Insolvency Score (also known as the “Failure Score”): a predictive indicator of business insolvency

• Rating Score/PAYDEX: a dollar-weighted numerical score that reflects a company’s payment performance as reported to D&B

Integrating SecurityScorecard with ProcessUnity’s Vendor Cloud provides a single, comprehensive view of relevant IT security information to significantly enhance your assessment process.


Integration with Data Manipulation, Analysis and Reporting Applications

Connectors allow you to import/export data into a variety of applications for offline data analytics and reporting. Available options include:

Microsoft Word
For “pixel-perfect”, professionally formatted reports

Microsoft Excel
Provides data manipulation and analytics capabilities

Tableau*
Advanced analytics through custom dashboards with drill-down capabilities

*Tableau requires a data warehouse, which can be an existing in-house solution or an analytics database constructed for this purpose.

Reputation and Identity Risk Reviews

External partners can provide compliance-mandated checks on a potential third party’s identity, reputation, watch list status, and potential negative-news liabilities. Available options include:

Thomson Reuters World-Check
A highly structured database of intelligence on heightened-risk individuals and organizations, Thomson Reuters World-Check does not produce a score, but surfaces crucial information that supports “Know Your Customer” and third-party risk compliance processes, including:

• Politically-exposed persons (PEP) and entities monitoring

• Sanctions screening/terrorist watch lists

• AML/CFT (Anti-Money Laundering, Combatting the Financing of Terrorism)

• Anti-bribery and anti-corruption

NominoData
NominoData offers a reputational risk and compliance search engine, OneClickCOMPLIANCE, that gathers intelligence across a variety of sanctions and watch lists, negative news, PEPs, enforcement actions, WikiLeaks and more.

Embedded External Content

Some public content providers allow users to pull their data feeds into private platforms. While this data cannot typically be incorporated into your risk scoring and calculation engines, it can be embedded within your third parties’ profiles through a simple, parameter-driven URL link. Available options include:

Morningstar
An investment research offering that includes mutual fund, ETF, and stock analysis, ratings, data, and portfolio tools

Yahoo Finance
Financial news, data and commentary including stock quotes, press releases, financial reports, and original content

ProcessUnity integrated with Thomson Reuters World-Check enables users to gain a deep understanding of individual and organizational risks to greatly influence your “Know Your Customer” and third-party risk processes.


Best Practices for Integration

With even a cursory review of the available sources, it’s clear that there is no shortage of good data a company can use within its third-party risk management program.

But realizing the value of the data depends on what you do with it. We recommend that organizations consider the following principles:

Determine Your Need

More is not necessarily better. A greater volume of data might offer greater insight (or comfort), but it may make due diligence unnecessarily complex. As a rule of thumb, we suggest: the greater your risk exposure, the more data you need.

For example, if you represent a non-financial institution involved in low-risk work, you may only need enough third-party data to confirm their identities, ensuring they are who they say they are. But if you’re a financial institution that routinely handles sensitive data, you need evidence of third-party controls for security, data encryption, reputational risk, and more.

Automation is Key

Your goal is to reduce the manual effort necessary for due diligence. That’s why mere access to information is insufficient; for the data to be of productive and efficient use, it must be automatically integrated into the workflows and systems you regularly use to manage and monitor risk.

Set Thresholds Matched to Risk Appetite

Not all third parties, in all contexts, need the same level of attention. Some data sources used to investigate third parties, such as those tapped for reputational risk assessment, are known to produce elevated levels of false positives that may require further investigation on your part. To reduce your own work burden, set thresholds based on your risk appetite; results that fall beneath the threshold may remain unexplored, allowing you to focus on the third parties whose scores meet or exceed your tolerance levels.
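The two principles above, matching the amount of data to inherent risk and setting thresholds to your risk appetite, are easiest to see as a triage rule run over a batch of external signals. The following Python is an added example, not ProcessUnity code. The tiers, the threshold values, the 0-100 financial-health scale and the sample vendors are all constructed; only the 250-900 security-rating range comes from the paper. It also goes slightly beyond the text in treating a missing required signal as a finding in its own right, and in routing every screening match to a person rather than to an automatic verdict, because the paper itself notes that reputational feeds produce elevated false positives.

```python
"""Threshold-based triage of external risk signals by vendor tier.

Added example, not ProcessUnity code. The tiers, threshold values, the
0-100 financial scale and the sample vendors are constructed; only the
250-900 security-rating range comes from the paper.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signals:
    vendor: str
    tier: str                               # inherent risk tier: "low" or "high"
    security_score: Optional[int] = None    # 250-900 rating scale (per the paper)
    financial_health: Optional[int] = None  # constructed 0-100 scale, higher is better
    watchlist_hits: int = 0                 # screening matches; often false positives


# Constructed thresholds. None means the tier does not require that signal,
# which is the "low-risk work needs only identity confirmation" case.
THRESHOLDS = {
    "low":  {"security_min": None, "financial_min": None},
    "high": {"security_min": 650,  "financial_min": 50},
}


def triage(batch):
    """Return {vendor: [reasons]} for vendors that need analyst attention.

    Vendors with no reasons are omitted, so the result is exactly the
    review queue: below-threshold results stay unexplored, as the paper
    suggests, and effort goes to the vendors that cross a line.
    """
    queue = {}
    for s in batch:
        t = THRESHOLDS[s.tier]
        reasons = []
        # Any screening match goes to a human: these feeds produce elevated
        # false positives, so a hit is a review item, not a verdict.
        if s.watchlist_hits > 0:
            reasons.append(f"{s.watchlist_hits} watchlist match(es) to adjudicate")
        for name, value, floor in (
            ("security rating", s.security_score, t["security_min"]),
            ("financial health", s.financial_health, t["financial_min"]),
        ):
            if floor is None:
                continue                        # not required for this tier
            if value is None:
                # Absence of required evidence is itself a finding.
                reasons.append(f"{name} missing (required for tier '{s.tier}')")
            elif value < floor:
                reasons.append(f"{name} {value} below threshold {floor}")
        if reasons:
            queue[s.vendor] = reasons
    return queue


# Constructed sample batch.
SAMPLE = [
    Signals("Acme Cleaning", "low", security_score=520, financial_health=40),
    Signals("Acme Cleaning Intl", "low", watchlist_hits=1),
    Signals("PayCore Ltd", "high", security_score=610, financial_health=72),
    Signals("DataVault Inc", "high", security_score=800, financial_health=81),
    Signals("LedgerSoft", "high", financial_health=30),
]

if __name__ == "__main__":
    for vendor, reasons in triage(SAMPLE).items():
        print(vendor, "->", "; ".join(reasons))
```

Note that Acme Cleaning, a low-tier vendor, is not queued even though its scores would fail the high-tier floors; that is the "more is not necessarily better" principle applied mechanically, and it is the threshold table, not the code, that an organization tunes as its risk appetite changes.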


Conclusion

Your third-party risk program doesn’t exist in a vacuum and therefore, your chosen technology shouldn’t either. When you integrate your vendor risk platform with enterprise systems, internal applications and external content sources, you gain a more holistic view of your vendor population and can make better decisions that ultimately drive out risk and protect your business.

ProcessUnity’s cloud-based third-party risk management solution helps organizations effectively and efficiently manage the risk, cost and complexity of critical vendors throughout the entire vendor lifecycle. Through its deep relationships and technology integrations, ProcessUnity provides greater visibility into the risk profile of your third parties – before the onset of and throughout the relationship. Whether it’s incorporating data from your procurement system or informing key vendor-related decisions with financial, security or reputational information from external sources, ProcessUnity is the platform of choice for risk professionals at organizations of all sizes.

With ProcessUnity as the hub in your extended third-party risk ecosystem, your program becomes more efficient and effective. No other third-party risk management platform enables you to quickly and easily augment your risk management processes and extend the reach of your risk management program throughout your organization.

To learn more about ProcessUnity and third-party risk management automation and integration, contact a ProcessUnity risk management expert at [email protected] or visit us online at www.processunity.com.

To see ProcessUnity in action, watch the 5-minute Vendor Cloud demonstration.
