There are time-critical moments when you need to look beyond a single supplier and understand common control weaknesses in your tier one suppliers and extended supply network. This may follow a significant incident when there is often a pressing executive need to identify whether such an incident could occur among other suppliers. Alternatively, this may occur when responding to new regulatory or legislative requirements such as the GDPR, where one expects suppliers to be able to quickly demonstrate that adequate systems and controls are in place.
In recent times, there have been a number of new regulations which require organisations to have a greater understanding of their suppliers’ operation and capabilities. The GDPR is one such example where many organisations need to identify suppliers that would fall ‘in-scope’. In such cases, knowing which suppliers handle customer personal data would be a good starting point. It would also be highly beneficial to have a system which captures key attributes of the service or commodity being supplied to enable a search of ‘cloud service providers’ or ‘suppliers delivering service from outside the EEA’; simply and with confidence.
Abriska Supplier Risk Manager is well known for its automated questionnaire capability to capture and assess control effectiveness on a per supplier basis across multiple control groups including ISO 27001. A further key strength is its analytical capability, which allows swift retrieval and analysis of extensive amounts of supplier data to identify the suppliers of concern for specific sources of risk and report this in a management-friendly way.
Clients have found this valuable in situations such as:
- Identifying high-risk suppliers to GDPR compliance (see Abriska example above)
- Confirming the extent of use of cloud service providers and common control weaknesses
- Pin-pointing suppliers with subcontractors for extended supply chain network analysis and control review
- Locating business continuity gaps among interdependent suppliers supporting a single business process
- Building comprehensive views of the offshore estate for aggregate risk assessment and loss scenario analysis
- Supporting control testing teams in developing thematic review plans based on the control effectiveness profiles.
To avoid a manual process of reviewing supplier data locked in spreadsheets, there is a need to save time and use systems that can provide this information with just a few clicks of the mouse from login to risk insight. An over-reliance on spreadsheets can become an inhibitor to responding effectively and efficiently to both incidents and compliance assurance requests, potentially providing a false picture on the risk profile that the organisation is carrying or equally creating an inaccurate perception of the control environment, even where it is fully effective. There is also a reliance on the quality of underlying data whether in a system or a spreadsheet.
However, a system that is easy to use and seen as part of day-to-day working may well be more likely to be kept up to date than a super-sized spreadsheet with complex macros that only a few people feel comfortable updating.
These are therefore good reasons to build a business case to adopt tools that simplify and automate these risk activities and support improved decision making. So where next?
- To learn more about Abriska Supplier Risk Manager and how it can support your GDPR compliance, please click here or register for our forthcoming webinar on 21 September 2017
- To request a 1:1 demonstration of Abriska Supplier Risk Manager, please click here.
Author: Lee Glendon, Senior Risk & Resilience Consultant, URM