False Hope: Downsides of an Exchange Model for Vendor Risk Assessments

A common complaint about vendor risk assessments is time: the time it takes a vendor to complete an assessment, the time it takes the assessor to review it, and the time it takes to run gap analysis and remediation. Many companies quickly become fed up with the rat race, lose sight of why the assessments are conducted in the first place (to reduce and manage vendor risk), and turn to the utopian promise of checking the boxes with an Exchange model.

But be warned: although the concept is designed to reduce time and effort, it carries inherent pitfalls for both assessors and vendors, and the compliance industry is taking note.

What is a Risk Assessment Exchange?

Think of an Exchange like a library, and the books are vendor risk assessments. And just like any library, not every Exchange includes every assessment, some assessments are old and outdated, and some may be missing pages.

Proponents of this type of repository argue that Exchanges save time and money: they put a pre-completed assessment straight into the assessor's hands and spare the vendor from answering the same questionnaire again and again. But that is only true if the Exchange includes every one of your vendors with every assessment you need (including the supporting documentation and evidence), scoped to your organization's requirements. No Exchange can truly make this claim, despite years of effort and billions spent on marketing campaigns telling the industry otherwise.

Pitfalls of the Exchange

Some organizations may find efficiency in an Exchange model, but the more important question is efficacy. In the Exchange model, speed is often gained at the expense of accuracy, and the real purpose of conducting vendor risk assessments is lost. One major complaint about Exchanges is the recency and validity of the information. While a portion of a vendor's risk picture may be in an Exchange, you have no way of confirming that the data is current, that it represents the vendor's risk completely, or that it reflects the specific business context in which you use that vendor.

If your organization is leaning toward an Exchange model solution, first ask yourself these questions:

  • Are all my vendors listed in this Exchange or will I need to get my vendors to adopt this model?
  • How accurate and how recent is this information?
  • Are my vendors’ assessments inside the Exchange appropriate for the service level they will be providing to my organization?
  • Are there other questions that must be addressed to make the assessments complete?
  • How are risk ratings assigned, and do they conform to our organization's risk guidelines?
  • What remediation efforts have taken place since the assessment was completed?
  • What is the cost of adding additional vendors to the exchange in case they are not found in the initial data set of the exchange?

Compliance, Audit and Privacy Issues

Just as you must do your due diligence when assessing vendors, so too must you thoroughly assess a third-party risk management platform. There are many on the market to choose from; however, the Exchange concept runs contrary to the spirit of compliance. Pre-packaged, "fast food" assessments cannot provide the context needed to avoid compliance, audit, and privacy issues. SOC 2 reports and ISO certifications (such as ISO 27001) depend on context: each covers a defined scope, so an attestation pulled from an Exchange only tells you something if that scope actually covers the service the vendor is providing to you.

The data inside the Exchange is owned by the vendor, but the risk is owned by you, the assessor. During an audit, auditors or regulators may ask you to demonstrate the accuracy of information pulled from an Exchange, and depending on the Exchange, you may or may not have access to the underlying evidence.

On the other side, if you are a vendor, you face a wide variety of issues when submitting your confidential information to an Exchange. Some Exchanges provide free "previews" of your vendor risk score, which can seriously hurt sales if the Exchange gives you an unsatisfactory rating. Once you participate in an Exchange, you have very little control over who sees your data and how it is used.

Multiple privacy concerns come into play when vendors share sensitive information such as financial data, penetration test attestations, architecture diagrams, and C-suite names and contact information in an Exchange. Executives' names and contact details are personal data, so you must determine whether sharing them through an Exchange violates the provisions of GDPR, CCPA, or other evolving privacy regulations, and your own organization's policies may prohibit exposing this data at all. Moreover, data that is readily available in an Exchange can become a liability during merger and acquisition discussions.

You Get What You Pay For

The old adage "you get what you pay for" rings true when it comes to Exchange-based third-party risk assessment platforms. While their marketing messages project speed and completeness, the reality is far from it. We have seen instances where some of the leading Exchanges in our industry have a coverage rate of less than 5% of what they promise, and quite frankly, they should come with a "buyer beware" label. This kind of "snake oil" salesmanship paints our entire industry in a bad light.

On the other hand, many assessment platforms, such as ProcessBolt, are cost effective, ensure completeness and accuracy of data, combine assessment with continuous monitoring, and capture the true spirit of vendor risk assessment without cutting corners. There is no "fast food" approach and no quick-and-dirty answers. You will save time and money in the long run by selecting a thorough and efficient solution that mitigates vendor risk, avoids compliance issues, and lets you keep complete control of your vendor risk assessment program.

If you have been overpromised an Exchange and are tired of the under delivery, schedule a quick, 15-minute demo of ProcessBolt to see how we can help you build a world class third-party risk protection program.