The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
By Madiha Fatima, Director, Third Party Risk Management, Angelo Gordon
How has Covid-19 impacted the ability to conduct on-site assessments?
The pandemic has impacted not only the ability to conduct onsite assessments but also the way we look at risk management practices as a whole. With the world moving towards a remote environment, new challenges surfaced with heightened risk exposure, as we are no longer confined to defined locations or firewalls. Mass VPN use, local internet connections and community Wi-Fi connections brought additional risk factors into consideration for risk leaders across the globe. This is where innovation, and having a risk management strategy that is adaptable, can be easily enhanced and takes emerging risks and trends into account, is very important.
Onsite assessments are a vital part of control confirmation, especially for the critical service providers that you depend on for your ongoing continuity and services. With the emergence of the pandemic, risk leaders have to innovate to satisfy the control confirmation requirements while also revisiting their overall Third Party Risk Management Framework to see where enhancements are required. From a controls perspective, onsite assessments mainly involve verification of data security, access control, physical security, and business continuity response and testing practices; from a governance perspective, they involve meeting with management and risk officers as well as reviewing the vendor's risk practices and focus.
This is of course difficult to achieve in a remote environment, but not impossible, as long as the remote environment is used to review and evaluate the control confirmation evidence with real-time information: for example, a video call walkthrough confirming that the servers are caged in the data center, and that two-way authentication is required for access that is granted only to Admin and managed by management, per a screen share of the internal portal, etc. Again, this is not ideal and may require additional time, preparation and resources, but that's where enhancing and innovating your program comes into play.
Having a robust onsite assessment process and procedure, as well as a remote virtual assessment procedure that translates and reconciles how the onsite assessment requirements are met through virtual assessment, taking all the ifs and hows into account, may be helpful to streamline your control verification practices. There are of course other risks to consider and mitigate when evaluating and developing the process, such as who controls the virtual session, how to stop screen snapshots, and what application to use.
In the end, as long as an adaptable and robust Third Party Risk Management framework is in place, the show will still go on, probably with increased and improved risk mitigation practices.