Practical wins for optimizing third-party risk management
Managing the risks introduced by third-party vendors can often feel like a tangle of questionnaires, spreadsheets and endless follow-ups. Many organizations find themselves spending valuable time on administrative tasks instead of focusing on actual risk mitigation. This article explores six key benefits of adopting vendor risk assessment software, drawing on real-world experiences to illustrate how these tools can transform your approach to third-party risk management and free up your team to focus on what truly matters: protecting your organization.
1. Minimizing Disruptions & Protecting What Matters Most
Think back to the catastrophic disruption experienced by Maersk in 2017 due to the NotPetya ransomware attack, which originated through a compromised software vendor. The potential for third-party risks to cripple even large, well-defended organizations is very real. This is where vendor risk assessment software helps prevent such incidents, by proactively identifying vulnerabilities in your vendor ecosystem.
Think about your organization's core; what absolutely cannot be compromised? For The University of Kansas Health System, it's patient care, privacy and safety. As a world-class medical center, their cybersecurity team recognized that risks lurking within their vendor ecosystem could directly impact these critical areas. Their goal was to show decision-makers, especially VPs, the risks associated with each vendor. The team’s prevailing question: How can we show these stakeholders the risk that they are signing up for?
They turned to Onspring to standardize questionnaires and Black Kite to analyze risk data. As a result, The University of Kansas Health System provided leadership with actionable insights that allowed them to make informed decisions.
2. Embracing Proactive Risk Management
Many organizations can relate to the feeling of constantly reacting to vendor-related issues as they pop up. Manual processes can leave you unaware of vendor-related risks until it is too late.
Being thorough with manual processes is time-consuming. In the case of The University of Kansas Health System's cyber analysts, cross-organizational teams such as contracting or software asset management would ask whether a particular third party had been reviewed, and often that was the first time the analysts had heard of it.
Vendor risk assessment software enables a proactive approach through:
- Automated workflows for systematic contract review and risk assessment.
- Automatic routing of contract requests to the appropriate teams.
- Automated sending and tracking of vendor questionnaires.
- Timely notifications upon receipt of vendor responses, improving efficiency.
The shift to vendor risk assessment software allowed them to build automated workflows that ensure contract requests are submitted, filtered and routed to the appropriate team for risk assessment before agreements are finalized. Questionnaires are sent to third parties automatically, and the team is notified when responses are received, reducing delays and improving efficiency.
3. Making Questionnaires Less Painful (For Everyone)
Let's be honest, nobody enjoys filling out lengthy questionnaires – not your vendors, and certainly not your internal analysts who have to wade through the responses.
The University of Kansas Health System tackled this common pain point head-on by using their vendor risk assessment software to consolidate and shorten their questionnaires, focusing on the most critical control and documentation requirements. Black Kite then automatically analyzes submitted documents, such as SOC and MDS2 reports, to identify gaps and potential risks, reducing the manual workload for analysts. This might be one of the biggest benefits of using vendor risk assessment software.
4. Putting a Price Tag on Risk: Quantifying the Potential Impact
Trying to understand the real cost of vendor-related risks can feel like guesswork. The University of Kansas Health System wanted to quantify the financial impact of vendor-related risks, helping VPs and board members understand the potential costs associated with data breaches, ransomware attacks and business interruptions.
By integrating their Onspring GRC platform with Black Kite’s cyber risk analytics tool, they could quantify these risks and present a clear financial picture to leadership. Black Kite’s ransomware susceptibility index evaluates a vendor’s likelihood of being targeted by a cyberattack, giving The University of Kansas Health System critical data delivered in relation to their other GRC data. This wider view, and the ability to translate cyber threats into potential dollar losses, empowers stakeholders to make more informed decisions about risk acceptance and mitigation investments.
5. Connecting the Dots: Integrating GRC and Vendor Risk Management
Siloed risk management processes create blind spots and inefficiencies. The University of Kansas Health System recognized the power of connecting their GRC platform with their third-party risk management solution.
By tightly integrating Onspring and Black Kite, The University of Kansas Health System automated the process of capturing, analyzing, and reporting vendor risk data, eliminating manual data entry and reducing errors.
Once a vendor is identified in Black Kite, it’s continuously monitored and synced every day into Onspring, which automatically pulls in the risk quantification. The University of Kansas Health System has also customized their findings so that any time a vendor receives a D or F rating in Black Kite, all pertinent data automatically populates into Onspring.
This integration creates a seamless process where assessment summaries, findings and recommendations can be automatically shared with owners or stakeholders, ensuring that decision-makers have the information they need to mitigate risk quickly.
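The daily sync and D/F escalation described above, as an added illustration that is not Onspring's or Black Kite's code: the grade feed and the GRC register are hypothetical in-memory stand-ins, and the sync is written to be idempotent so a repeated run opens no duplicate findings and closes findings once a vendor's grade recovers.

```python
"""Hypothetical daily sync of vendor cyber-risk grades into a GRC register."""
from dataclasses import dataclass

# Grades that must automatically populate the GRC register (per the article: D or F).
ESCALATE = {"D", "F"}


@dataclass
class Finding:
    vendor: str
    grade: str
    ransomware_susceptibility: float  # constructed stand-in for a susceptibility score
    status: str = "open"


def sync_grades(feed: dict, register: dict) -> dict:
    """Run one daily sync.

    `feed` maps vendor name -> {"grade": "A".."F", "rsi": float} (constructed format,
    not a real vendor API). `register` maps vendor name -> Finding and is mutated in place.
    Returns which vendors were opened, updated or closed so each run can be audited.
    """
    result = {"opened": [], "updated": [], "closed": []}
    for vendor, data in feed.items():
        grade, rsi = data["grade"], data["rsi"]
        existing = register.get(vendor)
        if grade in ESCALATE:
            if existing is None or existing.status == "closed":
                # New D/F rating (or a relapse after recovery): open a fresh finding.
                register[vendor] = Finding(vendor, grade, rsi)
                result["opened"].append(vendor)
            elif (existing.grade, existing.ransomware_susceptibility) != (grade, rsi):
                # Still D/F but the pertinent data changed: refresh, do not duplicate.
                existing.grade, existing.ransomware_susceptibility = grade, rsi
                result["updated"].append(vendor)
        elif existing is not None and existing.status == "open":
            # Grade recovered above the threshold: close the open finding.
            existing.status = "closed"
            result["closed"].append(vendor)
    return result
```

Running the same feed twice yields an empty result on the second pass, which is the property that keeps a daily sync from flooding the register with duplicate findings.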
6. Empowering Your Team with Real Insights, Not Just Data
Perhaps the most significant benefit of using Onspring and Black Kite is that it empowers The University of Kansas Health System’s stakeholders to make better, more informed decisions. With real-world risk scenarios, financial impact data, and actionable recommendations, VPs can assess whether vendor risks align with their risk tolerance.
The team has seen much more stakeholder involvement. With this new information, each risk owner at the VP level is able to understand what he or she is accepting and then determine whether that falls within their risk tolerance threshold.
This means that decision-makers can finally see the potential consequences of engaging with certain vendors and determine whether those risks align with their tolerance levels. This shift from simply presenting data to providing actionable insights is what truly transforms risk management from a compliance exercise into a strategic advantage.
Big Benefits in Vendor Risk Assessment Software
The journey of The University of Kansas Health System offers valuable lessons for any organization grappling with the complexities of vendor risk management. By embracing a solution that integrates GRC with specialized third-party risk intelligence, they moved beyond manual processes to achieve greater efficiency, enhanced security, and more informed decision-making.
Want to learn more about how Onspring can transform your vendor risk program? Book a personalized demo today.