Streamlining third-party risk management with AI

Introducing an AI digital worker to your third-party security efforts

Jonathan Dambrot

Principal, Cyber Security Services, KPMG U.S.

Romain Goy

Manager Advisory, Cyber Security Services, KPMG US


Companies have grown more reliant on third parties over the years, driven by the desire to contain overhead costs, improve efficiency, allow internal staff to focus on higher value-add tasks, share risks, and boost their competitive positions. However, since emerging privacy regulations now require organizations to identify, address, and mitigate risks that may arise from employing external parties, it is no longer possible to use basic contractual agreements or paper assessments to ensure that suppliers are secure.

We recently conducted a series of polls at our third-party security roundtable sessions. Represented were organizations of all sizes, markets and industries, as well as varying degrees of maturity toward developing third-party security programs. Following are some highlights of the common challenges they face:

  • Time-consuming process: Currently, third-party security efforts involve a manual process that is complicated by several time dependencies and potential bottlenecks. For example, repeated outreach is often needed to get vendors to respond, which delays not only the procurement of services and products from the vendor, but also consumer interactions with the primary business. As assessment questionnaires vary from one company to another, vendors are often frustrated that queries have limited applicability to the services they are providing.
  • Disconnect between third-party security programs and procurement: Although procurement and third-party security reviews are closely related, these two groups have different lines of reporting and disconnected processes. Redlining of vendor contracts can occur without the involvement of the third-party security team, leading to the inadvertent elimination of some security provisions and obstacles to enforcing security controls. In addition, duplicate vendor entries from different parts of the organization can increase the third-party security team’s workload and potentially lead to confusion.
  • Maintaining consistency: Third-party security programs are struggling to keep up with assessments of an increasing number of vendors, as well as to comply with regulations that mandate vendor reassessments to gather necessary data points. And, as the number of required documents increases, organizations are finding it difficult to assess all vendors with the same level of scrutiny.

Enter Artificial Intelligence

Within the third-party security management landscape, organizations already have solutions and data to tackle cyber-security risks introduced by third parties. However, they lack a mechanism for unifying their multiple information systems and automating low value-add tasks. The answer is an integrated artificial intelligence (AI) solution that can intelligently and proactively identify and address the challenges detailed above.

On the most basic level, an AI digital worker could serve as the front end of the third-party security process, answering simple questions posed by internal business teams. Anyone in the company could request that a vendor be onboarded, after which the AI digital worker would guide the user through validating whether the vendor already exists in the system.

With robust AI capabilities, coupled with Natural Language Understanding (NLU), the digital worker could further simplify the onboarding process by having the user describe the tasks the vendor will handle for the company. The AI system would then route the entry to the third-party security team for further vetting. Questions related to a vendor contract or issues identified during the assessment process can be answered as well.

Moving to more complex tasks, the AI digital worker can even be used to handle interactions with vendor points of contact. Advanced digital workers are “smart” enough to ask follow-up questions based on the services vendors provide, as well as previously identified issues with the vendor in question or even with similar vendors. Ultimately, the questionnaire is tailored to that specific relationship.
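The two steps described above, the duplicate check at intake and the questionnaire tailored to declared services and prior findings, as a rule-based sketch in Python. This is an added example, not KPMG's digital worker or any product; the vendor register, domains, questionnaire modules and finding text are all constructed, and the name-matching rule is a deliberately simple normalization rather than an NLU model.

```python
"""Rule-based sketch (added example, not KPMG's tool) of the intake flow the post
describes: de-duplicate a vendor request against the register, then tailor the
questionnaire to declared services and open findings. All sample data is constructed."""
import re
from dataclasses import dataclass, field

@dataclass
class Vendor:
    name: str
    domain: str
    services: set = field(default_factory=set)
    open_findings: list = field(default_factory=list)

def normalize(name: str) -> str:
    """Fold case, punctuation and legal suffixes so 'ACME Corp.' matches 'Acme Corporation'."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = re.sub(r"\b(inc|llc|ltd|corp|corporation|co|company)\b", " ", name)
    return " ".join(name.split())

# Questionnaire modules keyed by the service the requester described (constructed).
MODULES = {
    "hosting": ["Data-centre physical access controls", "Backup and restore testing"],
    "payroll": ["PII encryption at rest and in transit", "Staff background checks"],
    "software": ["Secure SDLC and dependency scanning", "Vulnerability disclosure process"],
}

def intake(register, name, domain, services):
    """Reuse a record matching on primary domain or normalized name (merging services), else create one."""
    key = normalize(name)
    for v in register:
        if v.domain.lower() == domain.lower() or normalize(v.name) == key:
            v.services |= set(services)
            return "existing", v
    v = Vendor(name, domain, set(services))
    register.append(v)
    return "new", v

def build_questionnaire(vendor):
    """Only modules for declared services, then a follow-up on each open finding."""
    qs = [q for s in sorted(vendor.services) for q in MODULES.get(s, [])]
    qs += [f"Status of prior finding: {f}" for f in vendor.open_findings]
    return qs

def sample_register():
    """Constructed starting register; one vendor carries an open finding from a past assessment."""
    return [Vendor("Acme Corporation", "acme.example", {"hosting"}, ["no MFA on admin portal"]),
            Vendor("Blue Widgets LLC", "bluewidgets.example", {"payroll"})]
```

A second request for "ACME Corp." is routed to the existing record instead of creating a duplicate, and its questionnaire picks up both the newly declared service and the open finding.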

Making the business case for AI

The business case for an AI digital worker should address both quantitative and qualitative factors. The overwhelming number of third parties and their associated data is a challenge that has become increasingly difficult to tackle for even the most mature and well-designed third-party risk management programs. In addition to creating efficiencies in the third-party program, the AI digital worker also provides tremendous value in the form of large data processing, insight generation, and allowing a shift in focus to key risk areas rather than repetitive tasks.

Making the business case for AI requires a return-on-investment-driven value proposition that quantifies expected benefits related to streamlined workflows; automation-related efficiencies; reduced overhead, training, and technology costs; and a simplified approach to managing long-term third-party relationships.

In short, introducing an AI digital worker to your third-party security efforts can support operating cost reduction, more effective risk mitigation, and decreased overhead spending. And, by freeing up time and resources, the business can refocus its efforts on continuing to push the third-party security program forward to the bleeding edge.

Additional posts will delve deeper into the specific benefits of AI in the third-party security process. Our goal is to assist organizations with the insights and data they will need to build a business case for introducing an AI digital worker into the third-party vendor management landscape.