2019 CSO50 Awards

How ADP identifies and reduces third-party risk

CSO50 award winner ADP's third-party assurance program helps it manage and mitigate risks posed by suppliers and contractors.

risk assessment - safety analysis - security audit

2019 CSO50 Awards

Show More

Today's modern enterprise is far from a self-contained monolith, but rather the center of a vast web of interconnected suppliers, vendors and customers, all of which introduce risk for a CISO to deal with. Managing that risk is by no means a solved problem, but CSO50 winner ADP's new Global Third-Party Risk Management framework has moved the ball forward.

ADP, short for Automatic Data Processing, Inc., is a global provider of HR management software and services, including business outsourcing services. "ADP’s Enterprise Risk Organization identified third-party risk as a key potential risk," Phani Dasari, global vice-president, Global Third Party and M&A Risk Management at ADP, tells CSO. "Management prioritized third-party risk, funded the program appropriately and pushed all relevant organizations to focus on identifying and reducing third-party risk."

A global, automated approach to risk management

The solution, Dasari says, involves engaging with suppliers to standardize risk management and governance to meet enterprise security metrics. "ADP has taken its Third-Party Assurance Program from a localized program in the organization to a connected global program with end-to-end automation," Dasari explains, "allowing enhanced tracking of all vendor engagements and proactive identification of risks related to third-party engagements."

phani dasari ADP

Phani Dasari, ADP

Automation has proven key to making ADP's third-party risk-management tool effective. Their framework measures the time it takes to perform a vendor assessment and offers visibility into how long each step of the process takes, including sending a questionnaire, analyzing the answers, producing a report and so forth.

Questionnaires can be submitted and managed using ADP's online tool, and the framework automates notifications based on certain triggers. The online portal creates dashboards that make it easier to track assessment progress and analyzes data across vendors to identify trends and potential systemic problems.

"From a business engagement perspective," Dasari says, "the increase in efficiency has enabled the business units to accelerate their engagement with third parties resulting in quicker product launches, process changes, deployment of third-party tools, etc."

Actionable risk metrics reporting

ADP's framework not only collects the right data but creates high-level reports of the resulting metrics to enable corporate leaders to respond to and mitigate vendor risks. Reports include top ten potentially risky vendors, vendor risks by geography and industry, and remediation trends. Security incident handlers also gain greater visibility into third-party risks and are thus able to respond quickly when something bad happens.

The third-party risk management service began as an in-house project that was so successful that ADP now offers it to clients around the world. Key elements of the framework include a standard risk assessment framework and a standard remediation framework that all risk assessors and remediation coordinators are trained to use. Guidance documents outline the overall governance process and detail roles and responsibilities throughout the organization. ADP also developed questionnaires for specific kinds of vendors such as law SaaS, printing, cloud hosting, and law firms.

ADP's Third-Party Risk Management Framework is Dasari's brain child. A long-time ADP executive, his responsibilities include "leadership of diverse and geographically spread-out teams of senior leaders, assessors, consultants and oversee program activities to ensure effective risk management and mitigation throughout the third party life cycle," ADP said in a statement. "He provides thought leadership in redefining the risk assessment process and supports the continuous improvements of both programs."

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)