2019 CSO50 Awards

How ADP identifies and reduces third-party risk

CSO50 award winner ADP's third-party assurance program helps it manage and mitigate risks posed by suppliers and contractors.

Today's modern enterprise is far from a self-contained monolith, but rather the center of a vast web of interconnected suppliers, vendors and customers, all of which introduce risk for a CISO to deal with. Managing that risk is by no means a solved problem, but CSO50 winner ADP's new Global Third-Party Risk Management framework has moved the ball forward.

ADP, short for Automatic Data Processing, Inc., is a global provider of HR management software and services, including business outsourcing services. "ADP’s Enterprise Risk Organization identified third-party risk as a key potential risk," Phani Dasari, global vice-president, Global Third Party and M&A Risk Management at ADP, tells CSO. "Management prioritized third-party risk, funded the program appropriately and pushed all relevant organizations to focus on identifying and reducing third-party risk."

A global, automated approach to risk management

The solution, Dasari says, involves engaging with suppliers to standardize risk management and governance to meet enterprise security metrics. "ADP has taken its Third-Party Assurance Program from a localized program in the organization to a connected global program with end-to-end automation," Dasari explains, "allowing enhanced tracking of all vendor engagements and proactive identification of risks related to third-party engagements."

Automation has proven key to making ADP's third-party risk-management tool effective. Their framework measures the time it takes to perform a vendor assessment and offers visibility into how long each step of the process takes, including sending a questionnaire, analyzing the answers, producing a report and so forth.

Questionnaires can be submitted and managed using ADP's online tool, and the framework automates notifications based on certain triggers. The online portal creates dashboards that make it easier to track assessment progress and analyzes data across vendors to identify trends and potential systemic problems.

"From a business engagement perspective," Dasari says, "the increase in efficiency has enabled the business units to accelerate their engagement with third parties resulting in quicker product launches, process changes, deployment of third-party tools, etc."

Actionable risk metrics reporting

ADP's framework not only collects the right data but creates high-level reports of the resulting metrics to enable corporate leaders to respond to and mitigate vendor risks. Reports include top ten potentially risky vendors, vendor risks by geography and industry, and remediation trends. Security incident handlers also gain greater visibility into third-party risks and are thus able to respond quickly when something bad happens.

To continue reading this article register now

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!