Taking the ‘Risk’ Out of Vendor Risk Management Sherry Jones, Reciprocity
Third-party vendors are one of the greatest security risks an enterprise carries, because an attacker who compromises a vendor's systems inherits whatever access and data the enterprise has shared with that vendor.
Monitoring vendor risks and risk-mitigation efforts can be challenging, especially for an organization using spreadsheets to track many different entities at once. Using a quality, well-designed governance, risk and compliance (GRC) software such as ZenGRC can greatly simplify the task, as international pharmaceutical wholesaler AmerisourceBergen recently discovered.
Using ZenGRC starting in January 2018 revolutionized the way AmerisourceBergen does risk management and compliance, in particular vendor risk management, Cyber Risk Manager Christian Stevens says. The tool has greatly increased efficiencies, enabling his team to cut labor costs while expanding its managed-vendor list more than eightfold, from 60 vendors to more than 500.
ZenGRC helps at audit time, too. When measuring and monitoring regulatory compliance, its own as well as that of its many vendors, AmerisourceBergen found that ZenGRC gave auditors a big-picture view at a glance and provided supporting documentation with just a few clicks. These features, combined with ZenGRC's intuitive, easy-to-use format, have saved the company time, worry, and costs, freeing its personnel to devote their focus and the company's resources to more pressing matters, such as satisfying customers and boosting the bottom line.
About AmerisourceBergen
Formed in 2001 by the merger of pharmaceutical distributors AmeriSource and Bergen Brunswick, AmerisourceBergen has a long history on the technological cutting edge: its predecessor, the Bergen Drug Company, in 1959 became the first company in America to use computers for inventory control and accounting. The company routinely does business with numerous third-party entities including physicians, health systems, pharmacies, manufacturers, and those in the animal health industry. The regulatory frameworks governing its policies, procedures, and practices include the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the European Union's General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Juggling Spreadsheets: What a Hassle
Throughout its operations, AmerisourceBergen relied on spreadsheets and word-processing software to track its regulatory compliance and risk management controls as well as those of its vendors. When the company hired Stevens in October 2017, its approach to compliance and risk management changed significantly. "We had a fledgling third-party risk management system," Stevens says. "We had thousands of vendors, and keeping track of their risks and risk ratings was complex and difficult."
Managing vendors using spreadsheets was awkward, confusing, and time-consuming, and potentially exposed the organization to a myriad of threats, especially cybercrime, Stevens says. Before he came on board, AmerisourceBergen's executives had already begun stepping up their cybersecurity program. They recognized how vulnerable their business might be because of their outmoded vendor risk management tools and techniques. They put Stevens in charge of modernizing.
"Managing vendors should be imperative for anybody," Stevens says. "If you look at a lot of the breaches, they come from vendors who haven't embedded security into their systems. In this ecosystem, the risks to the systems are connected to weaknesses in connected vendors. Especially in the pharmaceutical industry."
AmerisourceBergen routinely sends highly confidential information regulated by HIPAA, millions of records, to thousands of vendors, some of whom are small, mom-and-pop businesses without adequate security controls, Stevens says. AmerisourceBergen also sends out vendor questionnaires. Previously, personnel had to enter the answers manually, then scan the resulting spreadsheets to spot problem areas and trends. The process was unwieldy, Stevens says, time-consuming, and often confusing, even to auditors. There had to be a better way.
Tasked with developing a vendor risk management program for AmerisourceBergen, Stevens sought a digital GRC solution to replace the old hunt-and-peck spreadsheet method. He tried various software, including a well-known Integrated Risk Management platform, but found they lacked the user-friendly qualities and return on investment the company sought.
Technology to the rescue
Reciprocity ZenGRC, on the other hand, had all the right ingredients …
Easy to set up
Although ZenGRC is a complex program providing comprehensive compliance and risk services, its designers gave it a simplified interface for a smooth, seamless user experience. "Setup was pretty straightforward: just sign the paperwork," Stevens says. "It was easy to provision access, not a lot of training involved, and the wiki was pretty straightforward. I was able to start adding things, and mapping things, pretty easily." And because ZenGRC is cloud-based software-as-a-service, no installation was required. Reciprocity sent its ZenGRC user website link to AmerisourceBergen, and with a few clicks Stevens and his team had gained access.
Simple to use
"Easier to use than your traditional GRC," is how Stevens describes Zen. Its color-coded "single source of truth" dashboards, automated data collection and controls mapping, and integrated management across multiple applications make risk and compliance management as simple as point-and-click. "It was intuitive," Stevens says. "Zen is not unwieldy like other tools. Someone with above-average intelligence can use it without weeks of training. It's a functional, really easy-to-use tool."
Fully supported
AmerisourceBergen hasn't needed to call Reciprocity's support team often, but when it does, someone is always there to help. Opening support tickets is easy, and Stevens says that AmerisourceBergen's dedicated technician provides any assistance Stevens or his staff might need in a consistently straightforward and responsive manner.
Cost-saving
Ease of use means less work for personnel as well, enabling AmerisourceBergen to reduce labor expenditures and increase its ROI. Sending customized vendor surveys and subsequent reminders to its many vendors required a huge amount of work and time when employees used a spreadsheet system. Now, when AmerisourceBergen staff create vendor questionnaires, they do it in ZenGRC, and the software takes it from there: it sends the questionnaires, collects the responses, and logs and categorizes the answers. And at audit time, the supporting documents auditors may need are available in moments, with just a few clicks: no more tedious, time-consuming sorting through paper or digital files.
Zen: More, Better VRM
ZenGRC's easily customizable "single source of truth" dashboards have proved invaluable for providing AmerisourceBergen with overviews of vendors' compliance status and issues. And its use of uniform data fields adds flexibility, so analysts can mix and match data at will, organizing information for fresh insights and tracking progress where issues need resolving.
"The biggest challenge we faced with managing vendors was keeping them in one area, on a single pane of glass," Stevens says. "Instead of going to a folder in email with an Excel or Word attachment, we're able to put all our vendors on a single, cohesive form in Zen. We have the same fields for every vendor, and can do risk ratings and slice-and-dice as we need to."
The application's functionality enables AmerisourceBergen's risk management team to easily report up through the organization on its risk posture and how different vendors are affecting it, Stevens says. And while using spreadsheets limited the number of vendors the company could monitor and manage, ZenGRC has enabled AmerisourceBergen to expand its managed-vendor list from 60 to 500+ in its first year of use. And counting.
Knowing which vendor is doing what, and how, is essential to managing risk, especially for a company in the medical arena. Stevens says that ZenGRC allows him to see, for instance, which compliance issues a particular vendor has, how many vendors are in compliance with a specific framework such as PCI DSS, or which compliance issues are trending among a number of vendors.
"We wouldn't be anywhere near where we are in our risk management program without ZenGRC."
"With Zen, it's easy to put those metrics together," he says. "It gives the data we need to be able to report up to our management team." Using ZenGRC, Stevens's team can quickly find the answers to vendor-related queries using data collected in customized questionnaires and other sources. "Zen allows us to be more proactive. Instead of having to dig through months and months of old emails and documents, we can go to a single place and see the whole lifecycle of any vendor." AmerisourceBergen personnel can check the compliance status of specific vendors, see their risks and which issues they have resolved or not, and in return feel more confident regarding the company's own risk posture.
Highly recommended: ZenGRC
Ask Christian Stevens for the name of a quality GRC tool, and he will extol the virtues of ZenGRC: simple to set up, easy to use, high-value. "If you're looking to get your feet wet in GRC, Reciprocity is the place to go." "A lot of companies get intimidated by GRC: the cost, the scope, and the difficulty in implementing it. But anybody in the risk and security fields can have ZenGRC up and running and providing value in a couple of weeks." "Other tools cost too much to support. Zen is a much more palatable GRC solution. Running it doesn't have to be a full-time job." To learn more about ZenGRC and what it can do for your risk- and compliance-management program, contact a Reciprocity expert today.
About Reciprocity
Reciprocity provides ZenGRC to the world's leading companies. Our cloud-based solution offers fast, easy deployment, unified controls management, and a centralized dashboard for simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. Contact a Reciprocity expert today to request your free demo, and embark on the worry-free path to regulatory compliance, the Zen way.
Project Details
This case study for my longtime client Reciprocity explores pharmaceutical company AmerisourceBergen's experiences using ZenGRC software to track and manage its many vendors for compliance with regulations. I interviewed a company GRC specialist, and Reciprocity's VP of marketing sat in on the call.
Client: Reciprocity
Format: Case study