Automation has been an absolute game-changer for third-party risk management. It can almost seem like a superhero on your team, speeding up processes, catching errors, and allowing full-time employees to focus on strategic tasks. However, even with the rise of automation tools like artificial intelligence, it’s essential to remember that even superheroes need sidekicks. While automation is powerful, human intellect and review remain essential in due diligence.
Why You Need Human Reviews in Vendor Due Diligence
Computers can’t replace human expertise
Today, automated processes can help your team collect and scan vendor due diligence questionnaires and documentation, and potentially flag items that may need to be added or completed. Utilizing automation to complete the first documentation pass can be an excellent place to start.
Here’s why automated processes aren’t always dependable when it comes to analysis and assessment:
- The automated process is only as capable as it’s programmed to be, and even in best-case scenarios, it's impossible to incorporate the endless variety of details and considerations that arise in due diligence.
- Experienced subject matter experts (SMEs) and due diligence analysts can identify inconsistencies or discrepancies in the information they review – whether it's due to an unintentional misrepresentation of facts or, in some cases, a deliberate attempt to mislead or exaggerate. Someone with the proper credentials must review documents thoroughly and provide a qualified opinion. This requires affirmation that they’ve reviewed and evaluated the information and feel comfortable with the results.
- Computers aren’t always able to comprehend certain sections of complex documents. For instance, in a financial statement, the notes section may contain crucial information that cannot be read by a computer algorithm but can be easily understood by humans.
While technology can be helpful in many ways, it's essential to seek out the expertise of a qualified professional to ensure your financial reviews and SOC reports are accurate and reliable. We still need humans to provide the level of analysis and insight necessary to ensure everything is in order.
Automation isn’t the same as problem-solving
There may be instances where vendors aren’t able or willing to provide you with specific information. In such cases, you’ll need to use creative thinking or problem-solving skills that computers aren’t currently capable of.
For instance, some organizations may be reluctant to share sensitive information, such as their business continuity plan, network data flow diagram, marketing plans, or customer activity. However, they may be willing to answer questions if you schedule an on-site vendor visit or video call. Finding a solution to the problem of vendors who are hesitant to share essential data requires more than just automation. It demands nuanced critical thinking and, most importantly, relationship-building skills.
Machines aren't a replacement for nuanced analysis
Although we strive to create intuitive systems that accommodate a wide range of scenarios, there will always be exceptions. Regulators establish best practices and standards that may not be practical for all vendors, particularly due to factors such as the organization's size or industry. Sometimes, all it takes is a conversation to understand why a small business might operate differently than a larger, more robust corporation.
These scenarios typically require extra analysis and critical thinking to determine whether they align with your expertise or regulatory requirements. These focused evaluations can save organizations time, money, and stress by avoiding unnecessary or inappropriate expectations for their business model.
Human expertise in vendor due diligence is crucial
Undoubtedly, performing due diligence is a crucial task that demands significant time and effort. However, treating due diligence as just another task on the to-do list can pose real risks. While automating the process of collecting documents and putting them through a standardized pre-programmed review may seem appealing, it’s crucial that qualified humans with sufficient experience in the specific risk domain review and scrutinize information thoroughly. Replacing human expertise with programmed automation can lead to unfavorable outcomes and negative consequences.
Example: To demonstrate the importance of human expertise and logic in due diligence, let's consider an example of a vendor who accesses, processes, and stores personal identifiable information (PII) using screen scraping. This is a technique that uses automated software to extract data from websites by parsing the HTML code. This can be a riskier method, as data may be inaccurate or out of date. It may also be illegal if it violates website terms of services.
It’s crucial to have a qualified SME review the vendor's information security measures. The SME would likely identify that this vendor requires a more extensive compliance review. In this case, understanding the due diligence requirements requires expertise in recognizing the differences between screen scraping and regular direct data collection and comprehending the risk implications beyond information security. Automating this scenario's detailed and nuanced analysis would be extremely difficult.
While automation has undoubtedly impacted and improved many third-party risk management processes, it can’t wholly replace human expertise and analysis. An efficient due diligence process may utilize automation, but to also be effective, human review is necessary to ensure accurate and reliable results.
As technology advances, it’s essential to remember that human intellect and critical thinking will always remain integral to the process. By utilizing the right combination of automation and human expertise, organizations can conduct effective due diligence and mitigate risks effectively.
