Third Party Vendor Risk Management: How are CIOs managing their third party vendor risk? Moving from spreadsheets to one cloud hosted option to track all of their risk management with Eplatformtech Third Party Vendor Risk Management.
One of the realities I’ve seen is that the healthcare CIO is largely a vendor manager. I’ve grown that view a bit to include the management of people, but that’s the majority of a CIO’s job. Manage the people that work for the CIO and manage the vendors that work with their organization.
This is not a knock on CIOs. This is really important work that they’re doing. It is, however, a recognition that much of the risk they take on as CIO is dependent on the vendors with whom they work. This is true from an innovation perspective, where the innovations of the vendor will either make the CIO look really good or really bad. It’s also true from a multitude of other financial, legal, security, and reputation standpoints.
How then are CIOs managing their third party vendor risk?
I’m sad to say that the reality for most organizations is simply: a bunch of spreadsheets.
Chew on that for a minute. A CIO’s third party risk is being managed by a bunch of spreadsheets. I love a spreadsheet as much as the next person, but we know that a file on SharePoint is the place where documents largely go to die. Plus, managing hundreds of spreadsheets across a wide variety of vendors is brutal.
This is why I was intrigued when the opportunity came to meet with Eplatformtech Third Party Vendor Risk Management. Plus, I was able to meet with two of their customers: Aaron Miri, CIO at The University of Texas at Austin, Dell Medical School and UT Health Austin, and Joel Vengco, SVP & CIO at Baystate Health.
For those not familiar with it, Eplatformtech offers the Third Party Vendor Risk Management Software platform for healthcare. Both Aaron and Joel gave the strongest recommendation for a software that I’ve seen from a CIO in a long time. Likely because they’d lived the life of managing risk using spreadsheets and the pains associated with such a process.
I asked Ed Gaudet to share what areas of risk management they covered in their platform and he shared the following:
“Eplatformtech Third Party Vendor Risk Management provides risk questionnaires for pre-purchase initial risk assessments and post-purchase reassessments. These questionnaires assess 5 risk areas: Financial, Legal and Regulatory, Information Security, Availability, and Resiliency. Each risk area has 1 or more assessment domains. All questionnaires are based on and map to industry standard frameworks and regulations such as NIST, ISO, HIPAA, GDPR, and PCI.
Questionnaires support several product types: on-premise software/hardware, cloud software/hardware, hybrid, medical devices, mobile applications, consultancy. Eplatformtech Third Party Vendor Risk Management also supports healthcare-specific use cases such as assessing the risk of affiliated physician practices, internal software development projects (SDLC), information exchange between covered entities, institutional research board (IRB) initiatives, and internal enterprise risk assessments.”
As Aaron Miri told me, “It’s so simple and useful, you wonder why no one had done it before.” Sometimes it’s the simplest ideas that are the best. The power to me is that it provides one cloud hosted option to track all of your risk management in one place. Just having that standardized process is a huge help on its own.
However, talking with them I learned of some other nice benefits. The first is the ability for healthcare organizations to collaborate with other healthcare organizations to ensure compliance. Lest you think they’re sharing compliance data, they’re not. Each organization has their own compliance efforts. However, Joel Vengco pointed out how he loved Eplatformtech because it provided him the opportunity to collaborate with people like Aaron Miri who may have already dealt with compliance with a certain vendor or other risk management situation. Basically, Joel can discover things he should consider asking or making part of his risk management and compliance efforts from others who have been through the process before.
Needless to say, I was impressed by what Eplatformtech Third Party Vendor Risk Management has accomplished. It really is a simple idea that provides a lot of value to healthcare organizations. Plus, it standardizes a tedious and challenging process and streamlines it as much as possible for both healthcare organizations and vendors.
The only bad news for Eplatformtech Third Party Vendor Risk Management is that if they’re doing a good job, we won’t hear anything about it. The risks will be mitigated and tracked appropriately and CIOs will sleep a little better at night.