IBM OpenPages GRC Services | GRC Consulting – iTechGRC

For a Leading Cancer Research Center

Streamlining Third Party & IT Risk Management with IBM OpenPages

Client Profile

Florida’s first National Cancer Institute-designated Comprehensive Cancer Center, the institution stands among the top 30 cancer centers in the U.S. that are part of the National Comprehensive Cancer Network. The research center is a global leader in the fight against cancer. By bringing world-class researchers and care specialists together, the center is uniquely positioned to advance cancer treatment, elevate care, and save more lives.

Project Overview

With a mission to contribute to the prevention and cure of cancer, the center engages in cutting-edge biomedical research and provides comprehensive patient care. It relies on a large network of third-party vendors, including suppliers of biomedical research tools, IT services, HR applications, and other essential services, to support its operations. The center also recognized hidden risk from the subcontractors and service providers that its vendors in turn depend on, known as fourth parties. The center set out to improve its risk management processes for third-party vendors and internal IT applications while accounting for the added complexity of fourth-party risk. It was held back by two separate legacy systems that managed vendor risk and internal IT risk independently. To address these issues, the center implemented IBM OpenPages with the assistance of iTech GRC, an IBM OpenPages certified premier partner.


Challenges

The research center faced significant challenges in managing the risks associated with its third-party vendors and internal IT applications due to the limitations of its legacy systems.

Challenge 1: Vendor Risk Management 

  • Manual Processes: The team manually generated and sent questionnaires to assess the risk, cybersecurity, and regulatory compliance posture of hundreds of vendors. These went out annually, producing a time-consuming and labor-intensive cycle. 
  • Manual Follow-ups: They had to follow up with vendors repeatedly to ensure questionnaires were completed and submitted, producing redundant back-and-forth communication that introduced delays. 
  • Risk Profiling: Vendor responses had to be entered manually into the legacy system. Using the STRIDE and DREAD models, the team built a risk profile for each vendor: 
    • STRIDE: This threat modeling framework categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. 
    • DREAD: This risk rating model scores each threat on five criteria: Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. Each criterion was scored from 1 to 10, and vendor ratings were derived from these scores. Because DREAD scores are analyst judgments rather than measurements, consistent scoring guidance is needed for ratings to be comparable across assessors and across years. 
  • Cumbersome Reporting: The team then analyzed the data and generated detailed vendor risk reports by hand, a time-consuming and error-prone process. 

Challenge 2: Internal IT Risk Management 

The team performed annual assessments of internal IT applications, evaluating them based on a set of cybersecurity and risk controls. These assessments were conducted both at the individual application level and across the entire enterprise. For each internal application, the team assessed and rated its risk and control measures manually. They then aggregated these evaluations to assess the overall risk and control environment of the enterprise, using approximately 60 different criteria. After completing the assessments, the team manually generated comprehensive reports. 

  • Difficult Data Management: The legacy system’s inefficient data export functionalities and non-user-friendly interface made data management cumbersome. This hindered the team’s ability to generate and analyze reports effectively, consuming valuable time and resources. 
  • Lack of Trending Analysis: Using the legacy system, the team could not compare control and risk ratings over time. This lack of trending analysis made it difficult to gain insights into risk management improvements or emerging threats. 

Solution

The cancer research center implemented IBM OpenPages, facilitated by iTech GRC, an IBM OpenPages certified partner. This comprehensive solution addressed their challenges by providing an integrated and automated risk management platform. 

Streamlined Third Party Risk Management 

  1. Automated Questionnaire Distribution and Follow-ups: IBM OpenPages automates the process of generating and distributing questionnaires to vendors. Initially, requests are generated within the system, and surveys are sent out automatically. Vendors then submit their responses directly into the system where required validations are enforced and requisite notifications are sent upon successful submission. This process eliminates the need for manual follow-ups, significantly reducing the time and effort involved.

  2. Integrated Risk Profiles: Once the responses are collected, IBM OpenPages consolidates the vendor risk profiles, enabling comprehensive and unified reporting. This integration provides a holistic view of vendor risks across the organization, facilitating better decision-making and risk management.

  3. Automated Reporting: The collected data is then used to automate the generation of detailed risk reports. This automation saves considerable time and effort, ensuring accurate and timely reporting. Audit reports can be generated for end users, managers, or their compliance committee and each can include as much detail or data richness as required by the audience.  

Improved Internal IT Risk Management 

  1. Snapshot and Trending Analysis: IBM OpenPages offers snapshot capabilities, allowing the center to capture and compare control and risk ratings over time. During annual assessments, snapshots are taken to enable year-over-year trending analysis. This process provides insights into risk management improvements or emerging threats. For example, they can now take snapshots of GDPR control ratings and compare them annually to identify trends. 

  2. Enhanced Data Management: IBM OpenPages enhances data management and usability with its user-friendly interface and efficient data export functionalities. As assessments are completed, the team can easily generate and analyze reports, freeing up their time for more strategic tasks. This improvement streamlines data handling, making the process more effective and less time-consuming. 
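The following is an added example, not code from the original page, from iTech GRC, or from IBM OpenPages. It shows, in plain Python, the two mechanisms the page describes: building a STRIDE/DREAD vendor risk profile from questionnaire responses (with the range validations enforced at submission time) and comparing two annual snapshots of vendor scores to surface trends. The aggregation rule (a vendor inherits its worst-scored threat), the risk-band thresholds, the trending threshold, and all vendor names and scores are assumptions constructed for illustration.

```python
"""STRIDE/DREAD vendor risk profiling with year-over-year snapshot trending.

Added example; not iTech GRC or IBM OpenPages code. The aggregation rule
(a vendor inherits its worst DREAD-scored threat), the risk bands and the
trending threshold are assumptions made for illustration.
"""
from dataclasses import dataclass
from statistics import mean

STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information Disclosure", "Denial of Service", "Elevation of Privilege",
)
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    """One threat from a vendor questionnaire: a STRIDE category plus DREAD scores (1-10 each)."""
    category: str
    description: str
    scores: dict

    def __post_init__(self):
        # Enforce the kind of validation the page says is applied on submission.
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category!r}")
        if set(self.scores) != set(DREAD):
            raise ValueError(f"DREAD scores must cover exactly {DREAD}")
        for name, value in self.scores.items():
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")

    def dread_score(self) -> float:
        """Classic DREAD: the five criteria averaged to one 1-10 score."""
        return round(mean(self.scores[c] for c in DREAD), 2)


def risk_band(score: float) -> str:
    """Map a 1-10 score to a band (thresholds are an assumption)."""
    if score >= 8.0:
        return "High"
    if score >= 5.0:
        return "Medium"
    return "Low"


def vendor_profile(vendor: str, threats: list) -> dict:
    """Per-vendor profile: worst score per STRIDE category, overall score and band."""
    if not threats:
        raise ValueError("a profile needs at least one assessed threat")
    by_category = {}
    for t in threats:
        by_category[t.category] = max(by_category.get(t.category, 0.0), t.dread_score())
    overall = max(by_category.values())
    return {"vendor": vendor, "by_category": by_category, "score": overall, "band": risk_band(overall)}


def trend(previous: dict, current: dict, threshold: float = 1.0) -> list:
    """Compare two annual snapshots ({vendor: overall score}).

    Flags vendors that are new, dropped, moved across a band, or shifted by at
    least `threshold`; everything else is reported as stable.
    """
    rows = []
    for vendor in sorted(set(previous) | set(current)):
        prev, cur = previous.get(vendor), current.get(vendor)
        if prev is None:
            status = "new"
        elif cur is None:
            status = "dropped"
        else:
            delta = cur - prev
            if risk_band(cur) != risk_band(prev) or abs(delta) >= threshold:
                status = "worse" if delta > 0 else "better"
            else:
                status = "stable"
        rows.append({"vendor": vendor, "previous": prev, "current": cur, "status": status})
    return rows


# Constructed sample data (hypothetical vendors, not real responses).
SAMPLE_THREATS = [
    Threat("Spoofing", "Shared service account used for portal access",
           {"damage": 8, "reproducibility": 6, "exploitability": 7,
            "affected_users": 9, "discoverability": 5}),
    Threat("Information Disclosure", "Fourth-party backup copies stored unencrypted",
           {"damage": 9, "reproducibility": 8, "exploitability": 8,
            "affected_users": 10, "discoverability": 7}),
]
SNAPSHOT_2023 = {"LabSupplyCo": 6.2, "HostedHRApp": 8.4}
SNAPSHOT_2024 = {"LabSupplyCo": 7.8, "HostedHRApp": 8.0, "ImagingSaaS": 4.0}

if __name__ == "__main__":
    print(vendor_profile("HostedHRApp", SAMPLE_THREATS))
    for row in trend(SNAPSHOT_2023, SNAPSHOT_2024):
        print(row)
```

Taking the worst threat rather than the average is a deliberate choice: averaging lets one severe fourth-party exposure disappear behind several benign findings. The trending function reports new and dropped vendors explicitly, since a vendor that silently leaves the snapshot is as much a data-quality signal as one whose score moves.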

Business Outcome

The implementation of IBM OpenPages resulted in significant improvements for the cancer research center: 

  1. Unified Risk Management: By consolidating the functionality of the two legacy systems onto a single platform, the center retired the separate systems. This eliminated data silos, improved operational efficiency, and saved money.

  2. Improved Workflow Efficiency: Automated questionnaire distribution, real-time notifications when vendors respond, and streamlined workflows reduced the manual workload and improved the accuracy of data entry.

  3. Advanced Analytics: The snapshot and trending analysis capabilities provide valuable insight into risk management over time. The center now tracks changes in risk profiles and makes informed decisions based on historical data.

  4. User-Friendly Interface: The enhanced UI and data export features of IBM OpenPages have improved the overall user experience, making it easier for the team to navigate the system and manage data effectively. 


Why partner with us to implement IBM OpenPages solutions?


Our GRC experts implement a bespoke strategy to effectively manage and monitor your third-party risks.


With the help of our efficient methodology and deep knowledge of IRM best practices, we help you get a rapid return on your project and software investment.


Agile, Waterfall, or a combination of both - we discuss your requirements and suggest the best methodology for implementation.


We work with your development team, using a gap analysis, to make real-time adjustments to OpenPages in your development environment.


With instructor-led, eight-hour training courses, we guide your implementation team through the OpenPages configurations.

Need help with a technology solution to meet your GRC objectives?

Learn how IBM OpenPages can be leveraged to manage and mitigate risk, enhance IT governance, and improve compliance. Schedule a call with our experts.