Schoeller Allibert efficiently mitigated supply chain risks, thanks to 3rdRisk
Managing lots of vendors was a tough challenge for Schoeller Allibert until they found 3rdRisk. The onboarding was quick and smooth, and in just a few weeks, they got a clear view of their key third-party relationships and even sent out their first assessment.
Ranadeep Sarkar is Schoeller Allibert’s Information Security Officer (ISO), responsible for IT and OT security globally. He works together with Nick DeFreitas, information security specialist, who is responsible for managing all vendor due diligence activities and 3rd party risk assessments. They explain the challenges they face, how 3rdRisk helps them resolve these challenges, and why they chose 3rdRisk.
Limited control over third-party risks
"Schoeller Allibert began its information security journey in 2019, focusing on creating robust protection mechanisms. This involved not only securing the 'front doors' but also enabling comprehensive information security practices.
Despite our proactive measures, we faced challenges in managing third-party relationships. The 2019/2020 supply chain attack involving SolarWinds serves as a significant example. We were one of the affected customers using SolarWinds, and while we were able to respond effectively by patching the system quickly, the incident underscored our vulnerabilities. When the zero-day exploits for Microsoft Exchange were uncovered in 2021, it became evident that supply chain risks should be elevated to the top 10 risks for every CISO.
Although it wasn’t a struggle to manage the risks posed by the major vendors like Microsoft and SolarWinds, the smaller vendors that were 3rd and in many cases 4th party entities remained a potential risk for us.
The complexity of our relationships with multiple vendors raised an important question: How can we establish genuine control over these associations, particularly when engaging with unfamiliar entities? The assurance of secure collaboration with such vendors remains a primary focal point for our organization, a point emphasized in the annual audit from our external auditor.
The challenge we faced was a lack of capacity to implement a third-party risk management policy. While downloading a policy might be a straightforward task, its implementation is an entirely different and much more complex endeavour within a global company like Schoeller Allibert. For the number of vendors we had, it would have required the full-time commitment of multiple employees to manage effectively.
With limited manpower, allocating existing team members to this task was not a feasible option. This constraint emphasized the importance of finding a solution that could help us navigate this complex landscape without overtaxing our resources. We immediately recognized the need for a tool that could assist us in this process.
Comprehensive tool packed with best practices
To address the challenge, we set the selection process and criteria using the principles that would satisfy all requirements of ISO 27001 to remediate the third-party risk management findings and help us with a clear view on the supplier risk management.
The 3rdRisk platform emerged as an essential asset in this context. 3rdRisk offered a comprehensive tool that had all the essential elements of such a platform. The tool blended quite well with our supplier risk management process. The built-in questionnaires are set up with a lot of experience and were appropriate to use without altering them too much. We would never have been able to do these activities, let alone with so little effort on our part.
Automated process minimising the workload
The onboarding process unfolded with remarkable efficiency and speed. Within a matter of weeks, we gained oversight of our most critical third-party relationships and were able to send out the first assessment. The platform's capability to track adverse news further helped us to gain control over emerging third-party related threats which we otherwise would have missed.
Nick and I are looking ahead to an efficient year, expecting to perform due diligence activities for over 50 vendors. Thanks to 3rdRisk, this substantial task will only require a few hours of our time each week, allowing us to maintain this high level of oversight with minimal investment of resources. The 3rdRisk platform automates third party risk management in such a way that it minimises our workload while maximising results. The tool is exceptionally user-friendly, easy to understand and its implementation is straightforward. It is designed to provide the best possible outcome with the least amount of effort."
The impact 3rdRisk made
3rdRisk provides a clear overview of all third-party relationships, issues and risks.
Thanks to 3rdRisk's automation, Schoeller Allibert has enhanced efficiency, achieving more with less effort.
The platform is completely tailored to the corporate identity of Schoeller Allibert, improving response rates.
Supplier engagement improved significantly thanks to the supplier supporting features of 3rdRisk.