This customer is a global, vertically integrated eyewear retailer formed in 2018 from the merger of two other large companies. The combined company has more than 190,000 employees globally, owns 200 e-commerce platforms and more than 18,000 corporate retail stores, and works with a network of more than 300,000 third-party retailers. They have operations in 150 countries around the world, with business units covering the Americas, Asia Pacific, Europe, the Middle East, and Africa.
The Challenge
The retailer’s Americas business unit had built a manual third-party risk management (TPRM) program using Smartsheet™ to send out questionnaires to their vendors and track responses. According to the senior director of information security for the Americas region, this included vendors in Canada, the United States, Mexico, and Central and South America.
The manual TPRM process was working well enough for them prior to the 2018 merger, according to the company’s senior director of information security. However, when the merger happened, the newly formed organization quickly ran into problems with their third-party risk management processes.
“Our original companies were two very large organizations, so it was a struggle to understand who their vendors were and merge those two lists. Even to the point of understanding who the two companies were working with. We had potentially thousands of vendors we were working with. We just didn’t have good coverage of all those third parties,” the senior director said.
The program included custom questionnaires that the integrated retailer developed in-house. These worked well enough at the time, but the need to merge two giant companies into a unified program meant that the senior director and his team needed to adapt fast.
On top of that, the company was not remediating risks as effectively as they should have been. There simply wasn’t enough bandwidth for them to fully remediate the risks that they discovered through the questionnaire responses.
The Solution
The integrated eyewear retailer used Mitratech’s Third-Party Risk Management Platform to bring their program into focus. By using Mitratech, the retailer was able to cover more of their vendors with risk assessments, continuously monitor the entire Americas region for risk events, and remediate risks more consistently.
“The response and the support we got from Mitratech was just so much better than everyone else. We felt better with the interactions. Mitratech provided training when we did a proof of concept, and we’d get responses to questions very quickly,” the senior director said.
Switching to Mitratech also empowered the retailer’s team with an expanded library of surveys to assess a broader range of risks. The in-house survey developed over many years did not go into the same level of depth that Mitratech’s surveys did. This included assessing vendors based on standardized industry and regulatory frameworks.
“We did not have specific surveys according to certain frameworks like NIST, ISO, Privacy, or HIPAA. We came into it not even thinking about using those surveys, and now they’ve become a big part of our third-party risk management program,” the senior director said.
The company also outsourced their risk remediation tasks to the Mitratech Risk Operations Center (ROC). This managed service has saved the company a lot of time operationally, ensuring that the senior director and his team can focus on more strategic value-added tasks for managing and mitigating their vendor risk.
ROI Savings & Benefits
The senior director said the improvement in reporting was huge. This empowered him to more clearly communicate about the TPRM program with his managers and showcase the value they provide to the organization.
“The amount of time the team has saved by using Mitratech is just massive. It’s enabled us to focus on so many other things, and the team now doesn’t have to worry about going out and getting assessments back,” the senior director said.
The company is also considering replacing some legacy risk data providers with Mitratech sources. By tapping into the monitoring data offered by Mitratech’s unified solution, the organization can save money and score their risks more efficiently.
The senior director praised the Mitratech Risk Operations Center, noting that they’re able to remediate risks more efficiently now that they’ve outsourced the process. He also appreciates that the ROC can assign tasks related to remediation to his team in-platform, saving time for the retailer’s TPRM team.
The retailer has been so pleased with Mitratech in the Americas that they’re planning to deploy the solution in the rest of the company’s global regions. The senior director praised the account team at Mitratech for their involvement in the retailer’s TPRM success.
“I felt like we were really handheld for the first few months. We really needed that support. Now we meet with our account manager every two weeks. They have just been amazing and a real partner,” the senior director said.