For more than 39 years, AutoZone has been committed to providing the best parts, prices, and customer service in the automotive aftermarket industry. Their rich culture and history of Going the Extra Mile for their customers and community now includes “driving” third-party risk management (TPRM) operations with OneTrust Vendorpedia.
As a Fortune 500 business, AutoZone has 100,000+ employees across 6,625 locations and more than 38,000 third-party vendors (2,500 of which carry technical and/or data privacy risk). As a publicly traded company that relies on third-party vendors, AutoZone must keep detailed records of compliance with PCI DSS, GDPR, CCPA, LGPD and more. Stakeholders expect that AutoZone and its third-party vendors will use customer and employee data responsibly and in alignment with these global regulations. OneTrust Vendorpedia is essential to meeting these expectations.
Third parties are integral to almost any business, but some vendors are more complex or essential for business continuity than others. AutoZone’s Third-Party Risk Manager, Ryan Walker, sat down for a OneTrust Champions webinar fireside chat with Nik Fuller, OneTrust Analyst, to discuss approaches to TPRM and more.
“When it comes to third-party vendors and data, we take a ‘share with care’ approach,” said Walker. “We take a standardized method to third-party risk management and involve all relevant stakeholders in the assessment process when determining which vendors we work with. Each prospective vendor goes through a series of gap analyses for global regulations and frameworks, while also cross-referencing their risk against business criticality. A high-risk vendor, like a customer relationship management vendor, will face more scrutiny on the data they hold and transfer, as opposed to a low-risk office supplies vendor. The ability to assess all types of vendors while conducting the proper due diligence is key to managing risk while efficiently providing tools and goods to customers and employees.”
That said, Walker does not believe check-the-box compliance is the best way to conduct a mature third-party risk management program.
“Spreadsheets and check-the-box compliance won’t cut it,” added Walker. “For example, if you’re in retail and you have consumer-driven obligations to fulfill, you’re going to reach a point where data mapping is required for regulatory compliance. As a result, you’re going to need the technology to create and maintain evergreen data inventories. To boot, if you have a small number of team members, you’re going to need to rely on automation, which is driven by the technology. So, once a smaller organization gets started managing third-party risk, I recommend implementing a technology for productivity. Once a business has the technology, their maturity model will go up exponentially.”