Description
The old adage goes: you can lead a horse to water, but you can't make it drink. When it comes to working with suppliers on remediating risks, the same is true: you can recommend remediations, but you can't tell them how to do it. How can you be more proactive with suppliers and simplify the process for everyone involved?
In this webinar, Jeff Kramer, Third-Party Cyber Risk Management at Ford Motor Company, shares best practices for building and sustaining good supplier relationships.
Join Jeff as he:
- Reviews examples of how a lack of automation can stymie remediation efforts
- Explains a simplified Green-Yellow-Red model for risk scoring
- Diagrams a process for working with suppliers regularly to remediate risks
- Describes an escalation path when a supplier isn’t showing evidence that they are working toward a remediation
- Examines technologies for automating communications with suppliers
Watch this webinar and learn strategies for becoming more proactive with your supplier risk remediations.
Speakers
Jeff Kramer
Third-Party Cyber Risk Management at Ford Motor Company
Mike Yaffy
Chief Marketing Officer
Transcript
Melissa: My name is Melissa. I work here at Prevalent in Business Development. And we are joined today by a very special guest, or guests: Jeff Kramer from Ford Motor Company. I'm sure you've heard of it. He is the head of third-party cyber risk management. Welcome, Jeff. And we also have Mike Yaffy joining us; he is our chief marketing officer here. Hello, Mike.
Mike: Oh, hey.
Melissa: I'll figure that one out soon. And then, last but not least, one of my favorite people here on this call, specifically Scott Lang. He's with us today. Scott is our VP of product marketing, and he will dive into a little bit about how Prevalent might be able to help you. So, a little bit of housekeeping. This webinar is being recorded. You will get the slideshow afterwards, so don't worry, you don't have to take notes or anything. And you're all muted, so if you have any questions, just throw them in the Q&A and we'll try to chip away at those as we see fit. And without further ado, I will pass things over to Jeff. Go ahead.
Jeff: All right. Thank you very much, Melissa. I appreciate it, and I appreciate the opportunity to speak to what is an increasingly larger crowd here. I've been with Ford now for 34 years and have been doing third-party risk management at Ford for the past four years or so. It's quite a growing field and quite important, so I'm glad to share some of what we're doing here at Ford, and I look forward to some of the questions. Melissa, if you could change to the next slide. I always like to come up with some introductory material. Again, my name is Jeff Kramer. I work for the Ford Motor Company. I graduated with a couple of degrees in computer science: from Central Michigan University in 1984, and from Wayne State University in Detroit with a master's in computer science in 1991. I live in the Detroit area, suburban Detroit. Some things about me: I've been married for 38 years now and have three adult children. And I will say that throughout most of my life I've been annoyed by people that provide pictures of their grandchildren all the time. That stopped when I actually became a grandfather. So,
Melissa: So, you’re that guy now, right? You’re that guy.
Jeff: I am exactly that guy now. So I have two adorable granddaughters. You see their picture there. The one-year-old, that's about as close as we can get to getting her to sit still for a picture, and her five-year-old sister is a little bit annoyed by that. I thought that was a pretty nice picture from our Fourth of July gathering. A little more about myself: I'm a sports enthusiast, which, living in the Detroit area for the last 10 years or so, has been challenging. But we do have some opportunity here that we've never had before. Our NFL team has never been to the Super Bowl, ever. It's been around for 60 years and we've never been there, not even really close. But they're getting better, and this is going to be the year. You've heard it here first, if that happens. And then hell might freeze over at that point, too. But we'll see. As far as professional experience, coming out of college I spent four years at the National Security Agency in Fort Meade, Maryland. I got a lot of really good experience there, but we wanted to come back to southeastern Michigan and start a family. So I ended up getting a job as an agency employee at Ford Motor Company doing a little bit of programming for the transmission division, and about a year later they hired me in. So I started at Ford in 1989. I've been doing several different roles over the years, from setting up token ring networks to setting up our first IBM PS/2 Model 80s, working with Windows 3.1, all those really old types of things, all the way through. I did a lot of PC support and a lot of Unix support. And then sometime in the late 90s I started working with Oracle databases, and I led a team of Oracle database administrators, and part of that was making sure that everything was secure with our databases.
So I got a lot of exposure to what's needed to make sure that what your infrastructure is doing is secure. About five, no, more than eight years ago now, I decided that I was getting tired of doing 24x7 support and being on call. I wasn't always on call, but being the supervisor, you're the first person the on-call person calls. So I was getting a little bit tired of that, and I ended up moving into cyber security, out of an operations role. I did some work with some of our plants for their cyber security needs. But then, about four years ago, we had an issue with one of our suppliers at our plants where we build the F-150s. Now, if you know anything about Ford, you'll know that the F-150 is our money maker. When that line shuts down, it gets the attention of a lot of people. And we had a line shut down for a couple of shifts because of a ransomware attack on one of our suppliers directly. So one of the things they wanted to do, they came to our CISO and said we need to incorporate cyber risk into our supplier risk management processes. Our purchasing organization, our supply chain organization, does a really good job of addressing supplier risk and has always done that for things like financial sustainability, are they mining materials correctly, all these types of things, but cyber risk was never part of it. So our management tasked me to start leading the team to provide some of that risk information to our suppliers. So that's why we are where we are today. I have a team of seven people, and we go out and we do assessments.
A lot of them are on the line today giving me great support. I just wanted to talk a little bit about what it is we do, how we prioritize our suppliers, what level of assessments we send out, how we deal with suppliers that we see as problematic, and some questions that we had about some of our challenges, and some of these other things that we wanted to share with you today. So, Melissa, if you can go to the next slide. What we decided we wanted to do is send some assessments out to our suppliers. But one of the things about Ford is that, and this number fluctuates on a daily basis, we have roughly 14,000 suppliers. It's a very daunting task to go out and assess all of them, and in fact we've never done that. What we've done is we've prioritized, and we continue to prioritize, which suppliers we send assessments to, and that's based upon some of the risks. Some of the things that we look at: we have purchasing applications that provide some indication of the types of services that each of the purchase orders that go out provide. We're able to take a look at that, and we make some determinations based upon this code, which we call a commodity code, as to what services are provided, and we identify some of the ones that we're most interested in. Some of the ones that we're most interested in are engineering suppliers, the suppliers that do transportation for us, some of our marketing suppliers (we spend a lot of money on marketing), and companies that do consulting. So those are some of the suppliers that we do put up on a higher level, along with suppliers that manage Ford's data and IT services for us. One such example of that would be Prevalent.
It's a SaaS offering, and they manage this data that is Ford's data. They do that for us. So we have many suppliers that do that. Prevalent doesn't hold a lot of, or any of, our secret information, but we do have suppliers that do, for example health care, employee benefits, some that have some customer data, some personalized information. So those are also suppliers that we do prioritize. And then I mentioned that there were suppliers that, if they shut down their operations, would have a negative impact upon Ford's operations and our production. If we don't have transmissions or wiring or seats to put inside of vehicles, that's a problem. A lot of our plants have very distinct plans for sequencing: as the cars go by, they're building for an order, so it has to have this kind of seat that's going into the vehicle, this kind of engine, or anything, and if it's not there it shuts down the plant. So, with the help of our supply chain organization, we've identified those particular suppliers. The assessment that we chose is an industry standard called the SIG Lite. And I'm just going to check to make sure that I'm still being heard.
Melissa: Yep, we hear you live, loud and clear, Jeff. Just had a little snafu with the slide there. We're getting it back online.
Jeff: Okay. Yeah, no problem. I didn't know, I have had issues at times with my own internet provider. I am in my home today. So I'll just keep going and I think Melissa will catch up. And I think it's back a couple, or back one. Yes. So the assessment that we chose is the SIG Lite, what we consider to be an industry standard assessment. Even over the years when we first started, I think the full SIG Lite had over 250 to 300 questions, depending on what you're answering. And over the years, now we're in 2023, they've really condensed that and made it a little less cumbersome, but it still provides the information that we need in order to provide the risk information to our purchasing partners. But what we found was that some of the questions didn't even pertain to some of our suppliers. For instance, there were a lot of questions within the SIG Lite that ask how you handle scoped data, scoped data being the data that Ford is providing to you for you to manage. A lot of our production suppliers that provide us with those seats and those wiring harnesses don't manage our scoped data, and they don't even know what scoped data is. So they were answering some questions that we determined weren't really appropriate to even ask them. It doesn't provide any more information. It just causes churn and confusion in the whole system. So what we decided to do was to come up with four levels of the SIG Lite. If it's one of the suppliers that provide IT services, they get the full SIG Lite. For the production suppliers that do have the potential to shut down Ford operations,
they get really the full SIG Lite also, but all the questions about scoped data are taken out because they don't really pertain to them. And then we have a couple of other levels. The third level basically is a little bit less detail, it doesn't go as far into the SIG Lite, and it really is almost like a catch-all on that third level. We have a minimum level also, and that really is just: does this supplier provide just the rudimentary things that we would expect any company to do? We don't really use that, because we're prioritizing our riskiest suppliers. We only use it now with some of our pre-sourcing processes, where if a buyer would like to see some of this information, we'll send them the 20-question minimum and they'll get that information.
Mike: Hey, Jeff, can I interject around profile and tiering? I feel like a lot of the folks that we talk to that have either done something and failed, or they're doing spreadsheets, that seems to be the biggest challenge, right? And I'd just love your opinion on this. Nobody's saying when you do third party you do the whole universe at once, right? You have to understand who's most important, and you're asking people different sets of questions, and the frequency, the type, and how you go after somebody who provides something to, you know, the F-150 versus something that's marginally impactful to your org is very different, right? And most people start with just trying to figure out how to do this effectively within a certain tier before expanding globally. I just, you know, how important was tiering to you?
Jeff: Well, very important. And as it went on, we realized how much more important it was, right? So originally we were just sending out the same full assessment to everyone. And again, the questions just did not pertain to everyone. So we tried to make sure that it pertains to everyone. But how we set that up, it's still challenging, I'll say that, Mike. I mean, with regard to the number of suppliers that we have, we're getting a lot of information from a lot of disparate systems, and it's not really all tied together. There's a lot of activity around doing that. We're not there yet. And I know in talking to some of our colleagues, that's a fairly common issue amongst companies of our size for sure, but even smaller companies have a lot of the same issues. We're trying. Not there yet, but it'll be there someday.
Mike: And that's okay. I mean, that's the way it is, right? Got to put a
Jeff: The term I continue to use with this is muscle memory, right? It's not necessarily a built-in capability within an organization. You're not only teaching yourself and your team, but you're teaching the organization how to consume and deal with it as it goes. Sorry, didn't mean to, but by all means, if there are questions, even if you see them in the chat, if it's particularly important to something I'm talking about, please feel free to jump in. Gives me a chance to
Mike: take a little water break, catch your breath, gather your thoughts a little.
Jeff: I also did want to ask Melissa why you and I were neither of her favorite people, but we can save that for another time.
Melissa: I will address that at the end of this.
Jeff: Okay.
Mike: Well, I just met Melissa, so I'm hoping I'm getting up there.
Jeff: So, just the last thing on here. We have expectations of our suppliers for sure. One is that when we send them this assessment, they complete it, and they complete it truthfully, right? Quite honestly, this is a self-assessment, given the number of people that we have and the number of suppliers that we have. We can't go out and review evidence. If someone says they have a business continuity plan, we can't review all of those. So this is a self-assessment, and what we expect is that the supplier will complete it with integrity. Certainly, within our terms and conditions we do have a clause that says that you will complete the various assessments on a regular basis. And essentially we give them a month to complete it. Certainly, if people need more time, we do that. And then they'll get some reviews. I think I just saw a little snippet at the bottom from the chat asking about certifications, and I'll just mention here that it doesn't make a lot of sense for us to send an assessment out to a team and then they come back and say, well, we have this ISO 27001 certification, we went through the time and effort and money to do this, why are you sending us this assessment? Why should we complete this assessment? And essentially we say, well, that's a good point. There's really no reason. If someone independent has reviewed your cyber security posture, we will take that in lieu of your completing this assessment. It saves us time and it saves them time for sure.
And, as we mentioned, it's reviewed. We do accept SOC 2 Type 2 reports, and potentially there could be exceptions within that report, and we do review that for exceptions and manually create risks within the system and ask them to address those. Okay. Next slide please, Melissa. So when the assessments are sent out, within a set period of time they get completed by the supplier and they get submitted. It goes to the Prevalent risk operations center first, and they review it fairly quickly for completion. We ask for things like, whether or not any of the replies that come back is "not applicable," that there are comments around it to tell us why it's not applicable. That's something that we ask for. So they do a quick search through the assessment as it's submitted. If there are concerns, they'll pop it back to the supplier. If not, they put it in the queue for my team to take a look at and review. And what we do is a few things. First of all, if there are comments or notes within some of the answers (and I will say that, in the SIG Lite, if you're not familiar, and it's probably true with everyone, basically we're asking yes/no, right, yes/no/not applicable), generally one of the yes/no answers is a risk response, and when that risk response is completed it generates a risk record. And sometimes suppliers will put in notes that say, "Okay, here's a compensating control. We don't have this, but we do have a compensating control for this." And they designate that. And then we review those, and if it's suitable, we'll mark that risk as remediated. But generally there's not a lot of that.
It mostly comes back as yes/no. And within the SIG Lite, what we found was a couple of different types of questions, and these are kind of our own terms, so it may not make a lot of sense. One is an informational question, and essentially that is: does a situation exist where a risk may occur? So things like, do you use Unix servers at all within your data center? Or if you have some kind of a DMZ where there's data shared externally, does a DMZ exist, and things like that. If they answer yes, a risk record gets generated. But there may be policies, procedures, standards in place that would mitigate that risk, and that's what we're calling here the policy questions. Those are just exactly what I mentioned. Do you have this policy in place? Do you have this procedure? Do you have a standard or some process that would help mitigate the potential risks, as I was just saying? I mean, these are things like, do you do access reviews? Do you have physical security in your facility so that visitors have to sign in, or are the doors just wide open? So in a lot of cases, these informational questions that generate risks will get mitigated based upon the policy questions that are associated with them, and we review that on a yearly basis: okay, these informational questions would generate a risk. What do we think would be the compensating controls that would help mitigate that risk?
Mike: Hey Jeff, you know, I've worked in information security. I'm a marketing guy, so that means I don't really know what I'm talking about, but enough to be kind of dangerous. But look, I go all the way back to penetration testing and creating kind of exploit toolkits so people wouldn't spend 40 hours writing Python code and then they could actually run it. You know, the reviews and the collecting, I think, is where a lot of people get stuck with third-party risk, right? It seems daunting because of the manual labor. Look, I completely advocate the hybrid approach, or some type of thing where you and your team are reviewing results. Sorry, and I could be off, but I just think it's a waste of time for you guys to be out there trying to get people to say, can you please answer question 38? And, you know, you guys are too smart for that. I mean, how do you integrate that type of thing? What's your vibe, where do you come down on that?
Jeff: Well, as far as answering individual questions or getting the assessments done, we do rely on Prevalent to do that with a lot of their automation. For example, if there are two weeks left, we send them an email. If there's a week left before the due date, or if the due date is the next day, or if you haven't started within a couple of weeks, an email gets sent out to the contact. So we don't do a lot of that, but we do rely on our purchasing partners that have people who actually own the relationship with these suppliers, and they do have some say in how these, well, they have a lot of say, but they do a lot of the cajoling also to get some of these things done. So we try not to get too involved in that, because that doesn't really leverage the strength of our team, and we make sure that we're doing things like reviewing the assessments as they come in. And then also I'll talk a little bit about how we engage with the suppliers if we deem them to be problematic. But did that answer your question, Mike?
Mike: Yeah, it did. Look, I have a big thing that however you get there, it doesn't matter. Quite honestly, it's sausage making. Your guys have bigger problems to fry than, you know, getting people to answer questions. You guys should be reviewing results and making risk-based decisions, and deciding who to fix and what to tell people to do so the business stays on track, not spending a ridiculous amount of time with silly tasks, quite frankly.
Jeff: Yeah. No, I understand. I'll go quickly through this. There's a risk level determined by the number of total risk records and the number of critical risks. And again, we do some adjusting with regard to what's a critical risk and what isn't, based upon some feedback that we get from our purchasing partners or any of our colleagues within cyber security, or just our own experience. So we do that, and then the number of risks determines whether it's a red, yellow or green status. And if it's a red status, then we do some engagement with the supplier, and I think that's the next slide, Melissa.
Melissa: Before we do hop to that next one, two questions came in that were asking the same thing. People are curious: how large of a team do you have working on third-party risk management?
Mike: So, actually, I saw those. Jeff, can you give kind of a view of what people's responsibilities are? Because my guess is you're kind of at the top end, right, of having support in terms of manpower. So kind of identifying what each person or group does would be awesome, without obviously getting too deep.
Jeff: Yeah. And quite honestly, all of our team does a lot of these types of reviews for sure. But there are a lot of different types of activities where I've given sub-teams or individuals the responsibility of coming up with different solutions. I mean, every year the SIG Lite changes, and we have people looking at that. We have people looking at the process that we use, and how we can make it more efficient. Just the process of even identifying contacts: we have people within purchasing and systems that identify who our contacts are at the suppliers, but we have to take a look and just ensure that we're sending to the right people. And then when we do a campaign, we have quite a few people that are involved in going through that. Overall, my team is seven people besides myself. And you're right, I'm up there. I try not to screw things up by doing any of the actual work, but they do a great job, and we meet often on some of these subtasks. So, does that work for you, Mike?
Mike: Yes, sir.
Jeff: All right. And I think I answered the questions from Melissa, from the participants. So yeah. Okay. Red status meeting. So if we determine someone's a red status supplier, what we do is we ask purchasing to create a meeting, and a lot of times we have the purchasing liaison in that meeting. There are times where we have the buyer from within purchasing who works the most with, and owns the relationship with, that supplier. And then from the supplier end, we ask for the people that completed the assessment and anyone else that's appropriate. During the initial meeting we review the risks, focusing mostly on the critical risks, and we're asking them to make a commitment to completing this, and to go back and come up with some kind of a timeline as to when they may remediate these risks. We know that for a lot of the suppliers it's not an easy task. It's not something that can be done in a month, in two months, and sometimes six months. But what we ask for is progress to continue to be made, and we ask for communication to go back and forth from within the Prevalent platform. It does a real good job of facilitating that communication from within the platform, and then we capture our communication and we have it available for anyone who needs to take a look at it. So that's our main method of communication between us and the suppliers. And then after that meeting we do have a follow-up meeting where we're asking them to put into the comments what their timeline is for the remediation, and we review those at that follow-up meeting and really answer any questions as they dig deeper into what they need to do.
If they have any questions, we answer those during that follow-up meeting. But we try to stay engaged throughout until this remediation happens and the supplier moves out of red status and they clear out their critical risks. And we do that by, again, dumping comments within the risk records, kind of on a monthly basis afterwards, to see what they've been doing. If they want to have another meeting, we'll do that too. But generally after the first couple of meetings we handle it through email and, mostly, through the platform. We've had some fairly good success in doing this, and in a lot of ways I see that as where we add as much value as anything else. We've had over 100 suppliers, we met with over 250 of our suppliers over the last year or so, and we've had about 120 of them that moved from a red status into something more compliant. Like I said, I think that's where we add value. We know that it's a small subset of our suppliers for sure, but it is raising the level for everyone, in my opinion.
Mike: Hey Jeff, we've gotten three questions, and I think we're going to get to our kind of Q&A segment where I ask you questions, but we're happy to take audience questions too. The first one deals with the tiering, a little bit from what we talked about. I'll just read it. Many procurement teams use a tiering approach, right, to segment the company's vendors. How do you tackle the issue where business stakeholders feel that the lower-tier vendors are not as critical from a cyber perspective as a higher tier? My guess is, you know, they don't want their folks in a top-tier vendor where they're getting overly scrutinized.
Jeff: Yeah. Well, there are classic examples sometimes that you try to cite, like HVAC companies that had some issues where hackers got into, yeah, I'll say that's the Target thing. So that certainly is kind of the main example that we use. But again, it's just explaining that the threats are everywhere. The threats are against everyone. It's not always about the hackers coming in through a supplier. A lot of times they don't even have a connection. But we need to make sure that that's the case. One of the questions that we've augmented, that we've added to the SIG Lite, one addendum we made to a question was: do you have a disaster recovery plan, and does it involve coming to our CSIRT, our incident response team, with an email? Do you have that in your plan? And that's just a way that we know that our interests are there for that. So we need to check that for all suppliers. And then there are other suppliers that would have a negative impact on our business or our manufacturing facilities, and a lot of times you just don't know where the threats are coming from and what the impact might be. So
Mike: Yeah.
Mike: Let's see, we got a question from Janet and an anonymous attendee. It deals with the same one: how do you capture evidence of risk mitigation, and, I'll take this one a step further, how are you able to enforce mitigation? I always find that TPRM programs are challenged because you can identify something, but if you can't enforce the fix, right, it sometimes can lack teeth. So how do you capture it is the first question, and then how do you enforce remediative activities?
Jeff: So, I mean, those are great questions, for sure. And I wish I had a really great answer for that, and the answer is we don't capture it. I think I mentioned that the SIG Lite is a self-assessment, and with the volume of suppliers that we have, we just can't do that. So what happens at Ford, and I'm not saying that we just say hey, whatever the supplier does, but from a service level: if a supplier provides Ford with an IT service, the business owner has a separate assessment, well, I guess it is an assessment, that needs to be done from that service level. And that's where they capture evidence that these things are done. It's up to the business owner at that point for that particular service. From our standpoint, we just don't have the resources to do this, and at this point we don't have the mandate to do that. Was there a second part to that question also?
Mike: No, you answered both. We got
Jeff: Okay.
Mike: Follow-up, to add to my procurement question: often procurement teams assign tiering based on cost; however, even suppliers who cost a little can have major cyber issues or major impacts. I completely agree with that, but Jeff, wouldn't that be something where you would have to just put forth a criterion that's somewhat binary? If you create anything relating to the F-150, you're a tier one. Full stop. Like, you know, because if we can't build the F-150... and I believe there was a German manufacturer over COVID that couldn't get a part and had to shut down. So,
Jeff: Right. Right.
Mike: I mean, that feels like what it would be, but I'm not the expert.
Jeff: Well, there are certain criteria that we use to evaluate the priority. Cost is one of them, but that's certainly not the only one and certainly not the major one. But we do have, you know, we get from purchasing a list of the F-150 suppliers; those get to the top of the line. Any other, like, sequencing suppliers that require the inventory there to make that part, those get prioritized. How much we spend with them, that's one of them. I'd say that's probably down the line though.
Mike: Yeah. Cost isn't the thing. It's impact to the business, right?
Jeff: Yep. Exactly. Yeah.
Mike: So how do you deal with a business owner who wishes to accept the risk rather than drive the supplier to remediate? I don't know if you have any say over that, but.
Jeff: No, we don't. Like I mentioned, we're feeding information to the supplier risk management team. They have their risk acceptance policies and processes, and we don't really have a part of that, but that does happen for sure. I mean, business priorities a lot of times are paramount.
Mike: Interesting. You know, we're seeing this more, and I'm starting to see, I'm just out there talking to customers and folks, that there do seem to be the fabrication of more kind of purchasing centers where you're seeing somebody from procurement, somebody from legal, somebody from risk, somebody from security. As they onboard vendors, they're starting to think about this more cohesively as opposed to, you know, I ran a Dun & Bradstreet, we ran that site, right? Oh, you've got this done, right?
Jeff: Yeah.
Mike: Versus, you know, do we need business-level risks? Do we need a whole bunch of other things that, right, could impact this? So I'm turning this into a little bit of a larger question from Joel, but does the legal department have a role in your third-party risk management? And that can be yes or no and explain it, but who else gets a seat at the table, right? Or as the program has been fabricated and continues to evolve, what would your ideal configuration be for that matter?
Jeff: So, I mean, we do have some governance boards that we report up to through some of our management, and the people that, you know, you say are really at the table: there's our OGC, certainly. You know, there are contracts with these teams and we need to make sure that we're not overstepping what their obligations are. And there's purchasing supplier risk management. There's just general purchasing, our operations team, our IT team that supports purchasing, our CISO, and really those are the teams that are involved in the decision-making on what we do going forward.
Mike: Got it. Somebody asked... so one of the things that we see here, when we, you know, I know you're all in our database, right, and we send you out a lot of emails, the compliance stuff drives a disproportionate level of interest: NIST, ISO, so, you know, that type of stuff. So how have the regulators received your approach and process? Like, is there anything that you think maybe, if you had it to do over, you could do? Has it been a pretty smooth transition? Just curious.
Jeff: So I know that, if we were to do it over again, I think I would probably have a better communication plan, both internally and externally. Well, because, I mean, there are times where we're relying a lot of times on our purchasing management, right, so it's kind of the trickle-down for this is what's going to happen, we're sending out these assessments, and a lot of times it doesn't trickle down. So you'll get a supplier, rightly so, coming back and going to their buyer and saying, hey, this looks like phishing. It comes from a Ford, you know, because we had an email relay where it comes from a ford.com. But boy, this looks like phishing. I've done my training and I need to make sure that this is right, which is appropriate. But then our buyers in cases don't know, right? They don't know we're doing this, and it's a global company and there's different, you know... So I would probably have done the communication plan better, both internally and, well, mostly internally, for what we're trying to do. So,
Mike: Just a question.
Jeff: Yeah, it did. And, you know, we always ask, one of my favorite questions: if you're king for a day, or if you could go back in time and, you know, give yourself that advice. I did just watch the Flat. So, you know,
Jeff: So besides giving myself a promotion with that.
Mike: Yeah, there you go.
Jeff: Okay.
Mike: There you go. Or maybe not have Barry Sanders retire too early. But that's a different conversation for a different day.
Jeff: That’s a different conversation.
Mike: You guys are going to be good this year, but that's beside the point. Hey, Melissa, we've been firing questions at Jeff for a pretty extended period of time. I know we had more, but I wanted to give Scott an opportunity to just fill everybody in on Prevalent for just two minutes, ask the last poll question, and let everybody maybe get a drink, refresh, before we get to the bottom of the hour. So would it be okay to pause here for a minute and take the next steps? I just, you know, look, Jeff, maybe we'll just do a Q&A. You know, I know this took a while. We got a lot, but, you know, we have never had so many active questions throughout, so there's clearly a demand to hear what you had to say. So maybe we just have a Q&A with you sometime. And careful, we had a hundred and something people on, so your email might be getting blown up soon, but.
Jeff: Okay. Not surprising, you know.
Melissa: Yeah, and not unusual, so no worries.
Scott: Awesome. Yeah, great. Thanks, Mike. And thanks, Jeff. I'm just going to take a couple of minutes to talk about Prevalent's approach to addressing the third-party risk management challenge. And then once I've walked through a little bit of our approach, we'll pass it back over to Jeff, and I imagine there'll be some more questions to answer. So, Melissa, if you could move to the next slide, please. Ultimately, what we're trying to help organizations accomplish is to address three primary goals. The first of those is to get the data you need to make better insights. You know, maybe you've got it in silos. Maybe different departments are managing the vendor relationship. Maybe your procurement team owns the relationship, but it's IT security or risk management that executes the actual assessments, right? Bringing that information together into one place helps you make good, informed decisions on risk scoring, risk posture, remediation and next steps with vendors. Item number one. Item number two, which kind of relates to number one, is increasing team efficiency and breaking down silos. As I mentioned, procurement might own a vendor relationship, IT might execute on the assessment, finance might be involved, you've got the external auditors to deal with, and everybody has a little piece of the puzzle that they're playing with here. So pulling everything together into a single platform that enables you to action risk and execute on reporting efficiently is one of the ultimate goals here. And then third, and the big one frankly, is evolving and scaling your program over time.
Whether you're adding suppliers, making an acquisition, doing a divestiture, you know, reducing suppliers, going through a rationalization process, whatever, you have to have a nimble and agile program that kind of flexes with business requirements. And that's what a TPRM platform like Prevalent can really help you accomplish. Next slide, please. So our approach is, and you can build it out a little bit more, Melissa, till you see the little blue bars at the bottom. There you go. What we really talk about, and what we see in the market, is that there are distinct risks at every stage of your third-party vendor and supplier relationship. You see risk during sourcing and selection: these guys have kind of an early SOC 2 report or some spotty financial issues, maybe a poor credit rating, or maybe they've got some sanctions or reputational problems you have to address. That's a very different type of risk to look at and manage, and frankly sometimes a different department takes a look at that risk, than at the top of that graphic right there in the assess and remediate function, where you're doing a much deeper dive on particular due diligence topics, you know, security policies, ESG program, data privacy and protection policies, financial compliance and more.
Every one of these stages around this life cycle presents its own unique challenges, mostly related to a lack of insight, not having stuff kind of pulled together, having a very manual approach. And then the solutions are also unique to every one of these wedges in this life cycle as well: from being much more prescriptive about getting intelligence into your RFx processes, to onboarding and contracting and building in the right right-to-audit clauses, automating your assessment processes, enabling continuous monitoring of data so that you've got feeds of information coming into your environment continuously in between your regular assessments or your triggered assessments, monitoring the SLAs and the KPIs and the KRIs for each of those vendors to make sure things are followed up on appropriately, and then eventually, as all relationships do, they come to an end, and what are the specific tasks and processes that have to be addressed before you terminate a particular contract. At the end of the day, we're trying to accomplish for you a simplified and sped-up process for onboarding vendors, getting you to a single source of the truth, closing gaps in processes, and then unifying everybody in the organization around the third-party life cycle. Next slide, please, Melissa. You know, we address a whole host of risks in the Prevalent platform. Here are six categories of them, and this is just a sample of what I could squeeze in the tiniest type I could find on a slide. But it just gives you an idea of how elastic the platform can be in managing risk, whether you're issuing a dedicated assessment for one of these categories or you're consuming monitoring feeds to make decisions. Next slide, please, Melissa. You know, what we actually deliver as far as solution is really a three-part harmony.
First is the expertise that we deliver through our risk operations center, which Jeff mentioned earlier on in the presentation. This is our managed services organization that does a lot of the hard work for you, from onboarding, assessment scheduling, collection and management, analyzing responses and evidence and documentation, and then helping you define the right remediations to go back out to your vendors with. Next, a whole host of data sources that we've pre-integrated on your behalf, so you don't have to try and tie a bunch of data feeds together into the platform. We pump it all in there for you, right into the same risk register that your assessment responses appear in, with some correlating between the disparate findings, so you can then take action on potential gaps or problems when you're validating assessment controls with outside monitoring data. And then finally, we house it all in one platform that enables you to get great workflow, reporting, and then risk management guidance to share with the rest of the organization. Next slide, please, Melissa. I mean, really, at the end of the day, our objective is to help you make good, well-informed decisions, be smarter, by giving you comprehensive risk and performance insights, great analytics and role-based reporting for your internal and external stakeholders, to unify your teams under a single source of the truth, to look at the life cycle on a unified basis from onboarding to offboarding, and then give you descriptive guidance and intelligence to help you understand what to do with the risks you find and how to dispose of them and triage them from there.
So honestly, that's our approach to third-party risk management: take a look at the life cycle, address those risks at every life cycle stage, and then give you the process, the intelligence and the guidance to help you improve that program over time. And I think that's pretty well representative of some of the capabilities we've been able to deliver for Ford. And I'll pitch back over to Melissa, if you want to open up for questions, or Mike.
Melissa: Before we hop into those questions, and I see we have a few of them piling up, I'm going to launch our second poll question. Keep the questions coming, you guys. And, you know, we're curious: are you looking to augment or establish a TPRM program? Like I said, be honest. We do follow up with you. Like, it's physically me. I'm a real person. I'll follow up with you. And I want to make sure that we don't let anybody slip through the cracks. So just answer that the best you can, get that out of your way, and then I think we might have time for maybe two more questions. So, Mike, if you want to comb through a few of those, or Jeff, whichever you think are going to be the most valuable, I will pitch it over to you guys.
Mike: Yeah, let me take a look here. This is a good one from Katherine. When performing your annual reviews, how do you ensure that SLAs are being met? If they're not, what steps do you take to ensure that the supplier is getting back on track?
Jeff: Well, again, what happens is that we provide a lot of reminder emails, and we look to purchasing to send a couple of emails after the assessment period window has ended. A lot of times we'll get a request to extend that, and we certainly would do that. I mentioned a red-yellow-green status. There's another status that purchasing uses that is orange status, and orange status means that they were not complying in completing the assessment. They didn't complete it in time; maybe they didn't even start. And this is the first example I've actually heard of this happening: a supplier was working with the buyer on a purchase, and the buyer saw that there was an orange on the dashboard next to the supplier name to say they didn't complete the assessment, and they stopped the purchase. And that becomes a motivated supplier at that point. So we leverage that as much as anything.
Mike: All right, this will be the last question, again, just want to give everybody... and then, Melissa, we'll turn it back to you. But I like this one. It's a long one, but basically: have you ever not assessed somebody because they're someone like Microsoft? What are your thoughts on that?
Jeff: Yeah, they pretty much ignore us. I mean, the big ones, Cisco, Microsoft, Amazon, Oracle. I mean, they don't ignore us, for sure. Generally what happens is, for each of those, our management team or the IT management team, up through our CIO, a lot of the management is kind of the relationship manager with some of the big guys like Microsoft and all the others, and we work with them to ensure that they've got everything in place that they need, and generally they do that through other methods. And so, they don't fill out a SIG Lite, quite honestly.
Mike: I bet they don’t.
Jeff: Yeah.
Mike: I bet they don't. Hey, let me put video back on; it's just my internet's been wonky. But Jeff, this was just awesome. Thank you. You know, the amount and the quantity and quality of questions I think represents the desire to hear from someone like you in an established program, and you did a great job, and I just appreciated the personal touch up front. So that was awesome. So thank you from everybody, traveling. It was great.
Jeff: Okay. Thanks, Mike. I appreciate it. And I think the deck is going to be sent out. Is that correct?
Melissa: Yes, that is.
Jeff: All right. And I believe I have my email address in there. So I’ll be looking forward to emails.
Mike: There you go. Melissa, anything else?
Melissa: You know, I just really do value this interaction. I think it's very useful, compared to, you know, all the Q&A that we tend to get. This is quite a bit. So hopefully you all found it valuable. Maybe we'll even be lucky enough to have him on, you know, in the future. So stay tuned, everybody. Thanks, Mike, for hopping on. I know you've got a lot to do today, and Scott as well. And then, one last time, thank you, Jeff. And we'll see you all at a future webinar and in your inboxes. So take care, guys. Have a good day.
Jeff: All right. Thanks. Bye.

©2025 Mitratech, Inc. All rights reserved.