Description
In this episode of the FCPA Compliance Report, Tom Fox takes a deep dive into the Prevalent 2024 Third Party Risk Management Report with Brad Hibbert, Chief Strategy Officer and COO at Prevalent.
Hibbert drives Prevalent's product vision and strategy development, which draws on the Third Party Risk Management Report. The Prevalent Report describes the complexity of managing third-party relationships and highlights its various phases, such as onboarding, contracting, and offboarding.
Speakers
Tom Fox
Host
Brad Hibbert
Chief Strategy Officer and COO at Prevalent
Transcript
Tom Fox: Hello everyone, this is Tom Fox, back for another episode, and I'm thrilled to have back with me Brad Hibbert. Brad is the president of Prevalent, and more importantly, we're here to talk about Prevalent's third party risk management study. So Brad, first of all, welcome back.

Brad Hibbert: Yeah, thanks for having me back. It's great to be here.

Tom Fox: Brad, this is an annual study done by Prevalent. It provides a lot of great information for the compliance professional, both in terms of what's going on out in the marketplace, at least as you guys see it. But the thing I like about it: one, you get to see what's going on in the marketplace; two, you can benchmark your program against what others are doing along the lines of best practice; but it also maybe gives us a teaser or hint as to what some of the biggest challenges are. So with that, could you tell us what the report is, how you guys generate it, and maybe even why you do it?

Brad Hibbert: Yeah, sure. So this is the fourth year that we've done the report. Again, one of my roles is chief strategy officer, so part of that is working with customers and analysts and partners, making sure that we're building the right solutions. What the report allows us to do is cast a wide net to really understand the broader challenges that organizations are coming across, to make sure that we're building a strong foundation to help customers overcome those challenges, but also to make sure that we're on the forefront of innovation to really handle some of the upcoming challenges and opportunities that we'll get into a little bit more today.

Tom Fox: So let me start with this: were there any surprises in what you found, or was it almost consistent with what you were hearing from your customers and clients for the past year?

Brad Hibbert: Yeah, we've been doing the report for a long time and have been in this space for a long time as well. I think one of the biggest surprises, and again we can certainly talk about it in a bit more detail, is just the number of respondents that are still relying on spreadsheets and doing this manually. So I think that was probably one of the biggest. I think the other one is that the third party space continues to mature, but the other observation is that the programs in the market itself are still somewhat fragmented. So we're seeing a lot of companies that are approaching third party risk management from different teams with different lenses and using multiple different disconnected products to try to manage these risks throughout that third party or vendor life cycle, and again we could certainly talk about some of our recommendations in that respect. And I think the last one I'll just mention: we always tell people to try to move beyond the compliance check box. So the last one is really that there's a pretty significant gap between people that are identifying risks and tracking those risks and those that are remediating, performing the remediation, right? So I think again that kind of speaks to the relative immaturity of the market and some of the programs that organizations have in place. It's all trying just to get the assessment under the belt, and they haven't gotten around to actually really digging into the risk and remediating those risks with their vendors and supply chain.

Tom Fox: Let me pick up on point number two, because I see that in my consulting practice as well. Companies, for either legacy reasons, will have disparate systems that really don't talk to each other, but it really leads to a non-integrated approach. One of the reasons I've always enjoyed talking to you and your team at Prevalent is you guys really talk about an integrated approach to third-party risk management. You just said a little bit about that, in terms of it starts with a risk assessment, but it only starts there, and then from there you build out a risk management strategy, you implement, monitor, and then upgrade or update, you continue with improvement as appropriate. But when you sit down with clients, do you have to have that basic kind of conversation: hey guys, this is a business process that requires a process approach, not a disparate "we're going to do a risk assessment" or "we're going to put in a platform" or "we're going to do something else" where nothing talks to each other?

Brad Hibbert: Yeah, I think when we talk about third party risk management, as you mentioned, it's not a product, it's a program, and it really has to take into consideration the entire life cycle, from onboarding a third party to offboarding a third party. And through that relationship there are different departments that have a different lens, so they have different job responsibilities, they're interested in different types of risks, they have different workflows and processes that they follow. And so how do you bring all of that together throughout that entire life cycle? We think unifying that information in a comprehensive risk profile that the different teams can tap into and share information throughout that journey or relationship is the way to do that. Now, most people don't want to, and you don't have to, start with the entire life cycle, but you've got to pick the pieces that are most important to your organization and start there. But you have to have the foresight to look out a few years and understand where you want to take this program and make sure you're building those foundations today, so you're not stumbling in two or three years when you try to scale with the quality that we're looking for.

Tom Fox: Maybe to step back and start with an even more basic question: do the people who are still using spreadsheets understand that third parties are still seen as the number one risk under anti-corruption laws such as the FCPA? It's still 90% of all enforcement actions that involve third parties.

Brad Hibbert: Yeah, I think if you take a look at our study this year, what you'll find is that 41% of the respondents indicated that they had an impactful third party data breach in the last 12 months, and that impact was the costs associated with identifying or remediating those risks. So that's certainly driving a lot of awareness and visibility for these programs, and why a lot of people are getting them kicked off. And when you dig into it even a little bit further, what's the top concern that organizations have with third parties? Again, 71% of the respondents indicated that a security breach, a security incident due to poor vendor security practices, is still the top concern. So I think they realize that security is the top concern. Of course compliance is another big driving factor behind this, but security risks are the top concern of many organizations, really driving these programs and the growth within the market, right?

Tom Fox: Could we maybe go through the top findings you guys found in this year's report?

Brad Hibbert: Yeah, sure. So again, the idea for the report is really to provide insights to organizations. It can provide peer baselines; they can baseline where they are with their program, to let them know that they're not alone, that other companies are facing these challenges, and then to provide actionable insights on what they can do with the challenges that they're facing. I think from a high level perspective there are five key findings that we have in the report, with a lot of backup detail in the full report.
- First and foremost, data breaches continue to top the list, as I mentioned earlier. 41% of respondents said they had been affected by a third-party data breach in the last 12 months and had to take drastic measures as a result. This is drawing a lot of attention to this area, especially with high-profile cases such as LastPass, OpenSSL, or Okta.
- The second most important concern driving the market is security. Around 71% say this is an important concern for implementing the program. This is a change from the situation around 15 years ago, when regulatory compliance was the main driver for these programs (e.g. SOX, PCI requirements).
- The third interesting finding is that around 70% reported greater involvement of the IT group, and around 71% said that information security actually owns the program. This makes sense, since programs typically begin with information security teams validating the security controls around IT vendors. It also points to increased adoption of third-party risk management and efforts to standardize security practices. The prevailing view treats third-party risk management as another layer of security, much like patch management or perimeter security.
- The fourth finding is that 48% of organizations still use spreadsheets to manage the third-party process, which is less efficient and effective than automated tools, especially given constantly changing compliance requirements. The number of people using spreadsheets has actually risen by around 6% since 2021. This increase, combined with a drop in respondents doing nothing for third-party risk management (from 10% to 4%), suggests that many organizations are starting their programs and often begin with spreadsheets, which is a natural part of maturing.
- The fifth key finding is a significant remediation gap, meaning there is a large difference between those who conduct assessments and identify risks and those who actively remediate those risks throughout the third-party life cycle.
Those are some of the key findings, but there's a lot more detail on them, Tom, in the fuller study, which you can find on the website. You'll certainly find any further information you want there.

Tom Fox: What were some of the key recommendations your team made based on the findings?

Brad Hibbert: Yes, of course there's a lot more detail, but I think at a high level we found that organizations really need to proactively put a plan in place and understand how they will proceed, how they will remediate, or how they will respond to incidents when they occur. Working with third parties to identify and mitigate risks before they have an impact is the most effective approach to protecting companies and customers.
- It is likely that a vendor or supplier will be affected by a data breach despite hard work and risk mitigation measures. In that case, shortening the time between discovery and mitigation can reduce costs and limit risk. This requires automating incident response and setting out plans or procedures.
- The recommendations include specifying in contracts that vendors must disclose breaches, since this is sometimes overlooked. It also makes sense to monitor third parties and public websites for disclosure notices.
- For proactive measures, cyber monitoring tools can provide indicators of compromise to help get ahead of a breach by identifying vulnerabilities that can be closed off before an incident. These are basic steps organizations should have even before a more robust solution.

Brad Hibbert: I think the other thing, Tom, and you mentioned it, is to have a single source of truth: really start to knock down those silos, whether those be technical silos or process silos between the different teams, to really extend that risk visibility across the entire life cycle, so from onboarding to offboarding, and allow your teams to collaborate and really share that information to be more effective in the way that they're handling third party risk management. So that's another big one, I think, and again we can certainly talk about how to do that. And you mentioned some of our program and program design: give up the spreadsheets. I think a lot of people start with the spreadsheets, which is great, right? It gets you going, it lets you identify the risks, but as you try to grow and scale your program over time, the spreadsheets are just not the best way to share information, right? It's very static. As I mentioned, a lot of the time when you're creating risks out of those spreadsheets you want to map those to different compliance mandates and so on, and it's very difficult to do that with a dynamically changing regulatory landscape, right? So try to get some tools in place to help you automate that process. The more you can automate the discovery, the more it frees your team up to actually do the important part, which is remediating the risks. And today I think a lot of teams are really stuck in just identifying those risks with manual processes, and they don't have enough time to remediate the risks. And so I think that ties into my fourth recommendation, which is really push your teams and really push your organization to move beyond that compliance checkbox to try to reduce the risks associated with these third parties. And I think that as you start to grow your program to support these oncoming compliance requirements, and again, Tom, some of these compliance requirements are pushing teams to move beyond just point-in-time assessments to doing ongoing monitoring, right? So you're going to have more information coming in, more risks being created. The more you can automate that front end, the more you're going to be able to start remediating those particular risks, and that could be actual remediations or making sure you have appropriate compensating controls in place. So those are just some of the high level risk recommendations that are covered in the study.

Tom Fox: Let me go to one of the things I think you touched on, which is having a response team, or being response-ready, should the need come for a response in terms of a breach. Do you find that, and I talk to a lot of data security professionals who say you absolutely need to prepare, and you absolutely need to be ready, whether you have practice runs, whether you have a playbook, whatever it might be, so that if something happens somebody knows who to call, who to notify, who to get together in the room. Is that a message that you find is resonating with your clients: that, hey guys, it's not if but when, and you really need to be ready, almost as a critical response that you would have for a physical disaster or something along those lines? Do they understand the need for a critical response team that you can immediately call into place when you determine a breach has occurred?

Brad Hibbert: Yeah, that's right. I think it goes for the breaches, so that's certainly something that we're seeing ourselves. We do assessments and we do monitoring, and we're finding more and more organizations, out of the gate when they start their program now, are implementing monitoring along with the point-in-time assessments. They want those continuous insights, and they're kicking off workflows that don't just cover the data breaches but other types of events that may happen as well. So it could be things like sanction events, it could be things like ESG violations, those sorts of things. So making sure you understand those different risks and making sure you have the workflow appropriate to the right team that's responsible for handling those risks, I think it's important to have those things well defined in the design and planning stages of your third party program.

Tom Fox: You've used another phrase I wanted to pick up on for a couple of questions as well. You talk about scale, scaling up, and I often see a company that may start with a small program, and as you suggest they may have actually started with a spreadsheet, yet when they think about scaling it through national and even international operations, that's where the thinking really breaks down. How do you help a client think through: we either grew through acquisition, we grew organically, or we need to roll this out across literally the globe? How do you help a company think through that process of literally scaling up their program?

Brad Hibbert: Yeah, thanks. I think a lot of it comes down to: don't try to boil the ocean from day one. I think that's the biggest mistake a lot of companies make: hey, I'm starting the program this year, I want to make sure I assess and remediate 20,000 suppliers and third parties around the globe in year one, and sometimes a thousand, but in practice it's very difficult to do. So what we recommend is think about where you need to start and where you want to get your program over the next three to five years, and then get your vendor and supplier lists in order. Sometimes that's the most difficult piece: who are your most critical third parties? So start having those discussions between the different teams to curate your third party repository, if you will. Then profile and tier those third parties, because not every third party, not every relationship, is the same. So really identify the ones that would be most impactful to your business, and maybe that's 50, maybe that's 100, maybe that's a thousand, but whatever that is, those are the ones you want to start with. Then take a look at what resourcing you're going to require internally and what you have available to you to actually not just assess them to get the risks but to go the next step to remediate those risks, and then just plan how you want to scale it over time. If you can manage 50 this year, start with 50; that's better than doing zero, if you can start with more. So we really try to show them how we can get things up and running through a pilot phase, work through those workflows that you mentioned earlier as well, so make sure you really lock those down and get those efficient, make sure you implement automation so you can have different checks and balances in place, and then start to scale once those foundational elements are validated and proven. So again, don't try to boil the ocean, but start doing something.

Tom Fox: I might actually have to cut that answer out and make it its own podcast. That was the finest answer I think I've ever heard; you've done that before. Brad, unfortunately we are near the end of our time for this episode, but before we leave I wanted to ask you: if our listeners wanted more information, we're going to link to the report in the show notes, but what would be the best place or places for them to go?

Brad Hibbert: Yeah, look, you could go to our website, www.prevalent.net, and as you said, we suggest companies come up there, use the data in the report to benchmark their organization and their program, their efforts, against their peers, and try to adopt some of the best practices that we outline in the report. We also have a resources page with lots of insights and blogs on different compliance mandates and things that are coming up, coming around the bend, so the website's a great place to start.

Tom Fox: Well, Brad, I wanted to thank you, one, for doing this, or Prevalent for doing this report. It's always a great resource for the compliance professional, and I'm going to ask you, or tell you, I look forward to our next conversation as well.

Brad Hibbert: Absolutely. Maybe ESG or something around that date would be great.

Tom Fox: Okay, thanks very much.

Brad Hibbert: Awesome, awesome. Thanks, Tom. Thanks for having me.
©2026 Mitratech, Inc. All rights reserved.