Description
Many organizations cobble together third-party risk assessments using various homegrown tools or spreadsheets. But what happens when your program has to scale quickly? Will your manual processes cut it?
Join Rodney Campbell, Senior Vice President and Head of Third-Party Risk Management at Valley National Bank, as he leverages his years of experience in building and managing third-party risk management programs to identify five critical policies and processes for ensuring long-term TPRM success.
In this webinar, Rodney shares:
- Common pitfalls that most organizations encounter when assessing vendors
- Essential processes for increasing assessment scale and efficiency
- Best practices for getting program buy-in across the organization
Watch this webinar to learn the tips and tricks to scale your TPRM program without burdening your team.
Speakers

Rodney Campbell
Senior Vice President and Head of Third-Party Risk Management at Valley National Bank
Transcript
Melissa: Hello and welcome. It’s great to see everyone start joining. Um I’m going to give you a minute while we wait for people to get situated and connected. Uh in the meantime, I’m going to launch our first poll. Here we go. It’s going to pop up on your screen here hopefully. Oh, perfect. I love how it’s not working. It’s my favorite part. All right, there we go. You’ll see it now. Um we’re curious what’s bringing you to today’s webinar. I’m always excited to see that. Is it you know, educational. Are you in the beginning stages of your third-party risk program? Are you a current Prevalent customer? Let me know. And let’s begin by getting some introductions started. My name is Melissa and I work here in business development. And today we are joined by a returning guest and senior vice president and head of third-party risk management at Valley National Bank, Rodney Campbell. Welcome back, Rodney.
Rodney Campbell: Thank you.
Mike Yaffy: Yeah.
Melissa: And we also have Mike Yaffy here, chief marketing officer of Prevalent. Hi, Mike.
Mike Yaffy: Hello. know I’m talking and waving.
Melissa: Wow. Amazing. And last but not least, we do have Scott Lang, our very own VP of product marketing. Hi, Scott.
Scott Lang: Hey, Melissa. How are you?
Melissa: No wave. I just see that only one thing at a time, right? Next time. Um, today we have Rodney and he’s going to explain how to get your initial stakeholders to care about third-party risk management. Um, as you can see, you know, as a little bit of housekeeping, it’s being recorded this webinar, so you’ll get it along with your slideshow uh shortly after everything’s all wrapped up. And lastly, you’re all muted, so just use the chat if you need to communicate something that is not a question for the Q&A box. So, if there is a pressing question, please use that Q&A box. We’d love to have things to be pretty interactive. And without further ado, I will let Rodney and a little bit of Mike go ahead jump into it.
Mike Yaffy: Yeah. Right on. Let’s get into the slides, guys. So, here’s what we’re going to do. Rodney’s got a ton of experience as opposed to um having present. We’re going to do a little bit interview style today, which hopefully makes it a little bit more fun, a little bit more light. We were commenting Rod is much better dressed than I am. Now, he works at a bank. Now, we work in high-tech, so the fact that I’m dressed in, showered, and not wearing a hat, right, is that’s the pinnacle of getting dressed up for me. So, Rodney’s not wearing a tie today, so he’s he’s going cash. So, um Melissa, can you share out the slides? Um that would be fabulous. the look the first question um that we’re going to get into and we’re going to talk a lot about getting people aligned with TPRM. I think one of the things Rodney that we’re seeing and that we want to talk about today is it’s kind of a convergence right between compliance, security, risk uh procurement um and everybody needs to kind of assess their vendors, their supply chain um you know people who keep them in business as I like to say. So uh first question it’s a softball right? So, in your opinion, let’s talk a little bit about how important is it to have the internal stakeholders actively involved, right? Obviously, if the answer is no, we can just end the webinar here. So, um but look, how do you do it? Why do you need to do it? Why is it so important to do?
Rodney Campbell: Well, I’ll say you should always do it. It’s required. You have to look at it from a holistic perspective. These are interconnected activities. So, interconnected activities require connection and collaboration between people, process, and technology. Uh, think about all of the risk control functions that you may have within your organization. You want to make sure that the control functions are actually speaking to one another. You want to make sure that you that they’re aware of what’s going on within the organization or the risk that’s potentially posed uh by a product or service engagement to your organization. I can tell you that if you do not connect the dots between your risk control functions, compliance, um your internal audit, and just your TPR program, you’ll run into many problems because we have to look at it from two lenses. There’s external risk, right? So, third party product service engagement is the external lens of risk. What about the internal impact that it may have on your day-to-day business operations? Now, if
Mike Yaffy: Rodney, we’ve seen it too and and I would say one of the biggest problems we’ve seen of people who are in TPRM and they’re a little siloed, they can’t get the freaking vendors into the product because they don’t even know who to go to or how to start because they have no connections built with people across their organization.
Rodney Campbell: Well, I think that goes back to your corporate governance, right? So, whenever you are engaging a new vendor or third party for a product or service engagement, you want to make sure that your governance is in place. How do you engage stakeholders? Who should be engaged? You need to make sure that when decisions are made, these decisions aren’t being made in a I guess a siloed environment. You want to make sure that these decisions are collaborative. You want to make sure that the functions who are actively responsible for receiving the product or services or providing maintenance and support for those products and services are actively and equally engaged so that in the end your decision is holistic but it’s also informed.
Mike Yaffy: So talk to me about so the downside so the downside of not connecting to people is you have no support for the program right you maybe you can’t get your vendors identified um what else is it does it not become strategic does anybody care about it? Like what do you see as the major if you’re not willing to kind of come out with an olive branch and work together? What what what happens? What are the what’s the downside risk here?
Rodney Campbell: Oh gosh, the olive branch. You need multiple olive branches. I’ll tell you the downside of that is you’ll miss out on identifying vendors. You’ll miss out on identifying the risk associated to products and services and also mitigating the risk that’s associated to your product or service engagements. You need to make sure that your stakeholders, not just the business functions that are supporting or receiving the product or services but the individuals who are tasked with protecting uh and providing support for the organization against the risk are responsible for mitigating risk. If you do not have them involved you will not mitigate risk um to the fullest extent. You will misidentify risk uh that’s posed to your organization by the product or service engagement and there’ll be an overall mis uh qualification or quantification of the risk associated to your product or service engagement.
Mike Yaffy: So, I’m not that smart. So when you talk about misinterpreting risk, misquantifying, like what do you really need? Like simple words like and I say this like look I I’ve done a bunch of things but explain it like you’re explaining it to me who works in marketing, right? But explain it like you’re explaining to your mom. So what is that? And I do mean that. Like what does it mean in the in the simplest terms?
Rodney Campbell: Well, if if I explain it as I explain to my mom, I’m gonna need a Snuggie and some tea.
Mike Yaffy: Oh my god. Yeah. My my wife has a Snuggie. You cannot underestimate a Snuggie.
Rodney Campbell: Yeah. So, so let’s look at it from this perspective. You want to make sure that you and your business functions because again we’re going to go back to interconnected activities and you want to make sure that in order to protect and mitigate risk associated to those interconnected activities, you need to make sure that the connection between your people um the process and technologies is in place. So the stakeholders are very very important because if you don’t identify the right people, if the right people are not sitting at the table, you will not have a holistic or informed decisioning. Your decision may be made by one person. It may be made specifically by the business. It may be made by a risk function.
Mike Yaffy: Okay. So, what you’re saying is right, I just want to be sure I understand it that if you don’t have the right group, you don’t have all the pieces that you need to make a completely informed decision.
Rodney Campbell: Absolutely. Absolutely.
Mike Yaffy: I mean, that makes sense, right? And you’re leaving out somebody that could care or kill the program, right?
Rodney Campbell: Absolutely. And you need to look at it from too. If you engage a particular third party for a product or service engagement, do you really want to bring a function or a risk control group into the fold after the fact after the contract is done? Um the risk mitigation that should happen prior to contracting you’ll miss out on. So you want to make sure that you engage stakeholders at the very beginning. Make sure that your decisions are informed and make sure that it’s a collaborative approach.
Mike Yaffy: So in contracts, you know, we’re seeing more. I don’t think it happens enough, but the two things that you know people are we’re seeing a little bit more in contracts are the right to mitigate the right to kind of retest and right the the the need to continually update and they have to continually provide this it’s not a one-off but it’s also right they’re they’re required to mitigate what you guys find right or there’s consequences do you see that do you guys have that did are you seeing more of that?
Rodney Campbell: I I I think across the industry I can tell you that it happens more than a little bit. I think this goes back to the collaboration and having your stakeholders involved when you are inherently risk assessing a particular product or service engagement is very very important. Make sure that all of the due diligence all of the issues the risk that you identify inherently you want to make sure that you are taking that into consideration when you’re executing your contractual agreement between you and a third party. Um I can tell you that we our organization here at Valley National Bank. We have taken a collaborative approach for engaging third parties for all products and services. We want to make sure that the decisioning isn’t made by just one particular business function. It’s something that
Mike Yaffy: who’s involved who’s involved who’s who’s part of your collaboration? Who’s part of your core team? Out of curiosity.
Rodney Campbell: Okay. So, the core team number one is the business because business are owners of the risk. They own the relationship. You want to make sure that it’s second line of defense. Whether that’s your information security, your cyber risk, your TPRM group, your compliance or regulatory group, that they’re also involved. But we want to make sure that we involve the right people for the right reasons. You don’t want to involve let’s say a compliance control function in an engagement or potential or prospective engagement with the product or service where it isn’t required. You want to make sure that for each control group, it’s also aligning to the risk that we identify with the potential product or service engagement. So that will vary.
Mike Yaffy: Okay. So just again to be clear, it’s right everybody’s not involved in everything. You’re kind of persons out who you know the groups but everybody in the infosec obviously you’re not inviting a whole infosec team but you’re inviting particular people for particular reasons but you’re trying to keep them involved is there any group how when you’re onboarding vendors do you make them are you making the decision as part of a group to onboard the vendors do you have like a kind of an onboarding committee where you would cycle it through and I’ve seen this too we’ve spoken to a bunch of folks and I’ve I’ve not seen it like centralized versus decentralized. Do you have like a procurement group, a legal group, a risk group and a security group or is it like procurement onboards them and then we kind of do downstream after that?
Rodney Campbell: No, certainly again this is a collaborative approach. So we do have a sourcing and procurement function that works directly with the business when vetting uh prospective third parties. Um again the vetting is separate but a part of the overall onboarding process. You want to make sure that when we’re taking into consideration any respective third party that we’re performing all of the right or the light level of due diligence tailored to that product or service engagement at the very beginning. So yes, it is definitely a sourcing and procurement, business, and also respective risk control function uh collaboration.
Mike Yaffy: Um Melissa, go to question three. We’ve already gone this one is one. Number two, I know we’ve we’ve covered question three. I’m going to get to it in a second. Another thing that has come up interestingly enough is we look in our business, we see people they engage us generally the infosec side and then like 80 75% then 25% on the procurement side. While ESG um and things like that aren’t necessarily the lead function, we see a lot more questions kind of bleeding into surveys um and assessments and continuous monitoring. Are you are you doing a continuous are you doing an ESG function just out of curiosity now? Is it something that’s kind of led into it. Is it a distinct function or is it something like look you’re you’re looking at and you’ll you’ll get to?
Rodney Campbell: Well, the approach that we’ve taken is making sure that we take all areas of risk into consideration or categories of risk. Um I think ESG is one of those topics that many organizations are currently in the process of maturing. Some may have already matured it. Um
Mike Yaffy: trust me, not many like we were on the phone with Gartner analysts the other day. We speak to a group of five independently and where we see because a lot of people are talking about it and and there’s a lot of buzz on it and nobody’s doing it or they’re everybody’s evaluating it. So,
Rodney Campbell: you’re right. I I will I will definitely use the air quotes on evaluating there. I I I I can agree with you more. I can tell you that we’ve been talking about it for some time now, but I do think when we’re looking at other categories of risk that we do not generally take into consideration or talk about or risk assess, we need to start moving into actions. Um we can identify areas of risk related to ESG or potential areas of risk associated to ESG. Even if you don’t have a necessary ESG program in place, you want to make sure that you identify the indicators or potential areas of risk at the very beginning. You have a product or service. Where is your product or service being made? Uh who’s making it and what’s taken into account for delivering your product or service? Those are simple questions that have simple responses, but you want to make sure that those simple responses don’t lead into larger indicators of risk for your organization.
Mike Yaffy: Yeah. And look, Rodney had asked me during our trial everybody if he’s like are you gonna speak I’m like oh maybe a little bit and then I’m like I get on I’m like I can’t help myself as you probably as Scott and Peter and everybody who I’ve worked with probably knows but look you talked about this this is one of my soapboxes in infosec I’ve done infosec marketing and then marketing right but enough to be dangerous I think the challenge we have is and look I saw this in vulnerability penetration testing crypto all these market segments where people get distracted with the new shiny ball and especially with RSA coming up start talking about, oh, I want to do ESG, I want to do that. You need a fundamental backbone of a program that’s a well functioning program that integrates everything Rodney’s talking about and will talk about to do this correctly before you get to ESG. You’re like, are you assessing your tier one vendors against something on a regular basis, right? And do you have a plan for your tier two, tier three, and then, you know, fourth parties? Fine. But what’s your program? What’s your plan, then get to the ESG. You know, people, well, maybe we’ll do No, it’s okay to say we have to build the program first. Crawl, walk, run, whatever you want, Rod, but you you got to have a plan and a program in place or otherwise you’re you’re just flinging crap against the wall, quite frankly.
Rodney Campbell: No, I I couldn’t agree with you more. I think we also need to examine the competencies of the individuals who are assessing and running these programs. It’s one thing to buy the latest and greatest technology and say, “Hey, hey, this is what we’re doing.” But if you can’t interpret or aggregate the data, that technology, and utilize it in a way that’s beneficial for your organization, it just becomes another expenditure. It becomes another piece of you have, and it’s totally useless.
Mike Yaffy: You know, it technology should help you scale and go faster. And if if it’s not, you don’t buy it. That goes for Prevalent, too. Don’t buy it. Uh we got a question from Ed. And guys, I I again, I know I’ve said a few times, I’m a marketing I think I can walk and chew gum at the same time. So, uh, if you want to fire in questions as we’re talking about a topic, I’ll happily try to get to them, uh, in real time. So, we got a question from Ed. Uh, when we were talking about the groups before, Rodney, uh, the the distinct groups that are involved, um, as as part of your committee, do these groups have the power to reject a prospective vendor based on their due diligence? So, I imagine each of the groups would have different types of due diligence that they would want to see before onboarding a vendor. So, how does your process work there? I
Rodney Campbell: I think taking into account the risk profile of your product or service engagement in addition to the risk appetite of your organization uh the risk functions. If a particular or prospective third party or product or service engagement poses too much risk uh that’s greater than your risk appetite and greater than any mitigates that are in place could potentially handle then yes that that would be the case. But you want to make sure that this isn’t just an isolated we don’t agree and this is something that the business function, other respective risk control groups in addition to your executive risk committees are made aware of any decision to not go forward with an engagement uh due to identified risk or heightened areas of risk. You want to make sure that all of your stakeholders are involved and they equally or collaboratively agree.
Mike Yaffy: Yeah. Uh I would agree. I look I it’s all about expectation setting, right? Like if we find sanctions, if they’re under SEC investigation, if we find out they’re using child labor in a country, right? We all agree in advance that these are things that would prohibit us from engaging with this vendor, right? I I think it’s a it’s about sit down. It’s about uh communication and agreeing is what I’m hearing.
Rodney Campbell: Y
Mike Yaffy: Okay, let’s get to question two. We’ve been on 18 minutes. We’re on quest the second red question. So, um Oh, wait. Go back to where you wherever you were. Uh wherever you were.
Melissa: Uh no, we already did that one. Yes. Leave it on. Yes. Yes.
Mike Yaffy: Yes. Okay. I I was speaking to Rodney, Melissa, sorry.
Melissa: Oh, just kidding.
Mike Yaffy: I was Yeah. Yeah. Faking me out there. Um, how can So, Reed, how can T how can you establish the necess I know you talked about it and we talked about olive branches. Give people specifics here. Like I my hypothesis is a lot of people get dumped into TPRM or it’s their first go-around in TPRM, right? Or they were, you know, it’s it’s a it’s a really important thing to do, but it’s an emerging segment, right? So people there there there aren’t a lot of people with 20 years of experience. I you know I know five of them at Shared Assessments, right? But I’d say on the industry there’s a lot of first-timers. So be very clear again
Mike Yaffy: on what you did, how you did it, how did you get these groups to the table? I mean is it meetings? Is it phone calls? Is it going to lunch? Is it doing team building activities? I mean like how do you kind of get corporate inertia
Rodney Campbell: in in a positive. No, that that that’s good. So, again, going back to the olive branches and some free lunches, many free lunches, unfortunately. Uh you want to make sure that your organization understands first and foremost what third party risk management is and what it means to your organization what is the potential impact. It’s hard to get individuals within your organization or or even individuals that you may collaborate with externally to buy into something that they do not understand. So, that understanding is first and foremost. You can build a framework. You can write a policy, but you need to make sure that the fundamentals of that are in place. So, for example, third party risk management, you said it yourself, Mike, was handled and managed as an administrative process in many organizations. And there’s some organizations right now that are still handling and maintaining an entire inventory via Excel spreadsheets, but we’ve also seen in parallel in the industry, whether you’re part of a regulated entity or you are under some regulatory restriction.
Mike Yaffy: Everybody’s under by the way. Scott, I’ll ask you, Scott wrote this compliance manual And Scott, how many It’s legislation that impacts third party risk. How many pages in your novella now, Scott?
Scott Lang: Uh, it’s it may or may not be around 200 pages.
Mike Yaffy: And by the way, there only three or four two or three pages or four pages per compliance.
Scott Lang: Yeah,
Mike Yaffy: it’s insane.
Melissa: Wow.
Mike Yaffy: How many pieces of legislation or guidance are now directly calling for for third party risk? So, I gotta believe everybody’s under something.
Rodney Campbell: They are. I totally agree. But I can tell there’s organizations that are under the belief or the impression that they’re not uh they’re not regulated by a particular regulator whether it’s OCC, FRB, FDIC but I do think that your activities are regulated and I think we need to be clear what are those activities and what are the risks posed by those products and service engagements so again going back to your point you need to make sure that individuals understand the nature of risk that’s posed by by engaging prospective third-party products and services um so for me what I’ve done in the past many times is make sure that Hey, what what is your view of third-party risk management? What do we do? Um what is our RARI? Because you want to make sure that your RORI is important. Your RARI isn’t just vendor management because if your organization sees or deems your process is simply an administrative approach to managing our suppliers, then you will miss out and you will also uh be misinformed on mitigating and engaging risk.
Mike Yaffy: Yeah, Rodney, I I’ll tell you after speaking to and again my background was really in security, but we spent the last year talking to a lot of procurement um executives And I think the one thing that became clear is if you onboard a crappy vendor and they blow out on you like you know it can be the equivalent of having a you know a single sourcing like some car manufacturers in the Ukraine like you know risk is not just you know financial stability and maybe a few look a few looks around it’s kind of a continual thing especially look all vendors aren’t created equal but if you have a tier one vendor that’s sourcing that’s super important to you. You better have a consistent and regular way to just ensure that that that you’re not going to run into any problem.
Rodney Campbell: Totally agree. So what happens when a problem does occur? That means the individuals who have no idea uh what happened or what should have happened are tasked with addressing or resolving uh or remediating the issue at hand. And these individuals have not been engaged at the forefront. They’ve had no understanding of what the product or service is. But But they have a responsibility not just a fiduciary but also an organizational responsibility to address the risk. So now they’re trying to address a product or service engagement or the risk or an incident as a result of engaging a third party product service engagement and have no fundamental understanding of the what’s hows of the who’s.
Mike Yaffy: It reminds me of you know um software development you know they always talk about if you catch the bug in development it’s a one-to-one cost. If it goes into compiling it’s 5 to one. If it goes into production it’s a 10 to one right so if you can understand that a vendor right as you’re onboarding or pretend plan to onboard there might be something versus 18 months later you’re locked into some contract with them and all of a sudden crap blows and look I’m not saying it happens a lot or all the time but my god you know all these companies when you talk about breaches it’s just a matter of time right I mean it’s it’s a little bit of you’re playing with fire there
Rodney Campbell: I I I couldn’t agree with you more But again, if you don’t have that collaboration and make sure you identify the right people in your organization that should be a part of that conversation that should be sitting at the table, you
Mike Yaffy: then they’re going to point fingers if you haven’t. If they weren’t there before, you can bet your you know what that they’re going to be pointing absolutely after the fact.
Rodney Campbell: You want to avoid the finger pointing before the fact and not after the fact.
Mike Yaffy: Right. Right. That makes sense. Hey, we got a corre question from Teresa. Um cloud-based. She’s in a cloud-based startup. Um what’s the best way to get an exec buy-in and understanding the importance of TPRM?
Rodney Campbell: Okay. So this to so
Mike Yaffy: it sounds like your organization didn’t care and you had to sell it. Yeah.
Rodney Campbell: Your exact team. How how first before trying to sell how important it is to have it. I also asked the question of of how critical and detrimental is it to not have it in place? What happens when you don’t have a TPR program?
Mike Yaffy: The consequences of inaction.
Rodney Campbell: Absolutely. I can tell you that it’s easier to approach it that way than to try to sell all the wonderful things because I can tell you there’s many things there’s many pros as to why you should have a TPR in place. We all know it. We talk about it all the time. But I think what we don’t talk about a lot is the consequences. What are the consequences of not having a TPR program in place? What are the consequences of not making sure that you have adequate governance? Making sure that you have a framework that can protect your organization, but also something that’s in place to provide some corporate governance throughout all these interconnected activities and processes.
Mike Yaffy: You know, I will also add to that that I think on one hand, look, and maybe this isn’t the popular answer, you can’t always make every organization care, right? I, you know, when I used to go into security teams, I’m like, what kind of shop are you? You know, are you the are you the type of organization that deals with it or is it like until you’re backed up against the wall, you don’t want insurance? I mean, look, at the end of the day, security to some degree is insurance, right? You you’re trying to prevent you know, the least the the most easy or least common denominator type of attack.
Mike Yaffy: So, it it does depend on your organization. I will tell you, Teresa, that most of the business is is typically driven by compliance or audit, right? So, it’s compliance to be compliant with whoever you’re working with or internal as an organization. There’s an audit failure or finding tends to drive this. Security increases It’s trite to say, but like 65% of breaches now are happening through third parties. So, you know, your organization is either going to say this is something important and I believe that we probably need a better process to evaluate this as you talked about earlier, Rodney. Do they accept or deny this risk?
Mike Yaffy: Right. Like I’m willing to live with everything you just said and I’ll roll the dice or not. Um I will say fines, audit fails, fines typically motivate people, but look, there are some people who just won’t have it at the end of the day.
Rodney Campbell: No, that that’s absolutely the truth. And I I think that what you should always what you should also do or take into consideration is if you’re dealing with one stakeholder, that’s probably a lot easier than dealing with five, six, seven, or eight. In some cases, you may be dealing with one. And you can’t you can’t sell the story of the value to everyone. Um, but it’s important that you kind of stay the course and do what you need to do to protect your organization. So, you are responsible for building a program that stakeholder needs to be well aware does this product or service support something that’s significant according to your day-to-day business activities and what happens when this goes wrong or what happens in the event it does go wrong
Mike Yaffy: are you willing to live with this t vendor being breached
Rodney Campbell: absolutely
Mike Yaffy: and I’m okay and look from a non-emotional standpoint I talk a lot about stuff like that but it’s like and I think that’s a look we could have a breach of this vendor hypothetically it’s the you know the one that ides the flux capacitors, right, for the for the the DeLoreans. So, if you’re willing to accept that we can’t get flux capacitors anymore or they have a breach and it has a material impact, then I’m okay. But we have to have a policy that says we we accept this risk, that’s where people tend to get squirrelly when they when they have to put their name on something and accept risk.
Rodney Campbell: And and Mike, let’s not forget, do they understand that they are responsible for managing the relationship? Because I can tell you that utilization, there’s no way they do
Mike Yaffy: different completely different.
Rodney Campbell: So you want to make sure they understand that.
Mike Yaffy: And look, I would start I don’t know about the organization, but I found look sometimes it works against me, but I found working with the CFO or legal, right? Because the CFO understands the, you know, the the risk and the potential negative impact, right, for doing this, right? If we had an event, it would it would be X and Y. And here’s the financial implications. Um, you know, it’s it’s the way you have to make people give a crap. Right. Sometimes and and um it’s it’s the con it’s a consequence and some you know and I hate to say oh if you’re breached the average cost of a breach is a million. Okay we get it.
Mike Yaffy: How do you contextualize that to your organization would be my best advice, quite frankly.
Mike Yaffy: Um, Melissa, why don’t we go to the next. Oh, there we go. So, okay. Um, I think this is good. You know, you talked about it. But what about you? You, you talked about transparency as something we need. Agreed. How do you get there, though? Like, how do, how do people sit around the table and actually have open and honest conversations?
Rodney Campbell: You think one thing we, I think as organizations or across the industry, you need to do is, whenever you are assessing a particular product or service engagement, you need to make sure that the transparency, the results, the findings from those risk assessments, from your due diligence activities, are communicated across the board. It, it serves you nothing if the stakeholders who are responsible for saying yay or nay have no idea what’s going on from a due diligence perspective; they have no idea what was identified inherently or residually. If all you’re doing is performing these activities just to check the box and say we did it, we’re good to go, then that serves you no purpose and you’re actually taking the wrong approach. So you need to make sure that everyone who’s involved knows that this is a transparent but also an engaging process. If you are a stakeholder, you have a responsibility, and sometimes the best thing that you can do is provide the hard facts and the hard truth. No matter how much we love this particular product or service, you need to be honest. And I know it’s going to be hard to deliver that, that what may be perceived to be bad news, but you’ve got to do what you have to do. And this is how you keep your program honest, but also continue to work towards protecting your organization.
Mike Yaffy: Yeah. I I I got nothing there. You’re, it’s, it’s the honesty, right? It’s just, look, here’s the good, here’s the bad. And I think unemotionally binary, but it goes back to what we said before. I think setting the criteria and then kind of, it, holding everybody accountable to that.
Rodney Campbell: Absolutely. I I think without the governance, you can’t execute these activities the way that they need to be. You want to make sure that you can optimize and maximize on what you’re doing as far as stakeholder engagement. And again, you can be as transparent, or believe that you’re transparent, as one, but transparency means providing the hard facts. Uh, you don’t have skin in the game. You are TPRM. You are a TPRM professional, or you’re part of that collaborative approach in making sure that you identify, assess, and mitigate risk. But you need to make sure that you’re honest with your stakeholders. They need to have full understanding so that they can make informed decisions.
Mike Yaffy: Yeah. And that’s your job. That’s what the job is, right? I mean, at the end of the day. So, great answer. Great answer. Melissa, why don’t we go to the next one? Um, you know, I I I read this and now I’m rereading it. I’m like, I don’t like it. But I’m gonna ask the question in a different way. First of all, do, how high up, what’s the level of visibility um the TPRM program has, or supplier management has, at your organization? Does it go all the way up to the board, and does the board care, or does the board care in so much as, like, we don’t want a vendor breach? Like, uh, you know, what’s, what’s the level of visibility? Does this ever get presented, even on one slide, right, um, or anything?
Rodney Campbell: I I can tell you that it does go up to the board as far as our TPRM program. It goes up.
Mike Yaffy: What, what metrics? So does the board care about, relative to the, like, how do you measure success with the board, would be an interesting side. Let’s finish this, but then get to that too.
Rodney Campbell: Okay. So now there’s multiple approaches for measurements of success. I do think, first and foremost, making sure that you’re providing the right amount of transparency to your board. Not too low level, uh, not too high level, but you want to make sure that the board is aware of the risk profile of your TPRM program. They should understand, uh, the inherent risk of your vendors. They should understand the financial viability and stability of your third party. They should have a clear understanding, transparency, into who are your critical and core suppliers. That’s important. Who are the suppliers that we rely on, uh, to keep the lights on, to perform our day-to-day BAU activities? That’s very important. You want to make sure that any issues, that risk events or remediations or heightened risk associated to high risk in your critical vendors, are identified and provided to the board as well. But the delivery of that information needs to be very important because, again, this is the board. And I’m assuming that some organizations, uh, second from the board or prior to getting to the board, may have some form of the executive risk committee. You want to make sure that that risk committee, or any other committees that you have outside of your board, are well aware of the overall TPRM program health.
Mike Yaffy: How do you, so two questions there. One, how, how do you quantify the overall health of your TPRM program? Is it X amount of vendors in the green? Is it everybody gets, it’s an eight? Like, how do you, like, like, honestly, like, how do you? So, you have this program.
Rodney Campbell: Yeah.
Mike Yaffy: How are we here, or here, or in the middle?
Rodney Campbell: I would love to say that every vendor gets an eight and is green. Uh, that would be a perfect way.
Mike Yaffy: By the way, I’m making stuff up. It could be one to 100 and then you could be like,
Rodney Campbell: but I do think benchmarking is important. Like, what are your measurements of success? Because if you don’t have any measurements, nothing to benchmark, then success would only be, uh, pretty much subjective. It’d be your opinion, and if you are responsible for running a TPRM program, I’m sure that your opinion will be the best in class. So you want to make sure that you have something to measure success. So what are your metrics to qualify and quantify that this is good versus this requires some attention, this isn’t so good? Showing something to your board or any executive or committee or senior leadership, and I do want to be clear, green, or let’s just say what is your ideal of perfection or good from a metric perspective, doesn’t mean that your TPRM program is good. You also want to make sure that you can identify what isn’t good, what requires some attention, um, of the board or senior leadership or the business function. So, I do think having hardcore metrics to say these are the amount of your total vendors. This is what the residual risk assessments are. Here’s your total overall inventory compliance. How do you measure how many risk assessments were done? How, how do you measure what is completed, or what completion looks like?
What is your turnaround time for due diligence, for example? Or are you identifying, collecting, and assessing the right information to have an accurate risk profile for your inventory? You want to make sure that you have true-to-form measurements so that you can actually provide what the total value or overall measurement of success of your program is to your board and senior leadership.
Mike Yaffy: So, a really good answer. Um, how does it differ with the executive risk committee than from the board? Like, do you, is it just more depth?
Rodney Campbell: Definitely should be more than that, right? So we talk about executive risk committee, and it may be in your organization an executive risk committee, some form of emerging risk committee, which I’ve been a part of. You want to make sure that the risk committees, they are generally comprised of multiple individuals from different risk functions throughout your organization. This is an opportunity to take a collaborative approach and have a holistic understanding of the risk posed by the product or service engagement, um, to your organization. So you want to make sure that all those individuals who are in the room, we’re discussing topics. We have true transparency, collaboration, and full awareness of what the product and service engagement entails, and any risk that may potentially be identified throughout the duration of that product or service engagement, I would say.
Mike Yaffy: Okay, right on. Uh, we got a question. Anonymous attendee, my favorite type. Um, how do you get larger companies like Microsoft and Amazon to come to the table to complete a risk assessment? Uh, in the past, they haven’t been traditionally great at this. Wow. If I could, I’d probably ask the same question. Uh, I think for, for us, what I would say, and what I would recommend or suggest to other organizations, is going back to that collaboration. I know we talked about that internal collaborative model, but let’s talk about that external collaboration. When you are establishing a new engagement with a third party for product or service engagement, you can take two approaches. One may be the standoff approach: we communicate through email. We know what we need. You give it to us and we’re done. Contract is signed. Or you can engage, and I mean actively engage, a service provider. Let them know what’s important to you in your organization. What do you need to measure success, or at least understand the external, or sufficiency of the external, control environment? You can do that at the beginning. Now, asking for that information doesn’t mean you’re going to get it, because if that were the case, I I think me and my team, we would get everything that we want and request under the sun. But I think that’s a start, that collaboration, making sure that you’re actively engaged. You establish that relationship at the forefront and work on that continuously. The same way that you perform continuous monitoring, you continuously engage your third parties, especially if it’s significant or core, assuming Microsoft would probably be a significant, core, or high-risk, uh, supplier for your organization. But I do think that engagement model matters. And again, I don’t want to say that engaging or collaborating with the best intentions is going to get you what you want or need, but I do think that’s a good start.
Mike Yaffy: Okay. Uh, Melissa, skip the next one and then go to the, skip one question and then go to the next one. Um, I think this is good, and and maybe metrics is the answer and we just talked about it. But um, I would love a subjective and an objective answer here if you have them, right. But to me, even in marketing, we measure everything, right? Did we get a lead? Did we get a deal? Did something go into pipeline? Not everything is a deal, but like, how many impressions did we get? Right? So there, there has to be a way to benchmark, and and I think, you know, I had a CEO in my past, and the one question he always used to ask me, and it was a, it was a good one. I didn’t particularly love the guy, but it was a good question, but it was: is that a good number or a bad number? Right? You can say, oh, we, we sent out 5,000 assessments. Okay. How many vendors do you have? How many tier ones? You could be like, well, we sent out 5,000, but we have 10,000 vendors and we only surveyed 500 of our tier one. So really, 5,000’s a terrible number. Right. So, how do you, and sorry to be so leading on this one, how do you subjectively and objectively showcase value and effectiveness?
Rodney Campbell: I I I do like the objective approach. I do like approaching things as if the individuals who are reviewing it have little to no understanding of the program, or, uh, already have their difficulties in understanding.
Mike Yaffy: Get your snuggy, get your Snuggie out is what you’re saying.
Rodney Campbell: Get your Snuggies out. Get the Snuggies in your cupcakes.
Mike Yaffy: There you go. Our rallies perfectly. I will tell you this: for us at Valley National Bank, our third-party risk management program, we want to make sure that in order to demonstrate and showcase the value of our overall program effectiveness, we need to do more than just show you how many risk assessments we completed. Now, yes, you’re going to go across your tiers. You have critical, high, moderate, low, and you’re going to be able to demonstrate this is what we risk assessed, uh, within this quarter. That’s fine. Everything is good. But what happens when you risk assess and everything is green, but there’s still issues, there’s risk that have not been identified and are reported or misreported? You want to make sure that your program showcases value of the overall relationship. So, what about your renegotiations, your renewals, because your ROI is more than just risk assessments. You have to understand, if you’re a TPRM professional, you’re performing risk assessments and you’re also doing this within a risk-based frequency of that contractual relationship with the supplier. So, if you want to demonstrate the true value, if you are identifying risk, and let’s talk about risk, or continuing to heighten throughout the relationship, shouldn’t you be using that for your contract renewals and renegotiations, perhaps for price?
Mike Yaffy: Absolutely. And people don’t enough, right? That to me is, it’s such a miss.
Rodney Campbell: It is a big miss.
Mike Yaffy: It’s a huge miss. Like, you have all this data on if they’re doing a good job or a bad job, and it should factor into your contract renegotiation. Hey, guess what? Your SEC thing is under, it gives you leverage if nothing else. It gives you more than this.
Rodney Campbell: I mean, what you have to think, look at this holistically. What is the point, after the contract is done and now you’re performing your annual periodic reassessments, your continuous monitoring activities. All this information, all this data is being collected throughout the duration of that relationship up until the point where you’re deciding or decisioning to renew the contract, and none of that information is used. None of that information is memorialized into that contract renegotiation or renewal process. So you perform all of your required or regulatory mandated activities, but not to your, not to your benefit. Um, actually, it’s to your detriment, because you, you’re not utilizing any of that information to renew your contracts, um, to particularly look for alternative suppliers. So, the value, uh, the overall value is missed. So, again, just get out the risk assessments. We can assess something point in time. We can perform continuous monitoring, but how are you applying that to the overall contractual relationship between, can I fix something that I find? If I find something on you, do I have the authority to enforce
Mike Yaffy: a fix on your end, right, as the vendor? And then use the damn information you have at contract renewal. I think those are the two biggest things that TPRM, if I, you know, again, soapbox, but if you can get those two things, you’re going to have a really successful program.
Rodney Campbell: Absolutely. I cannot tell you that more. Don’t wait until after the fact, because after the fact, uh, of identifying risks that you should identify in the beginning so that you can appropriately manage and monitor those risks to see if those risks heighten or change in any way that may potentially be detrimental to your organization, you just miss out on so much. So your value is more than risk assessments.
Mike Yaffy: Right on. All right. So, uh, we got 12:43. What I’m going to do is turn it over to, uh, Scott Lang. Uh, he’s VP at Prevalent. And look, hope you’ve enjoyed the webinar. He’s gonna do like three to five minutes on us, and then Rodney and I will stick around. We’ll answer any more questions, uh, that we get in during that time. So, you get 3 to 5 minutes, fire away. Rodney’s been awesome. So, this has been super helpful, and um, then we’ll take it from there. Okay. So, Scott, over to you, bud.
Scott Lang: Awesome. Thanks, Mike. Um, listen, you can advance to the next slide, please. Um, look, guys, everything you heard about today is about building a collaborative and agile third-party risk management program in your organization, including multiple stakeholders, understanding different perspectives on risk, understanding what the stakeholders want as far as reporting goes, risk mitigation, ultimately remediation, who’s responsible for what invariably throughout that process. When we talk to our customers, they tell us they want to accomplish these three things as it relates to their programs. Number one, help them get the data they need to make better decisions, whether that’s, you know, where risks are coming from, how to calculate a proper, you know, risk exposure, um, scale your risks to, you know, what the appetite is for the business, and, you know, get good data to prescribe some remediations, right? Getting good data. Second, increasing team efficiency and breaking down silos. A huge part of what we talked about today. Um, and that’s all about, um, you know, getting people together in, uh, you know, a single version of the truth for processes, for workflows, uh, and for data. So we’re all in effect singing from the same hymnal. And then third, evolving and scaling your program over time. You know, these three things are what customers tell us they want most frequently out of their third-party risk management program.
The ideal end state, if you will, have that program be agile, able to expand and accommodate, uh, new vendors and suppliers, new third parties that you’re bringing on, um, and you kind of scale and and support the business about what’s next. Next slide, please. But what we find really gets in the way, and you can build this out one more, uh, as well, Melissa, this is a builder slide, you know, click and then click again. Um, you know, what we find is that these challenges that organizations face are somewhat unique to every stage of the life cycle. So you want to accomplish those three things. What gets in the way of you accomplishing those objectives for your TPRM program? Let’s look at it from a, from a, um, you know, process perspective. There’s a life cycle of that, that relationship. As you’re sourcing and selecting vendors, you’re probably dealing with limited risk insights, a lot of silos, manual processes. We’re looking at vendors as you’re performing your intake and your onboarding. You’ve got different teams, different processes and tools in place to make it happen. Manual processes and a lack of insight for calculating inherent risks to determine what that baseline is, to allow you to then make good decisions on what type of risk assessment and strategy you want going forward. And then, you know, goodness gracious, the breads and the manual processes involved in the assessment, in the remediation phase. You know, we do an industry study every year, um, to assess the, um, state of third-party risk management, you know, in the industry, and we ask a very specific question in this study every year, and it is, you know, are you currently using spreadsheets to assess your third parties? And I am really disappointed, uh, to say that that number keeps going up every year. Two, I guess three years ago was 42%, last year was 45%, this year 48%. Almost half the people that we serve in the industry are using spreadsheets to perform their assessments, uh, of their, their third parties.
Two ways to look at that. Number one, you know, that manual process isn’t going to help you achieve those three objectives we mentioned earlier: getting good insights, bringing people together, and then scaling. I guess maybe the glass-half-full way to look at it is, hey, maybe more folks are doing third-party risk. Anyway, as you progress through this life cycle relationship, you know, you, you then move into the constant monitoring and validation of controls phase, and you, you’re looking at disjointed tools and inefficiencies. You’re looking at measuring SLAs and performance, and you’ve got SLAs, uh, sorry, siloed, uh, teams and manual tracking and very limited contract enforcement or no tieback to an overall risk profile. And then inevitably, as every relationship comes to an end, um, you’re going to want to offboard and terminate that relationship, and, you know, that invariably is going to mean that, you know, you’ve got to, um, you know, follow some sort of manual process to make sure that the final items are tied off. Anyway, those are the challenges that we see. Uh, Melissa, click one more time. You know, what Prevalent delivers is the ability to do three things here. To simplify and speed up onboarding with a single source of the truth and a process to help you manage that third-party relationship from the point you source and select them to the point where you offboard and terminate them. Second, deliver you a very streamlined process that closes gaps in risk coverage for these different teams, in these different risk domains that you want to see covered at every one of these phases, be it onboarding, management, or offboarding. And that really leads to the third benefit of unifying teams across the life cycle, right? Getting everybody together in a single solution, single set of data and processes, uh, to ultimately execute on the life cycle of that relationship. Next slide, please, Melissa. We deliver it through a combination of, um, expertise in our people.
We help, uh, do the hard work of third-party risk management on your behalf, from reporting, assessing, remediating, and managing that vendor, if you choose that. Uh, we give you the, the, the most data available in the industry to help you make good decisions. More than half a million, um, uh, profiles of vendor intelligence we have, uh, you know, in our library. Constant inflows of information from the cyber, business, financial, ESG, and and reputational risk side. And we don’t just give you the data, we correlate it, we harmonize it, help you make good decisions. And all those decisions are helped to facilitate, or facilitated, through the platform. The third pillar, uh, of what we deliver: all the workflows, all the automation, all the reporting, you know, are all centralized. So, a combination of the people, the data, and the platform is how we help, uh, to address that problem we, we talked about before. Next slide, please, Melissa. Ultimately, there are three things we want for you, uh, that we deliver in our solution. The first is to give you the comprehensive risk, performance, insights, analytics, and reporting to help your team be smarter in its decisioning processes. Second, to unify assessments, monitoring, and the life cycle to give you a single source of the truth of the enterprise to unify your program, and to deliver you a program that is prescriptive and not just has built-in integrations and automated workflows. We’ve got a whole army of experts, uh, behind that to help support you every step of the way. So, good intelligence, great automations, a prescriptive process. You know, we could help you from the, from the point where you want to start building your program to you want to optimize it, you know, through its life cycle. That’s our approach. That’s what we do to help from a third-party risk management perspective.
I think it ties in perfectly to the theme today on building some organizational alignment, getting people rallied around a single set of processes, truths, and, uh, and data sets to make good risk-based decisions. All right, that’s what I just shared today. I’m going to pitch it back over to, uh, Melissa. Melissa, I think we’re probably gonna open up for questions for, uh, for Mike and for Rodney.
Melissa: Yep. Um, you read my mind. Um, in the meantime, I’m going to launch our second poll. So, you know, just like the first one, um, we do want to see. Okay, I don’t know what was going on with my poll today. Uh, let’s see. I ended
Mike Yaffy: opening day jitters,
Melissa: you know. That’s it. This is not my first rodeo either, so I don’t know what’s going on, but
Mike Yaffy: day jitters, can’t beat it, right? They get the butterflies every year,
Melissa: you know, new season, fresh start. Um, are you guys looking to augment or establish something? You know, especially if you’re still in those spreadsheets, are you ready to get out? Um, let us know. And please be honest. We do follow up with you. We’re not just doing these polls for fun. Um,
Mike Yaffy: it’ll actually be Melissa.
Melissa: It won’t be me. I I promise this is not just, you know, a random robot.
Mike Yaffy: And say no if you don’t want to talk to Melissa. She won’t bother you. If you’d like to talk to Melissa, say yes.
Melissa: Stop putting me in your spam folders, too. Um, but, you know, I do have Rodney.
Mike Yaffy: Do the finger point, too, when you say that.
Melissa: Hey, let me turn my camera on so you can really see my expression. But I know we’ve got some questions, you know, in the pipeline. Um, you know, if there’s anything that you guys wanted to address that wasn’t in the slide deck, this is your time to speak, and and, you know, it’s anonymous if you want to ask a question. You guys, don’t be afraid, this is interactive.
Melissa: Um, we did have one. I, it was more of a statement from a Kevin out there. Um, you know, he, Rodney, he was talking a little bit about partnerships, right? Don’t abuse your partners, right? So that, that’s, that’s great advice. I’m tongue in cheek, but he’s right, right? Don’t take advantage of that. So, you comment on that?
Rodney Campbell: Yeah, I I I totally agree. I think that when we talk about third-party risk management, oftentimes we, we position suppliers as being kind of the, the alter. And what I mean by that is they’re the ones who are presenting some of the issues, uh, the risk, and their engagement or lack of engagement is potentially creating or generating more risk for your organization. But you have to look at it from this perspective, again going back to collaboration. You need to make sure that the relationship between your organization and that supplier is one that, I assume, you want to be a healthy and fruitful relationship. So in the beginning, collaborate. Make sure that they have a full understanding as to what you need, not just the product, but how can you support that product or service. Make sure that they’re aware of what you need from an auditing perspective, from a due diligence perspective. Tell them this stuff. Tell them all this information in the beginning and let that supplier, third party, or vendor come back to you and and kind of meet your needs or meet your demands. But you want to make sure that the relationship between your organization and their organization, it’s a collaborative relationship, because it’s not just about you, no more than it is not just about them. It’s something that should be established for the betterment of your organizations together.
Mike Yaffy: I think that’s a great wrap question anyways. So you tied that really up nicely, put a bow on it. So, um, see, we did get one more question. Uh, yeah, we can ask this. Um, what approach do you have that considers risk beyond third party, meaning risk posed by their third parties. So, nth parties.
Rodney Campbell: Okay. So here’s where I I’ve, I’ve suggested, or at least, um, explained to many, going back to the beginning, the earlier stages. Now there’s two parts. There’s going to be relationships that you already have in progress. Contract is signed. Perhaps the third-party risk management activities or management responsibilities were not yours. It was someone else before you. So now you’ve inherited this process that you’re coming to understand. But let’s go back to the beginning. In the beginning, when you are vetting suppliers, if this is a supplier that may potentially be a core or significant supplier for your organization, wouldn’t you want to know whether or not your critical or core third parties have critical or core third parties? What suppliers do they need, do they rely on, to deliver the product and services to your organization? That’s something that you should ask in the very beginning. Now, going through your due diligence process for existing third parties, even if you haven’t asked that in the beginning, you want to ask that: who are the subservice organizations? You should want to know what are the dependencies, not just critical dependencies, but what are the dependencies that your third-party relationships rely on. You want to make sure that that data, the access to data, because it isn’t just about dependencies. It’s also understanding that these dependencies may potentially pose a risk as far as access to your data, your organization’s data. You want to know what are the controls around protecting that data.
Now we know that everything isn’t, uh, perfect, but you want to make sure that you have some visibility and understanding of those third parties who may potentially be accessing your data, aside from those that are just critical dependencies for your third-party organizations.
Mike Yaffy: Right on. Um, no more questions, closing thoughts, Rodney?
Rodney Campbell: Uh, I I would say I I know that many, uh, tune in to Prevalent because these are individuals who are in the process or in progress of building their programs, and I I know that your goal is to make sure that the importance of your program is understood throughout your organization, and it isn’t easy and can be more difficult than I can put into words right now. But I can suggest that you just stay the course. Uh, keep doing what’s right. Make sure that as you build your program, you bring stakeholders in, and do that, do that through transparency. Uh, do that through facts. Um, not what you want the program to be, not something that’s conceptual, but facts and transparency and collaboration. I can tell you that in doing that, you will build a program that you need to build for your organization. It won’t happen tomorrow, but it will come out and turn out to be the right program for you.
Mike Yaffy: Awesome. Perfect. Thank you so much, my friend. This was fantastic. I love the pace. It was fun, and, uh, I think we got through a lot of topics. So, thank you so much for doing this. Melissa, anything, um, we need to do before we let everybody roll?
Melissa: No, I mean, everyone has a baseball game to watch today if you’re into opening day. Um, you know, I had a great time listening to Rodney, Mike, and of course, Scott, so I will be seeing you all in your inboxes shortly. And, um, yeah, I’ll see you guys soon. Take care. Bye, everybody.
Rodney Campbell: All, thanks again.
Melissa: Take care.

©2025 Mitratech, Inc. All rights reserved.