Wie man die Lücke zwischen Drittparteirisiko und Vertragsmanagement schließt

Melissa: Einen schönen Donnerstag euch allen. Es ist wirklich toll zu sehen, dass Sie alle hier sind. Und wir werden ein wenig warten, bis die Leute sich eingelebt haben, sich verbinden und sicherstellen, dass sie ihre Tasse Kaffee haben. Ich beginne jetzt mit unserer ersten Umfrage. Es gibt zwei. Hier ist also unsere erste. Während Sie so geduldig warten, ähm, wenn Sie schon einmal an einem unserer Webinare teilgenommen haben, wissen Sie, wie es geht. Aber wir sind immer neugierig zu erfahren, was Sie zum heutigen Webinar führt. Geht es um Bildung. Stehen Sie noch am Anfang Ihres Drittparteirisiko-Programms? Sind Sie ein aktueller Kunde von Prevalent? Ich weiß, dass ich einige von Ihnen heute Morgen bereits in diesem Boot gesehen habe. Lassen Sie es mich also einfach wissen. Ich werde diese Umfrage hier oben lassen, während ich ein wenig mit der Einführung beginne. Wir haben einen ganz besonderen Gast hier, Tom Rogers. Wie Sie sehen können, ist er der Gründer von Vendor Centric, was Sie wahrscheinlich in erster Linie hierher geführt hat. Er gilt als Vordenker in Sachen Vendor Life Management und ist ein zuverlässiger Berater für Unternehmen in den gesamten USA. Wir haben auch Scott Lang, unseren eigenen VP für Produktmarketing hier bei Prevalent. Ähm, und ich selbst. Mein Name ist Melissa. Ich arbeite in der Geschäftsentwicklung und bin normalerweise diejenige, die sich nach diesem Webinar mit Ihnen in Verbindung setzt. Mit einigen von Ihnen habe ich sicher schon gechattet. Wenn nicht mit mir, werden Sie von Amanda, Landon oder Null hören. Halten Sie also Ausschau nach ihnen. Und heute wird sich Tom mit dem Thema beschäftigen, wie man die Lücke zwischen den Risiken Dritter im Vertragsmanagement überbrücken kann. Zur Erinnerung: Wir wollen Ihre Zeit wertschätzen, also nutzen Sie die Fragen und Antworten für Ihre brennenden Fragen. Sie werden im Chat verloren gehen, also nutzen Sie die Fragen und Antworten. Auch dies wird aufgezeichnet. Sie werden sie also im Laufe des Tages oder morgen in Ihrem Posteingang finden. Und schließlich sind Sie alle stummgeschaltet, nutzen Sie also den Chat, wenn Sie etwas mitteilen möchten, das nicht in die Q&A-Box gehört. Ansonsten werde ich die Umfrage unterbrechen und unserem Experten Tom den Vortritt lassen.

Tom Rogers: Awesome. Thanks so much, Melissa. And uh welcome everyone. Good morning, afternoon, or evening depending on where you’re coming in from. Uh as Melissa mentioned, I’m Tom Rogers. I’ll uh be your guide through today’s webinar. Um and the topic we’ll be covering is really bridging the gap between thirdparty risk and contract management. Uh but really we’ll be talking also kind of holistically around thinking about other components of how your managing vendors in addition to risk and contract and all those other pieces that fit in because this topic isn’t just about thirdparty risk and contract it’s really about holistically uh managing those vendor relationships. I’ll be talking specifically about some areas where risk and contract tie in. Um but this whole topic around a more holistic approach to vendor management is is a big area right now as a lot of organizations are either getting something started and up and running off the ground or they’ve got an existing program and they’re they’re trying to take it to the next level. So, let me give you kind of a quick overview of what I’ll be covering today in the uh webinar. So, uh there’s really three goals I’ve got. Um one would be uh giving you a sense of where TPRM and contract life cycle management along in the uh align along the life cycle of kind of managing those relationships. with third parties. So, where do those pieces come together, right? And then as you think about where those pieces come together, what are the types of control points that you can put into place to really help create better alignment between contract and uh management and thirdparty risk management? Um, and and what does that look like? And then lastly, as you’re looking to potentially put some of these control points in place, where does that fit within the overall governance structure of managing those vendor and thirdparty relationships to make sure that the types of things that you do as you want to enhance controls and create better alignment kind of stick right and that’s where the governance piece comes in and I’ll talk about that a little bit on the back end um I’ve got uh the webinar is kind of broken down into into two parts uh the first part is really talking about the uh kind of the the why and the the what and the back part really talking about the the how. And so, um, as Melissa had mentioned, if you have questions along the way, just pop them into chat. Um, there’ll be some natural points in which we’ll, uh, we’ll break for questions, but, uh, Melissa will pop in if there’s something that comes up that she wants to bring up as well. Okay. So, with that as a background, let’s just hop in. So, the first part here I want to talk about is really um, uh, why it makes sense to to align and kind of wear those key alignment parts are in that that contract management relationship. So the way we think about contracting and um is really it’s broken down into into two parts, right? So you kind of have all the things that you do on the front end of a of a relationship with a with a new third party. So that can include everything from uh sourcing, going out and finding somebody, determining who you want to work with. It can include diligence on that third parties. So doing those risk assessments and and diligence on them before you go into contracting and it also includes you know the process for negotiating those contracts and deals. So all those things that happen on the front end those pre-contract activities then is once you get those contracts in place right and then it becomes all the activities related to managing those relationships. So it’s SLA management it’s managing to deliverables invoices things like that. But it also includes things like managing contract modifications um when there’s changes to scope. Uh and it includes also on the back end making sure that once a contract is done and terminated that there’s a a way to close it out and uh kind of remove that that contract and and do it in a structured way so that you’re offboarding the relationship. So that that contract management piece uh isn’t just once the contract signed, it’s all the things that get done on the front end and all the things that get done on the back end, right? So, there’s a lot of stuff that happens as you’re managing these contracts with the third parties. So, when you think about risk, risk really presents itself throughout that whole relationship, right? So, there’s pre-contract risk and diligence that needs to be done to evaluate what you’re getting into and making sure those risks are identified and and appropriately mitigated. And then there’s the ongoing monitoring of those risks on the back end, right? And making sure that as things come up, uh, that there’s alignment there and that those risks are being managed and mitigated and effectively dealt with as part of the general management of the contract, too. So, so risk doesn’t just happen at a point in time. It really happens through that that whole relationship from end to end. Um, so it’s important that those risk activities and these contracting activities all kind of come together and and have tight alignment. Um, Um, but what we typically find in a lot of our clients and the organizations that we’re working with is that there are lots of gaps that happen along the way where misalignment can occur and and risk and contracting aren’t working together. Right? So, let me give you a couple uh quick practical examples of where we see that and where some of these common gaps are. And I’ll focus really around this diligence piece here because this is probably what a lot of people are doing right now. So, so think about um when you’re entering into a contract, right? Everybody’s got standard contract provisions. This is one which um it was from a client of ours and it’s around a term and termination provision. And you can see on the on the bottom part here, there’s an actual requirement that they have for the vendor that they’re working with that that vendor is going to return, request or delete with written certification, deletion any protected information in their control. And they even go on to say that any protected information in possession of their affiliates and subcontractors. Right? So you think about the typical contract process. We’ve got, hey, we’ve got a contract. We’re negotiating with this third party. We’re we’re asking them to comply with this. So where risk comes in is, hey, we’ve got to make sure that this third party has the necessary policies and controls to live up to the requirement. Um, oftentimes though, these contractual requirements go into place and and there may not have been a full risk assessment that’s actually done around these contractual requirements. Risk assessments get done kind of in their own silo. Contract standards and provisions get done in their silo and there’s not a connection between the two. So what’s important here and where gaps occur is when organizations have standard contract terms, they’re not aligned to the risk assessment procedures that are done. And so something’s missing in here in this part of the process. And then if you look at this bottom part here where they’re requiring this of their affiliates and subcontractors, part of this risk assessment needs to ensure that they’re evaluating this vendor’s management of their own third parties, right? So how does this vendor kind of go through and manage their third parties? Are they require those third parties to have contractual provisions that align to what the actual uh client is requiring of them? and that those all flow down throughout the process. Right? So this is one area in where we see that there are definite gaps that happen where you know vendors are being requested to comply with certain contractual requirements but the risk assessments don’t always support their ability to to uh know whether they have the right policies and procedures to do it. So that’s that’s one area. The kind of the flip side of that would be in cases where um you’re doing a risk assessment and do the residual risks that come out of that risk assessment actually make their way into the contract. Right? So in this case, this is another example from a client. They’re a a large international NGO and they have requirements to um kind of receive and evaluate financial statements for certain types of third parties that they work with. So you can see down here they have a a due diligence question where they ask whether uh the third party had any ificant deficiencies or material findings in their most recent audit report. So the risk assessment is did they find anything? If they do though, what makes its way from that risk assessment into the actual contract? This is another gap that we see occur where the folks that are actually managing the risk assessment process, whether it’s the vendor management office, third party risk, maybe it’s finance is doing this, maybe it’s infosc is finding something up here that there’s community unication between those that are doing the risk assessment, those that are negotiating and actually creating the contract to ensure that this these risks that need to get remediated make their way into the contractual language. Right? So these are just a couple of gaps that we see on on a regular basis where risk and contracting really need to be aligned and oftent times there’s not. So either language doesn’t make its way into the contract or or certain risk assessment procedures are not done. So the way we we kind of talk about all right so what do you do and how do you start to close some of these gaps is really by creating structure that aligns contract management with thirdparty risk management and that’s where a framework comes in. And so um a framework enables you to really bring together operationally all the different components of managing that vendor relationship. So cont contract and third party risks don’t live individually. They actually come together under a common structure and common framework in how they’re managed, right? So, there’s lots of different frameworks out there for managing third parties. This is ours and the one we use. And as you can see on the uh the just to kind of orient you as to how this is set up. So, on the outer ring here, we kind of have the the life cycle stages. So, basically u the different activities and flow that goes through and managing the third parties, right? All the way from sourcing through doing risk assessments and due diligence through contracting and and onboarding that vendor or third party, making purchases, doing ongoing management and monitoring all the way through termination and offboarding, right? So, the stages kind of are the different activities that need to get managed that are inclusive of thirdparty risk and contracts. And then the inner part is really operational governance that that holds it all. together. So these are where you’re creating policies and standards, right? They’re not standalone policies for contract and not standalone policies for risk, but really policies for managing that that end to end relationship supported by standards, supported by procedures, supported by the people, skills and training that need to get the work done, the technology and reporting that you need all the way through kind of oversight and and management of everything as well. So this framework creates kind of the the I guess the glue or the structure that kind of pulls everything together and helps to support that alignment of the third party risk activities with the contract management activities. Right? But within the framework and within these different areas, there are really certain key points that are really important to align contract and third party risk management together. Excuse me. Because while they happen through about the whole process there’s there’s specific points in which third party risk and contract management really really come together and that’s where the alignment truly needs to happen. So as you think about the framework and as you think about where those points are there’s three that are really important. So one obviously is when you’re doing the initial risk assessment and you’re doing the the contract development right and I talked to that kind of on the on the early stage there. um is that not only do we need to make sure that any contractual provisions that we’re requiring the vendor to comply with are uh kind of evaluated from a due diligence standpoint, but that anything that comes up from a residual risk standpoint also makes its way into contract when contractual language is required. So, this is a is a key point of alignment. The second key point of alignment between risk and contracting is once that contract’s up and running, kind of the the ongoing management and monitoring of both risk and contract performance and making sure that um there’s the right procedures that are established and the right communication that’s happening uh to kind of take risks that come up and take contractual issues that come up and and have those folks coordinate on those to to manage those effectively as well. Then the last uh area of alignment is really on the back end here and that’s the termination and offboarding. And I think as we, you know, as I think about the types of organizations that we’re working with, a lot of them are um we have some clients with some mature programs, but we have a lot of clients that are just on the front end of this and just getting things going. And I think this last piece, this kind of termination and offboarding is where we see the least maturity out of most of our clients. There’s there’s no formal structure in place to go through and really ensure that all contractual obligations have been met. And as certainly that all those risk pieces that that are still in the contract like data destruction like maybe return of uh or transfer of intellectual property things like that that that happens in an organized and structured way so that um so there’s a d-risking of that relationship right so that’s a key point of alignment in the in the life cycle as well so so really as we think about um where can contract and thirdparty risk come come together in a much better way. It’s these three places that we we really focus on and then really determine what types of practical processes and controls should be in place to help support that alignment better. And so that’s what I’m going to um kind of start getting into on the on the back end of the presentation here. But I wanted to just pause for a second. Melissa, I know some things have been coming in through chat a little bit and see if there might be any any questions so far.

Melissa: Äh, im Moment ist nichts Dringendes zu tun. Ähm, jeder freut sich darauf, die Dias am Ende zu sehen. Also überlasse ich das Ihnen und schaue, womit Sie einverstanden sind. Aber bis jetzt ist das Engagement positiv. Ich lasse Sie also weitermachen.

Tom Rogers: Okay. Fantastisch. Fantastisch. Das ist also sozusagen das Wichtigste, richtig? Wir haben, wissen Sie, einen Grund, warum man das Risiko Dritter mit der Auftragsvergabe verbinden sollte. Es gibt verschiedene Punkte in der Beziehung, die wirklich entscheidend sind, um diese Verbindungen herzustellen. Jetzt geht es also darum, was wir tun können. Wie können wir diese Verbindungen besser herstellen? Was sind einige der Kontrollpunkte, die wichtig sind? Und darauf möchte ich mich im zweiten Teil der Präsentation konzentrieren. Ich habe also vier Kontrollpunkte, die ich mit Ihnen durchgehen möchte. Ich beginne mit dem ersten, nämlich der Vertragsgenehmigung. Wenn wir also darüber nachdenken, werde ich nur kurz zurückgehen. Wir denken also über die anfängliche Risikobewertung und die Vertragsabschlüsse nach. Es geht darum, wie wir sicherstellen können, dass alle Restrisiken in den Vertrag einfließen. Und das geht am besten, wenn man während des Vertragsgenehmigungsverfahrens einen guten Kontrollpunkt hat, oder? Denn das wird dazu beitragen, dass die Restrisiken beseitigt werden. Wir sehen uns die Vertragstexte an, um sicherzustellen, dass sie enthalten sind und alles geregelt ist, bevor Sie die Vereinbarung mit dem Anbieter unterzeichnen. Praktisch geschieht dies durch eine Art Kontrolle während des Genehmigungsprozesses. Was Sie hier sehen, habe ich mit ein paar Illustrationen versehen, die ich mit Ihnen teilen möchte. Das hier ist ein Musterformular von einem unserer Kunden. Es handelt sich um ein großes Versicherungsunternehmen. ähm, sie haben es automatisiert, es ist also kein manuelles Formular, aber ähm, das Formular ist im Grunde genommen ein Prozess, bei dem sie bei der Genehmigung eines Vertrags ähm, einige grundlegende Informationen über den Vertrag sammeln, um das Profil, die Zusammenfassung, den Vertragsnamen und so weiter zu erstellen, aber Sie können hier unten in diesem unteren Abschnitt sehen, bevor der Vertrag genehmigt wird, machen sie auch einige Dinge in Bezug auf Governance und Risikomanagement für die zukünftige Vertragsbeziehung. Sie wollen also nicht nur sicherstellen, dass die Restrisiken in den Vertragstext einfließen, sondern auch, dass es eine Kontrolle gibt, die z. B. die Zuweisung eines Vertragseigentümers, d. h. eines designierten Kundenbetreuers, ermöglicht. Sie stellen also sicher, dass jemand nach dem Vertrag dafür verantwortlich ist, diese Lieferungen zu verwalten und sie auch tatsächlich zu benennen und die Verantwortung zu übertragen. Daher wird hier die Verantwortung für die Risikoüberwachung und die vertragliche Überwachung klargestellt. Und hier werden auch einige andere Dinge im Zusammenhang mit der Segmentierung und der Risikobewertung getan. Und dieser letzte Teil hier im roten Bereich stellt sicher, dass es einen Schritt im Prozess gibt, in diesem Fall ist es das Vendor Management Office. Dort wird überprüft, ob die Risikobewertung durchgeführt wurde, ob eine Restrisikoanalyse vorgenommen wurde und ob irgendetwas aus dieser Analyse in den Vertrag aufgenommen werden muss. Der VMO ist also für die Freigabe zuständig, und wenn es irgendwelche Probleme gibt, sind sie diejenigen, die die Federführung übernehmen, um herauszufinden, was vor der endgültigen Vertragsgenehmigung getan werden muss. Ähm, Melissa, ich habe gesehen, dass Sie aufgetaucht sind.

Melissa: Ich habe eine Frage an Sie. Eine der größten Herausforderungen, die ich typischerweise sehe, besteht darin, dass Vertragsabschluss und Due-Diligence-Prüfung entweder parallel erfolgen oder dass der Vertragsabschluss erst nach der Prüfung des grünen Lichts erfolgt, was einige Zeit in Anspruch nehmen kann, und das ist das Problem. Was ist Ihrer Meinung nach die sauberste Methode für die Auftragsvergabe/Bewertung, entweder parallel, bei der der Vertrag ausgehandelt, aber erst nach Abschluss der Bewertung unterzeichnet werden kann, oder nach dem Wasserfallprinzip, bei dem die Auftragsvergabe erst dann beginnt, wenn die gesamte Due-Diligence-Prüfung genehmigt oder gebilligt worden ist?

Tom Rogers: Wow, das war eine wirklich gute, gut geschriebene Frage. Das war großartig.

Melissa: Ich habe es nicht geschrieben. Also,

Tom Rogers: Ja. Nein, das war großartig. Tolle Frage. Also, hier sind meine zwei Cents. Ich denke, dass sie praktisch parallel laufen, richtig? Also, ähm, es ist so, ich meine, sehen Sie, Geschäftsinhaber brauchen Dinge. Sie können nicht warten, bis eine vollständige Due-Diligence-Prüfung abgeschlossen ist, um eine vertragliche Vereinbarung auszuhandeln. Was wir also in der Praxis typischerweise sehen und was wir im Allgemeinen empfehlen, ist, dass die Vertragsverhandlungen mit der Due-Diligence-Prüfung Hand in Hand gehen, so dass Sie diese Dinge vorantreiben können, aber am Ende eine abschließende Prüfung und eine Pause einlegen, um sicherzustellen, dass der Vertrag tatsächlich ausgeführt und unterzeichnet werden kann, bis ein Genehmigungsprozess und die Due-Diligence-Prüfung abgeschlossen sind und alle Restrisiken ebenfalls behandelt wurden. In der Regel läuft das also parallel, und ich denke, das ist der praktischste Weg, damit umzugehen.

Melissa: Perfekt. Und haben Sie noch Zeit für eine weitere Frage?

Tom Rogers: Natürlich.

Melissa: Das ist eine einfache Frage für Sie. Was bedeutet Verkäufersegmentierung?

Tom Rogers: Okay. In diesem Fall ist die Segmentierung der Anbieter wirklich ihre Risiko-, Entschuldigung, ist wirklich ihre Risikotarierung. Sie verwenden also eine hohe, mittlere und niedrige Risikostufe, die sich aus ihrer inhärenten Risikobewertung ergibt. Und genau das haben sie hier festgelegt. Dies war ein manueller Prozess. Sie haben das Formular erstellt und es dann in ihre Softwareplattform eingegeben, um alles zu automatisieren. Die Risikobewertung wird also automatisch durchgeführt, aber sie wollten einen Platzhalter, um sicherzustellen, dass dies in das Profil des Anbieters aufgenommen wird.

Melissa: Perfekt. Also gut. Ich lasse Sie weitermachen.

Tom Rogers: Sure. Hopefully that answered those two those two questions. So, thanks guys. Keep keep the questions coming. That’s helpful. Um, so, so this first control point around contract approval is is important. This is where we’re aligning contracting with the risk piece. So, a couple some keys to think about here. Um, so one of which is is to make sure that that the process is actually documented, right? So, um, a lot of times m the the misalignment that happens and the gaps happen because there is no documented process and there’s no clarity on roles and responsibilities and who’s to do what. So, uh documentation of that and being clear on the process with a supporting form or workflow is really important, right? Uh secondly is also um in a in a best case scenario would be to also have contractual standards that kind of match back to some of the your most common residual risks that come up. So that for example, if somebody, you know, if you’re if you’re going in and you’re doing a a risk assessment and you would normally expect that the vendor would have a sock report and let’s say they don’t have a sock audit, kind of what are you going to do, right? So there’s probably some additional diligence that you might do, but you also might have some contractual language that says, you know, you’re allowed to come out for an on-site visit, things like that, right? So if you know what those contractual standards are, are when some of your most common residual risks arise, you you make that process a lot smoother and it makes it much easier to kind of bake those into the contract once your risk assessment is done. So that’s a second thing. And then uh the third thing is is that um making sure not only is the risk assessment process documented, but that contract review and approval process is documented as well. And so you know where the misalignment can happen is if you’ve got third party risk policies and procedures and contract management policies and procedures. Our approach and and how we work with our clients is we bring everything together into one set of holistic policies and procedures for managing the endto-end relationship. So that includes everything from sourcing through risk assessments through contracting and onboarding oversight all the way through the backend um contract termination offboarding as well. So to the extent that you can not only define these but bring them together into one holistic view of managing that endto-end relationship that really helps as well but documentation here and and having these standards is a big part of supporting this this contract approval control okay so that’s control point one and that’s dealing with the front end prior to entering into a contract uh the second control point that I wanted to to talk about is really on the contract management side and once the relationship begins, right? So, here’s where we want to have a process in place to kind of communicate and escalate risks that present during contract management. And this is where um we see a lot that communication starts to break down because you’ve got different people in different roles and different departments within the organization that are doing different types of oversight and monitoring uh and management of either risk or the contract and they’re not kind of talking to each other and there’s no process to be able to support them to do it. Right? So in this case, this is a a just a screenshot. This is actually from the prevalent platform that monitors certain types of risks, right? So you know in this case, you know, you might have a vendor that’s being monitored and some issues came up around regulatory and legal risks. So what do you do and how do you who’s monitoring this. So, is this the vendor management office that’s monitoring it or thirdarty risk? Is this uh compliance that’s monitoring it? Is it the business owner? Right? So, who’s kind of monitoring the different pieces that happen during contract management? And how do you have a a a system and a process to be able to bring those together to kind of make some decisions and escalate them? So, the alignment here is really about creating structure to this process and being clear on who’s monitoring what and how to escalate issues as they come up. So, some of the keys that that we kind of talk about here during this contract management process, again, it gets back to roles and responsibilities on who’s doing the monitoring. And this is especially for newer programs and they’re trying to figure out kind of the roles of different subject matter experts and um who looks at financial statements versus who monitors systems like this versus who’s monitoring information security risks, things like that. It’s creating those roles and responsibilities as to as to who has has those uh um uh those responsibilities, sorry, as well as the contract and the service level agreements and deliverables, which is typically the business owner. So clarifying those is key. Um and then once you’ve clarified those, being able to have systems that when those risks come up, when those issues come up, that they actually can be either automatically identified in the system and then communications kind of go out to provide line of sight to all the different stakeholders involved or a way that if a risk presents itself and uh needs to be say manually entered into a system like a contract problem that it can actually do that be entered into the system and then some communication to go out to provide visibility to all the different stakeholders as well because it’s all about providing line of sight and keeping those communications open as to what’s going on. And then once things come up, it’s really figuring out, all right, so is this issue uh something that needs to be dealt with or not? And if it is, who kind of runs point on all of that? And and this is a big challenge for a lot of organizations, especially if folks are trying to push it down to the business owners because the business owners are typically not going to be the ones to know how to deal with a lot of the issues that come up. not information security experts, they’re not financial health experts, right? So, so who runs point to actually determine when a risk requires escalation and how it gets dealt with? Our approach is is that should really be centralized somewhere within the vendor management office or the third party risk group and that they should be the quarterback to figure out what to do with that and to get the right people involved in the process so that you’ve got all the right stakeholders that can kind of come together, make decisions, and decide what they what they want to do. But having the the the vendor management office or third-party risk office, whatever you might have in your organization, kind of be the quarterback to do that, right? So, they’re running point to figure out how to get the risk dealt with. And that might mean contract modifications, right? Or it may in worst case scenario potentially mean contract termination. So, the last key around risks that might come up during contract management and how to deal with them is if you have risks that um can potentially be dealt with through some additional controls, great. If there’s requirements you need to place on the third party to be able to do that through mods in the contract, but you also want to have a way that if you if something does come up that is beyond your risk appetite that’s really going to create an issue that the contract vehicle needs to have a way for you to be able to get out of it when that happens. Um the most common way to do that is through some type of um uh you know termination for convenience language. Uh generally there’s always stuff in the contract for termination for cause. Um but you want to give yourself some flexibility here in the contract that if there’s something that just can’t be mitigated and you need to get out, you need to have the ability to do that. So this control point is all around when risks present. Um how do you kind of centralize How do you have line of sight to the right stakeholders? Who should be the quarterback to figure out what to do with them? And then how do you modify or get out of the relationship if you need to? So these four keys kind of support uh this whole contract management control point here. Okay, pause there. Melissa, any questions on that?

Melissa: Ja, eigentlich perfektes Timing. Wer trifft Ihrer Erfahrung nach normalerweise die endgültige Entscheidung, ein bestimmtes Risikoniveau zu akzeptieren? und dann von der Rückerstattung in Klammern gesetzt und am Ende unter Vertrag genommen. Sind es die Geschäftsinhaber? Hat die Rechtsabteilung oder ein TPRM-Team ein Vetorecht? Gibt es einen Risikoausschuss?

Tom Rogers: Ja, das ist auch eine gute Frage. Ehrlich gesagt, das ist ganz unterschiedlich. Ich denke, es hängt zum Teil von der Größe der Organisation und dem Reifegrad ab. Letztendlich muss es vom Risiko abhängig sein. Es sollte also ein Verfahren vorhanden sein, mit dem die entsprechenden Stakeholder entscheiden können, ob sie das Risiko akzeptieren oder nicht, und das kann ein Ausschuss sein. Einige unserer Kunden haben Risikokomitees oder Risikokomitees für Dritte, in denen, wenn ein Risiko auftritt, das nicht von, sagen wir, dem VMO und dem Business Owner gelöst werden kann, es an dieses Komitee eskaliert, und dann können sie gemeinsam diese Entscheidung treffen. Dem Ausschuss könnten also Leute aus dem Vendor Management oder dem Third Party Risk, der Compliance, der Rechtsabteilung oder der Informationstechnologie angehören, also verschiedene Leute, die diesem Ausschuss angehören können. Viele unserer Kunden haben jedoch nicht so viel Struktur. Ich denke, das ist typischerweise größeren, reiferen Organisationen vorbehalten. Sie tun es also eher ad hoc. Normalerweise ist es so, dass derjenige, der die Leitung des Vendor Management Office innehat, dafür verantwortlich ist, die richtigen Stakeholder auf der Grundlage des Risikos zusammenzubringen, und diese Stakeholder treffen dann gemeinsam die Entscheidung. Die Geschäftsinhaber treffen diese Entscheidung also nicht wirklich. Sie müssen natürlich ein Mitspracherecht haben, entschuldigen Sie bitte. Aber wir wollen nicht, dass sie eine Entscheidung über etwas treffen, das ein Informationssicherheitsrisiko darstellt. Oder? Wir brauchen wirklich Infos, die eine Rolle dabei spielen, oder Compliance-Risiken oder so etwas. BMO ist also die Anlaufstelle, die diese Stakeholder zusammenbringt, und das geschieht in der Regel eher auf Ad-hoc-Basis, wenn der Bedarf entsteht. Sie ermitteln die Rollen aller Beteiligten, damit sie wissen, wer die Ad-hoc-Gruppe ist, die zusammenkommt, wenn diese Probleme eskalieren. Das ist also eine lange Antwort. Ich würde sagen, ich habe beide Seiten gesehen. Ich sehe weniger von der Ausschussstruktur, es sei denn, es handelt sich um eine größere, reifere Organisation, die das tut.

Melissa: Perfekt. Ich danke Ihnen.

Tom Rogers: Awesome. Thanks, Melissa, and thanks for the question. All right, so let’s see. How are we doing on time here? All right, so let’s go through um I’m going to go through the next two control points and then I’ll I’ll pause for questions there and I’ve got one thing to kind of finalize from the back end. So the control point three here. All right, so we talked about risk the present. So what about contract mods? Right. Um, this is an area where I think it’s easy to to have a gap that comes up. Um, especially primarily when there’s a scope change, right? So, so what we’re what we’re concerned with here is that a business owner goes through and does a contract mod that changes the the scope of the relationship that may bring more risk into the organization based on the scope change, right? Um, and if Uh, and if there’s more risk that’s brought into the organization, there needs to be a an alignment and a pause with thirdparty risk to say, hey, we’re making the scope change. We’re adding, you know, let’s just say we we hired a vendor to do a project and now we want to outsource something to them, right? Or we hired a vendor to do some initial consulting work and now we’re going to be buying software from them. So that that scope change creates a different relationship potentially with more risks if you’re outsourcing. something or if you’re leveraging technology, maybe the the front-end diligence that you did didn’t include those aspects because they weren’t present in the initial scope of work, but in the new scope of work, they are. So, this modification alignment is important here. And it’s basically saying, hey, look, when we have a contract modification, there needs to be a process in place to to kind of stop, see what the the scope change is and whether it it changes the nature of the relationship to the extent that we need to reassess the risk. Right? So, in this example, this is just kind of a sample change order from one of our our clients again. Um, and they they’ve made some change where they’re doing a they’re licensing and implementing some software, right? I kind of clean this up. Um, but that would be one example. So, so what we really need to do is is pause, make sure that whoever’s managing the contract mod, notifies risk that the mod is happening. and that they’re able to get together and and really say what’s the details of the scope change. Is it enough that it’s changing the inherent risk that we’re accepting and do we need to go through and do additional level of due diligence based on this modification? Right? So, so that’s what we’re getting at there and what we want the control to be. So, some of the keys here again process making sure there’s a documented process for contract mods, right? And that there’s also a process to go through and redo that inherent risk assessment to see whether there’s new risks that need to be assessed based on the scope change and that if there are new risks and if the due diligence shows that there’s some residual risks that need to be remediated right that we we bake that into the contract. So it’s a similar process to what we talked about before it’s just happening for for the modifications right uh so that’s a control point that’s important around the mods. Um, and now as we work our way through the relationship, we’re on the back end and uh you’re getting towards termination, whether the termination is uh proactive, where you’re doing it because of a of a breach or for convenience or whether it’s just naturally expiring is that last control point that we want to get in place, which is to make sure that as the contract winds down, whatever risks uh remain are are kind of being uh alleviated from the relationship uh to the extent that you can as the the contract obligations are being closed out as well. Right? So um this was the same example I showed you guys earlier around term and termination where we’ve got this um you know they have to delete uh let’s see return or delete with a written certification all the PI right so in this case risk needs to be aligned with contracting to make sure that this was actually done. They get the attestation um and that that that risk can kind of be removed from the relationship and that that third party either no longer has that that data, right? Um or that they’ve returned it, right? And that they’ve attested that they’ve done it as well. So So syncing up on here is is really around making sure that there’s a formalized documented process can sense a theme here, right? Documentation. Um, and then also as you’re thinking about one of the things I didn’t mention is based on the nature of the relationship from a risk standpoint, you also want to make sure that if this is um this is a critical vendor, right, that you’re terminating that you should have a contingency plan in place already for the vendor. Um, and that the contingency plan was enacted prior to determination. So if you’re winding down that relationship of somebody that you’ve outsourced something to or or if they’re providing a key key software, right, that there’s already been uh some discussion and planning in place on how you’re either have a new vendor in place to kind of handle that outsourcing and provide the software. Maybe you’re going to bring some of that inhouse so that there’s no risk to um pausing or or creating problems. with operations with that that that vendor’s contract being terminated, right? And we’ve seen some issues with this before where something happened with a vendor, somebody moved quickly to terminate, and then the client was left with a major um disruption to their operations that they had to quickly try to uh uh to resolve. So, contingency plans are important here. Um also, you know, a lot of focus uh with with risk management, risk ments is around data, but remember there’s lots of non-data risks that need to be addressed as well. So that might be transfer of intellectual property if there is any something as simple as badging, right? So did a vendor have access to your office, right? Okay, get the badge back so they no longer have access or or turn off those rights. So all these things should be factored into a formal uh termination and closeout process that’s documented, right? Um and then there should be some final control in place. Um, again, this is oftentimes the vendor management office can be the the quarterback on this, the business owner might be kind of running it and responsible for it, but somebody needs to just make sure that everything’s done. And while client while organizations will try to push that on the business owner, practically it just won’t happen because they either have too many things on their plate or they’re not going to be held accountable for it. So, if you have a fun like a VMO that can support this. It’s great if they can kind of provide that that final check as well to make sure all these things are done. You you’ve derisked that relationship as well as got all the contract deliverables and obligations that that vendor was responsible to do. So, so creating that connecting those dots around d-risking and and offboarding the contract here at the end is important. Okay. So, that kind of uh you know in summary of those control points. As you think about that life cycle, right? We’ve got here during contracting and onboarding, we need an approval process. Uh where the risk and and third party uh sorry where risk and contract management come together. Again around contract management when risks present, they need to be escalated and how does that make its way into the contract if needed. Uh the third one is around the modifications. If there’s scope changes that need to be addressed, they are in the contract. And then lastly, it’s making sure as the contract winds down, all the the kind of the d-risking activities happen in in concert with that as well. Okay. Um, so that’s that’s my um my thoughts on kind of where the alignment’s really important between third-party risk and contracting. Some of the things you can do from a uh a control standpoint to support that. Obviously, all the stuff really needs to be um baked into some type of structure uh um that that kind of is the glue that holds it together so it’s not just done on an ad hoc way. Um and so that kind of is a good segue into my last point which is really around all right so as you think about all the different places where you need to make that alignment how do you make sure they kind of fit together right uh and and stick and that’s where this this governance comes into play. So this is kind of the inner side um the inner circle of the framework that I showed you earlier uh where really it’s it’s the glue that that ends up holding all those activities together. So when I talked a lot about documentation policies and procedures again bringing everything together into one common set of policies and procedures for managing these vendor and thirdparty relationships that’s where you can start to really get alignment between CLM Don’t treat them as separate. Bring them together into a common set of policies, standards, and procedures. Right? Secondly is um a lot of our clients find this very helpful is as you’re starting to build out roles and responsibilities. One way is to kind of make that more granular with a lot more clarity is to create REI charts. Um and REI charts are simply the REI stands for responsible, accountable, consulted, and informed. And it’s just a a way to really define what stakeholders are involved in different parts of the process around contract and thirdparty management, what they’re supposed to be doing. Are they responsible for something or should they just be consulted and informed and creating that clarity so everybody knows what their roles are throughout um third party risk and contracting, right? Uh then a third piece here on the on the governance piece that helps hold it together is to to really establish and integrate systems around around managing vendors both from a risk and contract management standpoint. And so that could either be, you know, two different systems that kind of come and talk together so you have one source of truth, right? Or it could be one single system that allows you to support both those contract and thirdparty risk management activities, which would make it even easier. But but you can’t have contract systems and thirdparty systems live separately. They they should be coming together to create a cohesive source of truth view for that relationship and all those activities that need to be involved. And then on the back side here, you think about kind of the structural stuff. There’s just making sure that there’s the appropriate oversight and reporting. So that gets back to do you have a risk committee um or not? Or maybe you have a a a management committee that might be responsible for that, right? What type of reporting should they be getting? How do you escalate things? All that happens kind of over here when you establish control and in doing it together with thirdparty risk and contracting. And then the last piece is um you know for again for more mature organizations if you have an internal audit function something like that is to really to make sure that they’re aligned and things are working as they should is to do those periodic assessments and testing of um um of all your activities to ensure that everybody’s kind of doing what they should be doing and then cleaning up any any gaps or areas where you need to make improvements. So, so that’s a kind of that’s my last um bit of uh kind of thought I wanted to share with you was really this governance structure is is key to everything. It’s the glue that holds it all together. If you don’t have these things, it’s really easy for for misalignment to happen. Um not only with contract and and third party risk, but with compliance and term and all the other pieces that go into managing that vendor relationship. So, um, so that’s that’s really what I’ve got primarily on the slides I wanted to share with you today. Um, Melissa, I see we’re at 12:49. So, um, maybe we have time for one quick question or I can turn it back over to you and Scott.

Melissa: Ähm, ich überlasse Scott das Wort und dann sehen wir mal, ob wir noch etwas Zeit für Fragen und Antworten haben.

Scott Lang: Großartig. Äh, Tom, wenn Sie bitte meine Folie umdrehen und den Anfang verwenden könnten. Wie auch immer,

Tom Rogers: ähm

Tom Rogers: Entschuldigung. Und ich habe, äh, ich denke, wir werden dieses Deck gemeinsam nutzen, nicht wahr, Melissa?

Melissa: Das liegt ganz bei dir. Um

Melissa: Wir teilen uns das Deck. Ja.

Scott Lang: Ich wollte es nur.

Tom Rogers: Ja. Sie können sich also an mich wenden, wenn Sie noch Fragen haben oder etwas nachfragen möchten. Aber trotzdem, danke. Und ich übergebe es an dich, Scott.

Scott Lang: Yeah, you can uh keep going. Um and just, you know, we’ll flip over to me. I’ve just got a couple points I want to cover on what prevalence perspective is on aligning uh contract life cycle with third-party risk life cycle. Um and it might be good for me just to kind of walk through a few things here, talk about our perspective and give Melissa a chance to kind of triage all the questions that came in. Fantastic engagement everyone from all the questions you’re asking. Definitely keep it up. Keeps these discussions lively, real, interactive and and kind of grounded in actual situations. So thank you for the engagement. Keep it coming. you know, from our perspective, you know, Tom kind of walked through a very holistic approach to looking at, you know, how managing a contract, how managing CLM relates to managing a vendor. And, you know, we, if you want to sum it up, you know, it’s a very timeconsuming manual process. You’re probably using a CLM tool uh in a silo that maybe doesn’t have great interaction with the way you’re assessing your vendor. What that leaves is um some disjointed views of the risk a vendor brings to you from a contractual perspective. Are they meeting their SLAs’s? Is the right contractual language in there? Uh versus how you’re assessing the risk that the vendor brings to you inherently. Security, IT related risk, data privacy risks, reputational risks, whatever. Um it’s also a version control nightmare that you want that you well understand better than anyone else. But um what it results in is that you know you can’t really track details very effectively. Really doesn’t give you great visibility into the contract to the liv cycle and what what ends up happening? You got folks going rogue in the organization, maybe going outside of established contracting and purchasing cycles um maybe you know signing some paper they shouldn’t be signing and you know it leaves the business unprotected um from a you know potential you know contractual problem in the future. Uh it leaves you not in se in sync and you know it it it can introduce a lot of business risk with all those real business consequences kind of backending that. So I Guess the point I’m trying to make is if you’re looking at CLM and TPRM differently, uh, you know, bringing them together holistically is the is is the better path to go. Tom, next slide, please. You know, so um, you know, our our approach on this is to offer a solution that fully integrates with the thirdparty risk management life cycle and the solution is called contract essentials. Um, at the heart of the solution is the ability to centralize uh the creation distribution, discussion, retention, and review of vendor contracts. We’ve implemented workflow into our solution that helps to automate the progression of that contract through its life cycle. And you can see a bit of a representation of that on the right hand side. So at the end of the day, you can treat contracts with the same level of discipline as you’re treating uh other types of risks that come through um you know, the regular engagement with the vendor. So you know, got couple of high level capabilities available in the solution. You know, built-in workflow to again help you automate the progression of contracts and review uh until a signature is obtained. And then the ability to then extract key um uh contractual provisions or language that you can then automatically implement into, you know, S contractual SLA monitoring, for example. Uh it’s got built-in version control to allow you to, you know, make changes and re-upload new uh new versions and then implement discussion tabs in there as well so that if you just want to simply ask a question to the contract manager uh or internal procurement person you know you can do that as well. Next slide please Tom. You know we see contract life cycle management um is its own thing of course and so is thirdparty risk but we see contract life cycle touching multiple stages of the third party risk life cycle. It isn’t just about sourcing and selecting good vendors or simplifying the process of negotiating and kind of version control and and upload and such, but also from an onboarding perspective, it’s all, you know, making sure that you’ve got the review, the redlinining and approvals processes in place so that when you make a decision on a vendor, you can quickly execute and get them on boarded uh come to a contractual provision uh agreement and then agree on what SLAs and then move forward to more uh comprehensive due diligence uh which means it’s totally appropriate as you’re measuring SLAs’s and performance throughout the life cycle, right? Okay. Sourcing and selecting vendors, intaking and onboarding, performing some level of inherent risk, doing due diligence assessments and remediation, validating those results through continuous monitoring, monitoring their performance over the life cycle, and then finally speaking to something that that I think Tom is really clear about in the in the slides was uh offboarding and termination. Uh that gives you a central repository that’s tracking not just um you know final contractual requirements and obligations that have to be met. but how that aligns with the rest of your third party, you know, risk tasks, breaking access, cutting off physical access to systems, you know, things like that. Next slide, please, Tom. Um, you know, multiple different people throughout the enterprise is uh or can you know benefit from uh the integration of CLM and and thirdparty risk. You know, legal folks, you folks who are managing contracts on a regular basis, you know, they save a lot of time by automating those cumbersome processes. and more importantly keeping their stakeholders updated involved. Procurement shortens purchasing cycles by making sure everybody’s adhering to the process uh by offering it centrally and requiring everybody to kind of play into that system and then looking you know at uh contractual risks as well as business risks. And then IT security and risk management teams as well uh have a derivative benefit of reducing the risk of a downstream business disruption by making sure contracts have the provisions that are enforcable in the contract and can measure that throughout the life cycle as well. Next slide, please, Tom. You know, and that just kind of aligns with the rest of our approach on managing thirdparty risk. You know, we start out by uh offering you the ability to um source and select a vendor appropriately through, you know, RFX essentials, intake and onboard and contract with contract essentials and then perform deep uh, you know, inherent risk and then ongoing due diligence, assessment, and remediation in our platform all the way through the life cycle so that you can continuously reduce risks not just from a contract perspective but from a holistic risk perspective. Next slide please. You know at the end of the day our approach is is founded on three driving principles. Number one we hope to make you know you smarter with regard to risk through a very datadriven and comprehensive approach that adds context uh to help unify your processes and teams and break down silos not just your risk and thirdparty teams but also now legal and procurement teams as Well, and to do it in a way that’s prescriptive with built-in intelligence, recommendations or mediations so that everybody knows what’s happening to everybody else at the same time and you can produce great reporting uh improve your organizational consistency and process and eventually close the loop on risk from contracting, you know, uh onward to offboarding. And that’s really our approach uh to kind of how we address, you know, thirdparty risk and and CLM together. Um I’ll stop talking now. You know, we can open it up to questions if you guys have questions for Tom. especially or even a few for me. I’m happy to take those as well. Melissa, back to you.

Melissa: Fantastisch. Ich danke dir, Scott. Wir werden uns jetzt an die Fragen und Antworten machen, aber bevor wir das tun, habe ich noch eine letzte Frage an Sie. Haben Sie vor, 2022 oder sogar Anfang 2023 ein Risikoprogramm für Dritte einzurichten oder zu erweitern? Ich kann nicht glauben, dass dieses Jahr schon zur Hälfte vorbei ist. Ähm, antworten Sie also ehrlich. Wir sind einfach nur neugierig, und wir werden das weiterverfolgen. Wie bereits erwähnt, werde entweder ich oder einer meiner Kollegen, Amanda, Null oder Landon, diese Aufgabe übernehmen. Was die Fragen und Antworten betrifft, so habe ich eine Frage an Sie, Tom. Wie handhaben Sie die Vertragskontrollpunkte mit Ihren kritischen Lieferanten im Gegensatz zu den Hochrisikolieferanten?

Tom Rogers: Ähm, Vertragskontrollpunkte. Äh, also ich denke, die Frage ist, wenn ich es richtig interpretiere, sind es die vier Kontrollpunkte, die ich vorhin erwähnt habe, richtig? Und gibt es einen Unterschied zwischen der Verwaltung von kritischen und risikoreichen Anbietern und anderen Anbietern? Ich denke, das könnte die Frage sein. Also, ich werde meine eigene Interpretation machen. Also, ich würde sagen, die Kontrollpunkte sind die gleichen. Es gibt also keine Änderung der Kontrollpunkte in Bezug darauf, ob der Lieferant kritisch oder nicht kritisch oder mit hohem oder mittlerem oder geringem Risiko behaftet ist, richtig? Ich weiß, dass wir nicht viel Zeit haben, aber ein kurzes Beispiel könnte sein: Hey, wir haben eine Änderung. Ursprünglich wurde der Lieferant vielleicht als geringes Risiko eingestuft, oder? Aber sagen wir mal, die Änderung macht ihn zu einem hohen Risiko, weil Sie sich jetzt entscheiden, etwas an ihn auszulagern oder ein System von ihm zu kaufen. Es geht also weniger um die Risikoklassifizierung und die Kritikalität, sondern vielmehr um den Kontrollpunkt. Und das sollte man konsequent auf alle Anbieter anwenden. Ich hoffe, ich habe das richtig interpretiert, aber es sollte keine Änderung der Kontrollen geben.

Melissa: Perfekt. Nun, ich meine, Sie haben das perfekt getimed. Wir haben noch etwa eineinhalb Minuten. Ähm, kann ich noch eine Frage stellen?

Tom Rogers: Ja, sicher. Ich werde es in 60 Sekunden oder weniger machen.

Melissa: Okay. Ich lese so schnell ich kann. Können Sie ein wenig mehr darüber sagen, wie Sie Ihre Risikomemes und Vertragsexperten mit Geschäftsinhabern zusammenbringen, die, wie Sie sagten, vielleicht nicht so ein differenziertes Risikoverständnis haben. Gibt es irgendwelche schnellen Best Practices, um sicherzustellen, dass nichts in der Übersetzung verloren geht?

Tom Rogers: Ja, das ist wie ein stundenlanges Gespräch. Das ist eine tolle Frage. Das ist schwer, oder? Es ist wirklich schwer. Und wissen Sie, je größer man wird, desto schwieriger ist es. Ich weiß also nicht, ob ich darauf eine schnelle Antwort habe, außer zu sagen, dass wir festgestellt haben, dass es wirklich gut funktioniert. Ich habe vorhin schon ein bisschen über Rennen gesprochen, und dieser Prozess hat vielen unserer Kunden sehr geholfen, weil er sie dazu bringt, ihren Prozess durchzugehen und wirklich zu definieren und auch festzustellen, welche Stakeholder an welchen Punkten beteiligt sind und wer wirklich einbezogen werden muss und wer nur informiert oder konsultiert werden muss. Meine schnelle Antwort wäre also, damit zu beginnen, herauszufinden, wer die Beteiligten sind und welche Rollen und Verantwortlichkeiten sie haben. Vielleicht ist die Verwendung eines strukturierten Modells ein guter Ausgangspunkt. Und dann geht es darum, sie dazu zu bringen, zusammenzuarbeiten, das ist ein ganz anderes Thema. Und das erfordert ein gewisses Maß an Veränderungsmanagement und Schulung sowie die Koordinierung durch den VMO als Quarterback, um sie mit ins Boot zu holen. Ähm, aber diese Schnelligkeit wäre wahrscheinlich ein guter Ausgangspunkt, wenn Sie so etwas noch nicht haben, weil es wirklich hilft, alles zu klären.

Melissa: Perfekt. Nun, mehr Zeit haben wir für heute nicht. Ich hoffe, dieses Webinar hat Ihnen gefallen. Vielen Dank auch für Ihre Interaktion. Ich bin sicher, wir haben Ihnen eine Menge zum Nachdenken gegeben. Und wir sehen uns in Kürze in Ihren Posteingängen. Auf Wiedersehen.

Tom Rogers: Danke, Melissa.

Melissa: Tschüss.