Wie man ein Lieferanteninventar von Grund auf neu aufbaut

Melissa: Hello everybody. Welcome. It’s great to see you all start joining. Melissa: Um I’m going to give you a minute while we wait for people to get situated and uh connected. Melissa: In the meantime, I will launch our first poll. Melissa: Um I’m curious to see what’s bringing you to today’s webinar. Melissa: You know, is it educational beginning stages of your TPR and program? Melissa: Maybe a current prevalent customer. Melissa: Maybe you have no idea where you are. Melissa: Just let me know there. Melissa: And uh I will begin by getting some intro started. Melissa: My My name is Melissa and I work here at Prevalent in Business Development. Melissa: And today we are joined by a special guest, Bob Wilkinson, founder and CEO of Cyber Marathon Solutions. Melissa: Hi Bob. Bob: Hi Melissa. How are you? Melissa: Good. Melissa: And I cannot forget about Scott Lang, our very own VP of product marketing. Melissa: Hi Scott. Scott: Sorry. Scott: How you doing Melissa? Scott: Sorry. Scott: On mute, off mute. Scott: Who knows, right? Melissa: It was a pop quiz for you. Melissa: All right. Melissa: A little bit of house. Melissa: keeping it’s being recorded um as you can see in the upper lefthand corner of your screen. Melissa: So you’ll get this along with a slideshow shortly after the webinar and you are all muted. Melissa: So use the chat if you need to communicate something that is not a question for the Q&A box. Melissa: So if there is you know a pressing question throw it in the Q&A and we can get to it either during the webinar or at the end if we have time. Melissa: So without further ado I will let Bob jump into it. Melissa: Go ahead. Bob: Okay. Bob: Thanks Melissa and welcome everyone. Bob: Today’s topic is how to build and maintain a vendor inventory. Bob: So let’s just jump right in and uh we’re going to cover a number of topics today. Bob: Uh the reason that we have this as a topic is that having a vend a complete vendor inventory with reliable information is really one of the key foundational elements of a thirdparty riskmanagement program. Bob: So today we’re going to talk about uh the different systems and and sources of information and teams that are involved in uh the uh collecting this information and managing vendors. Bob: We’re going to uh talk about a number of organizational resources that you can use to help as you build and validate your inventory. Bob: Um some of the processes that are key in order to creating at central vendor inventory. Bob: Some of the associated risks that come with uh having a less than complete vendor inventory. Bob: The value that’s derived from categor categorizing vendors based on the risk that they represent to your business. Bob: How important it is to maintain continuous visibility into that inventory. Bob: And then what are what is some of the data and the data analy analytics that you can use to tell the story of your vendor inventory in support of your uh thirdparty risk management program. Bob: The one thing that I’d like to stress at the beginning and I’ll stress throughout this is that if you manage your vendor inventory effectively, you can lower both the cost and the risk of your vendor risk management program. Bob: One of the biggest challenges that doesn’t get talked about enough is the unfettered growth in the number of vendors that businesses use. Bob: If uh your organization when you look at the numbers you see that your vendor population is growing by 10% a year, are you getting 10% more resources in order to deal with uh that influx of vendors? Bob: And the answer is almost certainly for everybody no. Bob: So how you manage the vendors you have, how you help the business understand what the existing inventory looks like before they go out and hire yet another vendor becomes an important aspect in the sustainability of your overall vendor risk management program. Bob: So when we talk about uh vendor risk management uh the vendor life cycle the first component of that which I call planning and discovery is you have to identify what your supply chain inventory is. Bob: It’s not just about your immediate vendors, your third parties, but what about all the subcontractors that they use? Bob: One of the things that happens is that we focus so much on third parties that we neglect who the subcontractors are that our vendors use, particularly for what we define as our critical business processes. Bob: When we dig deeper into the data, what we find is that many of the security incidents that we have are tied to our vendors. Bob: But when you start to peel back the layer, you find that the security incident many times far more than people recognize starts with the fourth and fifth party. Bob: So just like we know we have to secure our vendor relationships, the bad actors also know what we’re doing and they also know know that we don’t look at those fourth and fifth parties. Bob: So that is an important element of your inventory and you can’t just focus on your vendors and say okay I’m done. Bob: Another aspect is making sure that you have contracts for all of your vendors and likewise that’s a source that you can use to validate your inventory against. Bob: Uh you may discover contracts you have and the vendor is not in your inventory and vice versa. Bob: both of which are equally important. Bob: So, one of the things that’s important here is the the ideas of risk appetite and and risk tolerance. Bob: When we talk about risk appetite, what we’re talking about is the board of directors in companies is supposed to define just like they do goals with management, they’re supposed to define how much risk the overall organization is willing to take to achieve a specific level of reward and that’s what we call risk appetite. Bob: That risk appetite is communicated by the board to senior management with the expectation that all of the lines of business and other areas of the company will understand what the risk appetite is. Bob: Now the second part of this risk tolerance is how much deviation for a specific risk or a specific project a business might be willing to take on. Bob: And one of those risks is the risk that comes from outsourcing business processes. Bob: So if you have a business process that’s defined as critical and you’re thinking about outsourcing it, you should be that information, not you specifically, but That information should be presented before the de decision is made and signed off to the board of directors so that they’re they are aware that critical business processes will now be performed by a vendor uh slash vendors. Bob: So this is an important concept before critical outsourcing initiatives proceed awareness and concurrence and approval needs to occur right up through the top of the organization and too often that step is neglected. Bob: By the way, as I go through this, if you have any questions, please do um send your questions to Melissa and we’ll stop and talk about them along the way. Bob: Now, when you’re thinking about your vendor inventory, there are many different stakeholders in the organization who play a role in determining uh that inventory. Bob: We just talked about the board and senior management, but the the key organization here are the business unit managers who make a decision to outsource particular work or functions to a vendor. Bob: And one of the challenges that comes up here is that business units when they make the outsourcing decision, they often wash their hands. Bob: of the relationship and therein lies a lot of the problems we see with uh vendor relationships. Bob: The business may outsource it but they cannot outsource their accountability or responsibility for the overall management of that relationship and they need to be held accountable for the business decisions that they’ve made. Bob: Procurement and and your sourcing organization are critical resource sources in helping you to determine and validate your inventory. Bob: Ideally, your procurement/sourcing organization has all of the information about all of the vendors that your company works with. Bob: Now, I said ideally because in reality, many companies have exception processes which allow their businesses based on certain criteria not to go through the typ ical procurement uh and sourcing process which means that vendors can be onboarded that you might not have any visibility into it. Bob: One classic case is where you base going through the procurement process based on spend. Bob: So if you’re spending for example less than $25,000 in a vendor relationship, it may be considered outside of the nor normal procurement process. Bob: But if it turns out the functionality of one of those vendors, they’re handling for example the transport of confidential information, that could lead to a very serious security incident down the road. Bob: So it’s important to work with your procurement and sourcing people to understand which vendor relationships may not meet the threshold to go through your procurement process. Bob: Um, information security obviously here responsible uh sometimes it’s with procurement but responsible for doing the due diligence on new vendors that come into the organization. Bob: So they play an absolutely critical role and I’ll talk more about that later. Bob: Business continuity and disaster recovery. Bob: It’s important when new relationships are established that sufficient redundancy from the vendor is available. Bob: particularly if the relationship is associated with a critical business process. Bob: Likewise, when you’re trying to start building your inventory and you’re not sure where to start, one of the really useful places to start is by talking to your business continuity and disaster recovery staff because they know who the critical vendors are in your organization, it and disaster recovery functions uh are responsible for ensuring that services for critical business processes can continue to be delivered. Bob: Likewise, that’s a great place to start when you’re trying to determine who your critical vendors are. Bob: Finance and accounts payable. Bob: For me, this is one of the uh really good ways to ensure that you’re validating the inventory that you’re trying to build. Bob: If you go go to your accounts payable department and you say, “Give me the list of all the vendors we paid for the last two years.” Bob: That’s probably the most effective and easy way to get the list of who your vendors are in your organization because if your organization is writing a check and paying a bill to a vendor to someone, then that’s a pretty good place to start to figure out what your vend vendor inventory is. Bob: So that’s a really good way to get insight into your full vendor population. Bob: Um, legal, well, legal helps you negotiate contracts. Bob: They can be a source of information as well. Bob: So, between legal and procurement, figuring out what the contracts database is, where it is, and how complete it is is another useful strategy. Bob: Likewise, your compliance department has to be included in the process uh for managing the vendor inventory. Bob: Because if you’re going to attest that your organization is compliant with rules and regulations that you need to comply with, you better know who all your vendors are. Bob: And you better have a process in place at the end of the day to make sure that they are compliant as well. Bob: Because outsourcing to a vendor and then the vendor doesn’t comply with relevant rules and regulations is not an excuse for you and you will not be off the hook when uh things blow up potentially and your question about those relationships. Bob: And then if you have an enterprise riskmanagement function in your organization, what we sometimes call the second line of defense, working together with them, they can help you and they can increase a awareness in the organization of where uh issues are, where opportunities for improvements are, and they can help you get that message out across your organization. Bob: So, they’re useful for that. Bob: So, to finish up here, again, ultimate accountability lies with the business. Bob: They can outsource, but they cannot outsource their responsibility or accountability for vendor relationships. Bob: Now when you look at your organization, organizations operate with different business models. Bob: Understanding what business model is in effect in your organization is really useful for helping you determine what your vendor inventory is. Bob: If you work in a centralized organization, you have one set of policies and standards. Bob: Everybody follows them and things are executed consistently across the organization, it’s much easier to build and maintain your vendor inventory. Bob: Many organizations, however, operate on a federated uh operating model, which means business units act autonomously within the corporate structure to meet their business objectives and at the same time end up managing their inventory of vendors on their own. Bob: Now, part of the challenge there is how you pull the inventory from each of the business units so that you have a comprehensive view of the organization so that you can understand duplicative relationships and that offers the opportunity to rationalize your vendor population when you realize for example that you might have multiple master services agreements in different business units with the same vendor. Bob: When you get to decentralized operating model uh where business units or even individuals can enter directly into relationships with vendors to provide services, things become much more complicated and it’s much more difficult to maintain a centralized inventory and to execute against the policies and standards that you may have put in place. Bob: So the point being understand how how your your organization does business and that will give you insight into some of the challenges that you have that you then need to address as you go about building your vendor inventory. Bob: So, how do you go about creating your vendor inventory? Bob: Well, the classic way was you survey your business, you get back some Excel spreadsheets and then you uh either maintain a centralized Excel spreadsheet. Bob: Uh it’s really important that that you pick a tool that you can use to automate the process and along with that since many of these list may have started off manually that you enter the correct inver information about vendors. Bob: So one of the things that can happen is that the information can be incomplete that has a whole set of problems itself. Bob: The thing about a vendor inventory that you always have to remember is it’s not entering the name of the vendor and the corporate address where they’re located. Bob: It’s entering the details about where the vendor is providing the service that you’re using. Bob: How that how that applies. Bob: So you may for example uh use IBM as a vendor. Bob: You don’t put the the corporate address in Armon New York as the information. Bob: What you want to know is that they are managing that process and it may be in Nebraska, it may be in Mumbai, India, it could be in any one of a number of places. Bob: Understand where the service is being delivered from and make sure that information is complete. Bob: Again, leveraging your accounts payable can help you validate any list or inventory that you may already have of your vendors and that’s a great way to check it. Bob: Now, When we get to the question of your full supply chain and we’re talking about fourth and fifth party subcontractors, that information can be much harder to obtain. Bob: Many of us are struggling with just getting our list of vendors. Bob: So there there are tools available in the marketplace that can help discover business relationships which would allow you uh to benefit in understanding where you might have vendor relationship. Bob: that you were unaware of. Bob: Another thing that you can do is whenever a new vendor is onboarded, ask upfront if that vendor is using any subcontractors to provide services to them based on the contract that they have with you. Bob: And there are two topics that I use to determine criticality of of a vendor. Bob: The first one is Do they have access to any of my sensitive information? Bob: Because if that information is compromised when it’s in the hands of a vendor, then it it directly impacts our organization. Bob: The second uh criterion that I use is does the vendor have access to my infrastructure, my networks, my servers and databases because again that’s another source of compromise. Bob: So there are other criteria that you might choose. Bob: to use. Bob: But for me, the simple definition is does a vendor have access to my data or does the vendor have access to my infrastructure. Bob: I’ve talked already about the importance of visibility into the extended supply chain. Bob: Many of the security incidents that we’ve seen over time are tracked to our vendor population somewhere, you know, depending on which numbers you look at 50 60% of all security incidents are tied back to vendors. Bob: When you do a deep dive into that, you see that the compromise often begins with a subcontractor that you may or may not have been aware of. Bob: And as a result of that, excuse me, it becomes very important to understand who those subcontractors are that are tied to your business uh critical processes. Bob: So, it’s not just it’s nice to know, it’s absolutely critical to understand where information flows to, who has access, and how far down the supply chain starting with your critical business processes that information is accessible from. Bob: So, what are some of the key vendor inventory risks that you might face. Bob: Obviously, having an incomplete inventory. Bob: One of the things that happens is that businesses might make requests for exceptions to the procurement process. Bob: And this touches on one of the key difficulties that companies have with vendor risk management. Bob: And that is the speed at which vendors can be onboarded. Bob: I’ve yet to talk to a company that says, “We have a great onboarding process and everything works smoothly.” Bob: Businesses either come to the vendor risk people at the last minute, sometimes after they’ve already signed a contract, and sometimes they just don’t talk to you at all, and you’re unaware of those relationships. Bob: And they may in fact be critical relationships for your business. Bob: So the whole idea of exceptions and relationships that are established outside of the procurement process is a key risk that you need to deal with. Bob: Likewise, businesses will skip over the procurement process because they’re doing a pilot with a vendor. Bob: So we’re just going to see if the functionality that the vendor is offering us actually works. Bob: We’re only going to let them have access to a handful of our records. Bob: Well, the problem is everything goes well and then the business ramps up the pilot to become a full-blown implementation. Bob: Meanwhile, they don’t let anybody know that they’ve done that. Bob: So, all of a sudden, a pilot that started off with a vendor handling 10 records, now they’re handling 10 million records and nobody bothered to tell you. Bob: So, changes in vendor relationships is an, as I just mentioned, is an important topic, but what often happens is vendors will swap out the subcontractors that they deal with. Bob: So, the third parties that they’re using today that you’re using today, their their third parties or fourth parties, they change them as they need to, but they don’t necessarily provide you any information or visibility into the fact that they did it. Bob: So, what you can do to address that is ensure that your contracts with vendors are uh have a clause in them that state that if they change any of the third-party relationships that they have that they have to notify you prior to uh ensure that you approve in writing of the change in the relationship for those third, fourth, fifth parties, whatever the case might be. Bob: So that’s an important contractual aspect to help you mitigate risk. Bob: Another key risk is that uh you may have a lack of automation in maintaining your inventories. Bob: I touched on this a little while ago. Bob: Uh also the fact that business units may maintain based on their operating model inventories of vendors at the local business level which you don’t have visibility. into. Bob: So understanding again your operating model and being able to obtain that information is an important thing that you can do. Bob: And then uh the reality of many organizations is that they have an incomplete supply chain inventory because they’re struggling just to understand who their immediate vendors, their third parties are, and they haven’t even tried to tackle the larger supply chain issue. Bob: When it does come time To address that, the best way to do is if you’ve identified your critical business process, always focus on those first to understand the full depth of your supply chain. Bob: The vendor onboarding process, this is a a key control in how you maintain your inventory. Bob: So understand your whether your organ organization has a single process that they have to follow for how they onboard vendors or whether there are exceptions to the process or whether there are multiple processes that they use for vendor onboarding because that becomes a key checkpoint in control and how you can ensure the accuracy of your uh third party your vendor inventory. Bob: But it also offers what I consider one of the most critical aspects of vendor risk management. Bob: It offers you the opportunity to say, “Do we already have an approved vendor that offers the same service to our organization?” Bob: For example, how many call centers do you need to have in your business? Bob: Do you really need to have five relationships when two might be sufficient? Bob: And if you’re able to point out and work proactively with your business partners to say, “We already have a relationship with a company. Bob: They’ve already been through our due diligence. Bob: We’ve contracted with them.” Bob: Uh, it allows the business most importantly to move quicker to establish the relationship for whatever they want to do. Bob: And again, that’s the sorest point in all of this is how can we go faster to get vendors onboarded. Bob: So having a complete inventory and understanding what those vendors do for you and that you can offer options when they come to you and say I want to onboard a vendor to do X and you say we already have three. Bob: What it’s going to do is A, it allows you to move faster. Bob: B, you will get better pricing and have a more strategic relationship with your vendor by providing more work to them. Bob: And C, for me the the really important things is it decreases the number of vendors that have access to your information to your infrastructure and that directly correlates to a reduction in risk. Bob: Along with that, less vendors means less work for the vendor risk management team which means that you improve your efficiency and you better manage costs for your your organization. Bob: as a whole and for your team and it just makes for a more sane process. Bob: So the vendor onboarding process offers you the opportunity to say do we have somebody who already does it and if we do we can move faster. Bob: We have less risk because the de our information is exposed less and it will cost us less less in the long run because we’ll have to do less risk management around that vendor relationship. Bob: So some questions that you might want to consider and ask yourself again prior to onboarding is there already a vendor who provides the service we require? Bob: Another aspect of this and in larger organizations this is definitely true. Bob: When your company does an acquisition what generally happens is you inherit a new company and all of the vendor relationships that they had. Bob: One of the things you need to do very early on and if you can when you’re doing due diligence before an acquisition is to understand what their vendor inventory looks like and there’s going to be potentially duplication. Bob: There’s going to be relationships you no longer require and rather than taking a significant increase in your inventory as the the acquisition is incorporated into your organization, you have the opportunity to rationalize the vendor population and really bring significant benefits as part of the deal to your organization. Bob: Um, another aspect that you always have to do when you’re entering into a new relationship is understand what the criticality of the proposed vendor relationship is to the business unit that’s bringing them in and if they are critical that you will likely have higher due diligence requirements that you’ll need to do around that relationship. Bob: But if you don’t capture the criticality of the relationship when you do that, you will potentially have additional risk introduced to your organization. Bob: Another question you’ll want to ask yourself is which stakeholders do you work with when you onboard? Bob: new vendors and where might there be any gaps in the onboarding process that you’re going through and are all the right people notified and part of the process everything from uh legal contracting through compliance and and and the need to ensure you’re aligned with regulation. Bob: All of these factors come into play. Bob: Another aspect of this is what I call risk domain categorization of vendors. Bob: And what I mean by that is understanding the risk that a vendor represents to you based on the functionality that they’re providing to your organization. Bob: This helps you in a number of ways. Bob: And when when you build your vendor inventory, understanding a what the functions are that they’re providing to the organization. Bob: And B, do they have access to sensitive information? Bob: And what is the volume of information that they have access to? Bob: And does any of that information have legal regulatory uh requirements associated with in banking, personally identifiable information in health care, personal health information, and then where is the service being delivered? Bob: from. Bob: You want to know where your vendor is providing the service from and particularly if it involves data leaving the United States and being housed in another country, there are certain legal regulatory implications that come with that decision. Bob: So, as part of your vendor inventory, you should be very clear on what’s onshore and what’s offshore. Bob: And that conversation should have occurred at the time of onboarding. Bob: Having this uh information available to you is also helpful when a when a business unit wants to onboard a new vendor so that you can turn around and say yes we already have vendors that are doing this you know based on the function or the product that they’re providing and offering the business the chance to move faster. Bob: So it’s a way to mitigate your risk and improve the productivity of your vendor risk management program. Bob: And it also offers the opportunity to manage and mitigate specific risk uh more effectively because depending on the relationship, the sharing of data etc. Bob: There are certain critical controls that you can focus on in a much more narrow way to understand what the risk is that’s represented by the vendor. Bob: In order to have an effective vendor inventory management program, you have to automate. Bob: You you can’t rely on spreadsheets etc. as you go about building your inventory. Bob: You have to have a degree of automation and not just to maintain the inventory but also enable to in order to address the process of assessing risk associated with onboarding new vendors and ongoing vendor relationships. Bob: You have to have automation in order to effectively manage the volume of data that you need to deal with. Bob: So if you don’t have automation, you’re not going to be able to scale your program very effectively. Bob: Uh you really need to make some key decisions if you’re starting out on this journey that you know what information you have to capture that you have an automated inventory that you can rely on that if you don’t have a single process workflow for onboarding new vendors that you understand where the gaps in the process are so that you can put compensating controls in place to capture and not lose that data. Bob: That you categorize your vendors effectively and that also to the extent possible that you valid day that for all of the vendors you have in your inventory that a contract exists and someone actually has a copy of that contract. Bob: Key performance indicators and key risk indicators. Bob: What I will say about this is that when you think about having performance indicators to manage the performance of your program or risk indic indicators to measure the risk that exists within your program. Bob: Whatever indicator you’re using has to answer one simple question, which is so what? Bob: What is the number telling me? Bob: Is it actionable information? Bob: And if it’s not actionable information, then is it really worth collecting? Bob: What you want to show with your key performance and key risk indicators is trending that gives insight into the health of your problem, your program where problems may exist in the program so that actions can be taken to mitigate that risk. Bob: That is an absolutely critical criterion to use as you look at your program and decide how to manage risk. Bob: So again, why are you collecting it? Bob: So what is it giving me actionable information and trends? Bob: Now, some of the useful measurements that you might capture to help you with this, one thing that’s really insightful is the growth in the overall use of vendors over periods of time within your program. Bob: So, if you have a 100 vendors that you’re using this year and then next year you have 120 vendors, why is your program going 20% of year, that’s great if your business is really growing rapidly, there’s a need for the functionality, etc. Bob: But if it’s fairly static and you’re seeing that ro rate of growth in your vendor population, that’s a problem and you’re not going to get the resources that you need to be effect able to effectively manage it. Bob: So understanding growth in the overall number of vendors in your program and then if you categorize your vendors. Bob: You can break it down in to growth within different functions or products or by business lines. Bob: Why is this business line growing their vendor per uh population so dramatically as opposed to other lines of business? Bob: Measuring the completeness of your inventory. Bob: Are you having more growth of the vendor population the inventory through exception process? Bob: ies. Bob: Are you discovering vendors along the way that your process is not capturing adequately? Bob: Why is that? Bob: And who’s responsible? Bob: Then perhaps the most interesting measurement of all is the time required to onboard a vendor. Bob: So this this is the friction point always with the business. Bob: This is the friction point in the whole process. Bob: Why does it take so long to get a vendor on boarded? Bob: I’ve seen situations where companies have a very bureaucratic process and it will take them three months to onboard a critical vendor. Bob: If it was a critical vendor, they needed to move a lot quicker so that they can benefit from whatever technology process etc that that vendor’s offering to the organization. Bob: So measuring how long it takes to onboard vendors becomes a very insightful and useful measurement to share throughout the organization to understand where problems are occurring. Bob: So in summary, a few key takeaways. Bob: Understand and leverage the key sources that you have in your organization to determine your vendor inventory. Bob: Understand what your business model is. Bob: Understand that you can obtain useful information from many resources from your business continuity and disaster recovery teams to identify criticality through your accounts payable department to understand who’s getting paid and if there’s any gaps between that list and your inventory. Bob: You need to continuously validate your inventory. Bob: It is not a fixed and unchanging thing. Bob: You should at a minimum and always starting with your critical vendors Focus on any changes in the relationship year overyear which may result in changes to the criticality of vendors and how they’re managed. Bob: Ensure that as you go through the onboarding process, you understand the criticality of the vendor who’s being onboarded. Bob: Base it base it on information access that the vendor may have, infrastructure access, access to your network, your systems, your databases, vendor inventory and software. Bob: This is an important topic which has really exploded in the last year. Bob: A number of the security incidents that we’ve seen everything from solar winds to log 4j. Bob: Those security incidents involved vendor software and when they occur there’s a fire drill and everybody’s organization who works with those vendors to figure out if they’re using the effective the affected software. Bob: It’s very disruptive and can go on for a period of weeks. Bob: Everybody’s required to stop everything they’re doing and jump into the process to understand what what the impact of that potential security incident is. Bob: Many organizations have an inventory of what the software is that they use. Bob: within the company. Bob: Tying that software inventory back to your vendor inventory can be very very beneficial when you have events such as a security incident like Solar Winds to quickly determine which of your vendors might be using some of this software, how you can react more quickly to those situations and how you could potentially limit the damage to your organization. Bob: Don’t forget along the way that automation is the key to effectively managing a vendor inventory on an ongoing basis. Bob: And make sure that as you select your key performance indicators and your key risk indicators that they’re telling helping you tell the story of your program and where it’s going. Bob: Not where it’s been, but where it’s going. Bob: And then always check before onboarding to see whether you have a vendor who can provide that service that’s already been onboarded in your organization which will allow you to move more quickly on behalf of your business to do what you need to do. Bob: And at that I’ll wrap it up. Bob: Melissa, Melissa: I I see we have a ton of questions. Melissa: So that’s good. Melissa: Um but I’m going to go ahead and throw it to Scott right now. Melissa: Okay. Melissa: that’s cool with you. Melissa: And then Bob, if you want to in the meantime filter through these questions and see which ones you think are going to be the most valuable, I’ll let you do that. Melissa: But off to you, Scott. Scott: Awesome. Scott: Uh, and Bob, I’d like to share my screen. Scott: If you could stop sharing yours, I can flip over to me. Scott: Oh, Scott: awesome. Scott: Just a quick check. Scott: Can you see my screen? Scott: Okay. Scott: Awesome. Scott: All right. Scott: So, what I wanted to do is share a little bit about what prevalent can do to simplify the process that that Bob talked about today. Scott: Uh specifically what happens at the earliest stages of the vendor life cycle, building a vendor inventory, centralizing that information, and then, you know, getting it into one place that you can make some effective decisions from. Scott: When we talk to our customers, they tell us unequivocally three things they’re trying to accomplish with their programs. Scott: Number one is getting the data they need to make good decisions. Scott: Uh increasing their team’s efficiency across the enterprise. Scott: People, you know, everybody has a hand in thirdparty risk in some level. Scott: Uh and breaking down some silos and then evolving and scaling their programs over time. Scott: Unfortunately, this can’t be done with uh traditional tools like spreadsheets or you know siloed information or you know outdated data sources, things to help you make decisions. Scott: And unfortunately, we see a lot of companies just around 50% trying to manage this process, you know, using some of these kind of antiquated tools. Scott: I get it. Scott: It’s difficult. Scott: A lot of you are in this space right now. Scott: The opportunity is, you know, it’s a new year, time for a new uh new mindset on third-party risk. Scott: Our approach is to look at risks uniquely at every stage of the vendor life cycle. Scott: And that begins with the sourcing and selection phase or the very earliest phases of the process in building your vendor inventory. Scott: You know, our approach uh is one that helps mult different groups throughout the throughout the enterprise for procurement, vendor management, supplier management folks who are um you know on the hook for centrally managing a relationship to the security team who is on the hook for performing security and privacy assessments. Scott: And then finally the data privacy legal or compliance teams that may be required to produce attestations or understandings of you know what that vendors or third parties um uh you know processes look like. Scott: At the end of the day our objective is to help you achieve three objectives by unifying and centrally managing your thirdparty risk management program from end to end and that is simplify and speed up your onboarding uh with a single source of the truth and process which I’ll get into a little bit more in just a second help you streamline that process and close gaps and risk coverage and then bring your teams together throughout the enterprise uh you know all in lock step you know throughout the third party life cycle very specifically to what we talked about today is you know, our ability to help you simplify and accelerate the onboarding process and then profile and tier all of those vendors that you discovered and categorized and inventory from kind of all your different sources. Scott: You know, it all starts with, you know, getting them into a single place and that’s either, you know, uploading a spreadsheet of vendors, uh, leveraging our built-in open API to connect to different systems, whatever system of record you have, accounts payable, others, uh, or, you know, extending an intake form uh to pretty much anybody in the enterprise who can populate information about those uh those vendors um centrally in the platform. Scott: Uh second step in the process is using a very simple out-of-the-box assessment uh to give you an inherent risk score for all your third parties and enable you to tier those suppliers according to those scores and dictate the further levels of diligence. Scott: And again, all this is done automatically. Scott: You don’t need spreadsheets anymore. Scott: All this happens, you know, through workflow and and alerting. Scott: The next step in the process is building a comprehensive supplier profile and that includes industry and business insights, beneficial ownership and then through passive scanning helps to map fourth party technologies or relationships that might be a play that could potentially expose you to, you know, risk during thirdparty data breaches down in the in the future. Scott: As well, we incorporate, you know, consumer or sorry, corruption perception index scoring, uh ESG scores, modern slavery statements, and more. Scott: into a central vendor profile which then you can extend throughout the enterprise and you suddenly have you know a single source of the truth for everybody to leverage and manage for all the basic you know vendor information that you need you know throughout the life cycle. Scott: You can house contracts and documentation there certifications and attestations and then execute your assessments based on that information uh and conduct your monitoring and then get some data back to help further kind of qualify that third party and manage them throughout the life cycle. Scott: That’s our approach uh to helping you kind of accomplish that in the earliest stages of the relationship. Scott: You know, we deliver this capability to you through a combination of three things. Scott: Number one is our expertise. Scott: Number two is the rich and comprehensive set of data that we have that we incorporate into our platform to help you make decisions. Scott: And then third, the platform itself that includes the analytics, the reporting, the central management, the document man document management uh and more. Scott: You know, we talked about that comprehensive set of data that that we incorporate the platform. Scott: Here are six risk domain areas that we assess or monitor for or incorporate as data feeds in our platform. Scott: And what I think this speaks to is the comprehensiveness of the platform and the fact that it can be usable across the enterprise by multiple teams you know not just potentially your team and to help you create you know that single source of the truth. Scott: At the end of the day our objective is three-fold for you. Scott: Number one uh to deliver you deliver you a smart solution to help you make good risk based decisions. Scott: They help you unify your internal teams around the single source of the truth. Scott: And third, to give you the prescriptive intelligent recommendations and remediation guidance to help you reduce risk uh throughout the vendor life cycle with all of your third parties. Scott: Uh that’s our approach to addressing thirdparty risk management, how we help you at the earliest stages do vendor inventory, categorization, and onboarding. Scott: And you would love to answer any questions you have or pitch it back over to Bob. Scott: Bob. Melissa: Hey, real quick. Melissa: I’m gonna go ahead and launch our last poll. Melissa: So, you’ll see that pop up on your screen. Melissa: Please answer honestly. Melissa: It asks, “Are you looking to augment or establish a TPR and program in the coming months? Melissa: Yes, no, I’m not sure.” Melissa: And we do follow up, so answer truthfully. Melissa: Um, and then after you do that, I’m going to let Bob sift through. Melissa: We do have a few really good questions. Melissa: I’m going to go ahead and let him choose which questions would be the most valuable. Melissa: So, go ahead. Bob: Thanks for letting me choose, Melissa. Melissa: You’re welcome. Melissa: Don’t get used to it, though. Bob: Never. Bob: Not with you. Bob: Um, one question. Bob: What type of reviews do you conduct on a third party subprocessor once you receive it received notice that there is a new one? Bob: So, this gets to a much deeper question, which is what due diligence are you doing for your subcontractors anyway? Bob: So again I come back to the question of critical business processes and if a subcontractor is associated with a critical business process particularly if information is being shared with that subcontractor or that subcontractor has access to your infrastructure your networks your databases the due diligence that I would do on them is no difference than I did on the third party. Bob: Now I know that seems like a very high bar but it gets into another topic which uh I think we’ll cover in another one of the the prevalent webinars but it’s really the question about uh risk assessment and continuous monitoring. Bob: So if you have limited resources and you’re aware of this and you have a continuous monitoring platform that you use in your vendor risk management program, start monitoring them there. Bob: Let see what kind of information you can learn from that and until the point that you can get around to actually doing if you can a risk assessment on that subcontractor by putting them into continuous monitoring at least you’ll be aware of a number of aspects of risk associated with the use of that vendor. Bob: Next question um is a rather long one. Bob: Uh building our vendor list and we make payments to various garnishment sources, state, local, counties, etc. for tax and other required payments, but they’re not contracted related vendors and we don’t do risk assessments for them. Should we have them in the third party um inventory? Bob: So, my take would be yes, you should you can acknowledge that you’re not doing an assessment on them. Bob: But at the same time, any vendor that you have a payment process with is a potential risk for fraud. Bob: So I’m always very skeptical when I hear about, you know, payments that are made to third parties and looking and understanding the mechanism by which those payments are completed. Bob: This is an ongoing source of fraudulent transactions. Bob: And if you, you know, if I were a bad person, I would understand all I could about a company, including who they pay, and then what could I do to potentially influence or alter the information for the payment, I would keep an eye on those things, but that’s my opinion. Bob: Um, next question. Bob: Uh, any advice for dealing with shadow IT? Bob: SAS solutions, vendor processes paid by corporate credit card or that don’t require a contract. Bob: Well, the easy advice is stop doing it. Bob: But uh I realize that this is the way some businesses are done. Bob: And uh first of all, you should never be using free SAS solutions without doing due diligence on the quote free solution because it invariably o offers and uses open-source code. Bob: code and if it uses open-source code, what due diligence have you done to ensure that that code is in fact sound, has not been altered. Bob: There’s all kinds of problems that you can get into by doing that. Bob: You know, when you have uh vendor processes that are paid by corporate credit card, this is what I was talking about business operating models. Bob: That’s a decentralized environment. Bob: It is problematic and there’s no simple easy answer when You don’t need a contract. Bob: You can you can buy services with a credit card. Bob: It makes it very difficult to manage. Bob: So, what I’ll say on that is you have my sympathy, but it is a difficult topic to manage. Bob: Um, oh boy, I got questions all over the place here. Bob: Um, uh, I’m not quite sure what this person is getting at. Bob: you stratify your six risk domains by criticality. Bob: What I would say when I you know are you getting at you know different uh risks in terms of cyber business continuity ESG etc. Bob: There are you know risk domains within third party that you look at from that perspective or are you talking about risk domains for uh categorization. Bob: If it’s categorization, I always start with who has access to my sensitive data. Bob: Always start with that one. Bob: Who has access to my infrastructure? Bob: Other examples are um who has access to employee data. Bob: I see problems again and and again with the access and controls around um employee data. Bob: So that’s you know there are different ways to think about that uh generally in in these days in vendor risk management everybody starts with security and goes down the list from there. Bob: Security, business continuity, operational resilience and everything else. Bob: But everything else is very important. Bob: Financial risk is particularly important and a degradation in the financial performance of a company can have a big negative impact. Bob: Um I’m s I’m surfing around the questions. Melissa: Well, we do only have about a minute left, but um Bob, is there a like an email that you can blast out? Bob: Yes. Bob: Oh, yeah. Bob: Yeah. Melissa: The last most important slide. Melissa: Scott, give me it back. Melissa: This is his hobby is answering these questions. Melissa: So, we’re lucky to have him on here, but um I’ll give him a second to go ahead and throw that on the screen. Scott: Can I share, Scott? Melissa: Yes, sir. Melissa: There you go. Melissa: Sorry. Scott: Okay. Scott: Now, all I have to do is find the deck, Melissa: pass the toggle. Melissa: Um, Melissa: or you can put it in the chat, Bob. Melissa: Whatever you’re Whatever’s easier for you. Melissa: Or Bob: Yeah. Bob: Yeah. Bob: That might be the easiest way to do it. Bob: So, uh, Bob: let me see. Bob: Let me go. Bob: Yeah. Bob: I get so excited about the material, I forget to tell you how to talk to me. Melissa: I know. Melissa: And I know you do enjoy that part of the uh, interaction as well. Melissa: So, I want to make sure you get that get that fixed from your your fans essentially. Melissa: But um Bob: Yeah, my boobies, right? Melissa: You guys will get a copy of the slideshow anyway. Melissa: And I’m 99% sure his email is in there. Melissa: Right, Bob? Bob: It’s on the last slide. Melissa: Oh, the last one. Melissa: Okay. Bob: Bobcybe.net. Bob: And it also has my phone number and I always answer. Bob: 862-6861210. Bob: So if I didn’t get to your question here and I apologize, feel free to bug me and I will definitely get back to you and we can have a nice conversation. Melissa: Thank you so much, Melissa: Melissa Scott, everyone from my perspective. Melissa: Thanks. Melissa: I really enjoy talking about this stuff with all of you and looking forward to when we do another one. Bob: Yep. Bob: It’ll be soon, I’m sure. Bob: But, you know, thanks again, Bob, and everybody for attending. Bob: And I’ll see you in your inboxes shortly and hopefully at a webinar. Bob: Bye, guys. Bob: Take care. Melissa: Bye. Scott: Thanks, everyone. Melissa: Take care.