Description
Meaningful metrics gauge the progress and success of a third-party risk management (TPRM) program. When executed correctly, key risk indicators (KRIs) and key performance indicators (KPIs) will help you understand and communicate risks to your organization’s leadership and other stakeholders. However, this process can be complex for even the most experienced teams.
Join third-party risk expert Alastair Parr as he shares his best practices to build a streamlined and effective TPRM metrics strategy for your program.
In this webinar, Alastair explains how to:
- Identify the right metrics for your organization
- Set enterprise and departmental KRIs, KPIs, and objectives
- Develop clear metrics for various teams
- Determine where in the third-party lifecycle to start measuring
- Avoid common pitfalls
This expert-led webinar will guide you through building an effective TPRM metrics strategy.
Speakers

Alastair Parr
Third-party risk expert, Prevalent
Transcript
Ashley: My name is Ashley. I work in business development over here at Prevalent, and I'm joined by a very special guest, our very own VP of products and services, Alastair Parr. He will be joining us shortly, along with our very own VP of product marketing, Scott Lane. This session is being recorded, and we're going to send out the recording along with the presentation slides shortly after the webinar. You're all currently muted, but we'd love participation, so please put any questions in the Q&A box so we can go over them at the end. Today, Alastair is going to be sharing his best practices to build effective TPRM metrics. So Alastair, I'll go ahead and hand things over to you.
Alastair Parr: Lovely. Thank you very much, Ashley. And good morning, good afternoon, good evening, wherever you may be in the world today.

So for those who haven't had the joy, of course, and the luxury of sitting on a webinar with myself in the past, I am Alastair Parr. I am the SVP of products and services over here at Prevalent. And why am I qualified to talk to you about this? I have had the pleasantries, I suppose, of managing and supporting the management of many hundreds of third-party programs over the years. I tend to be spending time with some of the program design elements, talking to C-level execs and of course the broader business about what they're trying to achieve. And through that I've seen what's been fruitful, what's been less so, and everything in between. So I will do my very best today to try and impart and share some of the insights that I myself have seen, but equally across the broader Prevalent community as well.

Just to reinforce again what Ashley kindly mentioned at the start, do feel free to ask any questions in the Q&A. As much as I'll try and weave some of those into the talk track today, we will leave five or ten minutes, depending on how we get through, at the very end for any additional questions that come up.

Great. So, I'm going to get this mug shot out of the way for you. We don't want people to start dropping off too soon. But today specifically, what am I going to cover off? I will be focusing on really the five key criteria and considerations that we tend to see associated with TPRM metrics. So, personas: a very logical starting point. Who are we actually targeting with these metrics, KPIs and KRIs?
What are they actually interested in? What does that look like when we translate it into tangible metrics? How do we actually report on that in any meaningful way? How often do we do that? And what are the mechanisms we have to do so? And then of course, what are the most common challenges associated with that that we tend to see? So, it's a bit of a journey today. So, to reinforce, we are covering off the top building blocks and effective criteria for TPRM metrics.

And just to preface it and set the scene, really, for some of you who might be less exposed to third-party risk management or at the advent of your journeys and careers: of course, when you start looking at the entire space, third-party risk management is ever growing, ever evolving and ever maturing. So us here at Prevalent, what we tend to be focused on is being able to support organizations to scale and do it in an automated way, and people are asking us to do that because of the fact that third parties are becoming an extension of the business. People are outsourcing a lot to various third parties, of course, and the challenge associated with that is that the entire environment is getting more complex. People struggle doing things at scale. People struggle to process large volumes of information. And those are two of the most significant elements that contribute to third-party management. We're dealing with hundreds, thousands, tens of thousands or hundreds of thousands of different third parties. And we have requirements associated with those. We've got different business owners demanding that we do things.
We've got different regulators, customers, demanding that we do different things, and they're demanding that we look at different criteria: anti-bribery and corruption, ESG, health and safety, sanctions, etc. So, a lot to do against a lot. How do we make sense of the broader mess of it?

So, a brief recap as well for those who also have not had any direct exposure specifically to KPI and KRI management. People tend to throw KPI and KRI around a fair bit as acronyms, but we're talking specifically here about key performance indicators and key risk indicators. What is the difference between the two? So a key performance indicator is centered on the entire program and how effective the program is being. And a key risk indicator is focusing on the data that comes out of it, so the specific risks themselves. So to give you an example, a key performance indicator might be, for example, how is the program sending out assessments, capturing information, driving guidance and getting interactions? How is the team reviewing the results? Versus key risk indicators, which are focusing on what is the most common problem that's facing the organization. Distinct areas, and usually what we see is businesses start with key risk indicators and are more vague on key performance indicators. They start to percolate up over time once the business starts to realize the maturity of their program. Are they good, are they bad? What can they improve? And they're looking at efficiencies.
Now, what we do typically recommend, and you'll see that as a bit of a recurring theme as we go through today, is that both risk indicators and performance indicators are necessary in an effective program, not just for it to be successful, but also for how we communicate it to the broader business.

And then, before we dive into some of the criteria here, one of the most common errors that we tend to see is the fact that people struggle to take this information and present it in a coherent way. When we're dealing with technical specialisms and specialties, when we're dealing with a volume of data, it's very, very straightforward for people to lose sight of what they're doing and overcommunicate. So you end up with business owners, department leads, procurement, CISOs, the board, whoever it may be, ultimately lacking the insight and visibility that they actually need because it's too detailed, it's too complex. So, we'll touch a bit more on that as we go through the session today as well.

Righty-ho. The more keen-eyed of you, at the very, very start, will have noticed I did have an agenda, and the very first point on that agenda was identifying personas. So, when I'm talking about identifying personas, let me just clarify specifically what I mean. The personas here are really the personas of the business who have a vested interest in getting reporting metrics from the entire program.
Now there is a complication, in fact two complications, that we see when we start trying to actually identify the personas who are associated with this in the business. The first is the fact that, when you actually look at (and this is a bit fuzzy, so I apologize for that), when you actually start looking at the programs, they are evolving. Historically it was quite segmented; people focused on third-party risk management as a discipline. Now it's gradually evolving into third-party lifecycle management. What's the difference? If you look at this fuzzy circle of sorts here, people are focusing on the assessment and the remediation piece in the center. Now you have business partners and parties who have an interest in that broader set of the workflow. So it's procurement, compliance, etc., from the onboarding process: identifying who the vendors are, profiling and tiering, doing things like performance management, SLA tracking, checking them for compliance and even offboarding on the tail end of it. A program historically was reporting on risk. So for those who were listening earlier on, I said people start with risk, and that's typically why: they're starting with risk management. But when you start looking at lifecycle management, there are more personas, there are more people involved, and on top of that you're also tracking how effective you are in that lifecycle.

And to reiterate some of the complexity that we see tied to those personas: we are actually getting more and more criteria and metrics that contribute to our results. So historically, if you go back a fair bit of time, people might typically just be sending out an assessment. Great. We can look at control failures and results from assessments.
But a vendor profile now, as it goes through that lifecycle, typically has evolved. So we're looking at personas. You might have people consuming cyber monitoring information, business monitoring data: so who are they? What are they doing? What's the zeitgeist of that organization? How are they maturing? Financial data: so are they actually healthy from a financial position? Broader events: so are there any other changes associated with them? You need to be mindful of zero-day vulnerabilities, that sort of thing. What certifications they've got, and of course going into the Nth party. This is a simplistic way of looking at it. So if you look at the prior information that we shared, when you actually dissect that down into composite bits here on the left-hand side, there is a broad set of disciplines. So we have lots of personas. We have lots of people who have a vested interest in understanding what the program is doing. Each of those people has the advantage of driving the program forward, being a sponsor, being a supporter of it, and therefore supporting the allocation of additional resources to get it done. And when you distill those personas down, the most common ones that we tend to see, and we tend to fixate on infosec at the very, very start there, they tend to be more risk-focused,
of course, with controls at the forefront. Audit and compliance: the people who have the regulatory obligations, and that can include to some extent privacy there as well. Procurement: focused more on the upfront and some of the performance management, to an extent. The business owners themselves, who really care about "I've bought this vendor for a reason; I want them to perform a service which is going to make my life easier in some description", so they tend to be more focused on the performance and resilience. And then of course the execs, so the people who tend to be seeing it as their money in that respect, and owning the budget and the allocation there. So they want to see: is it effective? Are we spending the money wisely? And am I going to go to jail because we're not doing something that we should be doing? Those sorts of criteria. So they of course, as you'd expect, have very, very different focus areas and therefore very different reporting needs. Equally, their subject matter expertise is going to differ. The executives might be looking for a broader, higher-level picture, versus infosec, who are going to be very targeted on their set discipline. Lots to consider and lots to factor in when we start looking at focus areas in the next stage.

So at this point, as I said at the start, I would like to weave in some insights on what we've seen. Prevalent conducts a study every single year where we start looking at the space specifically; we do broader, more detailed insights. Of course, if you would like some exposure to this, if you'd like a copy of the report, feel free to reach out to us. We would be happy to elaborate on it. We wanted to call out one of the metrics from this year's study specifically.
So as you see on the right-hand side here, we're looking at different personas of the organization: infosec, risk management, compliance and audit, procurement, business owners and execs. Now we've ultimately asked the audience: are they more or less involved in third-party risk management? Generally speaking, they're either the same or increased, as the gray boxes at the very bottom there are pretty small. So they're either maintaining or they're growing from a contribution standpoint. So when we start looking at personas, really what we are expecting to see is an increase in collateral material, KPIs and KRIs, that are targeting these different personas. So again, useful data, and I'll weave in more from our various studies and our insights as we go through today, but it just reinforces the fact that we do need to start broadening horizons when we're building the KPIs and KRIs of our program, so that we can educate all the various personas of the organization, and that can be external as well. So we also talk about regulators or customers, where you may want to start exposing what you're doing well. You're seeing more and more of that with things like SOC 2 reports.

Right, moving onwards to our next focus area. So we're going to talk a bit now about ascertaining what they care about: the specific focus areas of these communities. So I'll pull up one more stat from our study to fill in something that's particularly relevant as we start to go through this, and that's specifically on what their involvement tends to be. Now, there's a lot of information in this, so I'm going to spend a little bit of time dissecting this before I move on.
But just to bear in mind, what we're looking at here is: on the blue bar, are they involved in the strategic program design and strategy? The purple bar is whether they're actually using the information and using reports associated with that. The yellow bar of course is their execution of third-party assessments, so are they actually consuming assessments? And then the gray means they're more consulted than anything else. So focusing on the reporting aspect, you can see by and large the entire community there has a broad expectation to be involved and use the information that's coming out of the program. Now when you factor in the consulting aspects as well, there's a reasonable exposure to this, particularly with execs, who tend to be less involved day-to-day but certainly are consuming the information around it. Interestingly enough, you tend to see the programs being driven more by information security and risk management at the outset. And when we start looking at the customer base that we tend to see, and of course our partners etc., most people tend to be starting with infosec. Over time we're seeing more and more procurement initiatives, but historically it was infosec as a focus. Now I'll touch on this and some of the challenges later on, but a common challenge we see here is the fact that because it's taken root in a part of the business, it tends to be somewhat skewed and biased towards the needs of that persona and that community. So we focus again very heavily on those KRIs rather than the KPIs that might be more beneficial to some of the broader business sets.
So what we're seeing, and what we're seeing generally be quite effective here, is that people are ultimately factoring in that, as much as it might start from one business area, we do need, and we are seeing, an increase in that blue bar beyond infosec and risk management: compliance, procurement and business owners, and even execs, getting more involved in the day-to-day workflows and activities.

Okay, moving on. So we did ask, as part of some of our studies, about what the goals are for these teams specifically on third-party risk management, because when we're looking at the focus areas of these teams, we need to really understand what they're trying to achieve, what's the driver, because that's going to feed into our KPIs and KRIs downstream anyway. So, first and foremost, the risk management teams want to achieve compliance and address the risks of working with vendors. That was the majority of responses there for risk management. Compliance and audit want to achieve compliance. You'd hope so: 79% of them, as well as the executives and the business owners. The executives of course are focused on compliance on the basis that quite often they are ultimately the final resting point of any blame. When you see the fact that an organization's not compliant or it's had a significant issue, it tends to be the execs in the firing line. And you might tend to see a shift of headcount from a C-level and above in some cases. The procurement teams own the relationship, not the program, but they really, really care about speeding up or simplifying new vendor onboarding: 74%. Now, this is where the KPIs are getting more and more interesting,
because the performance indicators are very much being driven by procurement. Although it adds value to the entire workflow and cycle, when you have KPIs being driven as a core initiative as part of your reporting metrics, all it's going to do is apply focus on being efficient and scalable, ultimately. And we'll talk a bit more about that when we look at things like program design as a metric point later on, and program maturity, but this is one of the benefits that we've seen in the last 12 months when we look at these programs, where historically it was a case of "we will get through all the data as and when we can" from a risk management perspective, to "how can we do this at scale and effectively, using tools, appropriate reporting and appropriate analysis of the environment?" And then execs are primarily concerned about, sorry, mainly consuming third-party risk reports. So this is an increase. Historically they were more high in the sky from a focus point, but we are now starting to see them starting to drill down into some of the detail, and part of that's coming from the fact that they have the obligations or responsibilities themselves to start reviewing the associated output, and they have a general interest in some of the things that have been found out. It's not just a cyber focus, or it might not just be a specific discipline focus: with things like ESG, with things like anti-bribery and corruption, modern slavery, the passive monitoring insights that we tend to see, there's more business-centric consumable data that can roll up as well to our metrics and KPIs, which ultimately makes it more accessible to the community.
So when we start looking at what they actually need based on that, so different personas here, I'm going to focus on really three core areas. The CISOs, who quite often are, as I mentioned earlier on, the starting point of these programs, and quite often the budget might actually come from the CISO and their community, and the CIOs: they really want to get an in-depth view of the associated compliance and risk. They want to understand what the threat posture is to their environment, which they can then map against their risk appetite. So they really care about what's our risk appetite versus what's our current risk portfolio, and then ascertain what's the delta, how do we address the delta to get to a point where we're comfortable, and then they'll drive remediation in order to get to that point. And they want to see how effective everybody is at driving remediation. Why do they care? Because they need to, hopping over to the far right, present that information to the board to show that they're doing their job sufficiently. The CISO needs to be able to present to the board that risk is being managed, it's proportionate, nobody's going to jail anytime soon, at least not for information security and third-party risk management. And then of course the board needs to feel confident in the fact that the entire critical supply chain, from a resilience standpoint, doesn't mean there's going to be a dramatic loss of revenue in the near future. If we have an unfortunate situation such as a pandemic again in a few months' time, have we got the appropriate resilience to protect us? Have we got all our eggs in one basket, in one provider, which might be in a geopolitical or geo-environmental situation as well?
And tied to that, boards generally want to see graphs going up or going down. And in this case, they want to see risk graphs going down and the scale of the program going up. So they want to see nice charts that show progress, ultimately, whatever that progress may be, and where there's lacking support, whether it's funds or initiatives or buy-in, the board needs to be presented with that very clearly and articulately, to be able to say, "Okay, I need to participate and I need to help." And then when we dive into the actual business, in the middle, of course we need to make sure that the business understands the real-time situations that might impact their workflows and what they're doing. So is a core provider for them, that's part of their revenue-generating services, at risk? They need to be able to do deep dives on those vendors so they can make informed decisions on whether that is really the vendor they want to select through that procurement cycle. And in the event that they are a must-have, "we must have this new service from them", great, that's fine. Here is the path that we've committed to with them. Help us drive that as the business sponsor in order to get it to a point where it's tolerable and we're happy. So just to reinforce here, different personas have different needs, different focus areas that we're trying to deal with.

And then when you start looking at that from a broader level, it really falls into four core areas, and we'll drive into these in a bit more detail and highlight some specific metrics that are going to be able to support that. So when you're looking at KPIs and KRIs here, they really fall into the four buckets of risk, threat, compliance, and coverage. And what am I actually saying here?
Risk, of course, is about understanding the KRIs. Do we have the appropriate controls in place to be able to mitigate the concerns that we have sufficiently, from an insurance policy perspective, and does that vary business area by business area? For example, are some more risk-averse than others, and can we leverage that? From a threat perspective: what does our threat landscape look like? So, for example, using our passive scanning capabilities or our knowledge of zero-days or emerging events and threats, what is the current landscape associated with that? Context-driven compliance: so, based on where we're operating, what we're doing, how compliant are we? Do we have any glaring holes? And if we found them, how on earth do we plug them before the regulators start complaining about it? And how do we demonstrate that back to our customer base? And then of course coverage. Something that's very often overlooked, specifically here from a KPI standpoint, which does in fact impact the KRIs as well, is: are we actually addressing the entire estate, the entire population? Where are the gaps? Can we go deeper? Can we look at the Nth party? Can we look at other disciplines and subject matter areas that have interest across the broader business? ESG, modern slavery, anti-bribery and corruption, privacy, whatever it may be. So, do we have the breadth of coverage and do we have the depth of coverage? So, quite often you can have the situation where you're reporting on the first three, everything looks peachy and rosy, we're all very happy, and then we realize we've only actually engaged with 15% of the vendor population every single year.
There's so much there that could be uncovered and unpicked that it would be concerning.

Okay, so to summarize on that part, when we start looking at focus areas itself, the net takeaway I'd ultimately say on this is the fact that these different personas originally started to stem from an infosec standpoint. With the advent of procurement getting more involved in these programs, we're starting to see a bit of a shift from KRIs to KPIs and a better awareness of the fact that coverage is a contributing factor, as well as supplier resilience post-COVID. So the needs are different, but ultimately you have different personas as part of the business who want to consume that information in different ways.

Okie dokie. So we are now going to move over into some specific metrics. As much as I can sit here and talk about the abstract, the art of what's possible here, I appreciate that some people like very definitive metric points, and I'll highlight some of the ones that we commonly see. And again, Prevalent is happy to share some collateral, white papers, etc. related to this if you want to dive into it in a bit more detail. But I'll certainly cover off some of the key ones for you in just a moment when I've had my sip of water. There we go. Suitably refreshed. I'm going to dive into risk metrics. So essentially what we're going to do now is dive into some of these key areas: risk metrics, threat metrics, compliance metrics, and coverage metrics. And these are the most common things that we tend to see in a successful, efficient program. So to begin with, when we look at risk metrics, we really want to understand the percentage of suppliers by tier.
What do I mean by tier? 1 to 4 is an example here. We've seen all sorts, but 1 to 3 or 1 to 4 is certainly the most common, and we're wanting to understand what the segmentation of our supplier base is. If you see it being disproportionately weighted one way or the other, then you might need to adjust your tiering models. But typically you're looking at around 10% for tier one. I'm looking at a three-tier model here: 10% for tier one, 30% tends to be tier two, and then you're looking at about 60% for the tier threes and tier fours on this basis. So you have a pyramid of sorts, which essentially is outlining what your supplier base is. If it's an upside-down pyramid, then the odds are you've potentially mis-tiered. The business is not necessarily giving you the right information, or you might be misfocusing on your vendors. You're dealing with a subset of your ecosystem, your vendor landscape, that's not comprehensive enough. So that's usually a good indicator about what our coverage looks like, what the breadth looks like, and what the health is of our tiering and profiling process.

Next, looking at the percentage of suppliers that have completed an initial onboarding inherent risk assessment. This ties to the former. So quite often people can't do the former metric because they haven't qualified who the vendor is and what they do. So we do recommend that people ultimately have a process, whether that's being driven by the third party who populates it or by the business owner who's requesting it, that they go through that inherent risk assessment, the IRA. It should be simplistic enough so that people can't misunderstand the responses.
It should be simple enough that you're able to remove any interpretation, but not so simple that you aren't capturing some of the most common criteria. And I'll touch on some of those a bit later on. But if you're looking at low percentages on that, and I appreciate if you're starting a program from scratch you're going to have low percentages, because it tends to be done when you onboard a third party rather than as part of the retrospective lifecycle. But you do want to get that percentage up, whether it's an initial one or whether it's an iterative one. When you're renewing contracts, you want to understand who is the vendor, what are they doing for you. You don't want to just focus on spend.

Next, number of suppliers that have passed or failed the initial onboarding inherent risk assessment. So, we might reject some, and the first criterion here is we need to have a risk appetite. So are there certain ones that simply, based on what we've captured from them, aren't fit for purpose, and we need to review them and make decisions about them? So you can have pass/fail criteria where you actually include some control-based criteria in the first question set, or it might be just discovery, which is fine, in which case you might not have that pass/fail criteria; but if you do look at control-based questions, you need to ascertain what your risk appetite is, so you can see what ratio of people are passing or failing. Where people fail, it usually doesn't mean that you have to basically not use them. It tends to mean that you have to do extended due diligence against them, and they might fall into a higher bucket or a higher tier than you would have otherwise expected.
Alistair Parr: And the next very important metric, and this is the one I think where people are spending a lot of time and focus in the current third-party ecosystem across the community, is the mean time to complete supplier assessments. People spend so much time focusing on risk analysis. They're not really thinking about: are we asking for and getting these risks in the right way? So of course you can use passive insights, but to really dig beneath the surface of a company, you do need to do a degree of supplier assessments. That could be taking a SOC 2 report from them and translating it into controls and risks. Fine. Or it could be sending out an actual assessment to them and then tracking the lead time and response. A good program is usually getting responses within a week to two weeks when you have an active community. Of course, bad programs mean you have so little engagement with the vendors that it sits there in the ether and never gets completed at all. So, we always recommend tracking that, because it shows your vendor engagement and it also shows how effective you are. So, it's more of a behavioral metric as much as anything else. And you can use that to understand: are we asking the right questions? Is our process sufficient? And do we need to improve the broader engagement with our supply chain? Okay. Moving on to a couple of other risk metrics. Just to elaborate a bit on this, you do of course want to focus on what your priority one security incidents have been in the last quarter. This is something you will very often report back to your C-suite or your board.
Alistair Parr: And this is typically focusing on zero-day vulnerabilities. So something where you need to react to something in the community; that could be a reaction to a passive monitoring insight. Company A has had a data breach, or company B has had a major outage. Or it might be something that's community-wide or technology-wide, so a SolarWinds or similar, for example. You do want to understand if there are trends and if it's something that you could avoid or not based on mitigating mechanisms, to see if you could ever have got ahead of those rather than react to them. Number of vendors within the supply chain with a high score. What are we talking about here? Just trying to understand what the actual risk appetite of our community is. Are our vendors generally good or bad? And that might mean that, a, they're bad, but, b, it might mean that our interpretation of risk is excessive. So it's more of a question in response to that rather than actually treating it as a positive or negative thing. Number of suppliers that present a continued high risk following successful onboarding. This shows again engagement from a vendor perspective. Are they actively working with us? Are they improving, or are they just generally sitting there comfortable because they've got that contract in hand and they're getting paid, so they're smiling and they are happy? I'm going to pause for a moment for a bit of water. Thank you for your patience, everybody. So, inherent risk from each security domain and category. Now what we're talking about here is domain areas. So we're segmenting things based on their focus areas.
Alistair Parr: You can see there access control, asset management, physical security, information systems acquisition, etc. We want to understand if there's a particularly risky area that we can focus on. Why is that helpful? Because then we can start doing targeted approaches. If we generally see people have problems with physical security, we might provide guidance and packages to support them on that, or do a broader focus in the sense of let's go and try and remediate as much of those as we can. Equally useful to know if there's a particular area of risk associated to the business. And then finally, looking at the residual risk. So residual risk here being: once they've applied any mitigating controls that we've identified, where are they? You know, are we at a tolerable level or not? Are we still at an unacceptable level of risk that we need to address? You know, this of course is focused more on the risk management and infosec focus areas to some extent. But these are all criteria that are really, really important when we're looking at our supply chain. So I will leave it there on risk management from that perspective. I was going to pivot over to some of the threat metrics that we do tend to see, and for us the threat metrics, to start with, percentage coverage of supplier base by tier with threat intel. Much like you saw on the risk metrics, it's a case of what insights we have: passive monitoring insights that would suggest zero days, data breaches, challenges, etc. You know, you tend to see a majority of your tier 1s with coverage, maybe to a lesser extent for your tier 3s or tier 4s, or there might be more point in time, but nonetheless you want to understand. Yeah, ultimately threat intel and passive monitoring combined is your heartbeat against your vendors.
Alistair Parr: They aren't going to volunteer stuff to you very often. So, use that as that heartbeat check without that implicit involvement from them. Next, mean time to action. So, this is for the risk. This is an internal KPI. This is about trying to understand whether the business is responding in a timely way. Something has happened. We've had a zero day. Are we panicking? Are we sitting there? Are we actually out for a nice long weekend and realize when we come back on a Monday? You know, these are the things that we need to be mindful of as to whether we've resourced effectively and whether our response processes are effective or not. Our best customers tend to have a process in place so that, even unfortunately on a weekend, they might get that call to action to react. They'll have the ability with threat metrics and threat intel and passive monitoring to see the impact against the organization and then can deal with it accordingly. Accuracy of threat intel sources is measured by the number of false positives. A very useful metric, and something that's typically overlooked in a third-party risk management program, is that the threat intel feeds out there are doing their best based on passive insights. There are going to be false positives and, more concerning, there are going to be false negatives associated to these. So both false positives and false negatives need to be tracked to give us some insight into the quality of the data. It's no good if you get 100,000 monitoring events and only 5,000 of those are actually useful.
Alistair Parr: So it's about having an understanding of what the accuracy is for false positives and false negatives and then working against that downstream. Next, so looking at some of the key risk indicators here, the percentage difference between supplier self-attestation and threats based on intelligence sources. So what we're talking about here is: what have we discovered versus what are they actually reporting? And this can quite often come from the assessment workflows, something we do a lot of in Prevalent, and we have what we call red flag analysis, which is essentially where I might ask supplier A how good are you at data loss prevention, and they respond back and say we're fantastic, we have enterprise-leading DLP technologies with established rule sets that cover all egress points and endpoints in the business. Great, sounds wonderful, good job. And yet you would then go look at their threat metrics and their threat intel, and they've had seven data breaches and their records are being shared everywhere. That type of red flag, that type of contradiction, is very, very important to track, because self-attestation will only get you so far. The value in it is it's going to find the needle-in-the-haystack vendors who are gaming your system rather than actually being pragmatic and reasonable, and those are the ones to watch out for. The number of tiered vendors with active high threat intel indicators. So again, tied to how quickly we are actually remediating these. We want to understand what the percentage of them is and then react to those; you know, that's our priority, popped for threat intel. And then this is a bit of a blend of a key risk indicator and a performance indicator, but the mean time to resolve.
Alistair Parr: So once we've identified it, whether it's a false positive or a false negative, how are we actually getting it to closure? You know, the former is focused more on how we're responding to it. This one's more focused on: great, we've responded to it. The vendor's come back to us and said, "Oh dear, that's wrong." Or we've now done X to resolve it. Good metrics to understand what the business appetite might be; you know, are we being pragmatic and realistic? Now, these threat metrics are getting more and more prominent. So, to call back on our lovely Prevalent surveys that we've been doing, we've actually seen the number of companies that are not monitoring, "not" being the operative word here, decrease. So, in 2022, I think we were looking at about 12% of third-party programs not tracking third-party breaches using some of the threat metrics and passive monitoring. We are down now to 4%. So, the vast, vast majority of programs in some shape or form are tracking these third-party breaches and then hopefully reacting to them. Now, we'll touch on it a bit later on, but I don't think nearly enough people are reacting to them, but the data is there and the data is being consumed. Very useful metric there. Okie dokie. And moving on to our compliance metrics. So, when we're looking at our compliance metrics, we're looking at, again from a performance indication standpoint, the number of suppliers that are categorized as in scope for a compliance program. First port of call here is actually understanding what we are regulated against. What are our obligations? Whether it's SOX, PCI, GDPR, NYDFS, there are enough acronyms out there with regulations attached to them.
Alistair Parr: We do need to talk to the broader business to understand that, and what we can start doing then is actually building dashboards that segment according to the various frameworks and regulations we're tracking against. So you want to understand how many are in scope, and then we can start drilling into that data on how many are actually at risk. Qualitative compliance returns from suppliers by tier. So this is about understanding where the gaps are. So I might have reached out to a thousand vendors associated to my SOX compliance. Now of those, 50 haven't come back or haven't answered all my questions. I'm sat there smiling because I've got all my responses and everything's good and rosy. We do want to check and make sure that we have good data and complete data back from people, because when you go to audit, that's the stuff that's going to get picked up. You don't want gaps in your audit programs. And from a key risk indicator perspective, yeah, we're of course looking at the number of suppliers outside of tier 1 with compliance obligations. So these are the ones who are not classified as high priority or high risk to the business but still have compliance obligations. Why is that important? Because there might be some of these that haven't been scrutinized efficiently. So there might be a tier 4 that just happens to be providing a service that's otherwise considered lightweight, but we do need to add some additional due diligence against them and potentially move them around the tiering models. And then the number of suppliers within all tiers that have outstanding intel or control deficiencies not under management.
Alistair Parr: So really what we are saying here is: how many suppliers have we actually got associated risk against that we need to go and deal with? So on to my last list of drill-down metrics to call out, and then we'll move on to the program governance perspectives there and how we actually report on it and do it in a meaningful way. So I wanted to touch a little bit on the coverage piece. So these to me are very, very important metrics. These are key metrics as much as anything else, and some people overlook these. So the percentage coverage of the supply chain globally: you know, a good program should be every year addressing at least 20 to 25% of their entire third-party estate. The reality is there's a good percentage that don't do that. But that's every year. So you might have those rotate each year. So you end up with coverage usually over a three-year period at least of your tier 1s, 2s, you know, the top tiers. The number of suppliers receiving payment that do not have an onboarded status. So these are the ones that have basically slipped the net. They might be legacy vendors that we've paid and are smiling because we haven't spoken to them. You know, those are the ones that we need to onboard. Those orphan vendors, very sad. And then the mean time to onboard. So this is a very interesting metric. I'm talking fast. I'm going to slow down and pause a bit on this one. So, the mean time to onboard is becoming very, very topical, and we're hearing about it far more from procurement and from the boards and the execs.
Alistair Parr: They want to know how long it is taking from the point of the business going, quick, we need to pay this organization immediately because they're delivering value, to the teams going, great, we can pay them and progress. The business is demanding this to be as short as possible. But we have, of course, a process to follow. We need to do our due diligence, and we need to operate this in a, you know, meaningful and risk-averse way. So we have this compression of this process, meaning we need to be more efficient, and ultimately people want to see this start reducing, and the challenge is getting it to reduce without affecting the quality of the engagement cycle. And then from a key risk indicator perspective, the number of suppliers in use without a detailed profile. So where are the gaps, based on our passive monitoring or insights? Number of tier 1s that have not returned self-attestation. That's a big red flag. Ideally, you're not paying them until they do, in which case they tend to respond. If it's a legacy one or if it's, you know, mid-cycle, those are the ones where you need the business to get involved and escalate to the VPs and similar of the business lines. And then the numbers not covered by threat intel. Really, this should become less of an issue when you've actually profiled and tiered things effectively and you've established your workloads for reach, but ultimately you do want to understand where those potential gaps are. So, I'm going to go up a level now. We're talking about very specific metrics here across the areas. We generally get asked for these. So, of course, I wanted to make sure you had some exposure to what we consider important.
Alistair Parr: But a very, very important aspect of this as well is the maturity of the program. You know, those are the trees that make up our metrics, but to look at the wood, we need to start thinking about the broader maturity of it. Something that's very effective is starting to look at program maturity, whether you're using the Carnegie capability maturity model or your own proprietary one or something that you found on the web or asking ChatGPT, up to you. But you want to consider the coverage of your estate, the content of what you're sending out, the roles and responsibilities and RACIs of the team members that you've got and whether they're fit for purpose, the remediation cycles that you've got and the risk tolerances that you've defined, and then the governance process. So, how are you actually getting those metrics? How are you using them, etc.? It's all well and good building these, but if we don't use them, is there a gap? So, as much as I talk about all of these specific metrics, I would just strongly advocate to everybody on the line: please, please do build a program-level analysis and metrics associated to that. Are we good? Are we funded sufficiently? Have we got the right resources in-house that we need to be able to action this? Are we able to actually talk to all of the critical vendors? And do we need other business involvement in order to be more effective?
Alistair Parr: Those are the types of things that should be coming out of good program-level metrics, and those are the things that the execs and the C-suite are going to want to see, because it can quite easily be quantified into: please give me more money, or please give me the ability to recruit subject matter experts in these disciplines, or please help me get this part of the business to do their job and help me out. So I strongly, strongly ask you all to consider and focus on those program metrics. Okie dokie. When we actually look at these metrics, how on earth do we report on them in a meaningful time scale? And a big challenge in this is when we actually start looking at, you know, the life cycles of a program. You have that initial creation point. People understand what mature looks like, what they're trying to achieve programmatically, and then build those key metrics, and then they go for the scoping and the building of the service lines and standardization and the assessments and the planning. And this is a usual cycle that we see in the program definition phase. The challenge here is you see the defining of key metrics and maturity definition here quite early on in the cycle; that is point in time, and that's slightly dangerous. So what we always recommend, and we position now, and this is typically supported by technology, is that you look towards more real-time tracking here. So you want to follow this implement, review and enhance model. So you should be reviewing your metrics in line with your program maturity reviews, at least every year, ideally every quarter, to see if it's being consumed and how effective it is. And you want to use things like dashboards, etc.
that have real-time insights to give you data points on what the risks are, who's doing good, who's doing bad, etc. So, the two takeaways for reporting cadence here are: don't focus on having it at the advent of the program up front, and do focus on making sure that you've got the capabilities, whether it's Power BI or Tableau, QuickSight, whatever it may be, to be able to present dashboards to the different personas of the business. You'll have different dashboards for different people that could be and should be simple enough and focused on their data set. But we strongly encourage that. Okay. So, moving on to actually some of the common challenges that we see, and there's no point in having a challenge without having an answer for some of those challenges. But the first challenge that we tend to see is focusing on establishing those profiling and tiering methodologies. I spoke a bit about it when we were talking about the KPIs associated to risks, etc. But so many people are focusing on establishing those tiering models based on total contract value, which is a bit simplistic and not indicative of the true value of that third party, and they're doing that because they haven't necessarily had the opportunity to do profiling and tiering or an inherent risk assessment. So we encourage you, if you are retrofitting a program, to try and look at things like: what part of this business are they supporting? What are they actually offering? What region are they based in? And that could feed into understanding the compliance obligations or function-specific regulatory obligations, and then consider internally, well, what can we actually deal with here? You know, do the teams have the capability to be able to interpret that data?
Alistair Parr: What is our risk appetite based on, you know, the criteria we've identified? And then identify any resource constraints. So we recommend that initial exercise to understand what data you have got to profile and tier retroactively, and whether you've got any baseline criteria you can define for each business line or each service line being delivered. The next challenge that we tend to see, and I think this is pretty prominent and has been for years, it's not a new thing here, is Nth-party mapping. I think the space has been talking about this for the best part of a decade, on this is what people will be doing in the future, but the reality is the budgets aren't there, the resource capacity isn't there. We're only maybe starting to now just get back to the point with passive mapping and scalability where people are able to do a percentage of this. But it's about understanding: are there additional peripheral sub-service third parties that actually have a real impact on us? And we are finding more and more, when we're looking at these metrics, that there are particular vendors where we have concentration risks, and we want to report back these concentration risks as part of our metric reporting. So it's worth considering at least some basic Nth-party mapping in your assessment workflows or in your journey, just so that you can weave that into your metrics and analytics. Hard to understand your risk appetite without that. But by far and large the biggest issue when you're trying to build and collect these is the fact that a lot of these programs are broken. So we need, and this again is being drawn from analysis that we've done across the market.
Alistair Parr: So if you want to get insights into this, please feel free to look at the third-party study on the Prevalent website. We'll be able to share some insights for you. But only 50% of participants felt that the program was meeting the needs of all departments. That's because program metrics aren't necessarily tailored to report back on stuff they're interested in. And of course, the programs don't support that. The majority aren't able to assess risk at every stage because they haven't got the visibility necessary, and that's not reported back effectively. 45% are able to assess risks across security, business, and reputational categories. So, the majority don't have the means to cover the gamut of risk domains that they're looking at. 62% deliver automation and reporting necessary to effectively demonstrate compliance. Getting better, but still circa 40% don't have automated tools sufficient to be able to demonstrate compliance without having to review manually. 42%: helping you be more proactive in third-party incident response. 42% feel it is effective at the moment. So nearly 60% feel that the incident response process, that threat-intel-based work, is not fit for purpose and is more reactive. So the reporting metrics support that trending, and importantly here only 43% feel that it's satisfying the board demands. So what we tend to see is that there are a lot of programs out there that are actually doing better than they appear, but they're not communicating it effectively enough. They're not sharing the insights. They're being siloed. They're not helping each other.
Alistair Parr: So when you actually start looking at it from a general final-thought perspective here, a good, healthy program is understanding the personas. It's understanding what people are interested in. They're trying to avoid having disengaged business owners as well as execs, and they're making sure that ultimately their data sets are accurate and complete. To do that you need to sit back and really look at those personas. You need to be considering things that people are interested in, which is not just risk, as much as many of you may be risk professionals. They're also looking at performance management on the whole, and equally so we need to continually improve and continually review that. We can't just look at point in time. We need to make sure that we are actively tracking and improving those over time and that the metrics meet the needs of new regulatory frameworks or requirements. And then finally, one thing I really encourage you to do is be visible. Share the information. Don't overshare, but share the information with all the communities, the personas. Get their buy-in, because they're really going to make life easier as we build these metrics, and they'll also tell you what they're interested in and what they're not interested in. So, we will get through some of your questions here. We've got a fair few in the Q&A section. I'll try and reserve five minutes for that. But we're just going to have a brief moment. We're going to have the lovely Scott Lane give us a bit of insight into how Prevalent actually addresses some of this. Hello, Scott.
Scott Lane: Hello, Alistair. Yes, that's not the first time you've called me lovely. I appreciate your advocacy. Yeah. You know what? As I'm kind of getting into my presentation here, I just wanted to call out a couple of questions that were asked that I can answer for you. A question was asked regarding program metrics, the component of the presentation: any further reference material to dive into, you know, for closer understanding and interpretation? The answer to that is yes. We have an ebook that reviews the 25 most common KPIs and KRIs for third-party risk management. We have an accompanying spreadsheet that goes with it where you can kind of map your existing performance on those 25 KPIs into the spreadsheet and kind of identify where the deltas are, as part of the follow-up to this webinar. We'll provide you a link to that as well. And then, you know, information on kind of the broken programs component. All the research that Alistair addressed or called back to for this webinar is in our annual third-party risk management study that was published, I think, back in the May time frame, if I'm not mistaken. So, you know, we'll get those links out to you in the future as part of the follow-up to this. So, let me real quickly kind of walk you through the Prevalent platform. You know, a third-party risk management program should accomplish, you know, three things, right? Get you the data you need to make good business decisions. Give you, you know, the ability to bring different teams together to address third-party risks regardless of the department involved and their concerns.
Scott Lane: For example, IT security has their concerns, procurement has their concerns, risk management and audit have their concerns; to kind of unite these things. So good intelligence to make good decisions, the ability to knock down silos and bring teams and data and analysis and risk management together. And then third, you know, some programmatic processes to help simplify your life and move the program from kind of a manual-based approach to more of a workflow-driven process to kind of simplify, and that's kind of at the heart of what we have utilized as we built out the Prevalent platform. There are those three tenets. You know, ultimately what we're trying to help you achieve with your program is not just to reduce third-party risk, because, you know, why would you deploy a solution if it didn't do that, but automate and scale your program with quality. Do more with the resources you have. Employ workflow, remediation and automations to kind of speed to resolution an acceptable risk profile for your third parties; to operationalize third-party life cycle management, and that is to transform what could be a manual process into something much more, you know, automated and integrated with your enterprise risk management workflows as well. And then automate compliance and privacy activities as well. And we do that by including templates for more than 200 different questionnaires in the Prevalent platform, enabling you to, you know, ask a series of questions and then map those to common regulatory requirements and kind of meet that.
Scott Lane: It’s all built on a cloud-native framework that has common criteria and capabilities that are shared between our risk assessment, which is the assessment workflow capability I mentioned, and risk monitoring, which is continuous monitoring of not just cyber security but also business, operational and financial risks, reputational risks, all tied into the lifecycle-based approach where we address and see risks at every stage of the lifecycle, from sourcing and selection all the way to termination and offboarding. Alistair, next slide, please. I do want to speed through it just because I want to make sure that we’ve got time to answer questions. So maybe one more slide, Alistair, on the lifecycle there. I mentioned that we see risk at every stage of the lifecycle, from sourcing and selection all the way to offboarding and termination. That includes very discrete capabilities to not just automate RFx processes for new vendors and suppliers, but also adding intelligence to balance out whether or not that new vendor is fit for purpose, but also a fit for your risk profile. Automating onboarding and intake processes, scoring inherent risks, assessing and remediating vendors across a myriad of different assessment types, utilizing monitoring and uniting it together, and ultimately giving you the ability to offboard and terminate those vendors with some discipline and rigor while incorporating good SLAs and contractual measures. So we do this across the landscape of teams internally, processes, as well as risk types. So again, I don’t want to get in the way here. I want to make sure we’ve plenty of time here to answer questions.
Scott Lane: So I’ll stop there. Ashley, go ahead.
Ashley: Thanks, Scott. You guys might have noticed I went ahead and launched our second poll so we can follow up with you regarding any initiatives or projects that you may have. We’d like to see if you’re looking to establish or augment a third-party risk program within the year. And please be honest, because we do follow up with you. But Alistair, it looks like we have some questions left in the chat. So, let’s go ahead and dig through some of these. Vincent asked, “What are the major lessons learned from the pandemic that could be useful in the future if business disruption reoccurs?”
Alistair Parr: Yeah, it’s a good point. So something that we’ve seen a big focus and increase on is resilience, and I’ve seen there’s a couple of questions associated to that as well, tied to third-party disruption, security, supply, etc. We’ve certainly seen it, in that pandemic-related material drove supply chain resilience question sets a couple of years ago. People did a mad rush to try to understand what the landscape looked like, and naturally businesses were reacting to it. And that was very much a reactive mechanism. So we’ve now seen that getting woven into the very fabric of the process itself. So it’s a much more focused discipline. Previously it was almost a subdomain of some of the control-based question sets. It’s now sitting there as its own distinct pillar with ESG, anti-slavery, privacy, infosec and operational resilience. So it’s definitely at the forefront. We’re seeing organizations report it more and more now, and we’re seeing the COOs, the CTOs and the CIOs starting to own that. So it’s definitely a more mature landscape. And I know we’re short on time, so I’m going to take one other question there, which is: do you agree that some ordinary KPIs also serve as KRIs at the same time? I think it’s a very good question to almost end today on, which is: absolutely. So KRIs and KPIs very much complement each other. So when you’re building these, they should be enabling the talk track for each other. You know, why are we taking forever to do this? Because we have this risk landscape and this is our risk appetite. Or even vice versa. You know, why is this happening quickly, or is it associated to risk?
Alistair Parr: So you’d always look at them in tandem. They both add value and they both join up the story that you’re trying to present. And really, when you’re looking at what these metrics do, they should be telling you a story and telling whoever’s trying to consume it something that’s going to help them understand what you’re doing and enable them to drive actions on the tail end of it. So, great questions and great points, and apologies for those whose questions I didn’t get to. Thank you. Back to you, Ashley.
Ashley: Thanks, Alistair, Scott, and everyone for all of your questions. They both gave us some great information to take in today. So, I hope to see all of you either in your inbox or at a future Prevalent webinar. Cheers everyone. Have a great rest of your week.
Alistair Parr: Cheers. Thank you.

©2025 Mitratech, Inc. All rights reserved.