Sustainable Third-Party Risk Management Part 3: Triage, Assessment, and Monitoring
Third-Party Risk Management: Triage, Assessment, and Continuous Monitoring
Description
Being resilient in the face of vendor breaches and supplier disruptions starts with uncovering risks before incidents occur. A triage-based approach might work for minor events, but it’s not scalable or sustainable. So, how do you build a third-party risk management program that’s comprehensive and proactive – without being overly complex?
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, for the third installment in our 4-part webinar series, Building a Sustainable TPRM Program.
In Part 3, Bob shares best practices for the core components of your program, including:
- Establishing rules for risk assessment vs. triage
- Determining the appropriate scope and frequency of assessments
- Getting consistent, actionable data from assessment results
- Defining the “what, when, and how” behind your risk monitoring strategy
- Automating your TPRM program for optimal efficiency and scale
With over 30 years of real-world experience architecting and implementing risk management programs at Fortune 100 companies, Bob is the ideal guide for learning how to assess and address risks in your TPRM program.
Speakers

Bob Wilkinson
CEO of Cyber Marathon Solutions and former CISO at Citigroup
Transcript
Melissa: All right, welcome, welcome everybody. Happy Wednesday. It’s great to see you all start joining. As we do wait for people to trickle in, I’m going to go ahead and launch our very first poll. I’m sure if this is not your first rodeo, you’ve seen this before. But we just want to know what’s bringing you to today’s webinar. So, is it educational? Are you in the beginning stages? Current Prevalent customer? Let me know. I’m going to leave that poll up just for a minute or two and quickly get some intros started. We have our very special guest here, founder and CEO of Cyber Marathon Solutions, Bob Wilkinson. Say hi, Bob.
Bob Wilkinson: Hi, Bob.
Melissa: We also have our very own Scott Lang, VP of product marketing here at Prevalent, as well as myself. My name is Melissa. I work in business development, and I’m usually the one who will follow up with you after this webinar, and I’ve chatted with some of you before. So you might have heard my voice. Sorry about that. And you have probably either heard from that or Amanda or Landon or Null. So, be on the lookout for us. Today Bob’s going to go ahead and dig into part three of the topic, entitled Triage, Assessment, and Continuous Monitoring. So, if you sadly missed the first two parts, we can make those recordings available to you. Quick reminder, we want to value your time, of course, so please feel free to use the Q&A for all those questions that you might have. They will get lost in chat, I promise. So, just make sure you’re utilizing that Q&A to the best of your abilities. This is also being recorded, so, you know, don’t worry. This will be in your inbox later today or tomorrow. Lastly, you are all muted, so use the chat if you need to communicate something other than a Q&A. Other than that, I’m going to pause this poll and I will let Bob take over.
Bob Wilkinson: Thank you very much, Melissa. Okay, so as Melissa said, this is part three in a four-part series on building a sustainable third-party risk management program. So today we’re going to cover a number of topics, including what I refer to as supply chain risk domains, triage, risk assessment, continuous monitoring, and the third-party program automation checklist, as automation is a key factor in the success of your third-party risk management program. So, as we get into this, we’re going to start by talking about the criticality of third parties. So, do you know which of your third parties and associated extended supply chains are tied to your critical business services and products? And then looking at third parties and how they are broken down and classified within your organization. And what we’re driving at here is different than a procurement or supply management categorization based on function. This is based on risk, and then how we might triage based on the risk domain that a third party falls into to accelerate and simplify the process of onboarding third parties. Then we’re going to talk a little bit about periodic risk assessments and events that trigger a third-party reassessment, of which there are a number that we all need to be aware of. Then we’re going to delve a little bit into data science and analytics and how that can become a critical part in helping you to quantify the risk that exists in your third-party inventory and how that can be a driver for the actions that you take going forward. From there, we’re going to go into continuous third-party monitoring, how you get started, a checklist of important factors for continuous monitoring, and then wrap up by talking about the role of automation in a third-party risk management program and some of the key items that that automation should be addressing. So, starting with criticality of third parties.
Depending on the size of the organization that you have, you can have anywhere from a small number to literally tens of thousands of third parties in your supply chain. So when you think about how you assess the risks associated with them, it becomes an exercise in determining which ones are the most critical for your business and how you identify and focus on them. So it could involve a third party’s role in some of your key operational processes, the function the third party provides, the classification of information that they handle. And as you look at these different third parties, it’s really important to have a starting place. And one of the things that you can do in terms of identifying the starting place for a definition of criticality is working with your disaster recovery and continuity of business people, because they usually have a list of what the critical processes and services are that your company provides, and that would give you some initial insight into which of your third parties are defined as critical. There are a number of other ways you can do that. But when you’re looking to get started, that for me often provides the easiest way to get that information. When you understand which of your critical third parties are associated with different business processes, don’t stop there. Look at what fourth, fifth, and sixth parties might also be providing service to that third party that’s involved with your critical business process, because it can be a case where the third party may be sharing access to your infrastructure or may be sharing your confidential information with fourth, fifth, and sixth parties, and you may not be fully aware of that, and that in itself extends the risk for those critical business processes further down into your supply chain.
So thinking of the full impact of what those critical third parties and nth parties might have on your organization gives you a good basis for where to start looking at third-party risk in your program.
Scott Lang: Hey Bob.
Bob Wilkinson: Yes.
Scott Lang: Got a couple questions already. That’s good.
Bob Wilkinson: Okay, let’s go to it.
Scott Lang: They’re ready to talk. So, how much emphasis should be put into reviewing fourth parties? Should they be risk-ranked as well, or how much due diligence review/ongoing monitoring should be required?
Bob Wilkinson: Okay, so it’s a really challenging question, because say you start with 100 third parties; you go to fourth parties, you might have a thousand; you go to fifth parties, you might have 5,000. So it becomes an unmanageable number, and that combined with the normal growth in the number of third parties that your company uses poses a significant challenge. And as we go through the presentation, we’ll talk about that more. But the act of tying fourth parties to the critical services and products that your company provides is key on where you need to focus. And as we go through the presentation and we talk about the role of continuous monitoring, that’s where we have the opportunity to really leverage and further monitor those fourth and fifth parties. So that’s a partial answer, which I’ll expand on as I go through the presentation.
Melissa: Okay. And then what about fourth, fifth, and sixth parties? How would you define that?
Bob Wilkinson: Those are the subcontractors to your company or to your third party. So, say you’re working with IBM and IBM outsources some of the functionality to AWS, who’s doing the hosting for whatever that software or application is that IBM uses. So in that conversation, AWS would be a fourth party to you. They would be a third party to IBM.
Melissa: Got it. Cool. And then do third and fourth parties have any obligations to respond to an information request?
Bob Wilkinson: Well, that all depends on whether you have a contract in place which obligates them to do that. Now, the important thing there is the extent to which you can standardize your contract language with third parties and how you communicate to third parties that any other fourth, fifth, and sixth parties that they use are bound by the terms of the contract that you have with your third party. So when we look at contracts, there’s three important things to do. The first is the right to audit, which gets at addressing this. And what you want to ensure with your third party is that they are performing sufficient due diligence on those fourth parties, etc., to ensure that they are adhering to the standards of the contract that the third party has with you. So that’s an important aspect, that you obligate them contractually, because if you don’t, then they can say, well, you have no right to do it and there’s nothing in the contract. So that’s one way to address it.
Melissa: Got it. Okay. Thank you.
Bob Wilkinson: Okay. So let’s talk about risk domains. Now when I talk about risk domains, I’m differentiating from product domains, if you will. So it’s not uncommon in procurement organizations that they would come up with classifications of third parties based on the services provided. This is a similar concept, but the important differentiator is it’s based on risk. So when we think about this, there are numerous ways, and it will to some extent be driven by the type of business your organization is in, how you would classify that. But you could do it based on functions, products, services. So some examples might be: you classify all of your call centers that provide customer support. It might be payment processors. It might be software developers, which is very, very important and I’ll talk about more in this presentation. You also might have risk domains that are structured based on the information that you share with your third parties. You might also do, and some companies in fact do this, you might have a risk domain based on employee information that’s shared with third parties, because you want to get that granular. You might do it based on those companies that have access to your infrastructure. The point being that there are numerous ways to classify risk domains, but by doing it that way, as you’ll see in another slide or two, you have the opportunity to focus on the controls that are most critical for that risk domain. And that’s where you can really leverage the process to be more efficient. Now, one of the challenges that all third-party risk management programs have these days is the organic growth in the number of third parties. Many of the companies I talked to say that their third parties increase anywhere up to and above 10% a year. Now, if you think about that, if you have a thousand third parties and you’re getting 100 new ones a year, how is your organization prepared to do the due diligence and incorporate and onboard all of those new third parties? That in itself becomes a challenge. If you go back to your management and say, “Well, the program’s growing 10% a year, so I need 10% more a year in my budget.” Well, good luck with that, because there’s not a high likelihood that, just because the program is growing, you’re going to get that additional funding. So, we have to work smarter about how we deal with the risk. And that ties back to the criticality of the service provided. But by focusing on risk domains, you are better able to manage the volume of third parties and third-party due diligence that you need to manage. Now, there are two important factors here. By more efficiently managing your third-party inventory, you’re able to better manage the costs associated with the program. But the other point is, by defining into risk domains who your third parties are, you’re also able to see where you have duplication. So, and I’ve talked about this before, the key point when a business unit comes to you and says they want to onboard a new third party, the first question you should always ask is, well, do we already have a third party that provides the service that you’re looking for? Because if we already have a third party that provides the service that you’re looking for, you can eliminate the due diligence. You’re likely going to get better pricing because you’re expanding the relationship with an existing third party, and it just makes everything more efficient. And in the process of doing that, you’re also decreasing risk. So from my perspective, this is a win-win. You manage the number and the total cost of doing the due diligence on the third parties while you’re also limiting the amount of risk. So how do we do this? This is what I call risk triage.
So when we have third parties categorized by risk domains, we can focus on those specific controls which are most important to the type of work and the risk that’s involved with that particular risk domain. So what I’m saying is you can ask a smaller number of questions and you can focus on the key controls that are involved with a particular risk domain to determine whether you need to go deeper. So what we’re trying to do here, when we take a step back and we look at our third-party risk programs, is we’re trying to be more efficient. We’re trying to help the businesses, because if the businesses aren’t being successful in getting the third parties on board that they need to do their business and take advantage of opportunities, then it’s not going to be too long before we don’t need a third-party risk management program because the business is not successful. So, in streamlining our approach to how we manage the third parties we have to deal with, and by focusing on the key controls that are involved in managing risks associated with those risk domains, we can be much more efficient in how we onboard and how we manage on an ongoing basis the risk that’s associated with using third parties. Now, that ties directly into data science and analytics. So, everyone hears that, you know, we’re doing more things with data science and analytics. Here’s a way that it converts into how you manage your third-party risk management program. So if I have a set of questions that I apply to a specific risk domain, say I’m looking at third parties who use confidential information. What are the critical controls, the key controls that I care about there? Well, how is that information being transmitted? What is the volume of information that’s being shared? What do we know about the third party and their level of security? …
Bob Wilkinson: By doing that, what we do is we focus in on the most important aspects of the relationship. And using data science, we come up with a weighted value for those key questions that we’re focusing on. So for example, if I care about confidential information, how much weight do I associate with how securely that information is being shared? How much weight do I associate with the volume of information that’s being shared? And what this process does, and the key differentiator from the way a lot of things are done today, is that what we’re doing when we assess the key controls associated with a risk domain is the marriage of our internal data with data from external public sources, such as some of the cyber monitoring tools and some of the broader risk management tools which only focus on publicly available data. When we can take publicly available data and we can combine it with internal information that we have, then what we can do is really have a very clear view on what the risk is that a particular third party represents to a company. Now in doing that, what we get is the ability to come up and set thresholds for how much risk we are willing to accept in our various risk domains. So for example, on a scale of one to five, where five is good and one is bad, we would set our threshold for the use of confidential information, say, at four. So if, when we ask these questions regarding key controls in the risk triage process, we get a score below four, then we really need to look and do more due diligence because of the sensitivity of the information and the apparent gaps that a third party has. Now we can do that at the individual level, scoring an individual third party, and we can score the amount of risk at the risk domain level.
All we do is take the number of third parties that are in a risk domain and come up with the average score or we can score the risk for our entire third-party portfolio, the whole inventory. And once we’re using data science, we can at any given point in time, calculate the risk score for our third-party inventory.
Bob Wilkinson: And the important thing of that, it allows us to see how we’re trending in risk from the use of third parties for our organization. Now, this is much more complex to do, and in this webinar we don’t have the time to go deeply into this topic, but what I’m trying to do is give you a flavor for a different way and a more quantitative way to set up and measure risk and be able to communicate that to your various stakeholders, to say, okay, the risk in the portfolio is going up, or the risk in these areas is going up, or the risk with this individual third party is going up. So there are advantages to defining risk by domain and focusing only on the key controls, instead of looking at every possible control that might be associated with a third party when you’re doing either your initial company selection for third parties or when you’re looking to onboard a specific organization after you’ve done this process. So I’m going to move on from here, and when we get to the situation where we decide that the risk threshold for a given company in a particular risk domain has been exceeded, then we want to look deeper. And that’s where we go into, let’s say, a full-blown risk assessment of an organization, where that third party raised sufficient questions from the answers that they provided to the key controls associated with a risk domain that you feel the need to go deeper, because there are open questions about what their posture is around managing the key risks for that risk domain. So when you look at that, you have to decide, okay, what’s the questionnaire you’re going to use. Do you have a proprietary questionnaire, or are you going to use some of the various industry standard questionnaires that are available? But you should do it in a standardized way. The second thing is, how are you going to approach the performance of those risk assessments? Are you going to do them on-site?
Well, that hasn’t happened much since we’ve been in the COVID phase. Or are you going to do it remotely, or use some mix? Are you going to use your own organization’s resources to perform risk assessments? Are you going to use staff augmentation and outsource this process?
Bob Wilkinson: Are you willing to use offshore resources because you’re trying to more efficiently manage the costs associated with the program? Will you use risk assessment services companies, and there are a number of them out there, which would perform the risk assessment and provide you with a report, and make reliance on that? Then you get to the point where issues are identified in your risk assessments and those issues have to get fixed. And let me be very clear on my view on this point, which is that the reason we assess risks is so that when we identify them we can fix them and mitigate the risk to our organization. So from my perspective, the point of a third-party risk management program is to identify and mitigate risks, and too often stakeholders in the organization look at third-party risk management as a compliance exercise. Okay, we assessed the risk associated with a vendor. We can tick the box and say we’re compliant because we did the risk assessment. That doesn’t do anything to help you manage or mitigate risk. It’s a compliance exercise. And compliance is fundamentally different than risk management. So focus on the risks, their identification, and then their mitigation, and then validate that the risks that you identified were in fact mitigated. That’s the critical step that reduces risk. Now, after you’ve assessed and onboarded a third party, there are a number of trigger events that may occur which will make you want to go back and reassess a third party that you’re doing business with. And the most obvious one of them is a data breach. Any negative news like that, you need to ensure that your third party, or fourth or fifth, as the case may be, have taken the appropriate steps to mitigate the risk that led to the data breach or ransomware attack or whatever the case might be.
Bob Wilkinson: Other events that can potentially trigger a reassessment are a change in ownership, merger and acquisition. When you get into potential regulatory and reputation risks that emerge from new legislation and regulations that regulators in various industries are implementing, you’re going to want to make sure that your third parties are also going to be compliant, because use of third parties does not absolve you of the responsibility for legal and regulatory compliance. Other events that may happen that could trigger a reassessment include moving a data center to a new physical location, or any third-party service to offshoring, or, increasingly, as we see more applications migrate to the cloud, that becomes an important area where you need to have a very good understanding of the controls that are in place. Another aspect is when you periodically review your third parties where there has been an expansion of the relationship, either new functionality or a significant increase in the volume of information that’s shared with the third party; you need to be aware of that, and that in itself might necessitate you wanting to perform another risk assessment. So if you had a relationship with a third party where you were sharing 100 customer records and then a year later you’re sharing 10 million, things have fundamentally changed, and the risk profile and the risk that that third party represents to you is very significant. And then on top of that, you have the situation where a third party’s financial situation deteriorates, because if a company’s financial situation deteriorates and you need to move to a new third party or bring a service back in house, that’s not something you’re going to be able to do overnight.
And that brings up another important point, which is that when businesses outsource to third parties to perform specific functionality, they still have an obligation to retain the knowledge so that, if needed, they can bring that function back in house, and for critical service providers to have a plan to do that.
Bob Wilkinson: And if you don’t have a plan, then you’re potentially vulnerable if a third party goes bankrupt or some other event occurs. So let’s shift gears a little bit and talk about continuous third-party monitoring. So the reality of managing third-party risk is that it changes on a daily basis. And when you think about performing a periodic risk assessment, that means for one day of the year you know what your third party’s risk posture is, but you don’t have good insight the other 364 days a year. And with the amount of risk that we’ve seen increasing so significantly, and it’s not just about cyber risk now, we have to think about business disruption risk, operational resilience, everything including ESG risk. Now you have to monitor, at least for your critical service providers, at a higher level than doing an annual risk assessment; that just doesn’t make sense in terms of how you manage risk. So how do you implement a continuous monitoring solution? There are a lot of tools out there. The different tools provide different functionality, but the key point is, if you’re looking at implementing continuous monitoring, you need to understand how that product or platform that you might use is going to be implemented into your organization, so that the results of continuous monitoring are going to flow into the right business processes and action is going to be taken by the people who need to take action, because I would argue that it’s worse when you start doing continuous monitoring and nobody’s paying attention to the results than not having continuous monitoring at all, because then you knew and you did nothing. So you need to take the time when you’re evaluating continuous monitoring products to understand how you’re going to implement that into your organization’s operational process workflows. That’s an absolutely critical step.
The other point is that continuous monitoring is largely based on the monitoring of publicly available data sources. So what does your internet presence look like from the outside, and what are the vulnerabilities that may be present? So from that perspective,
Bob Wilkinson: they’re going to be good about telling you where you have various vulnerabilities from a public-facing perspective, but that doesn’t cover the internal vulnerabilities that you may have, which these continuous monitoring solutions cannot detect. Also, you need to remember that the skill set for the people who are involved with continuous monitoring is different in certain respects than that for those who perform periodic risk assessments. So you need to ensure that you have resources that understand and are properly trained on how to extract the benefits from a continuous monitoring solution. So, starting continuous monitoring, this is where we get to one of the earlier questions and we start talking about how we can get visibility into fourth, fifth, and sixth parties. So when you set up your continuous monitoring solution, the way it often works is, in your contract with a continuous monitoring platform provider, you’ll define the scope of the number of third parties that you want to monitor. Some companies will monitor everything. And from that perspective, as you build your inventory of third, fourth, fifth, sixth parties, then you have the ability to add those fourth, fifth, and sixth parties that are associated initially with your critical business processes, so that you can monitor them on a daily basis along with your third parties. And that’s the advantage, and the solution to the question of what you should do in terms of monitoring fourth, fifth, and sixth parties. If you have a continuous monitoring solution, then you can see on a daily basis the same information for those fourth and fifth parties that you care about that you see about your third parties. When you look at logistically performing periodic risk assessments of your fourth and fifth parties, logistically and from a cost and just a program management perspective, that’s a very, very difficult sell.
So moving in the direction of continuous monitoring for your third parties and their subcontractors, the fourth, fifth, and sixth, that gives you a way to do that. Now, some of the nice things about some of the continuous monitoring solutions is they allow you to take a broader view of operational risk.
Bob Wilkinson: So, traditionally third-party risk management focuses on cyber and it focuses on business continuity, disaster recovery, impacts to operational resilience. But the fact of the matter is, we need to monitor third parties’ financial health, geographic and concentration risk, regulatory compliance, negative news, ESG, and you need to take a holistic view of operational risk. This isn’t a cyber security question. This isn’t a business continuity question. This is an operational risk question. And to effectively manage those risks, you need to take that holistic view. You also need to realize that over time your third parties will enter into other relationships and make acquisitions of other companies, which will impact fourth, fifth, and sixth parties, and you need to be aware of that. You also need to be aware of how the relationships change, and, you know, whether it’s increased data, whether it’s additional functionality that third or fourth parties may be providing to your company, you need to be aware of that. So taking a holistic view, looking at operational risks, and looking at that from a multi-tier, multi-factor, and continuous ongoing inventory discovery perspective really leverages the full benefits of continuous monitoring. So what I’ve done here is just provide a checklist of some of the high-level things that you should be thinking about when you think about implementing a continuous monitoring program. So, how complete is your third-party inventory? Do you have any insight into your fourth and fifth parties and who they might be? When you think about the monitoring that you want to do, you want to monitor your third and fourth parties for the location where they are providing the service to you.
So, a lot of third-party programs, when they build their inventory, may not have good data about where the third party is located or, which is the key thing, where the service is being provided to your company from. So you don’t want to end up with a third-party inventory that has a list of all the corporate headquarters of all the companies that you do business with. You want to know the addresses of where those services are provided.
Bob Wilkinson: So are you really dealing with IBM Corporation in Armonk, New York, where the corporate headquarters are? Or are you dealing with an IBM subsidiary that’s providing services to you based in Chennai, India, for example? Next, how have you thought about, developed, implemented, and documented the processes for continuous monitoring to ensure that when that continuous monitoring platform is turned on, your organization will be able to digest and leverage the information that’s produced? Next, what visibility do you have into that extended supply chain that your third parties are using? So again, starting with your critical processes, who are the fourth and fifth parties that are associated with those third parties, and over time building that inventory and understanding what information is being shared. So do you have insight into where your organization is sharing information, the volume of information, how that changes over time with your third parties? Because that’s where you’re going to want to focus first, on the sharing of data, and then the second aspect is access to your corporate infrastructure. So what access are these third and potentially fourth and fifth parties getting to your infrastructure, and are you comfortable with that, and were you even aware of it? And I’ve already talked about the physical locations, but I can’t stress that enough. You have to know where business is being done on your behalf with your third and fourth parties and which of those third, fourth, and fifth parties have access to your sensitive information. And then, do you have current contacts at your critical third parties, and do they have contacts at fourth and fifth parties, to know who to contact in the event that something goes bump in the night? So, who are your key contacts? How regularly do you test your process to ensure that you have the right contacts? People come and go all the time.
Do you have a way to contact your third party when a crisis occurs to get the answer that you need or to invoke an incident management and crisis management process as may be dictated by the circumstances?
Bob Wilkinson: And then finally, have your resources been trained in how to leverage the results from a continuous monitoring solution? Because they need to take action on that based on what the continuous monitoring platform is telling them. The role of automation in a third-party risk management program. So automation allows you, through things like continuous monitoring and inventory management, to have a single source of truth, uh, for your supplier risk that covers all of the key operational risks that you need to address. It allows you to aggregate information about your third-party risk program and also to track and drive the mitigation of operational risks that are identified, and at the same time show trending and identify risks that are arising from your use of third parties. So it’s not enough that we look at what we have and we assess the risk and we say here’s our plan to manage it. We have to have a way to have visibility into what the risks are that are coming at us in the future, which these days is fast and furious. We use the term black swans to describe events that occur that there was a low probability of occurrence. And what we’re seeing today is all those black swans are turning out to be regular events and occurring far too frequently, whether it’s, uh, SolarWinds, Kaseya, Log4j, the Ukraine war. All of those things impact our third-party risk management. So we need to have, to the extent that we can, automation to identify those risks and manage them. It’s also important, and you don’t want to have to go through weekly, monthly, and quarterly fire drills to pull the information together that you need to report to your management at multiple levels on the status of the third-party risk management program. So automation is a key factor in how you can manage and mitigate that risk. So here I have a checklist of some of the things that you should think about when you think about TPRM program automation.
And the first starts with do you have a centralized inventory of your third parties or does your business operate in a federated model where the business units are each responsible for managing their own inventory of third parties which makes things a little bit harder to do.
Bob Wilkinson: Now an important aspect of managing risk in third parties these days is software development. Some of the biggest issues that we’ve seen over the last year have centered on vulnerabilities in software. So how is it that we can make that determination that the software for a third party that we’re using is the software that’s been affected in a potential incident? So most organizations have an inventory of the software that they use. How can we leverage the inventory of software against the inventory of third parties to better map and understand that when something happens at a third party, we can know, if it was a software issue, that that third party was affected by that software? It greatly simplifies our life. So leverage your software inventory as a resource alongside your third-party inventory. Then, is there a single process for onboarding third parties in your organization? Many times with organizations I see that there are exception processes. It could be based on spend. Uh, it could be based on a number of things that would allow third parties to circumvent your standard onboarding process. If that happens, you need to understand where they are and what the risk is that’s involved with them. Then do you have a centralized and automated third-party contracts database? So can you have reference to and understand the contracts that exist for your third parties? Is there, um, an automated process workflow for how you do the due diligence for onboarding that can streamline the process and bring efficiencies to your organization? So that is, uh, another aspect of the challenge, and how you can automate that and the benefits that derive to your organization. Um, do you have an existing issue tracking system for all of the issues that are identified for third parties? And is that automated, or are you tracking it on a piece of paper or an Excel spreadsheet?
Bob Wilkinson: Because what you want to do is you want to leverage where those issues are tied back to the businesses that have those issues and periodically update those businesses on the status of issue remediation, because again, as I said, the key to a successful third-party risk management program is the ability to mitigate risk and lower that risk for your business. Um, regulatory and business common sense tells you that you want to track the performance of your third parties. That usually ends up in the business with a business relationship manager doing that. But there are, and in particular in banking, quarterly requirements to track the performance of your critical third parties and how they’re performing. So you have to think of that aspect of things, um, for continuous monitoring programs, thinking about the process workflow that you’ve implemented and that that is an automated process so that information can quickly get to people who need it, so they can take the actions that are required for doing it. And then finally, have you considered your, uh, management reporting structure and requirements? So, have you thought about what you need to measure, KPIs, KRIs, and what parts of your organization need to be reported to at what frequency as you go forward? And that starts to wrap up my presentation. What I’ll say is that those questions about KPIs, KRIs, um, management reporting, and how you do all of those things and, uh, how some of the regulatory environment changes are impacting third-party risk management will be a large part of the next webinar that we do, webinar 4, which is scheduled for June 9th. So, at this point, I’d like to turn it back to Melissa first to see if we have any questions.
Melissa: Um okay, I’ll do one and then I’ll have Scott kind of jump in and do his thing. Um
Scott Lang: Well, but there are so many good questions that have come through. I think we should address those first before we jump into my part. Let’s keep the conversation going with that and then I’ll just kind of pop in at the end.
Melissa: All right. Usually it’s dead and now we have all these questions. It’s awesome.
Scott Lang: I know. That’s great.
Melissa: Okay. I’ll start. You gave him a lot to chew on, I guess, huh? Um, I have one that asks, “How valid is a SOC 2 Type 2 report since it’s a period of time?”
Bob Wilkinson: Well, a SOC 2 Type 2 has validity and it’s a comprehensive assessment of the risk posture of the organization that it was performed on. But I come back to my point: it’s a very useful document on the day that it’s provided to you, but what happens tomorrow and the next day? And how often is a SOC 2 Type 2 performed? So, are you comfortable that the product or service being provided by a third party, based on that SOC 2, is going to be good enough for you for the next year or two? So, that’s always my concern there, because we’re in a world that is very, very transactional, where we’re seeing impacts all the time. It’s an absolutely useful piece of documentation, but then what happens tomorrow? You’re not going to get your SOC 2 Type 2 updated, you know, 365 days a year. That’s the challenge.
Melissa: Got it. Um, okay. I have another one for you. Are regulators being critical of entities who have many vendors that have similar services, i.e. one vendor who can serve multiple business lines? So why have four vendors who do the same thing, since it does increase risk?
Bob Wilkinson: All right. So in that context, from a business perspective, why do you have four when you can have one or two? You always have to think in terms of having sufficient redundancy. So if you have a critical process and you only have one vendor for it and that vendor goes bye-bye, you have a problem. So you might want to go from four to two. Now from a regulatory perspective, the way that the regulator would look at that is if you have lots of vendors all over the place and you’re sharing information with all of them, you may be taking undue risk, or you may not be being as financially responsible in the management of your business as you could be. But I think to get to that point, you would really have to be doing some extreme things. So I think it’s less a regulatory focus and more a business common sense approach. Why do you want this duplication? You’ve increased your risk. That’s what the regulators will focus on. Why do you share your data with four companies when you only need to share it with two? Um, and from that perspective, it just makes good business sense and good risk management sense not to be sharing with so many when a lesser number will do.
Scott Lang: Uh, another question for you is, what is the solution if SOC 2 is not valid or important for the whole year? What other documents should we request or depend on?
Bob Wilkinson: You see, that’s the problem with documentation, right? Documentation is a moment in time, and it is useful, and historically that’s the way third-party risk management has been, uh, practiced, but because we’re moving more things to the internet, because we’re expanding our use of third parties, we’re at a disadvantage if we don’t have that continuous flow of information to our organization. So, and it goes beyond just continuous monitoring. So, how do you tie your third-party risk management program into other key areas of your organization? So, how do you tie it in with your cyber intelligence? How do you tie it in with your security operations center so that when they have an incident, they can go to you and say, “Hey, Log4j just happened. Which of our critical third parties are using that Log4j software and how can we address it that way?” So part of it is the changing landscape of the space, the increasing use of third parties, the use of, uh, the internet and, you know, the slow demise of the traditional data centers that force us to look at solutions that provide more timely information on an ongoing basis. So documentation isn’t really going to get you that visibility on what’s going on on a continuous basis. It’s a challenge.
Melissa: Perfect. Thank you for your knowledge. Um, I will pass it over to Scott at this time. We have a few minutes left. I know he wants to say a couple things. Go ahead.
Bob Wilkinson: Okay, Scott.
Scott Lang: Hey, actually I’ve got a couple more questions that I’ve seen come through, uh, that I honestly, I swear I’m not a ing my part of the presentation here. I’m just excited to have this level of interaction with the audience. That’s fantastic, folks. Um, another question that came through was, can you explain ESG risk? You know, ESG seems to be a relatively new concept. Any advice on how to include this concept in regular due diligence processes?
Bob Wilkinson: Well, the short answer is come back on June 9th when Prevalent is doing an ESG webinar and I’ll be talking about that in much more depth.
Scott Lang: I teed you up there, Bob. plant that one.
Bob Wilkinson: Brilliant. Yeah, the short answer is, it depends on the geographic region that you’re operating in. There’s a difference between the US and Europe, but in the US, ESG is really focused on companies providing information to their investors on what is called the concept of materiality. So if the environmental, social or governance risk is such that it would have a material impact on an investor’s decision on how they voted their shares in a company or whether they purchase shares in the company. That’s the focus of the Securities and Exchange Commission in the US. When we move to Europe, UK and other regions, we get into different questions. So, like I said, June 9th, and you’ll get lots of detail.
Scott Lang: Uh, and I do want to address one question that has come up repeatedly in the chat and in the Q&A. Uh, yes, the recording for this session will be available, as well as the recordings for sessions one and two, and those presentations will be sent out tomorrow, so everybody will have access to the great content that, uh, Bob shared. Um, uh, one final question for you. I think you might have addressed this already. I apologize. Uh, but the differentiating factors that you have to consider in performing due diligence for on-prem versus cloud-hosted, uh, providers. Um, yeah.
Bob Wilkinson: Um, well, that is not a short answer, and I’m not trying to avoid the topic, but, uh, you know, on-prem solutions, um, you’re dealing with someone specifically. You know, the problem with the cloud is, as people move more things to the cloud, how redundant is the cloud? The cloud is fairly redundant. It’s, uh, become a critical part of business. But when the cloud goes down, the cloud goes down not just for me or you. It goes down for everybody. And we’ve seen those AWS outages where you lose the east coast or the west coast. That’s a significant impact. And when you’re dealing with the cloud, you have a whole bunch of other questions that you need to address and manage, including how your data is managed. You know, what’s your role? Are you going to be the administrator? Is AWS, for example, going to be the administrator? There are many, many aspects that you need to consider, and Scott, that may be something that’s ripe for a conversation on a different day.
Scott Lang: Yeah, agreed. Yeah, good call. Uh, all right, I want to keep everybody on time for the rest of your day. I’m showing about a minute before the top of the hour. I just want to share with you one brief, uh, slide, uh, about Prevalent, uh, and what we can do to help, you know, alleviate some of your third-party risk management, uh, challenges. So, I’m going to go ahead and launch a poll while you do that and they can answer while they listen to you. Thanks. Go ahead.
Bob Wilkinson: Yeah. Yeah, sure thing. Um, all right. So, if you guys can see my screen. Um, you know what? What? Oops. I think you’re probably seeing the wrong one, aren’t you? Oops. Give me one second here, folks. Apologies for that.
Melissa: Great.
Scott Lang: Melissa, just confirm you can see my, uh, my screen right now. Great. Um, you know, everything Bob talked about today, kind of doing on your own, and all of the questions that you’ve asked kind of confirm for me that third-party risk is still in its infancy. Uh, so much still has to be resolved in terms of, you know, process, risk management, you know, libraries for risk intelligence, for asking good questions. Kind of going it alone or relying on maybe manual tools like spreadsheets to do that is just an absolute nightmare. We specialize in providing a platform that brings all of this content together, um, in a single solution. So you have a vast library of questionnaires and assessments that you can draw from. Uh, you’ve got automated remediation recommendations that help you direct your third parties to a path to an acceptable level of risk. Uh, built-in risk reporting that aligns with several regulatory regimes and requirements. Questionnaires for ISO, NIST, uh, CAIQ, you know, all these different, uh, requirements as well. So that you’re looking at risk not at a point in time but holistically throughout the vendor risk life cycle. Uh, and again, we package that up in a platform, uh, give you access to unlimited amounts of questionnaires, uh, risk management topics, the ability to build your own questionnaire, and then you can close the loop on risk with those third parties, you know, as necessary. We’d love to have the opportunity to talk with you about what we can do to help you, uh, address your individual levels of risk in your organization. You know, as Melissa reaches back out to you with a recording of today’s session and the presentation and more, you know, feel free to engage with us. We’d love to have, you know, a short conversation with you on where you’re currently at, you know, what the next steps for you might be and how we can kind of help you get there. So, you know, that’s all I’m going to say here. I know we’re at the top of the hour.
Melissa, I’ll shoot it back to you to close it down.
Melissa: Perfect.
Bob Wilkinson: Melissa, just one point if I can before.
Bob Wilkinson: Um, the fourth part, the fourth webinar is scheduled for June 9th, I believe. Not June 9th, what is it? June, sorry, June 15th. So, the fourth part, where we’re going to talk about a number of, uh, other topics, is for June 15th at noon. And if you have any questions about anything I presented today, my contact information is on the screen. Feel free to reach out to me and also to the Prevalent team, and we’ll be happy to get back to you.
Melissa: That’s pretty much all I was going to say. Have a great day you guys and we will see you at the last one, last part. Take care. Bye.
Bob Wilkinson: Okay. Bye-bye.

©2025 Mitratech, Inc. All rights reserved.