Third-Party Risk Management 101: The Foundations for Building a Successful TPRM Program
Description
Between numerous vendor breaches and geopolitical events disrupting supply chains, last year highlighted how critical it was to have full visibility into potential risks from third parties. In the face of these challenges, where do you begin?
Make 2023 the year you create or improve your TPRM program. Join the preeminent third-party risk expert Bob Wilkinson, CEO of Cyber Marathon Solutions and a former CISO at Citigroup, as he guides you through building a solid foundation to measure and monitor your third-party risk.
In this webinar, you’ll discover how to:
- Identify a framework for effectively managing your entire vendor risk lifecycle
- Benchmark your organization’s TPRM maturity against best practices
- Ensure visibility across a wide range of cyber, business, and operational risks
- Assemble a team of internal stakeholders to ensure successful program adoption
- Build program participation and advocacy among your vendors and suppliers
With over 30 years of real-world experience architecting and implementing risk management programs at Fortune 100 companies, Bob is the perfect guide for bringing a best-practices TPRM approach to your organization. Watch this on-demand webinar now!
Speakers

Bob Wilkinson
CEO of Cyber Marathon Solutions and a former CISO at Citigroup
Transcript
Host: Hello and welcome. It’s great to see everybody start joining. I’m going to give you all a minute while we wait for everyone to get situated and dialed in. But in the meantime... to see what brings you to today’s webinar. Looks like we have a slight issue with Ashley’s audio this morning. So, we’ll see if we can get that figured out. In the meantime, we’re going to launch a poll question as people start to join this morning. So, let’s do that. Ashley, if you can hear me, could you please launch that poll? If not, I’ll see if I can do it myself. There we go. See if Ashley can make it back.
Ashley: Hello.
Host: There you go. All right. I think you’re good. Wherever you left off?
Ashley: Yes, Scott. We’re also joined by our very own VP of product marketing, Scott Lang. And just a reminder, this is being recorded and we’ll be sending out the recording along with the presentation slides shortly after the webinar. You’re all currently muted, but we do encourage participation. So, please feel free to put any questions in the Q&A box. Today Bob will be going over the foundations of TPRM and establishing a TPRM framework. So, Bob, I’ll go ahead and hand the reins over to you.
Bob: Okay. Thanks, Ashley. Welcome everyone. Today we’re going to talk about the first part in a four-part series, which I call building a sustainable third-party risk management program. Now, as we go through this, if you have questions, use the chat feature; I’m happy to take questions along the way. And let’s get the party started. So, today we’re going to focus on establishing a TPRM framework. We’re going to talk about the maturity model and we’re going to talk about the role of operational resilience in supply chain risk management. And the reason I call it supply chain is because we’re really looking at all of the vendors that your organization may be using, not just the third parties, but also their third parties, the subcontractors, to really understand the risk picture and what needs to be addressed. So what do the following recent events have in common? You know, we had the situation where a ship became stuck in the Suez Canal and no other ships could transit the canal. We’ve had the California port issues with unloading ships. You know, in 2021, we had a winter storm in Texas which took out the power grid. We’ve had SolarWinds, Kaseya, Log4j, Okta; the list of software issues from third parties just goes on and on. And there’s a number of other issues that I could cite. I could sit here basically and talk about them all day. But the point is that they were all, prior to them happening, considered black swan events. And when we use the term black swans, we’re talking about things that we rarely expect to happen, but do have a small probability of happening. And what we found out with our supply chains is that what we thought previously were black swans are in fact occurring at a far too regular frequency, and that in the process of that we have to adjust our thinking. Black swans are the new norms.
Bob: We learned that with COVID. We learned it with the impacts that we’re still suffering in supply chains from the disruptions of events that we could not have easily foreseen, such as the situation in Ukraine and China shutting down for a while because of all the COVID spikes that they had.
Bob: So we have to adjust to this new world where things that were considered abnormal have in fact become the new normal. So today what we’re going to talk about is how we get started with establishing a third-party risk management program. We’re going to talk about the journey through third-party risk management and the importance of knowing where you’re starting from. The need to take a proactive approach in managing your supply chain risk with a goal of ensuring that you establish operational resilience. Who are your key third parties? Which ones do you consider critical? And how have you ensured that they have sufficient capacity to support your critical business initiatives and functions? We’re going to take a holistic view of operational risk as it applies to third-party risk management. We’re going to focus not just on cyber risk or business continuity, but look at financial risk, operations risk, concentration, geographic and natural disaster risk, compliance risk, and lastly, environmental, social, and governance risk. All of those factors are important, and any single one of them could result in a situation where your third party might be unable to deliver a critical service to you. We’re going to explore the third-party risk management framework and life cycle, talking about the five phases of that process: from planning and discovery through risk assessment, the critical role of continuous monitoring, remediation of third-party risk, which is one of the areas that unfortunately tends to get neglected. When we do risk assessment, the point is not to complete the risk assessment. The point is to remediate the issues that are identified as part of the risk assessment, because it’s only through that remediation that risk is actually reduced, and then finally the termination of third parties.
Bob: After we do that, we’re going to talk about the third-party risk management maturity model, the importance of understanding where you are on your journey: where are you starting from and what is a reasonable maturity goal for your program to achieve. Then I’ll start off by saying, on the scale of one to five, it’s not getting to five.
Bob: So, we’ll also talk about building organization and supply chain consensus, the importance of fostering your relationships with those third parties that you work with. And we’ll also talk about the importance of the various stakeholders that you need to work with when building your third-party risk management program. So when we talk about third-party risk management, we’re talking about a journey that you’re on. And whenever you tell a story such as this, you have to know where you’re starting. You have to know where you’re going to and you have to have a means to communicate that to the various stakeholders that you’re working with. So when you report to your management, when you report to potentially the board of directors and help them to understand why they should fund a third-party risk management program, the best way to do that is to tell the story. Here’s where we started from. This is where we want to get to and this is what it’s going to take to do that. So, while you tell your story, you’ll also need to back that story up with data. And as we go through this course and as we get to other modules of it, we’re going to talk a lot about key performance and key risk indicators. And when you think about backing your story up with data, it’s really important to understand that that data shows trends. You have to ask yourself, whenever you think about the data you’re using to support your story and where you’re going, that it tells something about how you’re trending. The first question you should always ask yourself about data is: so what? What is it telling me? Is it telling me about a trend I need to do something about? But there’ll be more about that in a future course. So remember, know your starting point and how it is that you can communicate that to your stakeholders so they have confidence that you’re building a sustainable program.
Bob: Proactively managing supply chain risks. What we’re really trying to do is ensure that we build sufficient operational resilience into how we manage our third parties so that our critical business functions can continue to deliver for our customers.
Bob: And as part of that, you need to understand on an ongoing basis where risk is occurring. I talked a little bit earlier about the black swan events. Well, as they become more common and as we have to deal with them, we have to ensure that we have the capabilities not just within our organization, but with our critical business partners, that they can continue to deliver the services that we expect. So I cannot overstress or overuse the term operational resilience. That is key to being successful in delivering for your customers. So by doing that we will enable the prevention of disruption. We’ll be able to quickly detect when an event has occurred and likewise be able to rapidly recover to continue to deliver those services to our customers. Now, one of the things that is not as appreciated as I believe it should be is the fact that over half of the security incidents that we have in our organizations are the result of a compromise that occurs at a third party. What’s even less well recognized is that often that compromise at the third party started at one of their subcontractors, one of their fourth or fifth parties as we call them. So understanding the controls and the processes that our third parties use, and their oversight of their subcontractors, and their clear disclosure to you that they’re using contractors, particularly to deliver critical services, becomes a key component for managing operational risk and ensuring resilience. So there are different kinds of operational risks, and everybody likes to focus on cyber, likes to focus on disaster recovery and continuity of business, but any of these risks could definitely impact your business. So, we have financial risk. Is the company, the third party that you’re working with, continuing to operate in a sound, in a profitable way?
Bob: Have they seen a dramatic change in their financials, which may indicate that they’re having problems and potentially heading to bankruptcy? And for those third parties that are critical to your business, do you have a contingency plan should they be negatively financially impacted and potentially go to bankruptcy? From an operations perspective, it’s important to look at resiliency.
Bob: Do they have the capability to quickly recover to ensure uninterrupted service to you? Are they doing an effective job of managing their resources? Do they have high rates of turnover in their staff which may impact their ability to deliver operationally? Has the company been affected by an acquisition or a divestiture, and has that led to a loss of focus on the delivery of services to you? Do they have sufficient infrastructure capacity to continue to deliver? Moving on from there, it’s important, particularly in the world as we see it today, to understand geopolitical, location and concentration risks that we may face. One thing, for example, that companies have found out is that a lot of outsourced software development activity happens in both Ukraine and Russia that may have been directly impacted by events that are going on in that part of the world today. Have you located this, you know, have you understood the location of the services that a third party is providing to you? They may have a corporate headquarters in the US, but if that service is being delivered, for example, in Turkey today and they were impacted by an earthquake, that may have caused an interruption to services to you. So, it’s very important to understand from where the service is being delivered that you’re relying on: not where the company that you contracted with is located, but where is that service being provided from? And finally on that topic, understanding where you may have concentration risk, and concentration risk can take several forms. It can be the case where a number of your business activities and business units are relying on the same third party to deliver service to them, and that there could be an interruption in that service.
Bob: In a bigger sense, for example, the banking industry relies on certain key players in certain parts of the world, and should there be an impact to those companies or that physical location, it could have a ripple effect through the banking industry. From a cyber perspective, the attacks are just becoming more complicated, more sophisticated, what we call advanced persistent threats and attacks upon organizations.
Bob: We’re seeing even midsized and smaller organizations where they’re victims of organized criminal or even nation-state attacks. So, it becomes even more important to ensure that proper hygiene is being used with regard to cyber and the rate at which new attacks are coming. And particularly in this regard, I’ll talk about software. When you’re using third-party software, you need to be aware what third-party software is being used in your organization. So just as we’ll talk in a little bit about building an inventory of who your third parties are, it’s equally important to have an inventory of the third-party software that’s being used in your organization, because as we’ve seen with SolarWinds, with Kaseya, with Log4j, those things have real impact on your organization. And when there’s a problem with that software, people in your company have to drop everything they’re doing and go through a fire drill to figure out whether you’re leveraging any of that software. Next, we have ESG, and environmental and social topics are becoming more and more important by the day. So the focus on environmental, I think everybody understands that. So companies need to be conscious that the environmental practices of those third parties that they’re using are being exercised in a proper and responsible manner. From a social perspective, you want to know that the companies that you’re working with are treating their workers fairly, that they’re not taking advantage of child labor, and a number of other topics there, that they’re considering diversity and inclusion in how they do business and related topics.
Bob: And then finally, on the compliance topic, that the third parties that we’re working with are complying with necessary laws and regulations, because if they are not complying with the laws and regulations that you’re subject to, you are potentially liable and you will have a very negative reputation impact because of that. So that’s really the universe of what we’re talking about. Now when we talk about the life cycle for third-party risk management, it starts with planning and discovery.
Bob: And what we’re interested in doing there is identifying what our supply chain inventory looks like. So obviously we want to know the third parties that we work with. Obviously we want to focus on the third parties that affect our critical business activities. And there are several ways that you can get started in this space when you’re trying to identify your supply chain inventory. You can focus on, and this is something that is particularly useful, which are my critical third parties. And one of the best ways to find that out is talking to your information technology department, the people who are responsible for business continuity and disaster recovery, because it is generally very aware of who the critical vendors are that they need to continue delivering their services. So that’s one way to do it. When you’re trying to validate that you have a full supply chain inventory, it’s very, very useful to go to your accounts payable people and ask who did we pay in the last two years, because if you have a vendor and they’re getting paid, you’re going to discover it through your accounts payable process. Another aspect is ensuring that contracts exist and, when we talk about contracts, that they properly address risk. Many relationships that companies have have been around for a number of years. But when you ask them to find a copy of the contract, they say, “Oh, we’ve been doing business with them for 20 years and nobody can locate the contract.” That’s problematic. Next, we move on to risk assessment, where we look at how it is that we do due diligence and focus on onboarding. And one of the biggest problems that we find in third-party risk is that the process for onboarding new third parties is too cumbersome and drags out too long.
Bob: And when you talk to your business partners, they’re ready to move on a market opportunity or to ensure that they can continue to deliver their services very rapidly, and we have to be very efficient in how that risk assessment process is accomplished.
Bob: I know of large organizations where, if it’s a critical vendor, it may take them three months or longer to onboard that critical third party, and that’s just too long from a business perspective in terms of getting things done. Again, that’s a topic we’ll talk about in a future webinar. The important thing to take away is that you need to bring efficiency to how you do due diligence and your onboarding process, and you need to think very seriously about how to automate those processes to be successful. Next we have continuous monitoring. And from my perspective, continuous monitoring is absolutely critical to third-party risk management. When you do a risk assessment, you’re taking a point-in-time assessment of the controls that your third party has in place. Well, that’s good for the day it’s done, but there are 364 more days in the year where you need to have understanding and visibility into how your third parties are performing. So you may start with risk assessment, but you need to, particularly for your critical third parties, continuously monitor across all of the supply chain operational risks that your third parties face and that you have to ensure are being properly managed to support your business. From there we have the topic of remediation and issues management. And for me this is perhaps the most frustrating of all topics, because I’ve seen many instances where companies don’t do this well. If you’re going to take the time to do a risk assessment and it identifies issues, then take the time to ensure that the issues are sufficiently fixed and validated. Otherwise, quite frankly, don’t bother doing a risk assessment if you’re not going to fix the issues that are identified, because that is where true risk mitigation occurs. Excuse me. And when you identify issues, you have three ways to deal with them.
Bob: You can fix the issue, you can accept the issue, or you could transfer the issue, the risk associated with it. Now, risk transfer is generally done through what we call cyber insurance.
Bob: For example, if you have a lot of customers and you’re concerned about a data breach with the customers, you can get cyber insurance, which will help you offset the risk of a potential customer compromise. But the only way you get underwritten for cyber insurance is by having a sound risk management program. When it comes to accepting risk, one of the important things that you need to do is this: the business can’t just say, okay, I accept the risk. The business hired the third party; the business is accountable and responsible for what happens with that third party, and if there are issues that cannot be remediated, then compensating controls must be put in place to offset the risk. And a business just accepting risk may be accepting risk not on behalf of their business unit but on behalf of the company, and that puts us in an unacceptable position. So remediate, accept with compensating controls, and transfer risk through cyber insurance, for example, where that’s an option. And then the final part of the life cycle is termination, and one of the focuses there is to ensure that you properly obtain the data that was being handled by the third party or that it is destroyed, and that all third-party staff who had access to your environment have their access properly remediated. The TPRM maturity model: this is just one of many models that exist in the space, but it conveys the critical points. So, five stages. At level one, your third-party risk management process is very ad hoc in nature and you may not have the proper resources. You don’t have documented procedures. You don’t know what your third-party inventory is and you’re trying to figure out how to get started. And from a TPRM perspective, that’s where many people start out. But the risks that exist are pretty significant.
Bob: From there, we advance to level two, where at least resources have been allocated, your processes are still not well documented, and you’re primarily reacting to events that occur. So, at level two, you’re trying to figure out: what do I need to do? How do I get the resources in place? How do I structure my program?
Bob: And those things are very critical to the success of your program, and they include how you go about obtaining sponsorship from key stakeholders. At level three, you have a documented plan and roadmap. You know where you want to go, the things you want to accomplish. You now have an organizational structure for your program. And you’ve established some governance processes and begun to have dialogues with the different stakeholders in your organization. As you do that, you begin to address some of the issues that have been identified, ensuring that your program is starting to mature. Many organizations find that once they put these steps for level three in place, for the business that they’re in, they’ve gotten far enough. However, there’s still work to be done and other things to be considered. And that’s when we get to level four, where a third-party risk management program has been implemented. You may have policies and standards. You understand the risks and you actively track those risks, and you’ve begun to do some level of continuous monitoring of the health of your critical third parties. At level five, which we generally refer to as the optimized level, you’re continuously improving your third-party risk program. You’re proactively addressing risks. You’re looking more deeply into your subcontractor risks, and you’re spending a lot of money. So for many organizations, getting to level five, to that optimized state, is more than your business may need and perhaps more than your budget can withstand. So if you can get yourself, at the end of the day, to somewhere between a level three and level four and mature your program that way, you’re ensuring that you’re addressing both the critical risks that you identified and the risks that emerge on an ongoing basis. So, building organization and supply chain consensus for third-party risk program success.
Bob: So there are a number of business drivers for why we need to build resilient supply chains. Among them are competitive advantage, the ability for a business to enter quickly into new markets, improving the business’s reliance on the supply chain, because more businesses are constantly outsourcing activities.
Bob: So that’s a key driver in what we’re doing and probably why many of you are here today, because as we increase the business reliance on supply chains, we need to likewise make sure we’re taking steps to offset that risk. We have black swan events that, as I said before, are becoming not black swans but daily occurrences, and we need to be better prepared to deal with that risk. And then in areas such as health care and financial services, we have to meet increasing regulatory requirements. So net-net, what are we trying to do? We’re trying to build trust across our supply chains. The third parties that we’re working with, they’re our partners; they’re not the enemy. They’re not someone that we just need to do due diligence on, but someone we need to foster relationships with, because our third parties can teach us much about how our businesses are doing, how our businesses are perceived. And if we build trust with them, and trust has to be built one third party at a time, we can find ourselves in a virtuous cycle which ends up paying dividends for all of us. So trust across the supply chain is a key concept, one that we need to focus on more. The importance of third-party risk management stakeholders. For me, understanding who the stakeholders are in any business that I work with is critical to building success. How we go about cultivating those relationships, who are our logical partners in this journey called TPRM that we’re on. How can those stakeholders help us ensure success? So, I’ve listed a number of different stakeholders here. I’ll talk about them not necessarily in the order they’re here, but in their order of importance. So, one of the key organizations that we need to focus on and build relationships with is our procurement and sourcing organization.
Bob: They’re the ones who have the most visibility into what businesses are trying to do across our organization, and they are under a lot of pressure to get new third parties onboarded, and as we go through the process of onboarding, one of the key steps is doing a third-party risk assessment. So fostering the relationship with procurement helps to understand key trends that are going on in the organization.
Bob: When businesses are looking at new third parties, often it’s procurement who hears about that first, long before you get requested to do a third-party risk assessment. By building that relationship and being supportive of them when they come to you and they need to get risk assessments accomplished to complete the onboarding, you build a healthy relationship and you build visibility into what’s actually going on and how your businesses are looking at building out their third-party relationships. Now, if you have an enterprise or operational risk management focus in your organization and you have a function that’s responsible for that, they can be great partners for you, because their job is in a model that we call three lines of defense, where the first line of defense are the operational units actually working on a day-to-day basis to manage different functions. The second line of defense, the enterprise and operational risk management teams, their function is to oversee and validate that the controls that the first line of defense people have in place are being effectively administered. Having a relationship with your enterprise risk people, providing them transparency into what you’re doing with TPRM, how you’re managing the risks, the issues that are coming up, helps them to more effectively engage with the first line and with the business to get them to do the things to mitigate risk and better manage it that your business needs to accomplish. Another key relationship is with the third-party relationship managers. Business units should, although they don’t always, designate someone in the business unit to be responsible for the management of the relationship and the oversight of the performance of the third party.
Bob: These are key people from a TPRM perspective that you can liaise with and work through to ensure that third parties are aware of your risk assessment requirements, that they are responsive when issues are identified to mitigate that risk, and to help you in this overall effort to better manage risk with the third parties.
Bob: Information security is an important stakeholder because they have many functions that tie directly into third-party risk management, and many if not most of the time third-party risk management programs are part of the information security organization. So when an incident occurs at a third party, usually if the business is notified, they may notify you, or it may have come to the attention of your security operations center, or SOC as it’s sometimes called. And when SOCs become aware of security incidents at third parties that your company might be using, they’re going to need information about that. They’re going to reach out to the third-party team, or the third-party team may reach out to the SOC proactively to help with the management of an incident. Likewise, if the cyber intelligence function in your information security team, which looks for potential future vulnerabilities, is aware of the critical third-party relationships that your company has, they can be more proactive in looking at risks that may be emerging or evolving as it relates to those third parties. Now, jumping back up to the top of the list to the board of directors and senior management. The board needs to have a clear understanding of the risk that’s represented by businesses deciding to outsource third-party relationships. And in fact, before critical outsourcing decisions are made, the board of directors should be consulted about the nature of the relationship and agree that it’s an appropriate relationship to enter for the businesses. Does that happen all the time? No, it doesn’t. But if you look at regulation, and particularly as it applies in financial services, the board is expected to know about third-party risk, and they’re expected to have an active role in overseeing the third-party risk program.
Bob: And they are responsible for communicating their risk appetite when it comes to third-party outsourcing to the senior management team. The senior management team is responsible for communicating the board’s risk appetite down to the business units and down to all of the functions within the company, so that undue risk is not being undertaken through outsourcing to third parties.
Bob: The business unit management, they’re the key decision makers in terms of identifying needs and opportunities to outsource to third parties. The business unit management should, as part of this, have a very clear definition of what they’re trying to achieve and an understanding of risk, and appoint someone within the business unit to be accountable for the management of that third-party risk. And that was what I referred to as the relationship managers. Depending on the nature of the business and the information or access that is being shared with a third party, if there is financial information being exposed, there’s the potential risk of fraud. So understanding who your fraud risk management people are, particularly in an organization where financial transactions occur, can be important, because increasingly third parties are being exploited to gain that financial information to commit fraud. Legal has a strong interest in contract management and understanding what risks may emerge when entering into third-party relationships. So the contract topic is a really important one. And one of the things that companies do is, besides the master service agreement that they sign with a company, they often add a security appendix to the contract. And when signing those contracts with third parties, there are three key things that need to be included. Those are the right to audit, a requirement by the third party to notify your organization about any data breach, and lastly a commitment to remediate any issues that are identified. So that security appendix becomes an important aspect of the third-party relationship and often involves at some level some conversation with your legal people. That may also come up, along with not just legal but compliance, in the event that there’s a data breach, for example, or some other security event, from a compliance perspective.
Bob: If you’re working with a third party, you don’t want to see negative news about that third party questioning their labor practices, their commitment to the environment, or any other type of issue that might emerge.
Bob: So, being able to work with compliance to help them understand where you may have identified negative news or other abnormal behavior at a third party is an important relationship to have. Business continuity and disaster recovery: as I said earlier, they’re a great partner in this journey, and they have a very good understanding of who the critical third parties are that need to be well understood to support your business on an ongoing basis. So when you’re starting out, the first thing you should do as you build your inventory is identify who those critical third parties are. And the best way to get a jump on that is working with your business continuity and disaster recovery people. Privacy is an important consideration if you’re sharing information with third parties. Now, when I think about who my critical vendors are, my critical third parties, I think about two things. Who am I sharing information with, and who am I granting access to my infrastructure and my network? That for me drives a lot of my factoring in on who my critical third parties are. So when you think about information, sharing of confidential information with third parties, privacy definitely is a critical topic. Finance, obviously, because you need to have a way to check on the financial health of third parties, and then your actual third, fourth, and fifth parties. Understanding what the supply chain is. People say, well, I’m just starting out with my program and identifying third parties. How am I going to get to my fourth, fifth, and sixth parties? Well, start with those fourth and fifth parties that are tied to the critical business activities that involve third parties. The rest you can get to later.
Bob: And then of course, if you’re working in an area where regulation is an important consideration, you’ll want to ensure that you have an open dialogue with your regulators, that you’re communicating in a good fashion, and that you’re continuing to monitor the regulations as they evolve, because there’s a lot of new regulations on the horizon and things being published, and depending on the country that you’re doing business in, there are different regulations that apply. So that’s it for the presentation.
Bob: If there are any questions, I’m certainly open to them and would love to hear from you. And if you have questions after this webinar, here’s my contact information, bobcyms.net and my mobile number. Feel free to reach out to me. I love doing this stuff, so I’m happy to have a conversation with any one of you. All right, at this point I’m going to stop my share and I’m going to turn it over to Scott Lang. Scott, over to you.
Scott Lang: Awesome. Thanks so much, Bob. Real quick, making sure everybody can hear me. Okay. Can you hear me? Okay, Ashley, can you hear me? Okay. Ashley: Yes, sir.
Scott Lang: Awesome. Good. Well, thanks folks for giving an hour of your time today to listen in to some pretty incredible best practices that Bob has to share based on his experience and some of the foundational elements of building a TPRM program. What I want to do today is just explain a few things on how you can get started pretty quickly and what our perspective is on it from there. So, start thinking about your questions that you want to ask Bob, if you haven’t asked those yet, in the Q&A tab in Zoom here while I’m going through my presentation. So, as we talk to our customers, they overwhelmingly tell us they want to accomplish three things with their third-party risk program. First is helping them get the data they need to make better business decisions about vendors to onboard, third parties to assess, and how and what the right criteria is for potentially offboarding a vendor. Second is increasing efficiency in assessments and monitoring and remediation and more by breaking down silos of information and tools and systems that are inherent in almost every organization, and third, evolve and scale their programs over time as the number of third parties they work with increases. How do they position themselves effectively to accommodate the additional level of assessment and remediation work that has to be done accordingly? But the problem is this: doing third-party risk management a manual way just ends up costing a lot of time and a lot of money with very few results to show for it.
Scott Lang: And some evidence of that is, we do a survey every year in the industry, and one of the questions we ask is what percentage of companies out there are still using spreadsheets to perform their vendor risk assessments. Well, in the last three years that trend has pretty much stayed the same. It was 42%, it was 45%, it was 46%, back to 42%.
Scott Lang: Just fewer than 50% of folks out there are still using spreadsheets to assess their third parties, compare their results against acceptable control thresholds, and then do some sort of remediation or reporting, and we all know you just can’t do that effectively with spreadsheets. Second is they’re dealing with outdated info. About 46% of folks we talk with say they have no real-time intelligence into vendor risk. And as Bob mentioned a while ago, doing that once-every-so-often risk assessment is valuable. It gives you a good baseline, but an awful lot happens in between those risk assessments. And without that consistent flow of information on a third party’s cyber risk, business or negative news, reputational problems, financial issues, ESG findings, whatever, you’re really exposing yourself to a lot of additional risk. And third, and this kind of goes to the previous slide, a lot of organizations have a lot of different folks in that organization with their hands on the plow. Roughly 50% of organizations we see have the IT and infosec teams leading third-party risk, and then the other 50% ownership is spread amongst four other departments or so, and that’s probably similar to a lot of the folks on this call today, about 50/50 security and non-security, I would surmise. But the issue is every one of those departments we have listed there, and then the departments we don’t even have listed here, each have a stake in third-party risk in some capacity. So, lots of different tools at play, a lot of them manual, very little of them offering real-time intel. It just adds a lot of confusion and overlap in the enterprise.
Scott Lang: So, our approach to solving the problem is to be much more prescriptive for you, and this is across departments: across procurement, vendor management, supplier management, IT security, data privacy, legal, compliance, whatever. And to look at risks uniquely across every step in the third-party life cycle. We see challenges at every one of those steps, but we also see solutions and needs and wants at each of those steps as well.
Scott Lang: Getting automation and intelligence when you’re evaluating vendors. Finding out if a vendor is fit for purpose or fit for use is great for the business, but it’s also bad for the business because you don’t know if they match your risk threshold. Creating a single source of the truth in terms of supplier risk profiles, intake processes, contracting and onboarding workflows tends to be a challenge for a lot of orgs. Different tools in place, processes, more really just add to the problem. And third, not having a good inherent risk score so you have a baseline from which to build the rest of your assessment strategy off of. Next, another big challenge that organizations face that we help to address is streamlining the ongoing assessment process against multiple different requirements, because it isn’t just about IT security and privacy and particular compliance concerns, although the vast majority of it is, which I recognize, but it’s also understanding their financial position or their certain ESG metrics or anti-bribery and corruption or anti-money laundering statements, things like that. How do you pull that together in one solution? Next is continuously monitoring and validating those results. We said before, looking at a snapshot of a company’s internal controls over their IT security risks, for example, is only going to be valid the day those controls were captured. Next is measuring performance over time. Whether or not a vendor or supplier or third party is meeting your contractual requirements is necessary; you’ve got to have that in order to view your KPIs and KRIs and measure that against service levels.
Scott Lang: And then finally, terminating and offboarding organizations.
Scott Lang: You kind of see some parallels to this with what Bob presented in his presentation around the third-party vendor and supplier life cycle, but making sure that when you’re offboarding and terminating a vendor relationship, you have the data destruction policies addressed, that contract terms have been addressed, that final payments have been addressed, and more. So, we see lots of challenges across that life cycle, but we see solutions, too. And at the end of the day, the goal is to accomplish three things: to simplify and speed up onboarding with a single source of the truth and a single set of processes to streamline that process, and to close gaps in risk coverage, which a lot of companies tell us they have. They say they’re only looking at data periodically. And finally, unify teams across the third-party life cycle. Now, that’s the foundation of what we’re trying to help you achieve in third-party risk. And to do that, we deliver a unique combination of experts to execute the hard work of third-party risk on your behalf, from onboarding vendors, assessing them, remediating the results, which is a key point that Bob brought up, and then performing ongoing management, giving you the richest set of data intelligence inputs into your vendor profiles to help you make good risk-based decisions across a multitude of vendor risk areas. Housed in a platform that automates, manages, and centralizes the process for all departments across the organization. That’s what we deliver to help you get off the ground and get started in automating your third-party risk program very quickly. We address multiple different types of risk areas.
Scott Lang: So, instead of buying six or eight different tools to assess and monitor different types of risks that your organization might be exposed to with its usage of third parties, Prevalent specializes in bringing all of that together in one solution. And the outcome to it is really threefold.
Scott Lang: Number one, to help you be smarter and make good risk-based decisions with good role-based reporting analytics and comprehensive risk analytics; to unify processes, profiles, assessments, and the life cycle from onboarding to offboarding; and then to be very prescriptive with built-in intelligence, workflow, and all the expertise behind it to help support you as you move throughout your third-party risk management journey. And speaking of that journey, a great first place to start is in performing a maturity assessment. So Bob mentioned a maturity assessment during his part of the presentation. We offer a maturity assessment that really operationalizes what Bob talked about, and it involves taking a pretty quick 45-minute, or sorry, 45 multiple-choice question assessment in our platform that will then create a report that tells you where on this maturity scale your organization is and give you some very specific guidance on what to do next on the next few steps, depending on what your organization wants to achieve. So, as part of the follow-up process to this webinar today, you’ll get the recording, you’ll get the slides, and then we’ll get you a link to the maturity assessment as well. You can schedule an appointment with our team and we’ll guide you through that process. Great first step to determining where you’re at now and where you want to be. Okay, with that, that’s all I wanted to share with you today. I’ll pitch it back over to Ashley. Ashley, I think we’ll open it up for questions from there.
Ashley: Thank you. But first, I’m going to go ahead and launch our second poll. We’re just curious to see if you’re looking to establish or augment a third-party risk program within the year. And please be honest, because we do follow up with you. But let’s go ahead and look through some of these questions. I love to see all the participation. And we do have quite a few. So Bob, why don’t you go ahead and pick out a few that you think would be the most valuable for our audience. Bob: Okay. So let me get over to the chat. I’m just going to go through as many as I can sequentially here. Okay, the first one. My customer has experienced at least one vendor who uses a managed cybersecurity third party who farms out its firewall event monitoring. Okay. Is there a way in which my customer’s legal department can structure a contract with the primary vendor so their risk is minimized against all the other vendors, third parties? Well, generally when you’re dealing with a third party and a third-party contract, you make the terms of the contract with the third party apply equally to any fourth, fifth or sixth party that that third party might be using. So in other words, the terms of the contract that you have with the third party carry through to any third parties that they use, and they, the third party, are responsible for due diligence on that fourth, fifth and sixth party, and that’s generally the way that’s handled. Because at the end of the day there’s a limited amount of resource, how much you can actually do yourself. All right. Next question. Let’s see. How soon is a TPRM program expected to embed ESG standards with the new rules and regulations on the horizon? So, as far as ESG goes, there’s not a lot of regulation in place specifically.
Bob: Now, it depends on the industry vertical that you’re working in. It depends on your company’s position as it relates to ESG. For example, if you work in banking, the OCC is currently considering publishing policy or guidance around the environmental impacts on financial services companies. You need to follow that. So, a lot of it’s driven specifically by the business that you’re in. If you’re an asset manager and subject to regulations by the SEC, ESG investing is a very hot topic. There have been a number of fines for companies. That is an area where you need to pay attention. But you always have to consider what the reputation risk is for your company around environmental, social, and governance issues. Okay. Next, let’s see what the next question is. Will participants get both Bob’s and Scott’s decks? I will leave that to Prevalent. I believe you do.
Ashley: Yes, we do. Yes, you do. Bob: So, you’ll have that to go through. All right. Now, we’re getting into Scott’s question. Scott, is there a cost for the maturity assessment? Scott Lang: No. If you’re interested in that, we’ll reach out; either Ashley or Melissa or one of the team will reach out as follow-up from this webinar if you’re interested in that. We’ll schedule a call with one of our specialists. They’ll walk through the process with you. And you can take that assessment pretty quickly. The only requirement is that we do like to have an executive audience on the presentation of findings to make sure that everybody across the organization understands the depth and the breadth of what the issue is and what the potential solution could look like.
Ashley: All right. I have a few more questions here. How do you view issues versus findings? Bob: Issues and findings are, from my perspective, the same thing. So, well, let me clarify: you have a finding, you need to validate the finding to determine if it is an issue. Issues need remediation. When I talked about software, the question is, do you mean software via licensed on-prem versus SaaS? I’m talking about companies needing to have an inventory of all the software that they use, because all of that software is potentially the target of a compromise, and the ability to have a full inventory of all software that’s used within your company, which you may in fact have. And you need to talk to your software development organization and see if they actually have managed to build an inventory. But whether it’s licensed on-prem software or it’s SaaS software, either one can suffer from a compromise, and you need to know what that is when it occurs.
Ashley: Bob, why don’t you go ahead and pick out one more question? We’re at the top of the hour. Bob: Okay. What if a TPRM analyst flags a vendor, however the business is still onboarding the vendor? Yeah, the final call is mostly with the business. The question becomes compensating controls. So if the business is willing to accept the risk and they’re not willing to impose compensating controls, that’s the most undesirable situation, but that’s where TPRM has an obligation to escalate that and to ensure that there’s visibility. The key with all of this is visibility and transparency through the organization. And that’s a case where things need to be escalated. So that’s that. Back to you, Ashley. And if anybody else has any other questions, feel free. You have my email, contact, my phone. I will respond if you reach out.
Ashley: Awesome. Thank you, Bob, and everyone for all of your questions. Bob and Scott gave us some great information to take in today, and I hope to see you all either in your inbox or at a future Prevalent webinar. Cheers, everyone.

©2025 Mitratech, Inc. All rights reserved.