Description
With 2024 planning, budgeting, and prioritizing underway, now is the perfect time to think about what the next year has in store for third-party vendor and supplier risk management for your organization.
Join Alastair Parr, Prevalent SVP of Global Products and Services, as he reviews this year in third-party risk and explores the emerging trends that will drive third-party risk management programs in 2024.
This webinar explores:
- The ongoing impact of the MOVEit data breach
- The continued development of AI technologies and their potential impact on TPRM
- How to plan for emerging regulatory compliance requirements impacting third-party risk
- Tips for building ESG and non-IT risk metrics into your TPRM program
- …and much more!
This webinar delivers insights and a roadmap to help you prioritize your TPRM program in 2024. Register now!
Speakers

Alastair Parr
Prevalent SVP of Global Products and Services
Transcript
Melissa: Let’s kick things off with some introductions. My name is Melissa and I work here at Prevalent in Business Development. And today we have a couple of guests. We have Alastair Parr, our senior vice president of global products and services. Welcome back, Alastair.
Alastair Parr: Thank you for having me.
Melissa: And last but not least, we have Scott Lang. He’s with us today. Scott’s our VP of product marketing, and he will dive into how we may be able to help mature your TPRM program at the end of the session. Hopefully, we have time for that. Hello, Scott.
Scott Lang: Hey, Melissa. And as a little bit of housekeeping, this webinar is being recorded, so you will get a copy of it. So no need to take notes. You’ll get the slide deck shortly after the webinar. You’re all muted. Use that Q&A box if you do have questions, and you can ask them anonymously if that works for you. And without further ado, Alastair is going to review this year in third-party risk and explore the emerging trends that will drive TPRM programs in 2024. Go ahead, Alastair.
Alastair Parr: Lovely. Thank you, Vanessa. And good morning, good afternoon, good evening, wherever you all may be in the world. Thank you for joining me today. So, what will we be covering off today? Now, these are always quite fun webinars in my opinion, the ones we do sort of once a year. This is where we bring all of the great minds of Prevalent into a room, and then I get to sit or stand there in awe and listen to them talk about what they’re seeing, what the threats are, what the trends are. We amalgamate information from all the various analysts that we speak to, and it culminates in essentially what we see as our top 10 predictions. The good news is, for those of you who might have joined us in our previous webinars on this, a lot of what we predicted has come true. So today should be time well spent in that respect. So just to begin with, hello everybody. Alastair Parr. I was looking slightly younger and fresher-faced back then, but why am I here really talking to you today? So I’m the SVP of products and services over here at Prevalent. And I do have the joy, the blessing, and the curse of speaking to hundreds and hundreds of different customers around third-party risk management specifically. I see the good, the bad, and the ugly in relation to how their programs work and function and interface. And I have the joy of being able to work with some of them on iterative improvements, addressing maturity and getting them to a point of hopefully satisfaction when it comes to their third-party risk and life cycle management. Over the course of today, I would again strongly encourage you, if you have any comments yourselves, if you want to make any predictions or you have any thoughts, please feel free to put those in the Q&A and the chat sections. We will try our best to weave some responses into the general discourse as we go through today on a whole. Failing that, of course, we’ll try and have some time for Q&A at the very end as well.
I will be covering off about 10 core predictions that we’ve got moving into next year. And without further ado, I will dive right into our first. So our very first observation and prediction we want to make is actually related to third-party risk management funding.
Now, last year we spoke about the fact that there was going to be added pressure into 2023 on programs, and that would translate into a focus on things like efficiency and automation and even outsourcing to an extent across the third-party life cycle. Now, from our perspective, what’s very interesting is we’ve seen a trend, probably more in the last six months, that we expect to continue into next year, which is that third-party risk management is very much expected as a program. So I’d like to think that we are now at the culmination of years and years of work where TPRM is an expectation. It’s matured. It’s almost table stakes when you start looking at organizational positioning. So as much as we have seen economic uncertainty, inflation in different countries, and even skilled labor shortages at the start of 2023, we have some expectation into 2024 that investment has remained consistent and will remain consistent into 2024. It is table stakes, and that isn’t changing. You know, we do see board-level, exec-level, investor-level engagement when it comes to TPRM. Now, looking back at 2023, there were periods of time where there were challenges finding seasoned, skilled TPRM practitioners. Now, that isn’t expected to change into next year. There’s still a situation where there is too much work, I think, for the practitioners who are out there in the wild. But we are expecting that programs are going to continue to get more efficient and effective, partly due to the culmination of things like generative AI, things like machine learning, of course, looking at data sets, and better automations and integrations between different systems that will enable fewer people to do more. And we expect that to continue and probably accelerate into 2024. We don’t expect any real change from a maturity standpoint moving into next year. You know, we do expect that it will maintain that expectation of table stakes.
And unfortunately, we’ll likely see some more zero-days and issues that are going to prompt people to continue to apply focus and understand what we are all respectively doing in our programs. Now, last year we discussed outsourcing.
We expected more outsourcing based on the lack of skilled resources and cost management into 2023. We do foresee into 2024 that, as much as we are seeing these new automation capabilities coming out and coming to market, they will not have reached a degree of maturity yet to basically replace individuals and take up budget from that perspective. We’ll always see these automations, capabilities, machine learning, NLP, AI as supplementary. We’ll still need people to validate any of the results of that. So there’s still going to be a need to apply things like outsourcing models for things like managed services, or to appropriately right-size the level of effort based on the types of resources that we’ve got in the business. So, to summarize observation number one there: funding is table stakes, and into 2024 it will continue to be. So we don’t expect cuts of budgets into 2024. Instead, we’ll expect people to be wanting to do more for the same amount. Moving on to our second prediction and observation, which is program convergence. Now, that’s a very generalist and open statement. Program convergence sounds lovely. But what do we actually mean by this? We’ve articulated this in the past, and we’ve continued to stick by this, which is that third-party risk management is evolving into third-party life cycle management, and the key differentiation here is the fact that you have a life cycle journey of the vendors being onboarded through to offboarding, and tied to that you’re seeing different personas and groups getting involved in it. So to give you an example: when you go through sourcing and selection, intake, onboarding, inherent risk management, whatever the risk types may be, assessing the results and driving things like remediation. You then have ongoing monitoring capabilities being required, SLAs, performance management, and then offboarding and termination. It’s a life cycle.
It’s going to continue to be a life cycle, and what we’re seeing is different personas getting involved and having more table-stakes engagements in the third-party landscape. We are seeing and expect an increase and trend of procurement being a driver for the third-party life cycle.
So whether that’s even KYC or KYS, know your customer and know your supplier, there is an expectation that they want to understand who they are engaging with: have they done anti-bribery and corruption, modern slavery checks? There are obviously more regulations coming out, particularly in Europe, in relation to ABC into the rest of the year and into next year, and they’re generally looking to have that monitoring snapshot to be able to understand: is the vendor good, are there any key issues that we need to be mindful of, and where do we go from here? We are going to continue seeing legal getting invested in the process. Right now, legal tends to be more segmented, dealing with more contract management and clauses. We are seeing legal, and expect legal, to take more of an interest in ways that they can automate clause detection and comparative analysis between things like MSAs and terms. And then they’re going to use that with the rest of the life cycle to identify failures. That of course leads into risk management. When you start dealing with risk management on a whole, that’s, you know, relatively established when it comes to third-party risk management, but they remain a core player in third-party life cycle management. And we’re seeing operations using the data sets from procurement and legal and risk to drive things like operational resilience and management of the third parties, as well as quality and ensuring quality: are they doing what they say they do, etc. And then finally, the omnipresent and ever-present requirement from audit remains there. We are speaking to lots of different customers and individuals, and generally speaking, the vast majority are being audited in some shape or form. Now, it might not necessarily be external, it may be internal, but we don’t see that changing as the compliance mandates and regulatory mandates being imposed on us continue to increase and get more complex.
We are expecting that level of audit and scrutiny to persist into 2024 and expect continual audits against our TPRM programs. So that translates into that broader life cycle and the things that we do in a life cycle.
But I did want to reference some material that Prevalent actually generated. So some of you who’ve been on some of our webinars in the past may have been exposed to some of these metrics. But of course Scott will comment on this study that we conducted later on. But from the audience that we spoke to, you can certainly see on the right-hand side that more and more components of the broader life cycle are getting involved in TPRM. So for information security, 70% are more involved. For risk management, 51% are more involved. 45% of compliance and audit are more involved. Procurement 44%, business owners 34%, and executives 33%. To qualify the stats I’m pulling out there, these are people who are more involved as opposed to consistently involved. So you are certainly seeing a trend that we expect to continue into 2024 where we have these distinct business areas having an involvement, and increasing involvement, in the third-party life cycle and risk management process. So we don’t expect that to change. And if you’ve not seen our study into third-party risk management, please do feel free to reach out to us. We’d be more than happy to share that with you, and we’ll touch on how to get access to that towards the end. And just to reinforce that, when you actually start breaking down those metrics, when you actually look at how they are involved now that they are more involved, of course InfoSec tends to be driving the programs there; as you can see, they’re involved in strategy, design, execution of assessments and monitoring, and using the reporting. You see risk management, compliance, procurement, business owners and executives typically being users of data. There’s a high trend, that purple bar there, of there being users.
We are expecting that bar to continue increasing, specifically that purple bar, users of third-party information and reporting, while InfoSec, procurement or risk management are typically conducting the exercises to get data in. So what is our prediction when it comes to this data convergence,
and this program convergence? It is that you are going to see an increase in procurement strategy, design and planning for third-party management programs, and you’re going to see an increase in business owners’ and procurement usage of the third-party information and reporting over time, and of course executives will follow on that curve as well. So, moving on to our third prediction. And just to be clear, we were talking just then about program convergence. Now we have a distinction between point number two, program convergence, and prediction number three, which is data convergence. And what is that difference, after my well-timed cough? Data convergence to us is about all of the different components that make up a profile of a vendor. So historically, people tend to be fixated on things like: what is their cyber posture? They might be fixated on what assessment data we can amalgamate for them. What we have been seeing, and what we expect to continue increasing, is the number of non-IT risk domains that are feeding into these vendor profiles that we’re seeing in these programs. Now, this is because of course prediction and observation number two is that procurement, IT, compliance, etc. are all looking to consume data on the vendors, and they have different lenses through which to perceive that information. That’s not changing, and we’ve certainly seen that into 2023, where we have programs being initially driven by information security but onboarding procurement life cycles and workflows into them as well. That is not going to change. So while assessments will remain core, and we don’t believe assessments are going away because it’s the best way to get, you know, validated data beneath the surface from the third parties themselves, the assessment content is going to vary.
So you’re going to see assessment content covering the gamut of things that procurement, IT, security, compliance are going to be looking for, and that’s going to be supplemented by additional data streams. Cyber, of course, will continue. I don’t think that’s a prediction. I think that’s an established fact that we see today. Business intel is becoming more and more prominent, partly driven by procurement.
And by business, what I mean here is starting to look at things like: what is their operational posture? Are they releasing new products? Are they going for anything like particular M&A that they need to be mindful of? That type of data. It’s the zeitgeist of the company. What are they doing and who are they? Financial records are usually being distinctly tracked separately in the procurement cycle. They’re actually being tracked more often now. We predict this more into next year as well, on a regular cadence basis. Are there changes to their financial scores? Who is the UBO, the ultimate beneficial owner, associated to that company? You know, that’s the sort of data that’s starting to get merged into these broader vendor profiles. We are seeing more and more focus, and expect this more heavily into 2024, on geographic events. So, what do I mean by that? We’re talking about things like: there might be particular natural disasters in locations, or there might be certain strikes, or for example there might be political issues in particular territories, or wars. These are those sorts of geo events that we’re seeing more and more, from an operational resilience perspective, coming into focus. Certifications remain a check mark, almost a checkpoint and a check mark, for the procurement cycle, and people are expecting vendors now to almost provide that certification on a recurring basis, and that will continue into 2024 as the analysis of those becomes easier, and automation of interpretation. And then nth party. So for those who don’t know, just to re-clarify, nth parties here are the vendors of your vendors. Now, we’ll touch on a specific prediction on nth parties later on today. But what we see against nth parties is people are looking for, and we expect this to continue into 2024, they are looking for insight into critical vendors. They might not be able to assess them, but they want to know who they are,
and more importantly, check that the third party is doing their due diligence on them, even if they’re not going to do it themselves.
So when you merge all these data points together, assessment, cyber, business, etc., you end up with a very, very clear contextual insight and a richer landscape of your third parties. This is becoming more and more valuable as we have these different personas consuming the data through the program convergence piece. And I wanted to take a moment just to dive in more detail into one of those particular avenues, because this is tied to one of our predictions, which is the geographic and political insights piece that I referenced. Now, this historically has not really been a core focus for a TPRM process, certainly from an operational resilience standpoint, but COVID certainly opened the eyes of lots of organizations that, you know, they need to be prepared for pandemics, etc. And just to give everybody an example on that. In fact, in a previous life as an auditor, where we had to produce content for things like swine flu, reactive processes, etc., a lot of organizations would roll their eyes and think, okay, we’ll put that on the shelf and never use it. Of course, COVID comes around and pandemics become top of mind, and all of a sudden we realize most of these vendors are really not doing anything about it. Since then, we have seen an increase in focus areas on the operational resilience front, and we predict that moving into 2024 things like the geopolitical and environmental landscapes based on geographies here are going to be more table-stakes, expected data points that we are tracking and reacting against for our third parties.
Now there are problems, inherent problems, with that, which is it is very difficult to be able to predict or identify all the localized geographic sites that a third party operates in. While the head office is usually relatively apparent from your financial reports, UBOs, whatever it may be, the localized sites tend to be a degree of trade secret in some cases, or they might just give you small offices that they have dotted around, not necessarily manufacturing sites that they use, etc., or fourth parties.
So this is a challenge, but people are going to be focusing on this from a more pragmatic perspective, which is: well, let’s look at our actual vendors that at least state that they operate in particular territories and focus on things that might have a tangible impact. So if there’s ongoing war, disruption in regions, if it’s flooding, strike action, whatever it may be, people are going to want to be able to see through notification that you have 74 vendors in this geographic location, in this territory, so that they can react to it if it’s going to bring down your supply chain, if it’s going to affect your resilience for your data centers. You want to be able to have an answer for execs and any of your customers before it becomes more commonly known. And how are people going to be doing that? They’re going to be using an amalgamation of monitoring solutions that’s going to give them that level of insight. It’s not going to be universally accurate, in the sense that all these subsites aren’t going to be covered, but nonetheless, it’s the first step, which will move into 2025, 2026, and so on, where we’re going to see people start getting better control of these geopolitical events and be able to react to them. And again, that’s all tied back to this broader data convergence mindset. The industry will continue to be hungry for data. They’re going to continue to be hungry for building these comprehensive profiles, because these disparate parts of the business are asking for it and see value in it. That is not going to change. So observation number four, moving over to the three A’s in this case: advanced and aggregated analysis. What I’m actually talking about here is that people are building more and more versatile reporting capabilities against an ever-increasing data set. Meaning all of this data that’s being converged against an extended third-party landscape means, great, we can get richer, better analytical data.
So into 2024 we are expecting more persona-driven reporting to become prominent, and what we mean by that is we start segmenting it really by three core areas.
There’s some periphery beyond this as well, like the vendor themselves, or of course practitioners, but the three core audiences for the top-level reporting tend to be the CISO, in many cases driving the program; the business, of course, so the broader business leaders; and then of course the board. Those are the drivers moving into late 2023, but we are expecting that to start changing and evolving to take on some additional personas. And the things people are looking at, and will continue to look at, will be risk, of course. What is my risk landscape across my third parties? Okay, straightforward enough. The threats, specifically looking at external threats associated to those risks. How does that affect my compliance posture? And then finally, what sort of coverage do I actually have against these? When you start amalgamating these four contributing factors, and these are just ways of interpreting a broader data set, you know, that’s how you start building these true third-party risk management programs. And we are expecting that to continue and become more persona-centric. How the board is going to interpret this will be very different from, say, you know, your chief procurement officer, your legal officer, whoever it may be. And that’s being supplemented by maturity. So we are seeing an increase in sort of expectations of people that they are going to be tracking the process of their program rather than just vendors. Before, it would be quite vendor-centric in that mindset. But what we’re seeing is people starting to think about, well, the coverage, content, roles and responsibilities, remediation and governance across their entire process. Now, historically, when we’ve done maturity assessments, a first-time customer starting at the beginning is typically around the 1.7 mark. A matured customer is typically hovering around the low threes. It was very rare to see anybody approaching a four from a process perspective.
We predict into 2024 that we will actually see a general increase of about 0.3 or 0.4 on maturity curves by the end of the year. Now, that’s quite a jump when you start looking at the fact that these get increasingly more difficult to progress through.
And the driver for this is the fact that the tools and capabilities being made available mean that people are going to be able to engage with vendors en masse, and they’re going to be able to analyze broader data sets and start segmenting them to make more informed and intelligent decisions using things like automations and so on. Now, one other component where you’ll see this getting richer, in our perspective, is actually behavioral insights. So, to start talking about advanced analysis on this, we expect into 2024 that more and more people are going to have the ability to look at behavioral insights as part of their reporting metrics. So what do I mean by behavioral metrics here? I’m talking about how their vendors interact, how the business interacts, you know, that human element. I know the term human element is overplayed, certainly in risk management as a mindset, but at the end of the day, beyond passive monitoring, if we’re talking to a vendor, whether it’s how are you going to fix this, what is the state of play for yourselves, or even how are you managing our KPIs and KRIs that we’ve agreed, you can derive a lot of useful information from how they respond, and we’re expecting that to become less localized on a per-vendor basis. Into 2024, things like the analytics models that we see out there are going to start to give people that rich data to see predictions and interpretations based on user behavior in these programs, which would be quite exciting from our perspective. So just again, I wanted to revert back to our 2023 assessment data, you know, just to reinforce some of the problems people are having that’s actually driving this change into 2024, which is that when you actually start looking at the general perception of people’s programs, 50% of people do not feel that their TPRM program is addressing all of the departmental needs. So that’s a pretty high number. 40% feel that the risk is not being assessed in the vendor life cycle effectively.
And going through this list without laboring the point, you can generally see that there are majority cases, in most cases, where people do not feel that their programs are being effective enough, and one of the key drivers for this is being able to report effectively on the data to be able to target risk insights and target, you know, the areas of exposure in their process. I draw attention to this very bottom right-hand metric here, which is 43% feel that it is satisfying executives’ demands for information on third-party risks. This is going to be driving this mindset into 2024, where each of these personas is going to use things like behavioral analytics or broader analysis of the richer data set and be able to draw better conclusions and improve their programs and their program maturity accordingly. So from our perspective, we are certainly very excited to see how that’s going to evolve. So observation number five, NLP, natural language processing. So NLP’s been around for a number of years in third-party risk management, but we’re expecting a few changes into 2024, and just to reiterate for those who don’t necessarily know what this is: from a third-party risk management perspective, this is essentially taking documentation, Word docs, PDFs, whatever it may be, being able to interpret it and analyze it, and then do something with it. Simple. Now, to date, that’s generally been focused on some relatively inferior workflows where you’re looking at things like particular keywords, or you’re not factoring in things like sentiment around particular documents, paragraphs, phrases, clauses, whatever it may be. But we’re finally reaching a point of maturity where we see that’s going to change in 2024. We are going to see more and more NLP being leveraged to extract data consistently from documentation being provided by vendors. We are going to see it start translating documents where they might be in other languages.
That’s finally at the point where it’s reached a degree of maturity where we can trust some of the output data. We’ll even start seeing it populating assessments, taking the sentiment of certain InfoSec policies, clauses, etc.,
and then feeding that into assessment content, structured assessment content. And I suppose that’s the key operative bit to take away from this, which is what NLP is going to provide us the ability to do into 2024: apply structure. We’re going to take these unstructured documents. We’re going to be able to interpret them, translate them as we need to. And importantly, what we’re going to see into 2024 is more and more people building actions based on these. It’s all well and good extracting data from a document, but if we aren’t actually normalizing that into actions and automations, it’s less useful. So it’s finally reached a degree of maturity where we’re going to start seeing that and have that become the norm rather than the exception into 2024. So, a few examples of what we mean by that: someone might provide you with a SOC 2 report, an ISO, their information security policy, and being able to extract things like control failures and create risks against those. Taking the scope component of it and populating an inherent risk assessment, or profiling and tiering assessment, based on the responses. Or taking a document that’s been uploaded to me in Japanese, which I’m not that fluent in, and being able to translate it for me. That’s tangible benefits to my third-party program, and if I can do that without having to do it myself, and I’m checking the homework, great. Now, some of the things that are going to be driving this NLP adoption: one of which is we expect into 2024 more and more third parties and vendors are going to be providing their self-attestation material. It might be externally ratified. It might be a SOC 2, might be HITRUST, whatever it may be. But more and more are pushing back. Therefore, we expect that analysis to occur against these documents. The challenge, of course, that people are facing is the fact that all of these documents themselves tend to be in very different formats. You take a SOC 2 document: it might be 100 pages long,
might be 20 pages long. The scope can vary dramatically between them. And until relatively recently, you had to have an individual really trying to understand and distill the material into tangible risks.
Into 2024, it will be almost expected that this won’t be a necessity anymore. So, we’ll be looking at initially seeing people use it to identify concerns, control failures, and risks. And then that will eventually turn into uh populating assessment content, platform content, as the year goes on. So NLP goes hand in hand in some cases with our sixth observation uh and prediction and that is tied to generative AI. I almost wse a little bit when I start talking about generative AI as a prediction is because it’s so prevalent and prominent in the general conversation around third party risk and just generally across the world at the moment that it almost sounds like anyone’s jumping on the bandwagon to to refer to it, but I’ll start off with just illustrating a um a very interesting sort of Gartner curve tied to this, which is there’s many different components that go into artificial intelligence. And generative AI typically is sitting around what they classify as the peak of inflated expectations. You will very readily start to see that emerge over time into what they call the trough of disillusionment before you eventually end up into a degree of productivity. This is definitely applicable when you start looking at generative AI which is large. A lot of people are focusing on things like large language models and going this is great but aren’t necessarily comfortable about that being used in a third party risk management program. It’s certainly better to be uh a thoughtful second mover on this rather than just adopting the first thing that you see into 2024. We are expecting people to start ultimately coming to terms with generative AI and expecting some components of it in their third party programs as 2023 is starting to slowly fade away. You know, we’re very mindful of the fact that people are concerned about three core areas more often than not. 
Firstly, AI hallucination is the AI confidently telling me something which is patently false, and that’s of course a negative thing when it comes to risk management. Cognitive bias is the AI telling me this because of the fact that it’s being trained on a data model that’s not actually appropriate for my needs. In which case, it may not be hallucinating.
It might just be stating that because that’s what’s been taught. Particularly when we start pointing AI at large data sets like the internet. I’m sure I don’t believe everything I read on the internet, thankfully. And probably more commonly than not, the one we hear about in 2023 is data security. People are concerned: all these AI technologies exist, but at the end of the day, I’m not going to give them my data, which is a very, very valid starting point. We predict into 2024 people are going to become more comfortable with these three criteria as organizations and vendors and technologies out there really start breaking down large language models and generative AI and building something that’s actually appropriate. And the way that’s going to work is you’re going to start seeing things like the same controls and expectations that we see on any other technology in the technology stack being applied to generative AI capabilities. So we’re talking about automated vulnerability scanning on the LLMs, anomaly detection against the data set, safety analysis based on the outputs, bug bounties for prompt injection, etc. Staff training on how and where it could be utilized. And then of course forensic reconstruction when things go wrong. Nothing too dissimilar from what you would ultimately apply to any technology in your technology stack; we are expecting that into 2024. And something we take away from this is the fact that as people become more comfortable with what generative AI is going to do for them, that’s when they can start pivoting to really understand what the benefits are, and then you start seeing that moving onwards into 2024. And some of the things that we’re expecting from our perspective to see into 2024 on GenAI tend to vary depending on who we’re talking about. So for third parties, and of course they’re always there to help us and make life a bit easier.
You know, we do expect more document mapping and assessment population using stuff like NLP as well. Giving them trend advisories telling them how they fare against their peers is certainly a useful thing that encourages them to participate in the first place. And then language translation.
So a combination of generative AI and NLP will make these tangible capabilities in our third party programs into 2024. Moving across a persona here, if we start looking more at, say, some of the practitioners, they’re going to expect something slightly different. The things we’ll see into 2024 are that the practitioners are going to start leveraging things like sentiment analysis. Okay, what is this vendor actually telling me? What’s this report telling me? Contradiction detection. Is there anything that contradicts itself against that large comprehensive profile that we built when we start talking about our prior prediction there, being the data convergence models? Chat bots. So how can AI and generative AI actually assist me in automating my processes and cutting out steps? And then finally using things like sentiment analysis to do things like risk report generation. So they’re all focused on efficiency and consistency there in the program activities and workflows that they do. And when we move over to this very happy executive over here into 2024, why are they going to be happy? We are going to see more and more things like program advisory. A bit like how we have trend advisory for third parties, we’re going to see executives trying to understand how does their program compare to peers? A bit like the maturity assessments. We’re going to see proactive event detection. You know, we’ve seen this geo issue looking at your data set. Go deal with these 70, 80 vendors, letting them react.
Compliance mapping, of course: how do they fare against their compliance and regulatory landscape? I will touch on that in due course as well. And broader peer insights, as much as program advisories focusing on their workflows and processes, being able to give them better peer insights based on their vertical, demographic, whatever it may be, to help them understand, are they in the middle of the pack? And that’s been a recurring theme historically, which is the executives want to be not at the back, not necessarily at the front, depending on their sector. Yeah. They want to be healthfully in the middle doing good practice, not best practice, but good practice, by and large.
And generative AI is going to be able to support that in helping them benchmark. So we expect GenAI to start introducing a good chunk of these technologies into 2024. Initially, we expect a lot of the focus on this is going to be around external large language models that are ultimately sending data externally. So that has some security implications associated to that, the data security element, but as the year goes on we predict more and more localized models. Now this might be using things like AWS, Azure, etc., and be localized and retained in those environments, but we will see the advent of better generative AI processing and activities happening in controlled environments against controlled data sets. And that’s the point in our mindset where we’ll start evolving from these expectations and disillusionment through to gradual plateaus of productivity. And we expect that probably in, you know, the later stages of 2024 when we’re looking at our predictions here. So beyond generative AI as our sixth prediction, we’re going to move on to our seventh now, which is regulations. This is a recurring theme for us, and I’m sure for yourselves as well, where every year we make the prediction that there will be more regulations. That’s a safe bet. I don’t think that’s anything anyone on the call would hop on in order to hear about. But what we are expecting is smarter management of regulations. That’s the thing that’s going to be changing, that’s going to really dynamically impact a TPRM process or program. So what do I mean by that? It is relatively soul crushing. There’s some people out there who love it, but I find it relatively soul crushing.
But when you start looking at the acronyms and abbreviations associated to regulations out there, and that is evolving into the rest of the year and next year, as I mentioned with things like anti-bribery and corruption regs coming out of Europe, you know, we are expecting people wanting to simplify the application of these regulations. And the way that they’re doing that is, whether it’s using passive monitoring or using their assessments, they will be wanting to be able to easily and simply cross-map new regulations.
One of the more common things we’ve seen in 2023 is people asking us and our content team, hey, this new reg’s coming out, what are you doing about it? People don’t want to have to be proactive to ask this. They are looking for sources, the community, to basically advise them and say there is a new version of anti-bribery and corruption regulations coming out in 3 months’ time. This is what you need to be mindful of, and this is how your program is going to be compliant or not. And the way that’s going to work into 2024 is there will be more proactive mechanisms to be able to retroactively apply these regs to your data set. New regulation comes out tomorrow. We know that there’s 47 unique criteria that we need to be able to track against using some of the mechanisms we’ve spoken about already today. People will be retroactively reviewing quickly, at a snap, how their landscape currently fares against it. People shouldn’t be having to send out reassessments or do fresh passive monitoring. They shouldn’t be having to sit there and studiously build new controls into their frameworks, for the most part. The expectation is there that they will be able to ultimately automate some of that process, and automation of regulatory compliance from a perspective of identifying compliance or non-compliance is absolutely going to become more and more prominent into 2024. If it’s not, certainly join me next year and comment down in the chat. So, just an advisory for people who are obviously interested about the regulatory aspect there as well. Prevalent does actually have a third party risk management compliance handbook. This is a reference guide across some of the more common frameworks and regs that you see out there at the moment. If you haven’t seen it before, it’s quite sizable material. Please do feel free to reach out to us. We’ll be happy to share it with you and talk to you in a bit more detail about it.
But it’s a great reference guide and certainly something that we, you know, are continuing to evolve as we see new regs come out. So regulations are an omnipresent, ever-present requirement in our lives.
But that ties to some of the broader life cycle, because we have different personas asking us to be able to track these regulations in the same program. And that ties into our eighth prediction here. And our eighth prediction is looking at integration and synchronicity. When I practiced this before, it took me multiple attempts to say synchronicity. So the fact I did it first time is making me very proud of myself. So thank you for observing that. But integration and synchronicity in this perspective is being driven by this life cycle. You know, we have a life cycle of sourcing and selection, intake, inherent risk, etc. We need to join the dots across these various components. This is becoming more and more challenging, because when you actually start looking at, you know, standard workflows, and this here is looking at a very particular standard workflow, which is: is a vendor important? What do we do? We do monitoring. We look at the results. We send out assessments. We debrief with the business. We do analysis against those results. We produce reports. We do validation on the reports. We even do on-site audits, etc. Yeah, this is just a subcomponent of this broader life cycle. You know, it’s a relatively intense component, but it’s just a subcomponent of it. When we start looking at these sorts of workflows, when you join them all together, join all the dots, you are going to see multiple technologies in some cases doing different bits for different parts of the business. You know, whether it’s that procurement software or finance for invoicing, or whether it’s performance, SLA and the operational resilience components. We are expecting more and more demand for integration between adjacent systems, and a driver for this is the fact that you are seeing the market space mature.
Technologies are maturing as they introduce things like automations, and people have started to build things like their vendor universes and landscapes in particular technologies. They want to be able to replicate that across all the others so they’re getting best value across the stack there.
We have personally seen a pretty sizable increase in demand for integrations and connections between systems. We don’t expect that to go away. In previous years, we’ve talked about convergence of technologies into single systems, and for more or less defined programs that’s certainly a logical step to take. But for large enterprise, multi-discipline, pretty established workflows and processes, we are seeing more and more expectations for the TPRM life cycle to be embedded across technology. So I want to move on to our ninth observation here and prediction, which is that continuous capability. Now, I’ve mentioned passive monitoring already a few times, and when you start looking at passive monitoring you can start segmenting it across things like the IT security space, the business monitoring data sets that we spoke about, and of course financial and legal data sets as a subset. These all have in some cases almost daily iterations. Hopefully things like bankruptcy aren’t daily, but when you start looking across these, there’s certain insights you’re going to want a daily summary of. And what we are seeing is more and more procurement demand for near enough as close to real time as possible insights into things like violations or issues that are emerging across the vendor landscape. Previously it was cyber-centric in that respect. But into 2024, we are expecting more and more focus on continuous insights across business, financial, legal, driven by the procurement demand. And something that we predict tied to this is as you start building these very, very in-depth continuous monitoring capabilities. So using Prevalent as an example here, you know, ranging from 500 million profiles, 84 billion different business monitoring events, over in fact 900,000 different sites getting tracked at any one point in time, you’re building a wealth of data from that continuous capability.
So when we were talking earlier on about our prediction for advanced and aggregated analysis, this is going to feed into that. As we start introducing more and more data points through this continuous capability, that’s going to in turn generate more and more advanced analysis. So almost a self-fulfilling prophecy.
People want daily insights, which means they get more events, they get broader coverage, and that’s going to lend itself into our other predictions over time. Moving onwards to our 10th and final prediction for the day, which is context. And context has always been very important, but very difficult to aggregate across the breadth of the third party landscape. So context for us in this case tends to mean a couple of things. It’s about understanding, like inherent risk or profiling and tiering, who is the vendor, what are they doing, why are they doing it, how are they doing it, all those criteria, and that helps us ultimately rightsize and grade our third party accordingly. People are starting to expect better structure through the procurement cycle to populate this upfront. So what do I mean by that? There’s a lot of, sorry, third party landscapes and inventories out there which lack this information. More and more procurement functions are capturing this data in the procurement cycle or upon renewal to feed that, and that’s because they’re consuming data. So into 2024 we’re going to see more and more people using this data, and we’re going to see procurement driving the collection of this data moving forward, and that in turn is going to lend itself to a prediction into 2024, which is more pragmatism when it comes to managing these landscapes. So for example, let’s say we have a vendor count of 15,000 in our ecosystem. We might have 15,000 profiling and tiering exercises. That should reduce the volume down to circa 4,000. That might be due to, you know, critical vendors needing interactive assessments. There might be a smaller subset requiring continuous monitoring based on the output from that. That might again shrink down based on those that need risk management tracked iteratively. And then a smaller subset that require consistent regular event management because they are truly critical to us.
This continues, as you’d expect, down to things like validation steps, and then even on the tail end of it on-site audits in some cases, and then a certain amount of ad hoc zero days that we have to deal with. But we should be seeing this sort of pyramid with our vendor estates.
You know, the days of 15,000 means 15,000 should be going away into 2024. We expect the profiling and tiering exercise to enable us to start building these more pyramid-style, TP, sorry, third party landscapes and inventories over time, and this actually contributes to nth parties, fourth parties, as I mentioned earlier on. There’s been an expectation for a few years which is, I will get round to nth party. We don’t think in 2024 that nth parties are going to be fully indexed and assessed down to multiple tiers. It’s just not pragmatic. But what we’re going to start seeing is that people acknowledge that that’s an issue and they’re going to start focusing on particular fourth party targets. So what we mean by that is, what are our really critical vendors? Are there particular concentration risk fourth parties that we need to consider, and are there ones that impact our privacy policies? And you’re going to see potentially one layer deep, if that, of a subset of fourth parties being in scope to some basic due diligence. And in some cases we will just see third parties, the expectation that third parties will be doing that on our behalf, which is sort of more of the current state, but we should see more targeted fourth party work into 2024. So to summarize, because that’s a lot of information in 51 minutes so far, some of the key predictions we’re making here: TPRM funding is going to remain table stakes. We are going to see this program convergence where you’re going to see multi-discipline, multiple business owners working together. You’re going to see that data convergence as the data sets expand. We are going to see those data sets expanding, feeding into advanced and aggregated analysis, and that’s going to include behavioral analysis into the tail end of the year. NLP is going to become a common contributor to our automation and standardization processes.
And we’re going to see things like GenAI feeding into our automations, regulations becoming more proactive in mapping them to our existing landscape, continuation of integration into adjacent technologies, the ability to monitor these vendors as close to real time as possible, and the ability to be pragmatic in our vendor analysis and management. So, what does that really distill down to? We’re going to see the good foundation that’s been built in previous years evolve coming into 2024 with the advent of things like these increased automations, greater data sets to provide better real-time reporting, less work on the ones that don’t matter, so right sizing our vendor populations, and giving the right people the persona-based dashboards and reports that they really care about. I’m going to give my voice a break for a minute and we’re going to move over to a very brief overview from the lovely Scott Lang on some of the components that might be able to help out here. Scott.
Scott Lang: Thanks very much, Alastair. I’m going to share my screen now. There we go. Awesome. There we go. Folks, thanks for hanging in with us for these 53 minutes so far, as Alastair really laid down quite a bit of, you know, excellent best practices, predictions, and thoughts that we can use to formulate our TPRM plans going into the new year. I know this is budgeting season prior to vering season. Maybe we’re even out of that already. You’re starting to line up projects. Good to have this amount of understanding of the key trends and movements in the market to help kind of inform that process for you guys. What I thought I would do is just take a few moments and identify, you know, how Prevalent can help you from our perspective, and I’ll just take a couple of minutes and then we’ll be able to kind of go to questions after that. But from our perspective, you know, there are three things that you should want to achieve in your third party risk management program. The first is getting the data you need to make better decisions.
You know, chances are you’ve got maybe silos of information, different departments, different tools; you know, maybe you’re using spreadsheets or other substandard manual processes to collect information on the internal controls of your third-party vendors and suppliers. And as soon as you collect that info, it’s out of date, with no ability to really keep it updated in between those assessments. And that’s kind of a challenge. I understand that a second big thing companies are looking to achieve in third-party risk is to knock down those silos and improve team efficiency. You saw a slide that Alastair put up in the presentation very early on that said that although the information security team tends to be the ones responsible for executing third-party risk assessments when cyber security is the primary driver, we’re seeing that the procurement team are the ones that own the relationship. So if you’ve got the executive and the owner, you know, perhaps at odds with one another, using different tools, different processes, different systems, not talking to one another’s systems, not interacting, you know, that’s not a recipe for success going forward. That level of integration and consistency across the organization is the desired outcome, and that helps you to achieve the third outcome, and that is to evolve and scale your program over time. So getting good data, knocking down silos between teams to help them work together more efficiently, and evolving and scaling programs over time. That’s precisely what we hope to achieve with your third-party risk management program if, you know, we’re able to help you provide a solution. Our view of third-party risk is that we see risks unique at every stage of the third party life cycle. It isn’t just about sending out an assessment, getting some sort of risk scoring back, doing some triage, doing some remediation, and then kind of moving on.
And it’s more than just pre-contract due diligence. It’s a consistent process that exists from the point at which you source and select a new vendor to the point at which you end up offboarding and terminating that relationship.
Again, we see unique risks in each one of these stages, and we can help to automate the process of discovering those risks, doing something about it, closing it out and then ultimately reducing the residual risk to your enterprise. At the end of the day, it’s about three things for you. Number one is to give you a simpler and faster process to onboard a new vendor. Give you a single source of the truth and a process to manage that vendor across your enterprise. Streamline the process and close gaps in risk coverage where you may have gaps now, and then unify your team across the life cycle. I’m not going to dwell on this. These are just six buckets of risks that Prevalent helps to capture and manage for you in the platform, whether via an in-place assessment in the platform or whether utilizing third-party risk monitoring data that’s correlated with assessment responses. Look, at the end of the day, what we deliver is a combination of three things. Number one is expert help. The people, right? If you choose to do so, our managed services group can do the hard work for you, from onboarding vendors, conducting assessments, performing remediation, managing them through the life cycle, or you can use the platform on your own. Of course, the second key component of our solution set is the richness of the data set. You know, we’ve got more than half a million sources of information individualized and half a million different profiles that are built into the system that you can get access from immediately across multiple different risk types. And then third, that’s all housed in the platform to help you perform, you know, best-in-class analytics, reporting, workflow and ultimately get to some level of remediation for your customers or for your vendors. So, real quick, just wanted to provide that overview. I’m going to pitch it back to Melissa, who’ll open up for questions, and then we’ll kind of close it out from there.
Go ahead, Melissa.
Melissa: Perfect. Thank you, Scott. I’m going to go ahead and launch our second and final poll. You’ll see that pop up in two seconds. I’m curious to see if you are in that boat of establishing that TPRM program. I know Scott did talk about budgeting. Now people are locking that in for next year. So maybe that’s you. Be honest too. We do follow up with you, probably within the next 24 hours if not sooner. But yeah, I mean we have a few questions. I know there’s a few in the chat I’ve been trying to chip away at, but also there are a few in the Q&A box. Alastair, do you want to kind of pick one that’s the most valuable? I know we have a minute.
Alastair Parr: Yeah, sure. There’s been a couple that correlate down to, I think, the commentary on third party risk management as a distinction that’s evolving into third party life cycle management. So just looking at a couple of these, and there are certainly a few, so thank you, everybody. But do you see the TPRM workflow equating to include vendor management? In part, yes. So I would say that there is an overlap between them. So into 2024 the expectation is there is an evolution. You will see more life cycle vendor management as a component. Risk management will still exist, and it doesn’t necessarily mean that the infosec teams and risk management are going to own the entire process. It just means you’re going to see some degree of synchronicity between the teams using whichever engagement mechanism is best working at that point in time. The risk management teams usually need a level of detail below what some of the others are doing, in the form of risk triage and continuous tracking in that perspective. But you will see third party risk management ever continue into being third party life cycle management, and the two lines getting blurred between them over time. So we certainly are seeing that and expect that to continue. So, great questions. I know we’re at time, so I’ll hand back to you, Melissa.
Melissa: Okay, well, perfect timing. It is the top of the hour for everybody. So I wanted to thank you, Alastair, of course, for popping on again, and thank you, Scott, for your spiel at the end as usual. You know, if you guys have any questions, I will put my email in the chat. So, it’s there. You can also use the chat function on our website that goes straight to me, too. So, hopefully we can see a handful of you in your inboxes and maybe at next week’s webinar. Take care, guys. Thanks. Bye.

©2025 Mitratech, Inc. All rights reserved.