Between different industries, geographies, and organizational needs, no two third-party risk management (TPRM) programs are alike. And, no two TPRM experts will have the exact same view on managing risk – and understanding different approaches is vital in this ever-changing world.
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, and Samira Duijnmayer, Compliance Manager for Financial Crime at Booking.com, as they share their unique practitioner’s perspectives on what drives TPRM.
In this interactive, panel-style webinar, Bob and Samira discuss:
- The biggest challenges in a TPRM program
- Fourth-party risk in the vendor ecosystem
- What the TPRM regulatory landscape looks like in the next 12-24 months
- The role of AI in TPRM
- What is – and isn’t – working in TPRM
- …and more!
Learn from leading experts in the field and get practical advice you can implement in your TPRM program!
Speakers
Samira Duijnmayer
Compliance Manager for Financial Crime at Booking.com
Bob Wilkinson
CEO of Cyber Marathon Solutions and former CISO at Citigroup
Transcript
Ashley: My name is Ashley and I work in business development over here at Prevalent and we’re joined with some very special guests. Uh Samira Duijnmayer, compliance manager at Booking.com. Hi Samira.
Samira: Hi everyone. Great to be here.
Ashley: Uh Bob Wilkinson, CEO of Cyber Marathon Solutions. How’s it going Bob?
Bob: It’s going great.
Ashley: And last but certainly not least, our very own VP of product marketing, Scott Lang.
Scott: Hey Ashley. Uh just a little bit of housekeeping. This webinar is being recorded and we will be sending out the recording along with the presentation slides shortly after the webinar. Uh you’re all currently muted, but we love participation. So please put any questions in our Q&A box and we’ll be able to go over them at the end of the webinar. Uh today Samira, Bob and Scott will be discussing their perspectives on TPRM. So I’ll go ahead and hand the reins over to you guys.
Scott: Awesome. Thanks Ashley. Hey everybody, welcome. As Ashley said, I hope everybody had a great uh US Thanksgiving if you’re based here in the States uh and uh have kind of come off of your uh your turkey malaise or the tryptophan malaise as they call it uh and ready to kind of jump back into uh into the work world here. Um you know, as Ashley said, we’ve got two very special guests with us today. And you know, the format of today’s uh webinar is going to be an open Q&A style uh uh you know, format where we’re going to pose a few questions and have some different perspectives shared on those particular topics and third party risk. Um, you know, I think this will be a lively and engaging webinar, something that will, you know, keep your attention and might be worth taking some notes. Uh, as Ashley mentioned, uh, you know, we will send this presentation out to you uh and the recording of this uh, webinar out to you tomorrow uh, so that you’ll have access to it and, you know, can kind of, you know, listen to it again, read through it, and, you know, get some additional insights to help grow and manage your TPRM program. Uh, so, with that, uh, I’m actually going to have, uh, Samira and Bob do very brief introductions of themselves, uh, just to lay the groundwork for today’s discussion and, uh, you know, provide a reason why you should pay attention to these really smart people. Samira, you go first.
Samira: Sure. Hi everyone. Uh, great to be here. Samira Duijnmayer. Uh, I’m based in Amsterdam, so uh, you can see it’s quite dark outside already. Um, I work for an online travel agency, Booking.com, uh, for about five and a half years now. Um, heading the program for third party risk management and financial crime compliance. And uh prior to working for an online travel agency, I used to work at several law firms where I advised big corporates on compliance policies, best practices uh on how to best manage third party risk. Um and at Booking.com, um uh I built the third party risk management program from the ground up, which is actually very amazing because you have a lot of flexibility into the design. Um uh currently grow uh leading a growing team um and uh yeah for the people less familiar with Booking.com um we have grown from a small Dutch startup uh to one of the largest e-commerce companies in the world and we basically invest in digital technology to take the friction out of travel. So we started with accommodations uh only but have now expanded into uh all areas of travel planning uh basically enabling our customers to do more without having to go to multiple platforms, service providers. Uh so customers also have the option to also book ground transportation, car rentals, attractions, flights directly on our program. Um so yeah, uh glad to be here and looking forward to an insightful panel.
Scott: Awesome. Well, welcome Sam. Uh Bob, over to you.
Bob: Thanks Scott. Uh my name is Bob Wilkinson after spending uh more time than I care to remember in financial services where I played the CISO role, operational risk head and various other things. Uh for the last eight years I’ve been an independent consultant working in op risk, information security and a lot of the time focusing on third-party risk management. I’ve been uh involved in the space pretty much since it began and uh looking forward to the conversation today with Samira and Scott.
Scott: Awesome. Awesome. That’s terrific. Welcome Bob and welcome both of you and thanks so much for uh you know the opportunity to have this conversation, I think with our attendees it will be very educational. Uh so as I mentioned before, the format of today’s call, we’re just going to kind of jump into some questions and you know these are topics that come up fairly often in conversations with third-party risk professionals and practitioners. We’re going to distill those things down and give kind of Samira and Bob’s uh kind of perspectives on these particular topics. As we get through today’s presentation, I do want to remind you if you have questions, please enter them in the Q&A uh window uh in the Zoom app here. Uh we’ll triage those and ask those to Samira and Bob as we get through our presentation today. All right. So, first question of the day. Let’s uh start out with a big one here. Regulatory. Uh so, there’s no shortage of regulation uh in the industry, especially in third party risk. And this last year, regulators have been very very active uh with new cyber security reporting requirements from the SEC, uh US financial industry interagency guidance, several new AI regulations uh and then obviously you know multiple uh ESG type regulations that are emerging uh out of Europe. You know I guess my question, Bob, I’ll start with you, um you know what do you say is, what do you consider some of the biggest challenges? Oops, I think I skipped ahead of that one, didn’t I? Um you know what does that third-party risk landscape look like in the next 12 to 24 months for you? I mean what areas should we as practitioners be worried about and how do we kind of prioritize some of those uh those landscape changes of the next year or two?
Bob: Well, Scott, I think it comes down to execution. I think that the regulators have been very clear uh that what they’re interested in is execution and are you doing what you say you’re doing? So as you mentioned there’s been a lot of new regulations from different agencies and it’s not just banking and financial, you know you always have to be aware in healthcare there are regulations, in other industries, but from a financial services perspective which covers a large uh space really the regulatory focus is do what you say you’re going to do and be able to demonstrate you’re doing it. The interagency guidance, the update that occurred there, the interesting phrase was interagency because there had been slight differences between OCC, Federal Reserve and FDIC and their guidance that they were offering. The main thrust of their regulations was to standardize. So let’s all get on the same page and primarily to incorporate the OCC 2020 uh FAQs which were additional guidance that the OCC provided at that time. So the key thing that regulators are interested in, which is at times at odds with what banks are doing and other financial services companies, is regulators don’t want to see compliance. They want to see risk management. And too often what happens is financial services are focused on compliance. Well, compliance doesn’t necessarily equal effective management of risk. So, that’s really I think the key trend that you’re going to see. I don’t know how much more regulation in the US, perhaps around environmental impacts on financial services companies is certainly an area that’s going to come out. Uh from a European perspective, you’re going to see um the continued focus on environmental and social legislation. You know, following on from the German supply chain due diligence which was effective January this year.
Scott: Oh, I think we lost Bob.
Scott: Yeah, I think you do.
Scott: Hey Bob. Hey Bob, we can’t hear you if you can hear us. All right. Well, we’ll pause. Bob, Samira, maybe I’ll pitch it over to you. You know, give me your perspective on kind of what you’re seeing in the EU. Are there any types of compliance regs or risks that regulators are really kind of zeroing in on?
Samira: Yeah, I I think Bob actually made a a nice bridge right now. I hear myself.
Samira: Hello. Hello.
Scott: Yeah, we hear you. Yeah, we hear you. I I hear myself echoing myself.
Samira: Try again.
Scott: Can we hear you Sam? Can we hear test Yes. Yes. Still an echo. I think everyone has echo. I think everyone has.
Bob: Bob, how about you? Can we hear you? Can we hear you?
Samira: Samira, try again.
Samira: Hello. Hello.
Samira: I think I think Oh, no. No. Hello. Hello. Hello.
Bob: I only hear you once.
Scott: Okay, Bob. And I think that.
Samira: it could be. Yeah, I think. Yeah. All good.
Scott: Excellent.
Samira: So, let me continue on the um the EU regulation. I think uh Bob already introduced it, but indeed uh on the EU side, we definitely see uh some movements around the uh directive on corporate sustainability due diligence and uh you know basically this legislation requires in-scope companies to conduct due diligence and take responsibility for human rights of users and environmental harm through uh their global value chains. And what this basically means in practice, because you know it’s all about execution and what does this actually mean for companies, is you know think about uh you know driving new risk mitigation strategies for sustainability, meaning that TPRM programs or companies could be required to develop and implement measures to address sustainability risk in their supply chains. Uh which in practice means okay I hear myself echoing again.
Scott: I fixed it.
Samira: All good.
Scott: Yes. Good.
Samira: So companies are required to perform uh you know extended due diligence requirements. I hear myself echoing again. I don’t know what it is.
Scott: Yeah, it sounds like every time Bob comes off of mute uh uh we can hear you twice. So So Bob just uh keep yourself muted if uh if uh you’re not directly speaking.
Samira: I think Bob just left. Um but I’m happy to continue.
Scott: Yeah. Good.
Samira: So you know think about including um for you know, for purposes of extended due diligence requirements, think about including um uh sustainability questions in, for instance, your due diligence questionnaires or perform an audit so you can actually evaluate their adherence to you know recognized standards but also including those in your contractual obligations and supplier code of conduct. So you know this definitely sets expectations and requirements for sustainability practices with you know consequences for non-compliance, for example, and include those, you know, relating to um fair labor practices, waste reduction, emission controls, uh all into your supplier code of conduct and contractual obligations. Um so that’s really on the practical side, but then also what I’m seeing as well, and that’s not necessarily only EU, but really globally, is, you know, more and more sanctions are imposed uh due to the fact that there’s a lot of turmoil in the world right now, right? I mean, look at the war in Ukraine or now Israel. Uh mask force which basically means whenever there’s a conflict more sanctions are imposed on individuals, entities and potentially regions, which in practice means you know as an organization you have to ensure that your supply chain and their supply chains, third party suppliers, are not subject to the growing list of sanctions uh regimes. So I think you know what is most important is depending on the industry and the type of vendors uh companies work with uh new and existing regulations are either you know applicable or not applicable. Uh and it might well be you know that you would as a company um you know look at more uh regulations around cyber security or sustainability uh depending on the type of vendors you work with.
Scott: Yeah. Excuse me. I think um you know I was going to ask you the question. I think you might have answered it but I was going to ask you the question if there’s a sort of a balance between cyber and non-cyber when it comes to regulatory enforcement, like has the pendulum swung a little bit from a laser focus on third-party cyber security controls to maybe something a little bit more along the line of supply chain controls or you know reputational controls or um you know financial controls, things like that, right? Do you think there’s a balance that we’re slowly getting to from an industry perspective where these things are maybe going to kind of even out a little bit?
Samira: I think it really depends on the type of organization you are the type of vendors you work with and the types of you know regulations you need to adhere to. Uh but you know what is more you know what is let’s say you work in an organization where um you know 80% of your inventory is um uh or software or technology uh companies but 20% is more around um let’s say um firms who perform lobbyist activities. Um you know we can never say oh 80% of inventory um are focused on software which means we need to prioritize cyber related um risk management activities over the the remaining 20% because it really depends on the type of regulator and also how they measure um the potential risk. So I I yeah it’s always difficult there’s no really good no good answer right it’s always difficult to measure.
Scott: Yeah, yeah. Um this is kind of a good segue to the next question. Um, and Samira, this would be a good one for you as well. You know, one of the things you have to demonstrate to auditors is that you have a TPRM program in place on some level, that you have some control over your supplier and vendor base. You’re doing regular reporting and whatnot. You know, when you’re building your program, you’re building the Booking.com program, for example, or other programs in the past, you know, what were your challenges and how did you address them?
Scott: you know, in building some sort of a sustainable startup type program here? What what what were the biggest challenge? How did you conquer those challenges?
Samira: Yes. Uh well, yeah, indeed building a sustainable TPRM program involves addressing various challenges, right? And uh to ensure its effectiveness over the longer term. Um but I think you know one of the first things that’s coming to mind is the complexity and scale. Um I think you know managing third party relationships can be complex especially for organizations with a large number of suppliers or you know a diverse supply chain. So either you don’t know what level of risk assessments or due diligence you want to apply to them or you don’t even know where the third parties sit in your organization, you know, and maybe even have five onboarding channels. It doesn’t really sit within a centralized function. So you don’t really know where these third parties sit. So you have to think about a, you know, systematic approach by categorizing suppliers based on risk levels, prioritize due diligence efforts on high-risk vendors, but also for instance use technology automation to streamline processes and you know handle large data sets efficiently. Um I think a lot of companies also struggle with resource constraints. Um limited resources you know including personnel and technology can definitely disrupt the effectiveness of TPRM. Um so it’s always good to leverage technology if you have that. Um and but what I’m seeing a lot and have seen in the past is striking the balance between mitigating risk and achieving business objectives. Um, most businesses are.
Samira: out there to, you know, make money, but don’t forget not complying with TPRM will cost you money. Um, so it’s important that you align your TPRM goals with overall business objectives. Conduct, you know, risk assessment that consider both uh risk and benefits. Ensure that risk management measures do not unnecessarily hinder business operations. So really think about, okay, customers first and try to balance this with managing risk as much as you can.
Scott: Yeah, that’s a great foundational point there. That that opposing force of business impact versus compliance or business impact versus sustainability or business impact versus, you know, good processes going forward to measure risk. That’s a that’s a great uh kind of balance point to to kind of strike. You know, Bob, I mean, did have you seen the same thing as as you’re kind of building up your TPRM programs on your side? you know, does that jive with some of the same challenges that you faced?
Bob: Uh, you’re on mute right now.
Scott: Still on mute.
Bob: Okay. Can you hear me now? Sorry.
Scott: I can hear you now. There you go.
Bob: Okay. Yeah, I had a little technical difficulty there. But yes, everything Samira said is absolutely uh appropriate, particularly the balance between uh business goals and risk mitigation. Some of the things that I would add to that foundation that she mentioned um it’s important to have the right level of management engagement and support. So how that risk uh of the use of third parties is communicated to management for me is a critical aspect of things. You have to have engagement. You have to understand who your stakeholders are. And when I take a view of stakeholders, I take a very broad view. So, you know, it’s not just your immediate management. It’s senior management, it’s the business units, it’s the board of directors and a whole list of parties that you have to coordinate with. Most importantly from my perspective being the sourcing procurement organizations and also leveraging the enterprise risk organization that is present.
Bob: That being said, the other thing that I would focus on is getting your inventory right from the beginning. And when I say inventory, I’m not a big fan of the term third party anymore. I much prefer the term supply chain because if you don’t know who your fourth and fifth parties are, a lot of the bad things that are happening in this space with threat actors and hacks and things like that are the result of third and fourth party compromise. And if you don’t look down into that supply chain for those business processes that you have defined as critical, and that’s a key thing, criticality, and then understanding that full supply chain, uh, that’s a really important thing that you have to do in this space.
Scott: and you know I think that’s another good segue to the next question and Bob I’ll go to you on this one as well is you know it starts with some sort of a profiling tiering exercise categorizing understanding who your suppliers are and then kind of uh you know putting them into buckets so you can triage as appropriate. But what is the role of risk profiling you know and transitioning from that into risk management? How do you really do this?
Bob: Well, you have to understand what’s important to your business and it varies uh across different industries. So we have to be clear about that. Uh too often in these conversations we focus on financial services and healthcare. And the reason for that is those are the most regulated industries. Those are also the industries that tend to have the best security practices because of regulation. Because without regulation, it’s sometimes difficult to make the business case to allocate the resources. But when I think about criticality, it usually boils down to three things for me. Sensitive information, access to my infrastructure, and is the third party managing any of my critical internal control functions. And I’ll just point to Okta as an example of that and some of the things that have gone on there. But if you use those definitions for criticality, that helps narrow down the things you need to focus on. Another way to do that is to talk to your IT people, you know, the people who are responsible for things like business continuity and disaster recovery because they’re going to know who the critical vendors are that need to be available in order to continue to deliver your business services.
Scott: That’s great. I mean, Samira, does that jive with kind of your perspective as well on profiling? I mean, how do you view that from your perspective?
Samira: Oh, you’re on mute still, by the way.
Scott: I’m on mute.
Samira: I was just being careful to.
Scott: Got it. Okay.
Samira: Echoing um Now as a compliance professional I would always argue you need to embed you know compliance as a risk area to consider but perhaps there are you know other areas that are more relevant to your organization but generally you know you need to ensure that you manage risk around you know security, privacy, compliance but indeed depending on the type of third parties you have and what tools you have available to embed more risk areas into your you know scope of assessment um I think you know whether your organization works with 10 or a thousand or even 10,000 third parties the problem will always be the same right you have always limited resources so you need to think about ways of okay how do I deploy them most effectively and you know in general I strongly believe that TPRM is primarily about making the smartest use of your company’s limited resources um you know and different risk teams focused on different third parties and risks you know which have the most impact to your organization um and which tactics will help your company to be more proactive in managing third party risks. Um, you know, how can you optimize your TPRM program to make better decisions uh for your business? Um, so yeah, I think you know these are key questions I think you need to ask in an organization. Um, and really think okay which vendors pose the most compliance, regulatory and reputational risk to your uh company and depending on that you build a risk management program around it.
Scott: Yeah, that’s a great point and I think what you and Bob both echoed was I think at the end of the day it’s all about that concept of operational resilience or continuity and you know that is what you have to as your own organization ensure but also when you work with third party vendors and suppliers you have to understand their processes for operation and resilience and continuity so you don’t have some sort of a downstream impact on service delivery, product delivery or uptime or something like that. And that drives a lot of that profiling decisioning. I think anyway, I think you guys are spot on there. Um, so Bob, I’m going to kind of circle on this because, uh, you brought this up. You know, how important is it to look beyond your third parties? You know, if you think about it like a concentric circle, right? You’ve got, you know, your organization here and then your third parties and your fourth parties and then your extended supply chain and all that stuff and that goes out ad infinitum. How do you tackle that? How do you look at your supply chain or your vendor landscape?
Bob: Well, you know, that’s a fascinating question. Um, first when you think about your third parties, how do you know that you have your full third party inventory? How do you know that all of your business units are following a common practice, uh, for onboarding? One way to get at this problem is if you go back and get your last two years of uh accounts payable data, you’re going to see everybody that you paid and that’s going to be a really good starting point for understanding who your third parties are. But then from there, understanding your fourth and fifth parties, one thing that you can do is contractually ask all of your third parties to disclose any fourth or fifth parties that they use as part of the relationship. That’s an essential step along with including a clause and any change that they put parties who have access to sensitive that prior written notification is provided by the third party. That helps you get at understanding as you said Scott as you expand those concentric circles out. But the important thing to remember in this space is that most uh hacks that happen of organizations start with third parties. And what people don’t really well is the layers of that uh onion that a lot of those attacks start with fourth and fifth parties because just like you’re making all these efforts in your third party program to get your third parties to properly protect themselves and your information and the business relationship. The bad actors, the threat actors know exactly what you’re doing. So they’re saying, “Okay, where is it? Where are the weak points that I can attack?” Well, the weak points quite often are those fourth and fifth parties. So if you have some definition of criticality, what’s really important to you, then you can focus on those third, fourth, and fifth party relationships to really understand what the potential exposure is.
And it goes back to Samira’s earlier point that we have limited resources and we have to decide best how to allocate those resources to mitigate the greatest risk to our businesses.
Scott: And Samira, maybe I’ll I’ll pass this one over to you, too. From your perspective, I mean, have you had success in requiring your third parties to disclose their third parties so that you get a picture of your supply chain? And you know, I understand the contract drives behavior, but are there other carrots and sticks available to you that you can get that information?
Samira: So that’s a big challenge and what you know can help and what often helps is you know in your procurement or fun vendor management software you can as part of their profile you can often ask a question whether you know they would like to disclose this information or whether they um work with you know other subcontractors um and then um they feel more comfortable responding to that when it’s part of their risk profiling in the vendor management tool. So that could be one of the ways in order to get that information but it’s always challenging and uh you know I see a question on the screen on you know what are the risks of ignoring that and there are absolutely risks that come with that um from a regulatory compliance um uh perspective you know if there are any um uh risks relating with that then uh if you ignore your extended supply chain that may result in non-compliance with certain regulations, that’s just absolutely correct, and the customers you know whether there’s a breach or uh an attack um the customers go to you as an organization and not to your extended supply chain and that’s very critical.
Scott: Yeah.
Bob: Yeah. You have to have the answer. You still own the risk even if you have out this relationship. Right.
Samira: Correct.
Samira: But it remains to be a challenge for many organizations. But I do think that you know making it part of your contractual obligations plus you know embedding it into your supplier code of conduct is a very good starting point. Um especially you know if you have a regulator who is um who is watching you um uh you can you know demonstrate that you take your program seriously um and I think um you know it’s one of the cua um exercises that you’re able to do.
Scott: Yeah. Uh yeah, good transition to the next question which I think is very relevant to an extended ecosystem and you know maybe Bob I’ll start with you on this one. Um fourth party software providers, you know Bob you mentioned it a few minutes ago, Samira you mentioned it as well, you know we’ve seen a lot of uh you know third and fourth party software breaches that have happened in the last several years that are very high-profile names that you know are household names. Most recently this year has been the MOVEit uh breach and that has impacted thousands of organizations. I saw an article written earlier this week or last week on the number of the thousands of organizations that have been impacted by that MOVEit software breach. You know, how do you manage that? You know, what happens when that fourth party software becomes a third party problem?
Bob: Well, it certainly is. And uh I think it’s probably one of the biggest problems that we’ve seen the last year or so. You know, it goes back to SolarWinds, Log4j and now MOVEit most recently as the big uh uh third party software compromises which have resulted in big impacts on organizations and it’s, quite frankly, it’s not a topic people have focused on very much and this gets to the whole idea of taking a holistic view of how things work in your organization and who your stakeholders really are. And the value of being able to reach out, you know, to your security operations people, to your cyber threat intelligence people, and particularly around this software topic to interact with your software architecture teams to understand who the critical third-party software providers are to make sure that you have a good inventory and where possible to marry that third-party software inventory up to your third party inventory. The first thing that happens of a security incident is everybody wants to know whether anybody at your company is using that third party software. That’s the first issue. The second issue is are any of our third parties using that software as well and particularly any third parties who have access to our data, access to our infrastructure because that’s the way that that third party weakness can be exploited by a hacker to compromise your organization. So it’s really I think in some senses a reset and a wakeup call to people that you can’t just look at your third party vendors. If you don’t know where your third party software inventory is, where it’s being used both in your company and then having a process by which you can easily determine where that third party software is being used by at least your critical third parties, you have a real problem.
Scott: Absolutely. Samira, I’ll pitch it back over to you. Any additional thoughts from your perspective on that, uh, you know, experience you’ve had in that area?
Samira: Yeah, I mean, I think what is, you know, what’s coming to mind is you can think about ways to kind of require your third party vendors to provide transparent reporting uh on their use of software uh for fourth-party software for instance um you know so you can regularly you know assess or audit on that piece of risk management um or look into kind of the incident response planning that organizations have um you know clearly look into okay what are the processes that these companies have uh who are the stakeholders involved in those processes, clearly defined roles and responsibilities. So it gives you also some comfort on what they do in case of a you know a breach uh and then again embedded into their contractual uh clauses um where you know if they don’t manage this uh so you know fourth-party um uh software um if they don’t manage it effectively you know then you can even say okay we’ll terminate your contract or impose corrective actions in case you um breach those clauses.
Scott: Yeah. I mean, it’s such a difficult exercise just to get a basic inventory. You know, it’s, you know what,
Bob: You know what I would say, Scott, is though Samira’s point is exactly right about contractual obligations, and in that initial contract there should be disclosure not just of any fourth parties that are used, but any software other than that third party’s that they use to provide the service. In other words, you know, this whole concept of what they call SBOM, software bill of materials, a detailed disclosure of all of the various software components that are being used to deliver the service to your organization, is one really good way to get at this.
Scott: Yeah, it’s a great point. Great point, guys. You know, the next question here is around, and we’ll start with you Samira, is I think fairly timely, and that is kind of what’s the right formula for assessing vendors.
Scott: You know, is it part assessment, is it part monitoring, is it both, what comes first, what comes second, you know, what does that look like for you guys?
Samira: Yeah, I mean I would say, you know, from what I have been seeing over the past couple of years, third-party risk management and due diligence usually takes a back seat after a third party has been brought on board. But, you know, TPRM doesn’t stop at onboarding, and this simply makes organizations unaware of future third-party risks which, if left unmitigated, can lead to critical issues that could significantly affect the reputation of your organization, and it really doesn’t matter if the liability is on the third party’s side, because, you know, ultimately the company that engages the third party is held responsible by regulators and customers for not identifying and addressing the issue. So I would definitely say that an effective TPRM process follows a continuous life cycle for all relationships and incorporates different phases. So you must have controls in place to manage this risk throughout the third-party risk management life cycle. But that means you also need to think about implementing several elements, right? So what I would say is you do more frequent monitoring throughout the third-party relationship, but each individual risk pillar will probably perform their own risk tiering of each vendor engagement. And that risk tier will then guide the appropriate level of the ongoing risk pillar oversight and controls reassessment frequency. Right? So I guess, you know, the most important success factor is to structure and formalize continuous monitoring activities based on the risk level, and then, you know, third parties who are classified as high risk must be monitored more closely, but also think about an automated system that could allow companies to do this efficiently. You can think about leveraging external sources. So, you know, you have all your internal screening assessments, onboarding risk assessments, and that’s all critical, but it’s also important to take information from outside of the organization.
So think about leveraging external data sources like credit ratings, sanctions lists, adverse media or negative news checks, which can provide you a complete assessment of third-party risks that would account for politically exposed person risk, private corruption risk or enforcement actions. So really leverage that technology for real-time monitoring of key risk indicators. And with that it’s also of course very important that you establish clear communication channels to address emerging risks promptly, because, you know, it could be that tomorrow something about a third party you work with will be alerted. So you need to have a process in place in order to, you know, escalate these matters and address those.
Scott: Yeah. Yeah, you know, we did a study. We do an annual third-party risk management study every year. Prevalent does. And it’s an agnostic study. It doesn’t promote Prevalent or anything. It’s just a straight study of kind of practices in the market. And one of the most interesting things that was communicated in last year’s study was the prevalence of assessment and monitoring at various stages of the life cycle. And it was astounding, and it followed this curve, like everybody assesses at the time of sourcing and selection and onboarding. And then once that onboarding is done, man, the drop-off is pretty dramatic. And the evidence would dictate that the next time a proper assessment is done is when there’s an external trigger event of some sort, whether there’s a disruption or a breach or something. And then everybody’s like, we got to do this again, you know, and then anytime periodically for any compliance purposes, you know. I think the holy grail perspective though is to have a nice clean and even cadence of performing that activity over the life cycle. Would you agree with that?
Samira: Yeah. And I think what organizations are also afraid of is the manual component. And that’s why I think it’s very important that you find ways to leverage technology in order to, you know, remove that burden of the manual component here. But I’m very curious what Bob is seeing in his organization relating to this topic.
Bob: Well, I think you start continuously monitoring from the day you decide you want to talk to a vendor right until the day you terminate your vendor relationship. So initially doing that deep dive, as Samira mentioned, many organizations have different pillars that do assessments before you can effectively onboard. That’s both a blessing and a curse, because one of the single biggest problems I see with
Scott: I think we lost Bob again.
Scott: Bob, you must be broadcasting from Antarctica with no.
Bob: I hear you now.
Scott: Can you hear me now?
Bob: I can hear you now.
Bob: Okay. I don’t know what happened there, Scott. That was a weird one. Anyway, what I was saying is, you know, you monitor from day one. You monitor through the life cycle, and you really, really need to ensure, particularly for those critical relationships, that you monitor on an ongoing basis across all of the risk disciplines. So it’s not just security, it’s not just business continuity, it’s finances, it’s your operations practices, it’s compliance, it’s ESG. You need to have a holistic view and it needs to be ongoing and continuous if you’re going to effectively manage risk. The other thing that goes with that is initial onboarding with all the different pillars that look at risk slows down the whole onboarding process. One way to help get a jump on that is right when you decide you’re going to work with a vendor, start your continuous monitoring there. See what, you know, with the tools and processes you’re using, you can learn about that vendor before you even establish the relationship, because that might give you very good insight and also suggest several things you need to address contractually before you move forward.
Scott: Great point. Keeping our conversation moving here. I’m going to pull the pin on this one. The million-dollar question of the day. Where does third-party risk management belong? You know, I mentioned that study that we do on an annual basis, every spring, and the results said that invariably security will own most of the assessment process but procurement owns the relationship. That’s not real clear, you know, and I can anticipate a little bit of head-butting inside the organization as to priorities and whatnot. I’ll start with Samira. I mean, what’s your perspective on that? Where does it belong? And I think maybe we answered that question on the slide here, but I’d love to know your thought on that.
Samira: Yeah. I mean, I think this is always a very controversial topic and I don’t think there’s one good answer to this, but what I do believe is that the placement of third-party risk management within an organization can vary, right, and the optimal location often depends on the organization’s structure, priorities and risk management framework, and it can definitely fall under different departments, each bringing, I would say, its unique perspective and expertise. So, you know, one of the baseline questions organizations can ask themselves is, you know, who has visibility on TPRM, whose name is on the contract, is it a business risk? And I think, you know, depending on where you place TPRM, there are pros and cons to it. You can think about, you know, if you look at legal and compliance, for instance, the TPRM approach will be more focused on regulatory adherence, contractual obligations and legal risk associated with third parties. But the downside of that is that it might not fully address operational or strategic risks and could, you know, miss the broader context of risk management. So what you can do is, you know, you place TPRM under procurement, which then emphasizes the operational and strategic aspects of the third-party relationships, you know, considering also factors such as performance, reliability and cost, but then in turn you have the risk of under-emphasizing, you know, non-operational risk or, you know, cyber security compliance if not adequately integrated. But I would say, you know, my advice would always be, from what I’ve seen working, a shared ownership, so cross-functional, you know, TPRM responsibilities are distributed across multiple functions, ensuring a holistic approach that considers various risk dimensions, right. So I think what is very critical is coordination and communication, you know, and building effective governance around that.
I think that, you know, whatever you decide as an organization, that’s critical, you know, clear roles and responsibilities. And build good, effective governance around that.
Scott: Indeed. Yeah. Bob, you feel the same way?
Bob: I do feel the same way. I think it’s important that whoever has, let’s say, an end-to-end view into vendor relationships is the most logical place to put it in the organization, and that’s going to vary by organization. So it may be the procurement organization, it may be the CEO, it may be legal, it may be compliance, it may be security, but who really has the most holistic view and understanding of the totality of the relationship, wherever that lies is the best place to put it.
Bob: You know, increasingly I see that occurring in the procurement and sourcing organizations, but they do have to take into consideration all of the factors that Samira mentioned. And that’s why understanding your stakeholders and taking a broad view of who your stakeholders are matters. When I think about stakeholders for information security, I’m thinking about legal. I’m thinking about compliance. I’m thinking about privacy. And, you know, at the end of the day, who’s responsible for the relationship? Well, the person who’s responsible for it is the person whose name is on that contract. At the end of the day, they have the ultimate responsibility. And while they can outsource some of the functionality, they cannot outsource their accountability or responsibility for the relationship.
Scott: Yeah. Yeah. Great perspective. And, you know, I love that concept of the cross-functional team, Samira, that you mentioned, and Bob, to kind of meld your approach, to have a chairperson of that committee whose name’s on the contract, right, everybody has their hand on the plow that way and can direct the direction of the field.
Bob: There’s only one person pushing that plow though, and that’s whose name is on the contract.
Scott: That’s right.
Scott: You know, just a couple more questions here as we’re kind of getting near the top of the hour in our allotted time. You know, let’s kind of play queen for a day or king for a day. And you know, if you were granted a blank slate to build a TPRM program from the ground up, you’ve got a blinking cursor, a blank Word document, an empty spreadsheet, you understand what I’m saying? Okay, Samira. Okay, Bob, what are the three things that you would do right away?
Scott: Sam, we’ll start with you.
Samira: Yeah, I can start. Well, the first thing coming to my mind is, you know, you need to.
Samira: either Am I.
Scott: Yeah, go ahead Sam. You’re good.
Samira: Define your, you know, vision and strategy from the very beginning when building your TPRM program. Think about, you know, what is your north star and work towards that. If your goal is to build an integrated and coordinated framework to manage risk effectively and prevent, you know, or mitigate negative outcomes such as financial loss, reputational damage, legal action, make sure you embed those checkpoints. You know, are you actually doing that? Is what I’m doing actually needed? But, you know, you’re asking, you know, you have a blank paper and, you know, what are the three priorities coming to mind? I would always start with governance. And with governance, it’s, you know, it’s quite broad, right? But I’m thinking about, you know, clear roles and responsibilities. You know, build your case to get buy-in from senior management because, as I said earlier, you know, who’s doing the work and where do you create the accountability, and, you know, the business is there to make money and, you know, to sign as many contracts as they can. So there needs to be some benefit there for the business. I think you definitely need some buy-in, but also think about, you know, working groups and committees in order to operationalize your program. I think that’s very critical. You know, what is your operating model? How do you define your TPRM capability, and how will it interact with your stakeholders? You know, you can think about, do I want a centralized program or do I want a decentralized program or a hybrid program. So I think that’s all critical to be defined first, and then also secondly, you know, define your scope and understand your vendor landscape.
Because, you know, we spoke about it a lot over the hour, you know, your vendor landscape is absolutely important in order to define, you know, what are the risks to your organization that may arise from your third-party relationships, and that also, you know, assists in kind of the resource allocation for your risk management efforts, because you cannot do it all. And then thirdly I would say, you know, think about what you already have. Can you leverage something, you know, what’s working, not working, build a program around that. Maybe you can think about using existing tools or processes to ensure seamless integration within the organization. You know, sometimes it makes it easier for stakeholders to incorporate those, you know, into their daily tasks, or it avoids siloed processes, and it basically enhances your collaboration across the departments. So those are the three things that I would start with.
Scott: That’s great. You know, Bob, how does that align with your three priorities?
Bob: There’s definitely overlap. Governance is an important factor that you need to take into consideration. You do need to understand what the scope of your program is. You know, what are you going to look at? Where are you going to focus your efforts? In the beginning, you’re going to have limited resources. It’s important to think about technology and automation because of the volume of data you may be dealing with, and on an ongoing basis. Manual processes are not going to cut it. So automation is an important aspect that you have to factor in. But if you’re going to think about automation and tools, you have to ensure that you understand how they’re going to fit into your existing operational process workflows. If you haven’t thought that out, your tools, your software is going to become shelfware. It’s not going to be effectively used. The other thing is I would start doing management reporting right from the beginning of the program. And I would use a very simple framework to do that. A four-page report. Page one, what I’ve done in the last reporting period. Next page, what I’m going to do. Third thing, roadblocks to my success. Management, this is what you need to do to help me. Because it’s that management engagement that’s going to create motion and prevent you from getting what I call started but stuck. So you need that engagement. And then finally, what do you need to make your management aware of?
Bob: If you do that reporting, then it’s hard for people to run away. You might say, “What can I report on in the beginning?” What you report on is all zeros. Well, you know what? That sends a message. I’m not making any progress. And if management looks at that and does nothing, well, that’s the time to start looking for another job, because you’re never going to get the support to get things done in this place.
Scott: Yeah.
Bob: So that holds everyone including your management accountable and I think that’s really important because there’s a lot of work going on.
Scott: Absolutely. It’s the art of managing up.
Bob: Right.
Scott: That’s right.
Bob: And this is this is a space where if you don’t manage up well, you’re going to have problems. You’re not going to be able to achieve your goals. Plain and simple.
Scott: Yeah. Yeah. I’d say one final question for the two of you. You know, what do you think are the biggest mistakes that orgs typically make in third-party risk? You know, what do they overlook and how do they overcome that? I think this is a good question to draft off of the last one where we talked about kind of your three priorities, but this is kind of a different way to look at it. What are the three mistakes organizations make and kind of how would you resolve that? You know, Bob, I’ll start with you.
Bob: Compliance versus risk is always number one.
Scott: Yeah.
Bob: So, you know, if you’re just doing your program to ensure you comply with some kind of guidance or regulations, you know, that’s a waste of time. You know, too many times people say, “I did my risk assessment, my work is done.” The risk assessment is the prerequisite for the real work, which is the remediation of identified issues, because it’s only by doing that that you actually reduce risk.
Bob: The second thing that I would talk about is what I refer to as the unfettered growth in the number of third parties used by companies. Too many times companies don’t take the time to say, “Well, do we already have a third party that provides that service?” And in that process, the simplest way to decrease risk and reduce your budget is to reduce the number of vendors that you allow to have access to your information and to your networks. It’s that simple. Because if you just allow new third parties to be added endlessly, then you’re just making work for yourself and you’re not helping your business, and your risk profile has increased dramatically. Those are the kind of things that I focus on.
Scott: Yeah, Sam, does that line up with what your concerns are as well?
Samira: Yeah. No, I fully agree. You know, I see a lot of organizations struggling with, you know, what level of risk assessment and due diligence they need to perform, you know, performing an extensive due diligence on a cleaning company. You know, that’s something that I’ve seen that’s just, you know, not making the best use of your resources. But, you know, maybe also, you know, a little bit from a different perspective on some of the challenges I have seen is, you know, companies often, and maybe this is across industries, there’s a lack of kind of standardization, you know, across industries. So for companies it’s quite difficult to benchmark their TPRM efforts and share best practices. So I think it’s always good to, you know, get into the room with, you know, your peers and understand okay, what are you doing, and kind of benchmark your processes. I think that’s very critical and something that I would suggest everyone look at, you know, to make it more effective, because there’s a lot, you know, companies can do better or do, you know, more effectively or more efficiently. So yeah, definitely, but fully agree with what Bob is saying. That’s exactly what I’ve been seeing over the past years as well.
Scott: Awesome. Awesome, gang. Hey, we’re nearing the top of our time together today. But what I want to do is make sure we open it up for questions. So Ashley, I don’t know whether you want to triage a few questions here and ask a few that we’ve got built up. While you’re doing that, I am going to just put up a single slide and scan through a little bit here of how Prevalent can help. So, just a real quick overview. You know, what we do from a third-party risk management perspective is help you deliver the insights, the automation and ultimately the ROI and the results that you need to demonstrate third-party success throughout, you know, the third-party risk management life cycle. And we do that through expertise, through the data that we have in our platform through completed assessments and inputs, as well as the automations and workflows built in our platform. So, Ashley, look, I’ll just kind of pitch it back over to you. I know we’re at the top of the hour. I don’t know whether there are any questions we can kind of sneak in here at the top of the hour.
Ashley: Yeah, of course. I went ahead and launched our second poll while you were talking, Scott. We’re just looking to see if you guys are interested in augmenting or establishing a TPRM program within the next few months. And please be honest, because we do follow up with you. But yes, let’s go ahead and get through some of these questions. So, someone asked, “Do you recommend using alerting or monitoring technology on your third parties?”
Samira: I mean, I’m more than happy to answer that one, at least from a, you know, compliance perspective. Yes. But that also depends on, you know, the type of monitoring or ongoing monitoring I think organizations want to do, right. I mean, one of the basic or, you know, minimum requirements, you know, is you will always do your sanctions screening of your third parties on an ongoing basis, you know, and if they hit in the sanctions list, you know, you get an alert out of it, or ensuring that you don’t pay out or contract with a sanctioned individual in a restricted jurisdiction, for instance. So these are I think the bare minimums that you need to include in your program. But, you know, you can always take a risk-based approach and say, “Hey, I’m working with parties that are higher risk from a bribery and corruption perspective. So I want to do a more enhanced screening on those third parties.” I don’t necessarily think that that needs to go through ongoing monitoring. I think you can decide to do a yearly or a biannual check and an extensive due diligence on these third parties, or screen them against politically exposed persons lists to mitigate those risks.
Ashley: Thanks, Sam. And then Bob, one more question. How would you go about managing third-party vendors that are politically influenced?
Bob: I’m not sure I understand the context of politically influenced. I don’t know if someone can elaborate on that. That’s a strange phrase.
Ashley: We’ll give them time to elaborate in the chat and move on to another question.
Ashley: Um, have you seen a good way to track and use SBOM for risk analysis and followup?
Bob: I think that’s something a lot of people are focused on right now. I myself haven’t seen anybody do that particularly well yet, but it’s an emerging area. It has to be dealt with. I think it’s one of the biggest risks that we’re not addressing well. So, it’s important to understand the software, the API interfaces, everything that people might be using, but I haven’t necessarily seen a good way to do it. My first thought is you always focus on contracts, and if you can capture it in the contract, that’s the best way to start.
Ashley: Excellent. Thank you, Bob. Well, unfortunately, we’re at the top of the hour. So thank you, Samira, Bob, Scott, and everyone for all of your questions. They gave us some great information to take in today. And I hope to see all of you again, either in your inbox or at a future Prevalent webinar.
©2026 Mitratech, Inc. All rights reserved.