Description
In this edition of the FCPA Compliance Report, Tom Fox takes a deep dive into the Prevalent 2024 Third Party Risk Management Report with Brad Hibbert, the Chief Strategy Officer and COO at Prevalent.
Hibbert drives Prevalent’s product vision and strategy development, which draws from the Third Party Risk Management Report. The Prevalent Report outlines the complexities of managing third-party vendor relationships, highlighting the various phases involved, such as onboarding, contracting, and offboarding.
Speakers

Tom Fox
Host

Brad Hibbert
Chief Strategy Officer and COO at Prevalent
Transcript
Tom Fox: Hello everyone, this is Tom Fox, back for another episode, and I’m thrilled to have back with me Brad Hibbert. Brad is the president of Prevalent, and more importantly we’re here to talk about Prevalent’s third party risk management study. So Brad, first of all, welcome back.

Brad Hibbert: Yeah, thanks for having me back. It’s great to be here.

Tom Fox: Brad, this is an annual study done by Prevalent. It provides a lot of great information for the compliance professional, both in terms of what’s going on out in the marketplace, at least as you guys see it. But the thing I like about it: one, you get to see what’s going on in the marketplace; two, you can benchmark your program against what others are doing along the lines of best practice; but it also maybe gives us a teaser or hint as to what some of the biggest challenges are. So with that, could you tell us what the report is, how you guys generate it, and maybe even why you do it?

Brad Hibbert: Yeah, sure. So this is the fourth year that we’ve done the report. Again, one of my roles is chief strategy officer, so part of that is working with customers and analysts and partners, making sure that we’re building the right solutions. What the report allows us to do is cast a wide net to really understand the broader challenges that organizations are coming across, to make sure that we’re building a strong foundation to help customers overcome those challenges, but also to make sure that we’re on the forefront of innovation to really handle some of the upcoming challenges and opportunities that we’ll get into a little bit more today.

Tom Fox: So let me start with: were there any surprises in what you found, or is it almost consistent with what you were hearing from your customers and clients for the past year?

Brad Hibbert: Yeah, we’ve been doing the report for a long time and been in this space for a long time as well, and I think one of the biggest surprises, which we can certainly talk about in a bit more detail, is just the number of respondents that are still relying on spreadsheets and doing this manually. So I think that was probably one of the biggest. I think the other one is that the third party space continues to mature, but the other observation is that the programs in the market itself are still somewhat fragmented. So we’re seeing a lot of companies that are approaching third party risk management from different teams with different lenses, and using multiple different disconnected products to try to manage these risks throughout that third party or vendor life cycle, and again we could certainly talk about some of our recommendations in that respect. And I think the last one I’ll just mention: we always tell people to try to move beyond the compliance checkbox. So I think the last one is really that there’s a pretty significant gap between people that are identifying risks and tracking those risks and those who are remediating, performing the remediation. So I think again that kind of speaks to the relative immaturity of the market and some of the programs that organizations have in place. It’s all trying just to get the assessment under the belt, and they haven’t gotten around to actually really digging into the risk and remediating those risks with their vendors and supply chain.

Tom Fox: Let me pick up on point number two, because I see that in my consulting practice as well. Companies, for legacy reasons, will have disparate systems that really don’t talk to each other, and it really leads to a non-integrated approach. One of the reasons I’ve always enjoyed talking to you and your team at Prevalent is that you guys really talk about an integrated approach to third party risk management. You just said a little bit about that: it starts with a risk assessment, but it only starts there, and then from there you build out a risk management strategy, you implement, you monitor, and then you upgrade or update, continuous improvement as appropriate. But when you sit down with clients, do you have to have that basic kind of conversation: hey guys, this is a business process that requires a process approach, not a disparate “we’re going to do a risk assessment” or “we’re going to put in a platform” or “we’re going to do something else” where nothing talks to each other?

Brad Hibbert: Yeah, I think when we talk about third party risk management, as you mentioned, it’s not a product, it’s a program, and it really has to take into consideration the entire life cycle, from onboarding a third party to offboarding a third party. Through that relationship there are different departments that have a different lens: they have different job responsibilities, they’re interested in different types of risks, they have different workflows and processes that they follow. So how do you bring all of that together throughout that entire life cycle? We think unifying that information in a comprehensive risk profile that the different teams can tap into, and share information throughout that journey or relationship, is the way to do that. Now most people don’t want to, and you don’t have to, start with the entire life cycle, but you’ve got to pick the pieces that are most important to your organization and start there. But you have to have the foresight to look out a few years and understand where you want to take this program, and make sure you’re building those foundations today so you’re not stumbling in two or three years when you try to scale with the quality that we’re looking for.

Tom Fox: Maybe to step back and start with an even more basic question: do the people who are still using spreadsheets understand that third parties are still seen as the number one risk under anti-corruption laws such as the FCPA? It’s still 90% of all enforcement actions that involve third parties.

Brad Hibbert: Yeah, I think if you take a look at our study this year, what you’ll find is that 41% of the respondents indicated that they had an impactful third party data breach in the last 12 months, and that impact was costs associated with identifying or remediating those risks. So that’s certainly driving a lot of awareness and visibility for these programs, and why a lot of people are getting them kicked off. When you dig into it even a little bit further, what’s the top concern that organizations have with third parties? Again, 71% of the respondents indicated that a security breach, a security incident due to poor vendor security practices, is still the top concern. So I think they realize that security is the top concern. Of course compliance is another big driving factor behind this, but security risks are the top concern of many organizations, really driving these programs and the growth within the market.

Tom Fox: Could we maybe go through the top findings you guys found in this year’s report?

Brad Hibbert: Yeah, sure. So again, the idea for the report is really to provide insights to organizations. It can provide peer baselines; they can baseline where they are with their program, to let them know that they’re not alone, that other companies are facing these challenges, and then to provide actionable insights on what they can do about the challenges that they’re facing. I think from a high level perspective there are five key findings that we have in the report, with a lot of backup detail in the full report.
- The number one is that data breaches continue to be a top concern. As I mentioned before, 41% of the respondents indicated that they were impacted by a third party data breach in the last 12 months and had to perform some remedial activity because of that. This is really driving a lot of visibility to the space, especially with high-profile cases like LastPass, OpenSSL, or Okta.
- The second top concern, driving the market, is security, with about 71% indicating it as a top concern for driving the program. This has shifted from about 15 years ago when compliance was the main reason for these programs (e.g., SOX, PCI mandates).
- The third interesting finding is that about 70% reported more involvement from the IT group and about 71% indicated that infosec actually owns the program. This makes sense as programs typically start with information security teams validating security controls around IT vendors. This also suggests increased adoption of third-party risk management and efforts to standardize security practices. Prevalent views third-party risk management as another security layer, similar to patch management or perimeter security.
- The fourth finding is that 48% of organizations continue to use spreadsheets to manage the third-party process, which is less efficient and effective than automated tools, especially with constantly shifting compliance mandates. The number of people using spreadsheets is actually up about 6% since 2021. This rise, coupled with a drop in respondents doing nothing about third-party risk management (from 10% to 4%), suggests many organizations are starting their programs, often beginning with spreadsheets as a natural part of maturity.
- The fifth top finding is a significant gap in remediation activity, meaning there’s a big difference between those performing assessments and identifying risks, and those actively remediating those risks across the third-party life cycle.
Those are some of the high level findings, but there’s a lot more detail on those, Tom, in the more detailed study that you get off the website. We can certainly get into any more detail you like on those today.

Tom Fox: What were some of the key recommendations your team made based upon the findings?

Brad Hibbert: Yeah, sure. Again, there’s a lot more detail, but I think at a high level what we’re finding is that organizations really have to proactively put a plan in place and understand how they’re going to remediate, or how they’re going to respond to incidents if they occur. Working with third parties to identify and mitigate risks before impact is the most effective approach to protect organizations and customers.
- It’s likely that a vendor or supplier will be impacted by a data breach despite hard work and mitigation efforts. If this happens, shortening the gap between discovery and mitigation can reduce costs and limit risk exposure. This requires automating incident response and having plans or pathways in place.
- Recommendations include getting it in contracts that vendors must disclose breaches, as sometimes this is missed. Monitoring third parties and public websites for disclosure notifications is also good.
- For proactive measures, cyber monitoring tools can provide indicators of compromise to help get ahead of a breach by identifying vulnerabilities that can be closed off before an incident. These are basic steps organizations should have even before a more robust solution.

Brad Hibbert: I think the other thing, Tom, and you mentioned it, is to have a single source of truth, to really start to knock down those silos, whether those be technical silos or process silos between the different teams, to really extend that risk visibility across the entire life cycle, from onboarding to offboarding. Allow your teams to collaborate and really share that information to be more effective in the way that they’re handling third party risk management. So that’s another big one, and again we can certainly talk about how to do that. And you mentioned program design: give up the spreadsheets. I think a lot of people start with the spreadsheets, which is great, right? It gets you going, it lets you identify the risks, but as you try to grow and scale your program over time, the spreadsheets are just not the best way to share information. It’s very static. As I mentioned, a lot of the time when you’re creating risks out of those spreadsheets you want to map those to different compliance mandates and so on, and it’s very difficult to do that with a dynamically changing regulatory landscape. So try to get some tools in place to help you automate that process. The more you can automate the discovery, the more it frees your team up to actually do the important part, which is remediating the risks. Today I think a lot of teams are really stuck in just identifying those risks with manual processes, and they don’t have enough time to remediate the risks. So I think that ties into my fourth recommendation, which is really to push your teams and push your organization to move beyond that compliance checkbox, to try to reduce the risks associated with these third parties. And I think that as you start to grow your program to support these oncoming compliance requirements, and again, Tom, some of these compliance requirements are pushing teams to move beyond just point-in-time assessments to doing ongoing monitoring, you’re going to have more information coming in, more risks being created. The more you can automate that front end, the more you’re going to be able to start remediating those particular risks, and that could be actual remediation or making sure you have appropriate compensating controls in place. So those are just some of the high level recommendations that are covered in the study.

Tom Fox: Let me go to one of the things I think you touched on, which is having a response team, or being response-ready, should the need come for a response in terms of a breach. I talk to a lot of data security professionals who say you absolutely need to prepare, whether you have practice runs, whether you have a playbook, whatever it might be, so that if something happens somebody knows who to call, who to notify, who to get together in the room. Is that a message that you find is resonating with your clients? That, hey guys, it’s not if but when, and you really need to be ready, almost as a critical response that you would have for a physical disaster or something along those lines? Do they understand the need for a critical response team that you can immediately call into place when you determine a breach has occurred?

Brad Hibbert: Yeah, that’s right. I think it goes beyond just the breaches. That’s certainly something that we’re seeing ourselves: we do assessments and we do monitoring, and we’re finding more and more organizations, out of the gate when they start their program now, are implementing monitoring along with the point-in-time assessments. They want those continuous insights, and they’re kicking off workflows that don’t just cover the data breaches but other types of events that may happen as well. It could be things like sanctions events, it could be things like ESG violations, those sorts of things. So making sure you understand those different risks, and making sure you have the workflow appropriate to the right team that is responsible for handling those risks, I think it’s important to have those things well defined in the design and planning stages of your third party program.

Tom Fox: You’ve used another phrase I wanted to pick up on for a couple of questions as well. You talk about scale, scaling up, and I often see a company that may start with a small program, and as you suggest they may have actually started with a spreadsheet, yet when they think about scaling it through national and even international operations, that’s where the thinking really breaks down. How do you help a client think through: we either grew through acquisition, or we grew organically, or we need to roll this out across literally the globe? How do you help a company think through that process of literally scaling up their program?

Brad Hibbert: Yeah, thanks. I think a lot of it comes down to: don’t try to boil the ocean from day one. I think that’s the biggest mistake a lot of companies make: hey, I’m starting the program this year, I want to make sure I assess and remediate 20,000 suppliers and third parties around the globe in year one, and sometimes a thousand, but in practice it’s very difficult to do. So what we recommend is think about where you need to start and where you want to get your program over the next three to five years, and then get your vendor and supplier lists in order. Sometimes that’s the most difficult piece: who are your most critical third parties? So start having those discussions between the different teams to curate your third party repository, if you will. Then profile and tier those third parties, because not every third party, not every relationship, is the same, so really identify the ones that would be most impactful to your business. Maybe that’s 50, maybe that’s 100, maybe that’s a thousand, but whatever that is, those are the ones you want to start with. Then take a look at what resourcing you’re going to require internally and what you have available to you to actually not just assess them to get the risks, but to go the next step and remediate those risks. And then just plan how you want to scale it over time. If you can manage 50 this year, start with 50, which is better than doing zero; if you can start with more, even better. So we really try to show them how we can get things up and running through a pilot phase, work through those workflows that you mentioned earlier as well, make sure you really lock those down and get those efficient, make sure you implement automation so you can have different checks and balances in place, and then start to scale once those foundational elements are validated and proven. So again, don’t try to boil the ocean, but start doing something.

Tom Fox: I might actually have to cut that answer out and make it its own podcast. That was the finest answer I think I’ve ever heard. You’ve done that before, Brad. Unfortunately we are near the end of our time for this episode, but before we leave I wanted to ask you: our listeners want more information. We’re going to link to the report in the show notes, but what would be the best place or places for them to go?

Brad Hibbert: Yeah, look, you could go to our website, www.prevalent.net, and as you said, we suggest companies come up there and use the data in the report to benchmark their organization, their program, and their efforts against their peers, and try to adopt some of the best practices that we outline in the report. We also have a resources page with lots of insights and blogs on different compliance mandates and things that are coming around the bend. The website’s a great place to start.

Tom Fox: Well Brad, I wanted to thank you, one, for doing this, and Prevalent for doing this report. It’s always a great resource for the compliance professional, and I’m going to ask you, or tell you, that I look forward to our next conversation as well.

Brad Hibbert: Absolutely. Maybe ESG or something around that date would be great.

Tom Fox: Okay, thanks very much.

Brad Hibbert: Awesome, awesome, thanks Tom, thanks for having me.

©2025 Mitratech, Inc. All rights reserved.