Description
One of the best tools a risk professional has at their disposal is the contract – yet alignment between third-party risk teams and contract or procurement management is often siloed and disjointed. As organizations rely more on vendors, negotiate riskier contracts and face increased demands from regulators, it can be a struggle to connect the dots between departments.
Join Tom Rogers, CEO of Vendor Centric, as he discusses ways to bridge the gap between third-party risk and contract management.
In this webinar, Tom will help you to:
- Understand what a lifecycle approach to third-party vendor management looks like, and where risk and contracts fit in
- Identify the most common gaps that create misalignment between risk and contract management
- Discover practical processes you can follow to close the gaps and create tighter alignment between risk and contract management
- Identify key changes you can make to TPRM governance to ensure any improvements you make will stick
Aligning third-party risk and contract management can eliminate gaps in your vendor lifecycle. Watch this on-demand webinar to learn how.
Speakers
Tom Rogers
CEO of Vendor Centric
Transcript
Melissa: Happy Thursday, everybody. It’s really great to see you all start joining. We’re going to wait just a little bit for people to settle in, get connected, make sure you have your cup of coffee. I’m going to go ahead and start our first poll. There are two. So here’s our first one. While you’re waiting so patiently, if you’ve attended one of our webinars before, you know the drill. But we’re always curious to see what’s bringing you to today’s webinar. Is it educational? Are you in the beginning stages of your third-party risk program? Are you a current Prevalent customer? I know I saw some of you guys this morning already in that boat. So, just let me know. I’m going to leave that poll up there while I get a little bit of an intro started. We have a very special guest here, Tom Rogers. As you can see, he’s the founder of Vendor Centric, which is probably what drove you here in the first place. And he is, you know, considered a thought leader on vendor lifecycle management and a trusted adviser to organizations all over the US. We also have Scott Lang, our very own VP of product marketing here at Prevalent, as well as myself. My name is Melissa. I work in business development and I’m usually the one who will follow up with you after this webinar. I’ve chatted with some of you before, I’m sure. So, if not me, you will hear from Amanda or Landon or Null. So, be on the lookout for them. And today, Tom will dig into the topic entitled How to Bridge the Gap Between Third-Party Risk and Contract Management. As a quick reminder, we want to value your time, so just feel free to use the Q&A for those burning questions. They will get lost in the chat, so ensure you are utilizing that Q&A. This is also being recorded, so you’ll get this in your inbox later today or tomorrow. And lastly, you’re all muted, so use the chat if you need to communicate something that’s not for the Q&A box.
Other than that, I’ll pause this poll and I will let our expert Tom take over.
Tom Rogers: Awesome. Thanks so much, Melissa. And welcome, everyone. Good morning, afternoon, or evening depending on where you’re coming in from. As Melissa mentioned, I’m Tom Rogers. I’ll be your guide through today’s webinar. The topic we’ll be covering is really bridging the gap between third-party risk and contract management. But really we’ll also be talking kind of holistically about other components of how you’re managing vendors in addition to risk and contract, and all those other pieces that fit in, because this topic isn’t just about third-party risk and contract, it’s really about holistically managing those vendor relationships. I’ll be talking specifically about some areas where risk and contract tie in. But this whole topic around a more holistic approach to vendor management is a big area right now, as a lot of organizations are either getting something started and up and running off the ground, or they’ve got an existing program and they’re trying to take it to the next level. So, let me give you kind of a quick overview of what I’ll be covering today in the webinar. There are really three goals I’ve got. One would be giving you a sense of where TPRM and contract lifecycle management align along the life cycle of managing those relationships with third parties. So, where do those pieces come together, right? And then as you think about where those pieces come together, what are the types of control points that you can put into place to really help create better alignment between contract management and third-party risk management? And what does that look like?
And then lastly, as you’re looking to potentially put some of these control points in place, where does that fit within the overall governance structure of managing those vendor and third-party relationships, to make sure that the types of things that you do as you want to enhance controls and create better alignment kind of stick, right? And that’s where the governance piece comes in, and I’ll talk about that a little bit on the back end. The webinar is kind of broken down into two parts. The first part is really talking about the why and the what, and the back part is really talking about the how. And so, as Melissa had mentioned, if you have questions along the way, just pop them into chat. There’ll be some natural points in which we’ll break for questions, but Melissa will pop in if there’s something that comes up that she wants to bring up as well. Okay. So, with that as a background, let’s just hop in. The first part here I want to talk about is really why it makes sense to align, and where those key alignment points are in that contract management relationship. So the way we think about contracting is really that it’s broken down into two parts, right? You kind of have all the things that you do on the front end of a relationship with a new third party. That can include everything from sourcing, going out and finding somebody, determining who you want to work with. It can include diligence on that third party, so doing those risk assessments and diligence on them before you go into contracting, and it also includes, you know, the process for negotiating those contracts and deals. So all those things that happen on the front end are those pre-contract activities. Then, once you get those contracts in place, it becomes all the activities related to managing those relationships.
So it’s SLA management, it’s managing to deliverables, invoices, things like that. But it also includes things like managing contract modifications when there are changes to scope. And it also includes, on the back end, making sure that once a contract is done and terminated there’s a way to close it out and kind of remove that contract, and do it in a structured way so that you’re offboarding the relationship. So that contract management piece isn’t just once the contract is signed; it’s all the things that get done on the front end and all the things that get done on the back end, right? So, there’s a lot of stuff that happens as you’re managing these contracts with the third parties. When you think about risk, risk really presents itself throughout that whole relationship, right? There’s pre-contract risk and diligence that needs to be done to evaluate what you’re getting into and making sure those risks are identified and appropriately mitigated. And then there’s the ongoing monitoring of those risks on the back end, right? And making sure that as things come up, there’s alignment there and that those risks are being managed and mitigated and effectively dealt with as part of the general management of the contract, too. So risk doesn’t just happen at a point in time. It really happens through that whole relationship from end to end. So it’s important that those risk activities and these contracting activities all kind of come together and have tight alignment. But what we typically find in a lot of our clients and the organizations that we’re working with is that there are lots of gaps that happen along the way where misalignment can occur and risk and contracting aren’t working together. Right? So, let me give you a couple of quick practical examples of where we see that and where some of these common gaps are.
And I’ll focus really around this diligence piece here because this is probably what a lot of people are doing right now. So, think about when you’re entering into a contract, right? Everybody’s got standard contract provisions. This is one which was from a client of ours, and it’s around a term and termination provision. And you can see on the bottom part here, there’s an actual requirement that they have for the vendor that they’re working with: that vendor is going to return, or on request delete with written certification of deletion, any protected information in their control. And they even go on to say any protected information in possession of their affiliates and subcontractors. Right? So you think about the typical contract process. We’ve got, hey, we’ve got a contract. We’re negotiating with this third party. We’re asking them to comply with this. So where risk comes in is, hey, we’ve got to make sure that this third party has the necessary policies and controls to live up to the requirement. Oftentimes, though, these contractual requirements go into place and there may not have been a full risk assessment that’s actually done around these contractual requirements. Risk assessments get done kind of in their own silo. Contract standards and provisions get done in their silo, and there’s not a connection between the two. So what’s important here, and where gaps occur, is when organizations have standard contract terms, they’re not aligned to the risk assessment procedures that are done. And so something’s missing in this part of the process. And then if you look at this bottom part here where they’re requiring this of their affiliates and subcontractors, part of this risk assessment needs to ensure that they’re evaluating this vendor’s management of their own third parties, right? So how does this vendor kind of go through and manage their third parties?
Do they require those third parties to have contractual provisions that align to what the actual client is requiring of them, and do those all flow down throughout the process? Right? So this is one area where we see that there are definite gaps that happen, where, you know, vendors are being requested to comply with certain contractual requirements but the risk assessments don’t always support their ability to know whether they have the right policies and procedures to do it. So that’s one area. Kind of the flip side of that would be in cases where you’re doing a risk assessment, and do the residual risks that come out of that risk assessment actually make their way into the contract? Right? So in this case, this is another example from a client. They’re a large international NGO, and they have requirements to kind of receive and evaluate financial statements for certain types of third parties that they work with. So you can see down here they have a due diligence question where they ask whether the third party had any significant deficiencies or material findings in their most recent audit report. So the risk assessment is: did they find anything? If they do, though, what makes its way from that risk assessment into the actual contract? This is another gap that we see occur, where the folks that are actually managing the risk assessment process, whether it’s the vendor management office, third-party risk, maybe it’s finance doing this, maybe it’s infosec, are finding something up here, and there needs to be communication between those that are doing the risk assessment and those that are negotiating and actually creating the contract, to ensure that these risks that need to get remediated make their way into the contractual language. Right? So these are just a couple of gaps that we see on a regular basis where risk and contracting really need to be aligned and oftentimes are not.
So either language doesn’t make its way into the contract, or certain risk assessment procedures are not done. So the way we kind of talk about, all right, what do you do and how do you start to close some of these gaps, is really by creating structure that aligns contract management with third-party risk management, and that’s where a framework comes in. A framework enables you to really bring together operationally all the different components of managing that vendor relationship. So contract and third-party risk don’t live individually. They actually come together under a common structure and common framework in how they’re managed, right? So, there are lots of different frameworks out there for managing third parties. This is ours and the one we use. Just to kind of orient you as to how this is set up: on the outer ring here, we kind of have the life cycle stages. So, basically the different activities and flow that goes through managing the third parties, right? All the way from sourcing, through doing risk assessments and due diligence, through contracting and onboarding that vendor or third party, making purchases, doing ongoing management and monitoring, all the way through termination and offboarding, right? So, the stages are kind of the different activities that need to get managed that are inclusive of third-party risk and contracts. And then the inner part is really the operational governance that holds it all together. So these are where you’re creating policies and standards, right? They’re not standalone policies for contract and not standalone policies for risk, but really policies for managing that end-to-end relationship, supported by standards, supported by procedures, supported by the people, skills and training that need to get the work done, the technology and reporting that you need, all the way through kind of oversight and management of everything as well.
So this framework creates kind of the glue, I guess, or the structure that pulls everything together and helps to support that alignment of the third-party risk activities with the contract management activities. Right? But within the framework and within these different areas, there are really certain key points that are really important to align contract and third-party risk management together. Excuse me. Because while they happen throughout the whole process, there are specific points in which third-party risk and contract management really come together, and that’s where the alignment truly needs to happen. So as you think about the framework and as you think about where those points are, there are three that are really important. One, obviously, is when you’re doing the initial risk assessment and you’re doing the contract development, right, and I talked to that kind of on the early stage there. Not only do we need to make sure that any contractual provisions that we’re requiring the vendor to comply with are kind of evaluated from a due diligence standpoint, but anything that comes up from a residual risk standpoint also makes its way into the contract when contractual language is required. So, this is a key point of alignment. The second key point of alignment between risk and contracting is once that contract’s up and running, kind of the ongoing management and monitoring of both risk and contract performance, and making sure that there are the right procedures established and the right communication happening to kind of take risks that come up and take contractual issues that come up, and have those folks coordinate on those to manage those effectively as well. Then the last area of alignment is really on the back end here, and that’s the termination and offboarding.
And I think as I think about the types of organizations that we’re working with, we have some clients with some mature programs, but we have a lot of clients that are just on the front end of this and just getting things going. And I think this last piece, this kind of termination and offboarding, is where we see the least maturity out of most of our clients. There’s no formal structure in place to go through and really ensure that all contractual obligations have been met, and certainly that all those risk pieces that are still in the contract, like data destruction, like maybe return or transfer of intellectual property, things like that, happen in an organized and structured way so that there’s a de-risking of that relationship, right? So that’s a key point of alignment in the life cycle as well. So really, as we think about where contract and third-party risk can come together in a much better way, it’s these three places that we really focus on, and then really determine what types of practical processes and controls should be in place to help support that alignment better. And so that’s what I’m going to kind of start getting into on the back end of the presentation here. But I wanted to just pause for a second. Melissa, I know some things have been coming in through chat a little bit, and see if there might be any questions so far.
Melissa: Nothing too pressing at this very moment. Everyone’s just excited to get a hold of the slides at the very end. So I’ll defer to you on that and see what you’re comfortable with. But so far positive engagement. So I’ll let you continue.
Tom Rogers: Okay. Awesome. Awesome. So that’s kind of the high-level stuff, right? We’ve got, you know, there’s a why to connect third-party risk with contracting. There are different points in the relationship that are really critical to make those connections. So now it’s a matter of, all right, what do we do? How do we make these connections better? What are some of the control points that are important? And that’s what I want to focus on in the second part of the presentation here. So I’ve got kind of four control points I wanted to go through with you. And I’ll start with the first one here, which is contract approval. So, as we think about that, I’m just going to go back for one second. We think about this initial risk assessment and contracting here. It’s like, how do we make sure that all the residual risks have made their way into the contract? And the best way to do that is to have a good control point during that contract approval process, right? Because that will help ensure that the residual risks kind of get remediated. We’re looking through contractual language to make sure that they’re in there and everything’s kind of buttoned down before you actually execute that agreement with the vendor. So, practically, how that happens is through some type of control during the approval process. What you’re looking at here, I’ve pulled some illustrations out just to share with you guys. This one is a sample form from one of our clients. It’s a large insurance company.
They’ve actually automated this, so it’s not a manual form, but the form basically, when they get to the approval of a contract, they go through a process of kind of collecting some basic information about the contract to start building out the profile: executive summary, contract name, things like that. But you can see down here in this bottom section, before the contract gets approved they’re also doing some things around governance and risk management for the contractual relationship going forward. And so what they want to do here is not only make sure that the residual risks make their way into the contractual language, but they also want to make sure that there’s a control to do things like assign a contract owner, which is this designated relationship manager, right? So they actually ensure that somebody post-contract is responsible for actually managing those deliverables, and actually calling them out and assigning that responsibility, which sounds like pretty basic stuff, but in a lot of cases there’s a lot of uncertainty and confusion about who actually owns that relationship and that contract. And so tightening that up here, to make sure that they’re responsible for kind of risk oversight and contractual oversight, happens here. And they do some other things here as well around segmentation and whether the risk assessment was done. And then this last piece here in the red part is really making sure that there’s a step in the process, in this case it’s their vendor management office, where they’re actually verifying that the risk assessment was done, that a residual risk analysis was made, and that anything that came out of that analysis that needed to make its way into the contract was done. So the VMO kind of does this sign-off, and if there are any issues they come up with, they’re the ones that are kind of the quarterback spearheading figuring out what needs to get done before that final contract approval. Melissa, I saw you popped up.
Melissa: Got a question for you. So, one of the biggest challenges I typically see is with contracting and due diligence either being done in parallel, or contracting to commence after a green-light assessment, which can take time, which is the issue there. In your view, what’s the cleanest method for contracting/assessing: either in parallel, where the agreement can be negotiated but cannot be signed until assessment concludes, or a waterfall approach, where contracting does not commence until all assessment due diligence has been sanctioned or approved?
Tom Rogers: Wow, that was a really good, well-written question. That was great.
Melissa: I didn’t write it. So,
Tom Rogers: Yeah. No, that was great. Awesome question. So, here’s my two cents. I think practically they go in parallel, right? I mean, look, business owners need stuff. They can’t wait for a full due diligence to be done to start negotiating a contractual agreement. So practically what we typically see happen, and what we generally recommend, is that contracting go hand in hand with the due diligence, right, so that you can move these things along, but there’s a final check and a pause at the end to make sure that the contract can’t actually be executed and signed until there’s an approval process and diligence has been completed and any residual risks have been addressed as well. So, we typically see that they go in parallel, and think that’s the most practical way to deal with that.
Melissa: Perfect. And do you have time for one more?
Tom Rogers: Sure.
Melissa: An easy one for you. What does vendor segmentation mean?
Tom Rogers: Okay. In this case, vendor segmentation is really their risk, sorry, is really their risk tiering. So, they use a high, medium, and low risk tier that comes out of their inherent risk assessment. And so that’s what they’ve established here. This was a manual process. They basically created the form and then they put the form into their software platform to automate everything. So the risk assessment gets done, the risk tiering gets done automatically, but they wanted a placeholder to make sure that that was included in the profile of the vendor.
Melissa: Perfect. All right. I’ll let you continue.
Tom Rogers: Sure. Hopefully that answered those two questions. So, thanks guys. Keep the questions coming. That’s helpful. So, this first control point around contract approval is important. This is where we’re aligning contracting with the risk piece. So, some keys to think about here. One of which is to make sure that the process is actually documented, right? A lot of times the misalignment that happens and the gaps happen because there is no documented process and there’s no clarity on roles and responsibilities and who’s to do what. So, documentation of that, and being clear on the process with a supporting form or workflow, is really important, right? Secondly, in a best-case scenario, you would also have contractual standards that kind of match back to some of your most common residual risks that come up. So that, for example, if you’re going in and you’re doing a risk assessment and you would normally expect that the vendor would have a SOC report, and let’s say they don’t have a SOC audit, what are you going to do, right? There’s probably some additional diligence that you might do, but you also might have some contractual language that says, you know, you’re allowed to come out for an on-site visit, things like that, right? So if you know what those contractual standards are when some of your most common residual risks arise, you make that process a lot smoother, and it makes it much easier to kind of bake those into the contract once your risk assessment is done. So that’s a second thing. And then the third thing is making sure not only that the risk assessment process is documented, but that the contract review and approval process is documented as well. And, you know, where the misalignment can happen is if you’ve got third-party risk policies and procedures and contract management policies and procedures.
Our approach, and how we work with our clients, is we bring everything together into one set of holistic policies and procedures for managing the end-to-end relationship. So that includes everything from sourcing, through risk assessments, through contracting and onboarding and oversight, all the way through the back-end contract termination and offboarding as well. So to the extent that you can not only define these but bring them together into one holistic view of managing that end-to-end relationship, that really helps as well. But documentation here, and having these standards, is a big part of supporting this contract approval control. Okay, so that’s control point one, and that’s dealing with the front end prior to entering into a contract. The second control point that I wanted to talk about is really on the contract management side, once the relationship begins, right? So, here’s where we want to have a process in place to kind of communicate and escalate risks that present during contract management. And this is where we see a lot that communication starts to break down, because you’ve got different people in different roles and different departments within the organization that are doing different types of oversight and monitoring and management of either risk or the contract, and they’re not kind of talking to each other, and there’s no process to be able to support them to do it. Right? So in this case, this is just a screenshot. This is actually from the Prevalent platform that monitors certain types of risks, right? So, you know, in this case you might have a vendor that’s being monitored and some issues came up around regulatory and legal risks. So what do you do, and who’s monitoring this? Is this the vendor management office that’s monitoring it, or third-party risk? Is this compliance that’s monitoring it? Is it the business owner? Right?
So, who’s kind of monitoring the different pieces that happen during contract management? And how do you have a system and a process to be able to bring those together to kind of make some decisions and escalate them? So, the alignment here is really about creating structure to this process and being clear on who’s monitoring what and how to escalate issues as they come up. Some of the keys that we kind of talk about here during this contract management process, again, it gets back to roles and responsibilities on who’s doing the monitoring. And this is especially for newer programs that are trying to figure out kind of the roles of different subject matter experts, and who looks at financial statements versus who monitors systems like this versus who’s monitoring information security risks, things like that. It’s creating those roles and responsibilities as to who has those responsibilities, sorry, as well as the contract and the service level agreements and deliverables, which is typically the business owner. So clarifying those is key. And then once you’ve clarified those, being able to have systems so that when those risks come up, when those issues come up, they can either be automatically identified in the system and then communications kind of go out to provide line of sight to all the different stakeholders involved, or a way that if a risk presents itself and needs to be, say, manually entered into a system, like a contract problem, it can actually be entered into the system and then some communication goes out to provide visibility to all the different stakeholders as well, because it’s all about providing line of sight and keeping those communications open as to what’s going on. And then once things come up, it’s really figuring out, all right, is this issue something that needs to be dealt with or not? And if it is, who kind of runs point on all of that?
And this is a big challenge for a lot of organizations, especially if folks are trying to push it down to the business owners, because the business owners are typically not going to be the ones to know how to deal with a lot of the issues that come up. They’re not information security experts, they’re not financial health experts, right? So, who runs point to actually determine when a risk requires escalation and how it gets dealt with? Our approach is that it should really be centralized somewhere within the vendor management office or the third-party risk group, and that they should be the quarterback to figure out what to do with that and to get the right people involved in the process, so that you’ve got all the right stakeholders that can kind of come together, make decisions, and decide what they want to do. But having the vendor management office or third-party risk office, whatever you might have in your organization, kind of be the quarterback to do that, right? So, they’re running point to figure out how to get the risk dealt with. And that might mean contract modifications, right? Or it may, in a worst-case scenario, potentially mean contract termination. So, the last key around risks that might come up during contract management, and how to deal with them, is: if you have risks that can potentially be dealt with through some additional controls, great. If there are requirements you need to place on the third party to be able to do that, do that through mods in the contract. But you also want to have a way that if something does come up that is beyond your risk appetite, that’s really going to create an issue, the contract vehicle needs to have a way for you to be able to get out of it when that happens. The most common way to do that is through some type of, you know, termination for convenience language. Generally there’s always stuff in the contract for termination for cause.
But you want to give yourself some flexibility here in the contract so that if there’s something that just can’t be mitigated and you need to get out, you have the ability to do that. So this control point is all around when risks present. How do you kind of centralize? How do you have line of sight to the right stakeholders? Who should be the quarterback to figure out what to do with them? And then how do you modify or get out of the relationship if you need to? So these four keys kind of support this whole contract management control point here. Okay, pause there. Melissa, any questions on that?
Melissa: Yes, actually, perfect timing. In your experience, who usually owns the ultimate decision to accept a certain level of risk (flagged by DD) that ends up contracted? Is it business stakeholders? Does legal or a TPRM team have a veto right? Is there a risk committee?
Tom Rogers: Yeah, that's a great question as well. Honestly, it's all over the place. And it depends, I think, partly on the size of the organization and the maturity. Ultimately it depends on what the risk is. So there should be a process in place for the appropriate stakeholders to make decisions on whether to accept the risk or not, and that could be a committee. Some of our clients have risk committees or third-party risk committees where, when a risk presents itself that can't be resolved by, say, the VMO and the business owner, it escalates to that committee and they can collectively make that decision. So the committee might include folks from vendor management or third-party risk, compliance, potentially legal, infosec; there are different folks that can be on that committee. A lot of our clients, though, don't have as much structure. I think that's typically reserved for larger, more mature organizations. So they do it in a little bit more of an ad hoc way. And usually the way that happens is that whoever is running point in the vendor management office is responsible for bringing together the right stakeholders based on what the risk is, and then collectively those stakeholders make that decision together. So the business owner is really not making that decision. They obviously have to have a say in it, but we don't want them making a decision around something like an information security risk, right? We really need infosec to have a role in that, or for a compliance risk, or something like that. So it's that VMO that runs point and brings those stakeholders together, and that's typically more on an ad hoc basis as those needs arise. What they do is identify who all the stakeholders are and their roles, so that when those issues escalate, they know who that ad hoc group is that comes together.
So that's a long answer. I'd say I've seen it both ways. I see less of the committee structure unless you're really a larger, more mature organization.
Melissa: Perfect. Thank you.
Tom Rogers: Awesome. Thanks, Melissa, and thanks for the question. All right, so let's see. How are we doing on time here? All right, so I'm going to go through the next two control points, and then I'll pause for questions there, and I've got one thing to finalize from the back end. So, control point three. All right, so we talked about risks that present. What about contract mods? This is an area where I think it's easy to have a gap come up, especially when there's a scope change, right? So what we're concerned with here is that a business owner goes through and does a contract mod that changes the scope of the relationship, and that may bring more risk into the organization based on the scope change. And if there's more risk brought into the organization, there needs to be an alignment and a pause with third-party risk to say, hey, we're making a scope change. Let's just say we hired a vendor to do a project and now we want to outsource something to them, right? Or we hired a vendor to do some initial consulting work and now we're going to be buying software from them. So that scope change potentially creates a different relationship with more risks, if you're outsourcing something or if you're leveraging technology. Maybe the front-end diligence that you did didn't include those aspects because they weren't present in the initial scope of work, but in the new scope of work they are. So this modification alignment is important here. And it's basically saying, look, when we have a contract modification, there needs to be a process in place to stop, see what the scope change is, and decide whether it changes the nature of the relationship to the extent that we need to reassess the risk. Right? So in this example, this is just a sample change order from one of our clients again.
And they've made some change where they're licensing and implementing some software, right? I cleaned this up a bit. But that would be one example. So what we really need to do is pause and make sure that whoever's managing the contract mod notifies risk that the mod is happening, and that they're able to get together and really look at the details of the scope change. Is it enough that it changes the inherent risk that we're accepting, and do we need to go through and do an additional level of due diligence based on this modification? Right? So that's what we're getting at there, and what we want the control to be. So some of the keys here, again: process. Making sure there's a documented process for contract mods, right? And that there's also a process to go through and redo that inherent risk assessment to see whether there are new risks that need to be assessed based on the scope change, and, if there are new risks and the due diligence shows that there are some residual risks that need to be remediated, that we bake that into the contract. So it's a similar process to what we talked about before; it's just happening for the modifications. So that's a control point that's important around the mods. And now, as we work our way through the relationship, we're on the back end and you're getting towards termination, whether the termination is proactive, where you're doing it because of a breach or for convenience, or whether the contract is just naturally expiring. That last control point that we want to get in place is to make sure that as the contract winds down, whatever risks remain are being alleviated from the relationship, to the extent that you can, as the contract obligations are being closed out as well. Right?
So this was the same example I showed you earlier around term and termination, where they have to return or delete, with a written certification, all the PI, right? So in this case, risk needs to be aligned with contracting to make sure that this was actually done. They get the attestation, and that risk can be removed from the relationship: that third party either no longer has that data, or they've returned it, and they've attested that they've done it as well. So syncing up here is really around making sure that there's a formalized, documented process. You can sense a theme here, right? Documentation. And then one of the things I didn't mention is, based on the nature of the relationship from a risk standpoint, you also want to make sure that if this is a critical vendor that you're terminating, you should have a contingency plan in place already for the vendor, and that the contingency plan was enacted prior to termination. So if you're winding down a relationship with somebody that you've outsourced something to, or if they're providing key software, there's already been some discussion and planning in place on how you either have a new vendor in place to handle that outsourcing and provide the software, or maybe you're going to bring some of that in-house, so that there's no risk of pausing or creating problems with operations when that vendor's contract is terminated, right? And we've seen some issues with this before, where something happened with a vendor, somebody moved quickly to terminate, and then the client was left with a major disruption to their operations that they had to quickly try to resolve. So contingency plans are important here.
Also, a lot of focus with risk management and risk assessments is around data, but remember there are lots of non-data risks that need to be addressed as well. So that might be transfer of intellectual property, if there is any, or something as simple as badging, right? Did a vendor have access to your office? Okay, get the badge back so they no longer have access, or turn off those rights. So all these things should be factored into a formal termination and closeout process that's documented. And then there should be some final control in place. Again, oftentimes the vendor management office can be the quarterback on this; the business owner might be running it and responsible for it, but somebody needs to just make sure that everything's done. And while organizations will try to push that on the business owner, practically it just won't happen, because they either have too many things on their plate or they're not going to be held accountable for it. So if you have a function like a VMO that can support this, it's great if they can provide that final check as well to make sure all these things are done: you've de-risked that relationship as well as gotten all the contract deliverables and obligations that the vendor was responsible for. So connecting those dots around de-risking and offboarding the contract here at the end is important. Okay. So, in summary of those control points, as you think about that life cycle: during contracting and onboarding, we need an approval process where risk and contract management come together. Again, around contract management, when risks present, they need to be escalated, and how does that make its way into the contract if needed. The third one is around the modifications.
If there are scope changes that need to be addressed, they are in the contract. And then lastly, it's making sure, as the contract winds down, that all the de-risking activities happen in concert with that as well. Okay. So those are my thoughts on where the alignment's really important between third-party risk and contracting, and some of the things you can do from a control standpoint to support that. Obviously, all this stuff really needs to be baked into some type of structure that is the glue that holds it together, so it's not just done in an ad hoc way. And so that's a good segue into my last point, which is really: as you think about all the different places where you need to make that alignment, how do you make sure they fit together and stick? And that's where governance comes into play. So this is the inner circle of the framework that I showed you earlier, where really it's the glue that ends up holding all those activities together. So when I talked a lot about documentation, policies, and procedures, again, bringing everything together into one common set of policies and procedures for managing these vendor and third-party relationships is where you can start to really get alignment between CLM and third-party risk. Don't treat them as separate. Bring them together into a common set of policies, standards, and procedures. Right? Secondly, and a lot of our clients find this very helpful, as you're starting to build out roles and responsibilities, one way to make that more granular, with a lot more clarity, is to create RACI charts. RACI stands for responsible, accountable, consulted, and informed. And it's just a way to really define which stakeholders are involved in different parts of the process around contract and third-party management, and what they're supposed to be doing.
Are they responsible for something, or should they just be consulted and informed? Creating that clarity so everybody knows what their roles are throughout third-party risk and contracting, right? Then a third piece on the governance side that helps hold it together is to really establish and integrate systems around managing vendors, both from a risk and a contract management standpoint. And so that could either be two different systems that talk to each other so you have one source of truth, or it could be one single system that allows you to support both those contract and third-party risk management activities, which would make it even easier. But you can't have contract systems and third-party systems live separately. They should be coming together to create a cohesive source-of-truth view for that relationship and all the activities that need to be involved. And then on the back side here, you think about the structural stuff: just making sure that there's appropriate oversight and reporting. So that gets back to, do you have a risk committee or not? Or maybe you have a management committee that might be responsible for that, right? What type of reporting should they be getting? How do you escalate things? All that happens over here when you establish control, and in doing it together with third-party risk and contracting. And then the last piece is, again for more mature organizations, if you have an internal audit function or something like that, to make sure that they're aligned and things are working as they should, do those periodic assessments and testing of all your activities to ensure that everybody's doing what they should be doing, and then clean up any gaps or areas where you need to make improvements.
So that's my last bit of thought I wanted to share with you: this governance structure is key to everything. It's the glue that holds it all together. If you don't have these things, it's really easy for misalignment to happen, not only with contract and third-party risk, but with compliance and term and all the other pieces that go into managing that vendor relationship. So that's really what I've got primarily on the slides I wanted to share with you today. Melissa, I see we're at 12:49. So maybe we have time for one quick question, or I can turn it back over to you and Scott.
Melissa: I'm going to let Scott take it from here, and then let's see if we have some more time for some Q&A.
Scott Lang: Awesome. Tom, if you could flip to my slide, please. Use the start of it. Anyway,
Tom Rogers: Sorry. I think we're going to share this deck, right, Melissa?
Melissa: Totally your call. We'll share the deck. Yep.
Scott Lang: All I wanted it.
Tom Rogers: Yep. So you can reach out to me with any questions or inquiries afterward. But anyway, thanks. And I'll toss it over to you, Scott.
Scott Lang: Yeah, you can keep going. We'll flip over to me. I've just got a couple of points I want to cover on what Prevalent's perspective is on aligning the contract life cycle with the third-party risk life cycle. And it might be good for me just to walk through a few things here, talk about our perspective, and give Melissa a chance to triage all the questions that came in. Fantastic engagement, everyone, from all the questions you're asking. Definitely keep it up. It keeps these discussions lively, real, interactive, and grounded in actual situations. So thank you for the engagement. Keep it coming. From our perspective, Tom walked through a very holistic approach to looking at how managing a contract, how managing CLM, relates to managing a vendor. And if you want to sum it up, it's a very time-consuming manual process. You're probably using a CLM tool in a silo that maybe doesn't have great interaction with the way you're assessing your vendor. What that leaves is some disjointed views of the risk a vendor brings to you from a contractual perspective (are they meeting their SLAs? is the right contractual language in there?) versus how you're assessing the risk that the vendor brings to you inherently: security, IT-related risk, data privacy risks, reputational risks, whatever. It's also a version control nightmare that you understand better than anyone else. But what it results in is that you can't really track details very effectively. It really doesn't give you great visibility into the contract life cycle, and what ends up happening?
You've got folks going rogue in the organization, maybe going outside of established contracting and purchasing cycles, maybe signing some paper they shouldn't be signing, and it leaves the business unprotected from a potential contractual problem in the future. It leaves you out of sync, and it can introduce a lot of business risk with all the real business consequences back-ending that. So I guess the point I'm trying to make is, if you're looking at CLM and TPRM differently, bringing them together holistically is the better path to go. Tom, next slide, please. So our approach on this is to offer a solution that fully integrates with the third-party risk management life cycle, and the solution is called Contract Essentials. At the heart of the solution is the ability to centralize the creation, distribution, discussion, retention, and review of vendor contracts. We've implemented workflow into our solution that helps to automate the progression of that contract through its life cycle, and you can see a bit of a representation of that on the right-hand side. So at the end of the day, you can treat contracts with the same level of discipline as you're treating other types of risks that come through the regular engagement with the vendor. So we've got a couple of high-level capabilities available in the solution: built-in workflow to, again, help you automate the progression of contracts and review until a signature is obtained, and then the ability to extract key contractual provisions or language that you can then automatically implement into, for example, contractual SLA monitoring.
It's got built-in version control to allow you to make changes and re-upload new versions, and it implements discussion tabs in there as well, so that if you just want to simply ask a question of the contract manager or the internal procurement person, you can do that as well. Next slide, please, Tom. We see contract life cycle management as its own thing, of course, and so is third-party risk, but we see the contract life cycle touching multiple stages of the third-party risk life cycle. It isn't just about sourcing and selecting good vendors, or simplifying the process of negotiating and version control and upload and such, but also, from an onboarding perspective, making sure that you've got the review, the redlining, and the approval processes in place so that when you make a decision on a vendor, you can quickly execute and get them onboarded, come to a contractual agreement on provisions, agree on SLAs, and then move forward to more comprehensive due diligence, which means it's totally appropriate as you're measuring SLAs and performance throughout the life cycle, right? Okay. Sourcing and selecting vendors, intaking and onboarding, performing some level of inherent risk assessment, doing due diligence assessments and remediation, validating those results through continuous monitoring, monitoring their performance over the life cycle, and then finally, speaking to something that I think Tom was really clear about in the slides, offboarding and termination. That gives you a central repository that's tracking not just the final contractual requirements and obligations that have to be met, but how that aligns with the rest of your third-party risk tasks: breaking access, cutting off physical access to systems, things like that. Next slide, please, Tom.
Multiple different people throughout the enterprise can benefit from the integration of CLM and third-party risk. Legal folks, folks who are managing contracts on a regular basis, save a lot of time by automating those cumbersome processes and, more importantly, keeping their stakeholders updated and involved. Procurement shortens purchasing cycles by making sure everybody's adhering to the process, by offering it centrally and requiring everybody to play into that system, and then looking at contractual risks as well as business risks. And then IT security and risk management teams have a derivative benefit of reducing the risk of a downstream business disruption by making sure contracts have provisions that are enforceable, and they can measure that throughout the life cycle as well. Next slide, please, Tom. And that just aligns with the rest of our approach on managing third-party risk. We start out by offering you the ability to source and select a vendor appropriately through RFx Essentials, intake and onboard and contract with Contract Essentials, and then perform deep inherent risk assessment and ongoing due diligence, assessment, and remediation in our platform all the way through the life cycle, so that you can continuously reduce risks not just from a contract perspective but from a holistic risk perspective. Next slide, please. At the end of the day, our approach is founded on three driving principles.
Number one, we hope to make you smarter with regard to risk through a very data-driven and comprehensive approach that adds context to help unify your processes and teams and break down silos, not just your risk and third-party teams but now also legal and procurement teams, and to do it in a way that's prescriptive, with built-in intelligence, recommendations, or remediations, so that everybody knows what's happening at the same time, and you can produce great reporting, improve your organizational consistency and process, and eventually close the loop on risk from contracting onward to offboarding. And that's really our approach to how we address third-party risk and CLM together. I'll stop talking now. We can open it up to questions if you have questions for Tom especially, or even a few for me. I'm happy to take those as well. Melissa, back to you.
Melissa: Awesome. Thank you, Scott. We're going to go ahead and attack that Q&A box, but before we do that, I have one last question for you. Are you looking to augment or establish a third-party risk program in 2022 or even early 2023? I can't believe this year is halfway over. So answer it honestly. We're just curious to know, and we do follow up. As mentioned earlier, it will be either me or one of my counterparts, Amanda, Null, or Landon. Regarding the Q&A, I have a question for you, Tom. How do you manage your contract control points with your critical vendors versus high-risk vendors?
Tom Rogers: Contract control points. So, if I'm interpreting it right, I think the question is about the four control points that I mentioned earlier, and whether they are managed any differently with critical and high-risk vendors versus others. That might be the question, possibly. So I'll make my own interpretation. I'd say the control points are the same. So there's no change in the control points with regard to whether the vendor is critical or not critical, or high risk or medium or low risk. Because, and I know we're short on time, one quick example might be: let's say you have a modification. Originally the vendor might have been segmented or tiered as low risk, right? But let's say the modification turns them into high risk because now you decide to outsource something to them, or you've got a system you're buying from them. So it's really less about what risk classification they are and their criticality, and it's more about applying the control point consistently across your entire vendor population. So I hope I interpreted that right, but there would be no change in the controls.
Melissa: Perfect. Well, you timed that perfectly. We have about a minute and a half left. Can I ask one more question?
Tom Rogers: Yeah, sure. I'll do it in 60 seconds or less.
Melissa: Okay. I'll read as fast as I can. Can you talk a little more about how to interface your risk teams and contracting experts with business owners who, you mentioned, may not have as nuanced a risk understanding? Any quick best practices for ensuring that nothing gets lost in translation?
Tom Rogers: Yeah, that's like an hour-long conversation. That's a great question. That one's hard, right? It's really hard. And the bigger you get, the harder it is. So I don't know that I have any quick answers to that, other than to say what we've found works really well: remember I talked about RACI a little bit before. That process has helped a lot with a lot of our clients, because it makes them go through and really define their process, and also identify which stakeholders are involved at what points, and who needs to really be engaged and who just needs to be informed or consulted. So maybe my quick answer is: start with figuring out who they are and what their roles and responsibilities are. Using something like a structured RACI model will be the starting point. And then getting them to work together is a completely different conversation. That comes with some change management and training, and coordination from the VMO as a quarterback to pull them in. But that RACI would probably be a good starting point if you don't have something like that already, because it really helps to clarify everything.
Melissa: Perfect. Well, that's all the time we have for today. I hope you enjoyed this webinar. Thanks for your interaction as well. We gave you a lot to think about, I'm sure. And I will be seeing you in your inboxes shortly. Bye.
Tom Rogers: Thanks, Melissa.
Melissa: Bye.
©2026 Mitratech, Inc. All rights reserved.