Description
If your company faces the threat of third-party data breaches or other supply chain disruptions, then conducting regular vendor assessments is (hopefully) common practice for your team. The question is, do your assessments simply tick a compliance checkbox or do they deliver meaningful data for measurably reducing your risk?
Watch our TPRM 101 webinar, Getting Real Value from Vendor Assessments, to discover how to eliminate manual questionnaires and build a fine-tuned assessment “machine.” Brenda Ferraro, Prevalent VP of Third-Party Risk, taps into her 20+ years of building successful TPRM programs to share practical guidance and lessons learned, including:
- Streamlining assessment workflows for faster results
- Accessing existing sources of vendor data for immediate risk intelligence
- Scaling to cover more third parties with fewer resources
- Ensuring that risks are efficiently managed to remediation
- Achieving multiple compliance objectives with a single assessment
You’ll walk away with actionable tips for getting the data you need to make clear, informed decisions while building executive confidence in your third-party risk program.
Speakers
Brenda Ferraro
Prevalent VP of Third-Party Risk
Transcript
Amy: All right, we are live. Welcome everyone. I see a few of you starting to trickle in. As you settle in and get ready for today’s webinar, I’m throwing up a poll question because we really want to know what brought you here today, and it is launched. Okay. So, whether it be purely educational, project research, you have an upcoming third-party risk management project. If you’re not sure why you’re here, that’s fine, too. Stick around cuz you might learn something, um, or maybe you’re a Prevalent customer and, you know, staying on top of everything. Um, so my name is Amy Tweet. I’m in business development here at Prevalent and my job today is to make sure that your questions get over to Brenda Ferraro. You’ll see her on camera right there. Give us a wave, Brenda. She is our uh own VP of third-party risk here at Prevalent. She has 20 plus years of building successful third-party risk management programs. And today we’re going to cover getting real value from vendor assessments. A couple housekeeping items as I leave this poll question up. You are all um off camera and on mute. We really do want you to stay engaged. So throughout this webinar, we’re going to be asking a lot of questions and we want your questions as well. So please use the Q&A function at the bottom of the screen on your Zoom here or use the chat function. Either way, I’m going to get your questions to Brenda. Um, also this is being recorded, so if you have to hop off, um, you can uh get it right in your inbox tomorrow morning and re-watch as many times as you please. You know, that being said, Brenda, I do have a ton of questions today because this is a really hot topic and I’m excited to learn a ton from you. So, I’m going to pass the mic. Uh, welcome Brenda.
Brenda: Thank you. It’s a pleasure to be here and Amy, I’m excited to have you really engaged in this call and I’m hoping that the audience will ask questions as we’re going through each of these five different topics because it really is important. So, the things that we’re going to be talking about today, that you would have noticed on your invites, is we’re going to talk about streamlining the assessment workflows. Sometimes workflows can have a lot of disconnects and gaps and we want faster results, or we may not have enough people to do the work, or we might be doing things in circular motion and it just never gets to the point where it needs to get to. Accessing existing sources of vendor data. So we’ve done so many assessments already. Why aren’t we repurposing those? And how do we repurpose them? And what kind of things are in place for that to happen? And risk intelligence is what we’re looking to do, more so than gather content. So, we’ll be discussing that too. Scaling to cover more third parties with fewer resources. I kind of touched on this at the first one, but we’ve got so much to know: where the risks are, what vendor universe we have, how we’re profiling them. Um, and we may not have enough resources to get everything done. We might be starting from scratch or we may have a mature program where we need to make sure that we’re looking at the risks for the threat landscape today. Also ensuring that risks are efficiently managed to remediation. So I have been doing a lot of discussions with different types of companies, sector agnostic, globally, and they’re doing a wonderful job, and I’ve talked about this before, where they are doing collection to the nth degree. They’re doing a great job of getting the information, but as soon as they get it they just chalk it off as, okay, I got the information, I know what the risks are, and they don’t spend as much time on remediating those risks. And that’s what’s going to make us more safe, is if we take the risk, we correct what the issue is, and then we move forward on to the risks of the next flavor of the month or the week. We’ve been experiencing a lot of them lately. And then also achieving multiple compliance objectives. So, as we’re moving into the middle, or we’re even past the middle of 2021 now, we’re about to go into the seventh month. And what’s happening is a lot of the departments are determining that, you know what, we’re asking a lot of our suppliers and our vendors. We’re asking questionnaires from the legal department, from the privacy department, from the procurement department, from the third-party department, and those poor vendors are getting fatigued still. We wanted to address that uh last year, but of course we had some other things to address. But now it’s really getting to the point where everyone’s getting together and they are looking at an enterprise approach to compliance, and whatever information needs to be gathered can be looked at with a different lens. So, we’ll also talk about those things. Now, as we move forward, at the very end of this we’ll have some key takeaways, but I’m going to have Amy ask the questions, and also questions that come from you, to get us launched off for each of these five component areas. And so, Amy, what are we going to talk about first?
Amy: So, my first question is: what are the top three things that make assessment workflows streamlined and faster?
Brenda: Okay, so the top three things to me is a platform that has automation, and I’m looking at my notes because I don’t want to forget anything, and I seem to talk about, excuse me, a lot of things and I’ll miss one, and I don’t want to miss anything today. So platform automation. To me, I’m a process master. So back in my days at Charles Schwab, they put me through Dr. Michael Hammer’s MIT and Harvard process mastery courses, and I learned so much about agile and lean and ways to make a workflow that would be more efficient based on taking what you have, looking at it, picking it apart, and making sure you’re removing delay and waste, and then finally coming together with a platform or a proposal or a workflow that’s going to make it so that you get from point A to point Z without any hiccups, or things automated that you don’t have to do manually to cause that waste and delay. So, look for a platform that can send automated notifications based on status, or look at information with algorithms to say, you know what, you’re going to miss your risk remediation date. We need to remind them that it’s either upcoming or it’s been missed and what’s going to happen. So, it’s kind of like having your best friend or Tinker Bell or a Lucky Charm in the platform that’s doing work for you so that you can focus on what things really require manual intervention. The other thing is profiling and tiering. A lot of companies that I’ve been talking to have done profiling and tiering, but at a very, very high level. And what we’re finding is that when we’re collecting information, we collect that information so that it’s not extremely relevant to the engagement. So for example, if I have a cloud vendor or supplier, I want to look at cloud security in its most apparent form. And there’s other things that I’ll probably ask about, but I don’t necessarily need to ask everything under the sun. We used to have questionnaires that were 1,700 questions and that was ludicrous. It was crazy to ask everything because what you’re trying to focus on is what’s happening during the time. So ransomware is one of them. You want to find out what they’re exactly doing for you and ask the right security information for that. And same thing, like another example would be software. Software has a couple different things that you would need to look at versus if you’re looking at cloud and using either a CAIQ, or if you’re looking at software and using a VBSIM questionnaire, or if you’re using a Prevalent control framework questionnaire. They all have their reasons and purpose for what you need to find out. And then finally, the third thing would be platform notifications and reporting automation. We talked about automation and we talked about notifications, but reporting is by far the most important thing that you can have. You’ve got all this data that you’re absorbing. You need to be able to slice and dice it in a way that you can tell where you are in your assessment, where you are on your due diligence, where you are in your remediation, where you are at a portfolio level, where you are at a department level, where you are all over your enterprise. And if you can’t take machine learning and artificial intelligence and use that to report what you need to see in a moment’s notice, then you’re going to be handicapped. And it’s going to make it so that you’re doing a lot of, like, spreadsheets on the side or reports that you have to create from scratch or combining information from scratch. And so those would be the first three things. Did we get any questions, Amy, while we were talking about that?
Amy: Not yet, but I have a question. I want to go back to profiling and tiering. I’ve talked to a few people here at Prevalent that are interested, um, that have never dabbled in tiering and don’t have their um vendors tiered at all. What’s a good way to get started doing that?
Brenda: So, we’re going to talk about that a little bit in the rest of this presentation. But some of the tidbits for tiering is you have to determine, um, what your tiering approach is in your company first, because everybody looks at it a different way sometimes. If you can solidify that across the whole company, it’s going to be a lot easier that you don’t have to make translation. So for example, if your risk and compliance company or department is using tier 1, 2, 3, 4, find out what that criteria is and see if you can repurpose it. Otherwise, if you can’t, you can make a third-party risk management or a supply chain management tiering approach. You can use A, B, C, D. You could use red, orange, yellow, green. You could use whatever it is that you want, but the profiling and tiering is important. And it all happens at the very beginning when you’re going to be looking at using a supplier or a vendor. So, basically, if you’re going through the request for proposal process, procurement will go and say these five or so companies are what we’re looking at. Have information at the very get-go that’s going to give you criteria to say here is what they’re going to be doing for us. Here’s the location that it’s going to happen in. Here are the points of contact that you’ll be talking to. Here’s the financial information at a very high level. Um, you can run threat intelligence reports on them so that you have a baseline of what’s happening in the wild. But it’s really finding out, before you even start working with them, what type of a company it is and what they’re doing for you and what kind of gotchas you need to look for. So, there’s about 11 or 12 of them and Prevalent can help you find out what those are. We have an intake process and an essentials process that can give you inherent risk before you even do business with them, and that will help you to find out what’s the heavy lift that I’m going to have if I do decide to go with that company, because we already know that there’s going to be some things that we need to look into.
Amy: Awesome. Thank you. No questions yet from the audience, but as a reminder, please, throughout, um, if anything comes to mind, just write it down and we’ll ask Brenda and uh we’re here to help. All right, next question. So, what existing vendor data can be used for immediate risk intelligence?
Brenda: So, we touched on that a little bit just a second ago. I would always say that if you use threat intelligence, that’s one of the ways that you can run information without having a point of contact. You just need a domain name and it will tell you what’s happening out in the wild, if they are not secure in certain security domains. Um, with Prevalent, you can not only look at cyber security, but you also can look at business intelligence and financial intelligence. So, it’s highly recommended that if you’re looking at a prioritization um aspect, or even throughout your entire um life cycle of the third-party engagement, run that threat intelligence report. The other thing is repurposing your questionnaires. So, back in the day, and I’m not going to age myself because I keep getting older. Everybody does. I’m pretending I’m still 21 or 25 or 29, whatever that number is,
Amy: however you feel.
Brenda: But back in the day, um, we had a situation where every year the questionnaire to gather content would change because the threat landscape changed. But if you think about it, the threat landscape was changing and we were catching up. We have to get ahead of that. So, I really proposed um a strategy that’s going to say we’re no longer doing, I’ve talked about this before in many webinars, the one and done. It’s important to do continuous evaluation, and continuous evaluation means you gather what you need to at the very beginning for inherent risk. You do your assessment and add components that are important and relevant for the residual risk. You track those risks to closure, and then when things happen, when ransomware becomes important, when IoT devices become more important, when smart car stuff starts becoming, I mean, we’ve got smart cars coming all over the place and it’s going to become more and more apparent, pipeline things, those are wake-up calls, and those wake-up calls should not be ignored until the next questionnaire comes out. Those wake-up calls are really to say, do you know if those suppliers and third parties are impacted by this situation, and if they are, what are you doing about it now, not at the half-year mark or the nine-month mark or when the year comes. So that’s what I would say about questionnaires: repurpose their answers, but ask them, remind them, to say, okay, has anything changed? You can’t just say what you answered last time is exactly what you’re going to be this year, because you may have had an audit that says you’re not doing as well as you thought you were doing in incident response or in multifactor authentication or things like that. So they have to at least, and I don’t like this word, the word attest, but they have to at least attest or say we’re doing the same in our effectiveness for this particular control domain, and by the way, we’re answering all the deltas as they’re coming. So make relationships with your vendors and suppliers and let them know that we’re not just going to talk to you once. We have a relationship now, and relationships have to have time together, and time together for us is going to be whenever I reach out very thoughtfully about what is happening in the environment today. The other thing is um key controls. So if you have key controls in your organization, and what those are are really must-haves, these controls are the ones that we require all of our suppliers to have by engagement. Then those will help you to set up and configure platforms for automation on what’s important based on their service types. So you can do uh external and internal quantification and identifying exactly what’s happening with those vendors, whether you have a point of contact or you don’t. Or you can look up points of contact. Um, Prevalent has a point of contact lookup and that will help you at least find someone within the company. So don’t fear that, okay, I have 10,000 vendors or 3,000 vendors or even 25, but I don’t know who to go to. Um, you can always use a lookup feature as well. The other thing is preconfiguring those risks. So when you know your key controls, you can rank those at the highest risk, and when you rank them at the highest risk, then it’s going to be things that are apparent and bubble to the top for your assessors to review. And sometimes people have managed services helping them with their assessment. So if you’ve outsourced your assessment due diligence to a risk operation command center, whether it be at Prevalent or somewhere else, then those items will be completely available for them as well as for your organization if you’re, like, doing a hybrid approach. So either you’re handing it off to someone or you’re doing it yourself. But everyone should have the same voice and everyone should know what the risks are, and we’ll be talking about that a little bit more. Um, also use risk association. So what that means is that if you have content gathering in a questionnaire or in threat intelligence, those things should match up together. If a question is asked of the supplier or the vendor and something’s seen in the wild, those two things should say what they said and what we see match. And if they don’t match, then they should say, okay, we have a risk, or we have something we have to look at, because what they’re saying is not what we’re seeing, or what we’re seeing is not what they’re saying, because it could go vice versa. It could say, “Okay, they say they’re doing very well,” or we’re looking at threat intelligence that’s um providing information that says they’re doing a great job in this security domain, but their questionnaire came back saying we’re not doing good. You could go back to them and say, “Okay, well, this doesn’t look right. It looks good out there on the outside. Why is it not looking good on the inside?” So, it helps you to figure out um how to balance, and it’s like a double check. The other thing is risk association can help you with, if a question is asked somewhere in your questionnaire and then it’s asked again differently in a different security domain, and they answer one way in one place and another way in the other, then you can kind of do some checks and balances with the risk association with that as well. Um, we talked about threat intelligence of cyber, business, and financial. Make sure you always have those three, because without one you will definitely have a scenario where you’re only seeing a part of the picture. And we talked about profiling and tiering. Oh, networks and exchanges. That’s the biggest one. I almost forgot it. So, networks are there for us to store a library of suppliers’ and vendors’ already completed information. So, it cuts down on the delay of gathering content. And what happens when I, as a supplier, might be in a network or an exchange with my completed content, my evidence, all of the information where I’m already working on risks? What happens is if a new company wants to look at my content, I have the ability to either give permission to a sector, like I might say for every healthcare sector uh customer I want them to be able to see my information, or for every legal um industry customer I want them to see my information, or I should be able to have the ability to say yes, I’m doing business with this requestor, go ahead and share my information with them. So it stays protected. So don’t be afraid of, oh my gosh, my content, my information is up in some cloud being serviced by a third-party vendor. What’s going to happen to it? There are protection mechanisms put all over that to make sure that it is secure and not shared with the wrong companies and/or without your permission. So, it looks like we have a question, Amy. I’m looking at two.
Amy: Yeah, a couple questions here from the audience. So, the first one is regarding Prevalent’s cyber risk rating product. Um, you know, do we develop our own, and how does it compare to BitSight?
Brenda: Okay, so all of that information is not one that I can talk about during this webinar, but if you contact Amy, she will be getting the emails at [email protected], we have comparison documents that we can provide to you to say, you know, what does the different threat intelligence have, how do we create the culmination. And normally, in most companies as well as Prevalent, we are using the same source of information as other companies, but displaying it differently and/or to the appropriateness of our platform and what we’re looking to do and accomplish for you. So, there’s different companies that are a culmination of uh those organizations. We may have different ones than BitSight does, but you need to do your due diligence and get those documentation, uh, the comparison documents, and find out what that information is.
Amy: Yeah. And that being said, I took note of who asked a question. I’ll be happy to reach out to you after this webinar. We can chat a little bit more regarding that. Uh, the next question from the audience. So is Prevalent a vendor risk management managed service or do you sell a platform for organizations to do it themselves? If so, what rough percentage does each represent of your overall business?
Brenda: So we do three things. Um, the first one is we have a platform that you can use yourself. So it’s a self, you know, you can configure it yourself, you can create what you want to, but we have people that can help you: professional services. We have managed services which helps with that as well, and ROCC services. So the risk operation command center can do the data collection. They can also do the analysis for you. They could do the back and forth between um what you’re trying to gather and what the vendor has provided or supplier has provided, as well as risk remediation. So it goes that far. We also have rapid response. So that’s in the incident management realm, that if we see there is something happening in the Wall Street Journal and the New York Times and our threat intelligence pings us and says we have a problem, you need to go and help your vendors and your customers. There’s uh rapid response as well. And there are consulting and strategy services too. So if you’re trying to build your program, we have people that can sit with you, look at what you’re doing today, even if you’re starting from scratch or you’re the most mature, and try to help you to understand all the different ways to leverage the platform. So if you’re looking at percentages, it really depends on the company. Every company is different on where they are with their program. Some of them are starting from scratch and some of them are really mature, and it’s really catered to, the beauty is that everything that we do is going to be catered to your needs. So we would have a sit-down with you. We would talk about what you’re looking to accomplish and then we would be able to put different packages together that could help you.
Amy: Awesome. Thank you, Brenda.
Brenda: All right. Great. So, going on to the next item. You thought this was only going to be like a half an hour, didn’t you, Amy?
Amy: I did. Wow. No, this is great. Keep the questions coming. And I really do like this question. So, obviously, we’re all really busy. So, with so much to do, so little time, and very limited resources, how can we accomplish more with less? Give us your wisdom.
Brenda: So, a little tiny story. When I started in third-party risk, I’m sure all of you have heard if you’ve listened to me before, I had this fall in my lap. I didn’t know anything about third party and it was a body of one. It was just me, and they came at me with, okay, you have 3,000 or 5,000 or 10,000 vendors that you’re going to have to assess. And so when I looked at that, then I became a team of two, brought on another resource, and then it kept expanding and expanding. Now, two questions were um asked of me by my chief information security officer at the time, and they said, all right, there’s two things that can happen. Either you’re going to do this with managed services and get some help from the outside, or you’re going to hire people, and they both have pros and cons. Which pro and con do you want to go forward with? And as I retrospect on that, I don’t think that I made what I would call mistakes, but there are some hybrid approaches that I would possibly look at. If I’m wanting to get done um maybe like a campaign of assessing things very fast, I would have a risk operation command center or managed services help me with that because it will get things done quickly. They’ll be able to look in their networks. They’ll be able to find out if the information’s already been gathered. They’ll be able to give me what I need to know from a risk perspective. And then very quickly, we would be able to identify where we are with what’s already been done. That’s great. And then again, I call them Tinker Bells and Lucky Charms. If all of those individuals were doing things at a standard level where I would say, “Okay, I want to do 200 a week, or I want to do all 3,000 at one time,” they would have bench strength to uh watch all of the responses come in. And by configuring a platform with all the risks, the recommendations, the remediation timelines, and doing that prep setup, that’s going to make it so that everything would be consistent. It would be the way that my company, whoever I work for, wants to look at their key controls. There’s um the network and exchanges that we talked about before. So using those, and for those that aren’t in there, you can use a hybrid approach where you’re launching things out yourself. So for that question that we had earlier, if you do um have a platform that people can use themselves, you can have a hybrid approach where you launch things yourself, but you also have managed services doing something for you. So look at your tiers and really focus on your criticals and your highs, and then let managed services or ROCC services do your mediums and your lows, or campaigns or things of that nature. Um, expand support out to additional departments. So if you take an approach where you’re asking what you need to ask for not only yourself in your risk management or your supplier or vendor management area, and you ask questions that are pertinent to DR, pertinent to business continuity, legal, privacy, procurement, then your vendor and supplier is going to say, “Wow, this is like,” I guess an experience that I had is, you know, going to a Honda car shop versus a BMW car shop. They’re different. So, it’s kind of like going to a place that has their ducks in a row and they give more um white glove service to you. So, that’s kind of what you want to be for your vendors and suppliers. They need to work on remediation, not content gathering. They need to work on servicing you, not content gathering. So, that’s one of the items there. Rapid response, making sure that you know very quickly who’s been impacted by an incident or a breach or a ransomware attack or malware. And then knowing that you can tell your board, here’s who we work with that is having impact. Here’s what we’ve done and here’s how long we’ve given them to close that disconnect. And we will give you updates on either a daily or a weekly progress so that you know that the bar of um impact is going to come to slim or change. And then having a platform that has the ability to visualize all the different connections of your third parties. So I am a proponent, for the last five years, of going and making sure you have assessment information, whether it be just identifying for fourth and fifth and sixth parties that an assessment has been done, to what the risks are and how that risk will have impact on the company of which you’re directly contracted with, and knowing that in a picture format like a spider diagram, and what business units are using them. So for example, when I was at, again, Charles Schwab, they had a two-story building that had a screen up on the wall and it would show, if an impact happened, the daisy chain of events that was going to trickle from that impact to the business units to what trades couldn’t be made and all kinds of things. And that was way back in the day. I was at uh Schwab way before 2007, so I’m sure it’s even better now. But I was flabbergasted by, like, oh my gosh, you know how to pivot based on exactly what’s going on so that you can quickly make adjustments to your business. That has to happen for resilience for all of our companies globally. And we’ve felt some of that pressure based on what we experienced in 2020 and even in 2021. So if you have a platform like Prevalent that has the spider diagram and all of the connections of what business units are using it, what are they transferring for data, which direction is it going, if something impacts, you can highlight it and see all the connections of what’s going to occur. So that I would highly recommend you get into to help with accomplishing more with less, because I can tell you it took a lot of manual effort to do things manually when you found out someone was impacted, to determine how is the business going to be with this? How are we going, what do we pivot to? What company can we pivot to? Do we have a backup company or do we have a concentration risk? So hopefully that’s helpful.
Amy: All right, I got a question here regarding managed services. So how often does the work that Prevalent does as a managed service provider for a typical client lead to the business owner having to switch vendors due to high residual cyber risk?
Brenda: I wouldn’t know the percentages of that. Brenda: But it’s a very good point that you’re making in your question that when you have managed services providing executive risk summary reports to you, you would have an internal process that would take that into a steering committee or whatever uh dispositioning program you have to say our threshold is they can only have these things that are in a certain state and if they’re missing everything then they need to look at removing them and working in touch with procurement and letting procurement know that we’ve got some very heavy risk issues and the business unit being involved in mitigating those. Brenda: So there’s a couple things that can happen within the platform. Brenda: You can track those remediations to closure. Brenda: You can use the executive risk summary report and the different risk register lenses to show the executives what the risk is to the business and you can share information with privacy and procurement and the risk compliance team and whomever to say I am either recommending that we move forward with this customer or this vendor or I’m recommending with remediation or I’m not recommending based on what the managed services is providing to us. Brenda: So they’ll do all of the heavy leg work. Brenda: They’ll give you the information for you to make the decision and then you move forward with your internal processes.
Amy: All right. Amy: And to piggyback on to that um the audience asks, “I always worry that the only thing worse than an internal vendor risk management analyst being ignored when calling out risk is being ignored as an outside service provider.” Amy: So, not really a question, but I want to pass it along to you.
Brenda: Yeah. Brenda: And that’s true because when we’re doing our due diligence, whether it’s managed services or whether it’s our internal resources, our jobs are really really important. Brenda: I kind of think of them like a triage center in a hospital. Brenda: The doctor and the nurses and the surgery centers aren’t really going to know the next steps to take unless it’s appropriately triaged. Brenda: So, if you’re doing your due diligence, whether you’re hybriding that to a managed service company or you’re doing it internally yourself or a hybrid approach, they are probably one of the most important constituents in the process because they’re the ones that are doing that hunting. Brenda: I call it the risk hunting. Brenda: And as soon as they find a risk, then that risk is something that has to be managed. Brenda: become aware of whatever it is that you have decided you’re going to do with those that is an appetizing tolerance for your company. Brenda: So, thank you for that statement and um I truly believe that those individuals are the most important um within the process in the life cycle.
Amy: Awesome. Amy: Yeah, keep the questions coming. Amy: So, moving on, um, speaking of risk remediation: with risk remediation being the most important aspect in third-party risk management, what is the best way to manage them?
Brenda: So, remediation, like I had said before, is making sure that you’re going through a continuous evaluation process. Brenda: Run your threat intelligence and put thresholds and alerts that are going to tell you when risks change. Brenda: Um, have reports available that are going to say, I have these different risks that are going to pop, their remediation date and deadline is coming up. Brenda: And then have it so that the business unit, or whoever is in charge of making those changes and keeping contact with the supplier, can say, “Look, you’re about to expire on your timeline for your remediation. Brenda: Are you about done and can you send it over to us?” Brenda: And also, do remember when you get a risk remediation, that doesn’t mean that it’s done. Brenda: It means that you have to go verify it and make sure that it’s done. Brenda: So, there are certain protocols to do that. Brenda: We’ve talked a couple times in other webinars about virtual validation. Brenda: We used to have on-site visits when we can travel and I can’t wait until, I mean travel’s happening a little bit more now, but when we start traveling and seeing each other as companies and vendors and constituents again, um, until at which time that happens we found ways to do validation, and validation is testing those risks to make sure, using specific protocols, that what they’re saying and what we’re seeing is active and enforced. Brenda: So those are the kind of things with risk as well. Brenda: Um, but the best way to manage them is to have a system where you’re not taking your content out of the platform and putting it into a spreadsheet and looking at those spreadsheets. Brenda: You want to have a platform that’s going to tell you where you are on the life cycle of your assessment due diligence.
Brenda: Um, if they’re in the remediation phase, if you’re still in the assessment phase, and then being able to slice and dice the content to say, you know what, this year we have so many suppliers to assess. Brenda: We’re going to focus on the critical and the high risks for each of our tiers and profiled suppliers. Brenda: Um, and we’re going to suppress, we’re not going to change the risk for the mediums and lows, but we’re going to just make it so that they don’t generate something for us, a task to work on them. Brenda: We’ll know they’re there. Brenda: We’ll acknowledge that they exist, but we’re going to work on the things like ransomware, multi-factor, um, encryption in transit, phishing-type stuff. Brenda: You know, things that are making it so that the hackers have an easier way of getting to us. Brenda: So that when we get to the next phase of our program, our policy will state we’re going to add the mediums and the low risks for year two or when we have accomplished identifying the high and critical risks. Brenda: So that’s another way to manage them as well.
Amy: All right, great. Amy: No questions yet. Amy: We’ll go to the next. Amy: All right, so Brenda, is it possible to complete a single assessment and meet multiple compliance objectives?
Brenda: Yes, and this is one of the magic things that happens within the Prevalent solution. Brenda: We have excellent content managers that are um very highly skilled in NIST and ISO, GDPR, CCPA. Brenda: I mean, I could go on with all the different acronyms um and all of the regulatory frameworks. Brenda: And what’s very nifty, I think that’s from What age is that? Brenda: Like 1950s, I just wore like a groovy and nifty word. Brenda: So, what’s really awesome, okay, back in the 90s, what’s really great is that you have the ability of looking at information in a different lens. Brenda: So, I call it the magic button. Brenda: There are risk registers and different ways to see compliance screens that I would say, okay, I’m from the privacy department. Brenda: I want to see how the content that was gathered is reflected in GDPR compliance. Brenda: And I push this nice button within the entity and it shows me exactly where they are with compliance based on the content that was gathered. Brenda: So you don’t have to go back and say, “Okay, I need you to answer this GDPR questionnaire, which already could have been questions that you asked in the assessment for the overall third party situation, but can you do it again?” Brenda: No, you can just, it just changes the lens. Brenda: It’s kind of like a camera where you focus. Brenda: So you focus for GDPR or you focus for NIST or you focus for ISO and you can look at it in different ways. Brenda: So, um, we’re getting pretty snazzy with that. Brenda: And I really really like how much they’ve done with regards to making it so that we could see it in different ways.
Amy: Love the word snazzy. Amy: It’s great.
Brenda: Oh, I said that one, too. Brenda: Goodness gracious.
Amy: I was going to say rad. Amy: That seems pretty 90s.
Brenda: Rad. Brenda: Rad.
Amy: Love it. Amy: Um, so no questions yet. Amy: Uh, that being said, if you do have any questions, I know we’re getting um towards the end of our um hour here together, less than an hour, so we’ll go over some key takeaways. Amy: If anything comes to mind, um, please throw them in the Q&A function. Amy: Um, and I’ll let you uh do the key takeaways here, Brenda.
Brenda: All right. Brenda: So, I have five of them. Brenda: And so, because we had five topics, so I kind of like interlinked that, but the first one is automation is key. Brenda: I want to make sure that you’re using the ability to push your life cycle with automation on status and certain criteria that’s being met and being able to use what we call active rules. Brenda: So, for example, if we have something that comes in that has a profile and tier intake process. Brenda: Then it will automatically launch the appropriate content that needs to be sent to the supplier. Brenda: And then when it comes back, the status will change as you know, you don’t have to go in and manually change the status. Brenda: And then when it’s assigned and the risks are identified and you push it along the process, um there’s certain things that can happen magically and automatically. Brenda: Otherwise, there’s a couple things that you may or may not have to do manually because you need to have that personal eye touch on it. Brenda: Having the notifications go out so that you don’t have to do the chaser emails. Brenda: That was one of the things that I just despise doing is having to chase people, and you can make the information change and or be stagnant based on what notifications are going out. Brenda: You can tell them about your program at the beginning and give them expectations so that it’s very easy for them to identify what’s going to happen next. Brenda: You can remind them when things are coming. Brenda: Do you have the ability to slice and dice the data? Brenda: So automation and having the ability to do that is like key for a process to move faster, but always have your program and process somewhat clearly defined in the beginning with the ability to change and tweak it as you go. Brenda: So do know that you’re not going to come in and say, “Okay, it’s going to be fantabulous and no hiccups are going to happen.”
Brenda: Hiccups will happen, but that’s supposed to happen because that means you have to improve something and it just continues to help you to grow in your program. Brenda: The other thing is risk intelligence comes in many forms. Brenda: We’ve talked about cyber risk intelligence. Brenda: We talked about inherent risk. Brenda: We talked about profiling and tiering. Brenda: We talked about business intelligence, financial intelligence. Brenda: We now have uh other types of reports that we can give you that are even above and beyond what people have been expecting in the past that procurement can use. Brenda: Um share your information. Brenda: Risk intelligence should be shared and then make sure that you’re looking at that risk intelligence in different camera lenses, GDPR, CCPA, whatever that is. Brenda: The other one is obtain assistance from the experts. Brenda: So, if you’re just starting out, you’re probably going to want to say, “Build this and give it to me so that it can be handed off so that I can just focus on risk remediation or risk management.” Brenda: And that can happen. Brenda: Or you can have a hybrid approach where you have multiple people on staff and you’ve got this campaign that you need to do a lot with. Brenda: So they can help you with that campaign. Brenda: So think about when there’s temporary situations that you have to grow really quickly, they have the ability to help you with that. Brenda: So um don’t feel like you have to muddle along really slowly. Brenda: Managed services can put a program together for you. Brenda: They consult with you. Brenda: They can do strategy services with you and a roadmap to say based on what we have in the platform today, which is a lot, we can help you do what you need to do. Brenda: But we’re also going to keep you apprised of the new things that are coming on an every-month to every-two-month basis.
Brenda: And we’ll be talking to you about leveraging those items based on what you’ve purchased from Prevalent so that you can start using those, because that’s the main goal, is to make everything easier, faster, better, smarter, scalable. Brenda: And so you’ll want to keep up with the times on all the different components that are available. Brenda: Um run a relevant third party program or supply chain management program. Brenda: Don’t just have one questionnaire. Brenda: If you’re small, you can have one questionnaire. Brenda: I can understand maybe you have 25 assessments to do. Brenda: So, don’t think that you have to have different ones for each one. Brenda: But there’s situations where you may have contractors that are using your laptops. Brenda: So, why are you asking them questions about their laptop? Brenda: They’re using yours. Brenda: You should know how secure it is. Brenda: Or you may have someone who’s doing software um coding for you and you need to find out how they’re handling defect management. Brenda: Because that’s how the hackers can get through, is if there’s a code issue and then they come in through that way, or um you might have ransomware that’s really important to you in the health care space and ransomware needs to be at the forefront of your questionnaires. Brenda: It’s nice to know all the other key controls but we’re dealing with ransomware right now. Brenda: So that’s something that could be a proponent item for you. Brenda: And then finally the fifth thing is the responses need to be mapped to the compliance framework, the regulatory requirements, and having that mapped will help you to use the camera lens to look at different views of the information that’s coming in and the way that you need to see it depending on who you are in what department. Brenda: So those are my five things. Brenda: So I will um I think we have one other polling question before we end today.
Brenda: But as you’re looking at that polling question, go ahead and put that up and then I could talk about the trusted partnership after you’ve put that up. Brenda: There it is.
Amy: So, we’re essentially asking, are you looking to augment or establish a third-party risk program in 2021? Amy: And I know we’re getting closer to 2022. Amy: So, maybe looking into early next year as well. Amy: Uh, yes, no, I’m not sure. Amy: Give us an answer. Amy: And, uh, let you finish up here, Brenda.
Brenda: And that answer again goes to Amy. Brenda: So, if you want to talk to Amy more and maybe Amanda, too, they might share it. Brenda: Not sure. Brenda: But, um, it’s important for us to know what you’re trying to do because there are ways to help at every different level and you may be at a certain position in your particular program that you might want to even find out what else is out there. Brenda: So staying up to date on all of the different things that can be helpful, and like I said many companies are starting to go enterprise approach, and when you go enterprise approach there are other people who want to know, well, how does your program platform managed services help with procurement or how does it help with risk and compliance. Brenda: And so there’s many different things to show you. Brenda: And of course, we are a 2020 Gartner Magic Quadrant leader um strongest in strategy. Brenda: And that’s important because without strategy, you can’t continue to stay ahead of all of the different things that are happening. Brenda: And we also um have like the fastest growing vendor networks. Brenda: We have up to 128% of the growth in 2020. Brenda: And we’re also doing Gartner quad insurance again this year. Brenda: So, those reports are soon to come out, I believe, in the next month or so or even a couple months at most. Brenda: Um, we’ve got some really good trusted companies that we call our family friends and we work with them cohesively on what are they wanting to do with the platform that’s going to help them. Brenda: So, of course, we have experts that know a direction we want to go, but we also listen to our customers and our people are by far the most fun to work with. Brenda: So, I want to make sure that you get the opportunity to know that we also pride ourselves on the individuals that are working within the company as well.
Brenda: And so if you have any questions as we had um talked about, we’ll go into that. Brenda: But if you need to send anything to Amy directly, it’s [email protected]. Brenda: We are on LinkedIn, we’re on Twitter, follow us. Brenda: We’re sending out white papers all the time trying to make sure that you’ve got thought leadership at your fingertips, whether it’s ESG related, which is a very very hot topic, whether it’s something that’s happened in the ecosystem that we’ve addressed, and other types of reporting. Brenda: So any questions, Amy? Brenda: Do we have anything out there?
Amy: Um not yet, but I’m going to babble on for just a bit. Amy: So if anybody has any last minute questions, take a moment, use the Q&A function. Amy: Thank you everyone who um participated in our polling question. Amy: If you did answer yes, you will expect to hear from myself or my counterpart Amanda Fina as a follow-up just to make sure that you’re covered, and you know we are here to help, and I know that uh Brenda covered our platform and our managed services pretty well, but if you do have any deeper questions or want to learn more, um please reach out like you said at info@prevalent.net. Amy: Um also to mention, if you did attend or register to this webinar, you should expect an email from Amanda or myself right after this so you’ll have your information just in case. Amy: Um no last minute questions coming in, but Brenda, I know that I learned a ton and I’m sure that this is a good sign because everyone’s sitting here, they’re thinking about, you know, what are they going to do next?
Brenda: Yeah. Brenda: Well, hopefully it’s something fun like their management maturity,
Amy: right? Amy: Seriously, you got people thinking and they’re in the right direction here. Amy: So, um yeah, you know, we are here to help. Amy: As I mentioned, um that being said, I guess we’ll give you some time back in your day. Amy: Thanks so much again for um blocking off an hour to chat with myself and Brenda. Amy: Again, if you have questions, please reach out. Amy: I hope that you’re walking away with actionable tips for getting the data you need to make clear, informed decisions while building executive confidence in your third-party risk management program. Amy: Anything else, Brenda?
Brenda: No, just thank you very much. Brenda: It was a pleasure and an honor and I will see you soon.
Amy: Sounds great. Amy: Thanks so much, Brenda. Amy: Thank you, everybody. Amy: Have a great rest of your day. Amy: Bye. Amy: Bye. Amy: Bye.
©2026 Mitratech, Inc. All rights reserved.