Description
According to our 2022 Third-Party Risk Management Study, 45% of companies still use spreadsheets to assess their third parties. This manual approach is overwhelming, cumbersome, and outdated.
Is your TPRM program stuck in the past? If so, join Alastair Parr, ISO 27001 Lead Auditor and Implementer, and compliance expert Thomas Humphreys for a webinar that will help to free you from the tyranny of spreadsheets.
You’ll walk away with guidance on automating your vendor assessments, including:
- Ending the risky “one-and-done” approach to third-party assessments
- Reducing questionnaire fatigue – internally and among your vendors
- Determining which data is most relevant for due diligence
- Mapping assessment responses to real business threats
- Reporting strategies to support compliance and other departmental requirements
It’s not too late to build a vendor assessment program that is smart, repeatable, and consistent. We’ll show you how easy and painless it can be in this webinar.
Interested in how Prevalent can help? Request a demo and strategy call to discuss your project with one of our experts.
Speakers

Alastair Parr
ISO 27001 Lead Auditor and Implementer

Thomas Humphreys
Compliance Expert
Transcript
Amanda: Here we go. Amanda: Right, the webinar has started. Amanda: Yes, it started. Amanda: Hi everybody. Amanda: Welcome. Amanda: I hope everyone’s doing okay. Amanda: Um, I’m going to start a poll while we’re waiting, while we get some more people joining us today. Amanda: And we’re always curious, always would love to know what prompted you to join us for today’s session. Amanda: Is it educational? Amanda: Are you doing project research? Amanda: You know, we’re talking about moving away from spreadsheets. Amanda: This is a hot topic. Amanda: We get this all the time. Amanda: So maybe this is why because you have a project to move away from those. Amanda: Um you don’t know why you’re here. Amanda: You know, you’ll learn something. Amanda: You’ll probably be confused, but maybe it’ll help you. Amanda: And maybe you’re a Prevalent customer. Amanda: And if you are, welcome back. Amanda: And hopefully we’ll be able to help you even more so than before. Amanda: So I’ll leave this up for a hot second here. Amanda: Alrighty. Amanda: Well, today we have two excellent men here that is a part of our Prevalent team. Amanda: We have Alastair Parr, ISO 27001 lead auditor and implementer and our very own SVP of global products and services. Amanda: And plus we have a small feature with our content manager Thomas Humphreys. Amanda: And they both will be um you know trying to help you guys get free from the tyranny of spreadsheets because no one wants to deal with those. Amanda: And a couple of housekeeping stuff. Amanda: You guys, we are all muted here. Amanda: Um, just want to give you a heads up. Amanda: You can’t talk, but please utilize the Q&A. Amanda: You can utilize the chat, but if you have a question, please put it in the Q&A because sometimes it will get lost in that chat if especially if it’s booming with some good conversation here and we will answer all of those as much as we possibly can.
Amanda: As far as the poll questions, there’s one that’s happening still right now and there’s one at the end. Amanda: Please answer honestly because we do follow up based on your answers and you’ll probably hear from myself or a couple of my counterparts. Amanda: So, don’t be surprised if you’re wondering why we’re reaching out to you. Amanda: It’s because of what you say in these poll questions ultimately. Amanda: So, that’s pretty much it. Amanda: Oh, Amanda gave me an email saying I Okay. Amanda: Yep. Amanda: I will. Amanda: Sure. Amanda: No problem. Amanda: Um and then as far as the recordings and the slides, you will get the recording tomorrow. Amanda: If you do want the slides, please let me know. Amanda: I can put my email in the chat. Amanda: Um I think that’s pretty much it for me. Amanda: Again, I’m Amanda. Amanda: I’m also the host of this webinar session, but all the brain and power is going to be coming from these two guys. Amanda: So, I’m going to hand it over to Alastair and you can go ahead and get started. Alastair Parr: Thank you very much, Amanda. Alastair Parr: And good morning, good afternoon, good evening wherever you are in the world. Alastair Parr: Obviously, you got Alastair here today and I’ve invited my esteemed colleague Thomas with me on the basis that uh Thomas has the blessed role historically of being exposed to assessments in the form of auditing as much as he’s been driving content and creation of content. Alastair Parr: So, we’re extremely lucky, at least I’m certainly lucky today, to be able to have Thomas to be able to support and give me some insights into what he’s seen and what he’s experienced across the board when it comes to assessments, assessment fatigue, and that general journey on a whole. Alastair Parr: So, welcome Thomas. Alastair Parr: Hello. Thomas Humphreys: Hello. Thomas Humphreys: No, thank you for the very kind introduction, Alastair. Thomas Humphreys: Yes. Thomas Humphreys: Hello everyone.
Thomas Humphreys: Um, for those of you who may not have been on um any any of uh webinars that I’ve I’ve done in the past, my name is Thomas Humphreys. Thomas Humphreys: Um, and I I helped to build content within Prevalent, ranging from all the key uh sort of frameworks and regulations. Thomas Humphreys: Um, and as Alastair indicated, prior to my role at Prevalent, I used to be an auditor predominantly in ISO standards working in certification bodies in Singapore and the UK and working on assessments globally as well. Thomas Humphreys: So, no, pleasure to be here. Alastair Parr: Thank you, Thomas. Alastair Parr: So, as you can probably tell, there’s a few topics we’re going to cover off today. Alastair Parr: As much as we’re going to give you some tips and insights into taking those first tentative steps towards moving off spreadsheets and moving into a more sort of cohesive process for managing third parties and the assessment journey. Alastair Parr: What we will cover off prior to that is well really what should an assessment achieve. Alastair Parr: So, if we take a step back and really understand why on earth are we actually sending each other assessments in the first place and filling up our days, as much as we’d like to do a good job and keep ourselves busy, there must be a bit more to it than that. Alastair Parr: We’ll then touch on what actually makes a good assessment. Alastair Parr: And I’m very intrigued to hear what Thomas has to say as well from his wealth of experience of building assessments that have been used by tens of thousands of organizers when they’re completing assessments. Alastair Parr: And we’ll discuss the criteria that normally falls into that camp. Alastair Parr: We’ll then move on to, well, why do we even bother transitioning off a spreadsheet? Alastair Parr: Surely, a spreadsheet is good enough.
Alastair Parr: I think that could be a relatively straightforward question for us to answer today, but we’ll certainly touch on that. Alastair Parr: And then we’ll move on to some of the most common challenges that we see, not just from assessments and assessment migration, but also about the content, the engagement journey, everything that you tend to experience when you are dealing with somebody as in a human being. Alastair Parr: And then of course we’ll move on to the first tentative steps. Alastair Parr: So moving forwards and uh just hopefully you can all see the slides change now but um but why so what we have identified and this actually comes from a Prevalent survey that we did in 2021 called TPRM at a crossroads but what we identified was that 45% of the participants still use spreadsheets in assessment workflows. Alastair Parr: Now that was particularly surprising to us uh on the basis that spreadsheets themselves have some inherent challenges and again we’ll touch on those shortly. Alastair Parr: 40% ignore areas such as anti-bribery and corruption. Alastair Parr: So this was an interesting topic for us from the perspective of how broad assessments were in the sense of their coverage, how comprehensive they were. Alastair Parr: Were they touching on criteria beyond just control-based assessments which was some of the uh the early uh drivers and focus areas for assessments. Alastair Parr: We identified that two-thirds of responders saw procurement exec and legal becoming more and more involved in the assessment workflows. Alastair Parr: Now, this was reassuring because we appreciate that there’s multiple vested parties in the assessment journey. Alastair Parr: It is not just a control-based assessment. Alastair Parr: And just to qualify, we will share these slides afterwards as part of the recordings later on. Alastair Parr: So, by all means, if you see any value in these, you can certainly take them with you.
Alastair Parr: 45% report experiencing a third-party data breach or incident within the last 12 months. Alastair Parr: Now, this was enticingly shocking to us because if 45% of those responders are seeing third party data breaches occurring within the last 12 months that suggests an issue and that suggests that control-based assessments aren’t necessarily giving us the level of visibility or we’re not reacting to them suitably. Alastair Parr: So spreadsheets as a mechanism clearly have some challenges particularly 45% of us are still using them. Alastair Parr: 32% are reporting that it takes longer than 30 days to meet third party risk audit requirements. Alastair Parr: That means reaching out to a vendor, giving them the spreadsheet, giving them the assessment, whatever it may be. Alastair Parr: And bear in mind, this is a blend. Alastair Parr: These are people who have spreadsheets and have automated workflows. Alastair Parr: So, if 32% of them are taking more than 30 days, that’s a relatively long period of time to get some form of engagement from someone who’s just about to sign a contract with you or has just recently done so and is trying to make themselves look good. Alastair Parr: And greater than 50% track contractual risks throughout the life cycle. Alastair Parr: Sorry, do not track contractual risks throughout the life cycle. Alastair Parr: So greater than 50% just qualify that are not actively managing risks downstream as they progress. Alastair Parr: Now if you want any more information about any of these metrics or findings or how we can specifically address any of these requirements, please feel free to reach out to us and we do have some uh literature on our website on our blog at prevalent.net which talks in a bit more detail about those and you can certainly get a bit of a package related to those.
Alastair Parr: But as you can see in front of you there, there’s a pretty broad section of challenges and issues uh as well as evolving scenarios that will impact how we manage assessment workflows. Alastair Parr: So with that behind us, what should an assessment achieve? Alastair Parr: And by the way, we will go and spend some time answering some questions. Alastair Parr: We’ll try and weave them into the general discussion here as best we can. Alastair Parr: But equally, we do have that Q&A session at the end. Alastair Parr: So if we don’t manage to weave it in organically into our conversation today, we will absolutely cover it off in the Q&A section. Alastair Parr: as well. Alastair Parr: But what is ultimately an assessment trying to achieve? Alastair Parr: Why do we have an assessment in the first place? Alastair Parr: So the very nature of an assessment that we’re seeing for risk management specifically is there to provide insight into controls and deficiencies. Alastair Parr: That was the primary sort of organic use case people use it for, which is what are the issues that we’re facing when it comes to dealing with this third party. Alastair Parr: Uh and the value of it if you’re using a spreadsheet or otherwise is that it’s baselining data inputs from multiple vendors third parties whether you’re using proprietary assessment questions or your own uh sorry or one from uh a public source. Alastair Parr: You know, we appreciate that you’re trying to baseline it so you can accurately and consistently engage the vendor, understand the issues, and do it at scale. Alastair Parr: If you’re going to do it free form every single time, then that’s even worse than just simply using a spreadsheet. Alastair Parr: The assessments themselves are trying to provide an auditable record of a point in time situation. Alastair Parr: So, I send out an assessment to poor Thomas. 
Alastair Parr: Thomas is spending the next six hours of his day filling a now very kindly sends it back and from the minute he’s sent it to me it is out of date but um it’s very useful and it certainly provides some insight which I otherwise would not have been able to obtain. Alastair Parr: Traditionally the point of a spreadsheet based assessment is to glean information that you might not necessarily get from open sources. Alastair Parr: So if you’re passively scanning the organization, if you’re doing business monitoring, if you’re looking at financial records, there’s of course information, demographics data that you can extrapolate. But usually you’re using a control-based assessment via a spreadsheet to capture more information and more importantly qualify it by getting it direct from the horse’s mouth. Alastair Parr: You want the vendor to state it so that you have that auditable record in case something happens and goes wrong. Alastair Parr: So what have we seen people sending via assessments and via those spreadsheets? Alastair Parr: And typically it’s five core areas that we’ve been seeing more commonly. Alastair Parr: There’s information security of course which ties into the threat piece on the right hand side. Alastair Parr: So that’s the control-based data understanding vulnerabilities and weaknesses in relation to their security posture. Alastair Parr: Business continuity and resilience particularly in the last few years has taken a more prominent seat in this whole journey. Alastair Parr: Regulatory obligations and we’re going to hear a lot more from uh Thomas shortly on some of the regulations and compliance mandates that help drive these assessments and of course suitability as well. Alastair Parr: So that relate to ethics ESG, financial stability, quality management, suitability controls, etc.
Alastair Parr: So there is a whole host of data that is being captured in the form of assessments and can be mapped back to uh any control-based information that we’re interested in. Alastair Parr: So Thomas is a resident expert of ours of a whole myriad of various controls, compliance frameworks, regulations, and has more acronyms than you can shake a stick at. Alastair Parr: So Thomas, I wonder if you could give us a bit of insight into how assessments support uh compliance and regulatory mandates. Thomas Humphreys: Absolutely. Thomas Humphreys: Thank you Alastair and hopefully everyone could see the page and what we’ve got on the page is you mentioned acronyms just it represents perhaps just a small volume of the complexities of regulations, standards, best practice frameworks. If you take a look at information security and IT security for example the likes of the NISTs the ISOs of the world uh SIGs uh SOCs cloud standards um from procurement perspective um some new and emerging and hot topics particular around ESG it’s certainly um gaining more and more traction and this represents perhaps one of the first challenges for any organization is where do we begin if we want to look at assessing third parties, vendors against information security, data privacy, um some of the legal requirements and expectations that are being enforced onto us by regulatory bodies, uh key interested parties, our own customer base. Thomas Humphreys: Where do we begin? Thomas Humphreys: And this is what can make the whole journey so daunting and so complex.
Thomas Humphreys: So having a look and understanding what frameworks, what best practices are really key to us and where do we want uh to focus on um is really the first step in being able to identify where do we want to go and how do we approach third parties and engage them in the right areas the right avenues um and I say the right type of assessments um one thing that we’ll come on to later on in the uh in the assessment in in discussion is how you can blend many of them together and where you can see a lot of synergies Um so to take ISO and NIST for example the way that both of them use governance and technical capabilities can help organizations to frame a wider um assessment around information and cyber security. Thomas Humphreys: So there’s a lot of thought process that needs to go into here but this represents a large complex um uh uh piece that really needs to um to be explored by any organization. Thomas Humphreys: make sure that you’re looking at the right type of assessments, the right type of standards um when you begin that TPRM journey. Alastair Parr: Thank you, Thomas. Alastair Parr: And for those of you who would like to hear more of Thomas’ words of wisdom as well, uh there are some recent webinars we’ve done on the likes of NIST and we’ll have some content on some new ISO framework shortly as well. Alastair Parr: So, please feel free to check those out. Alastair Parr: But, um we will dive into a bit more detail on how we can blend some of these criteria and these various regulations and frameworks into a good assessment and how we can make ultimately that journey better by not necessarily using a spreadsheet to do so. Alastair Parr: Thank you. Alastair Parr: So now I did say I’d try and weave in some of the questions as we move along. Alastair Parr: So just to highlight as well there was some questions about uh those who are using spreadsheets and whether we’re actually seeing uh improvements in in quantity over quality.
Alastair Parr: And the sad reality is if I’d sort of hop back and uh and just touch on some of the data points for a moment there is that invariably people who are using spreadsheets are not necessarily getting the responses back from the third parties uh in the same time frames. Alastair Parr: We’ve actually done a fair few tests on our side and a spreadsheet takes longer to get back as opposed to a platform based hall or a standardized assessment format. Alastair Parr: So from a quality standpoint is either taking longer or you might not even necessarily get a formalized response back and the quality is usually very heavily impacted by the fact that the uh that the fields that tend to get populated are quite often unstructured. Alastair Parr: You can input your own variables. Alastair Parr: Uh the fact that people tend to use partial, full matches, etc. Alastair Parr: Uh and all this feeds into our next topic which is what makes a good assessment and then we’ll touch on some of the downfalls and pitfalls that you have when you start using spreadsheets for this. Alastair Parr: So one of the first components that helps drive a good assessment ultimately is suitable consideration of the third party life cycle. Alastair Parr: And what I mean by that is very often we see assessments coming through and this applies to when we get assessments ourselves where they are structured in a way where they’re clearly for a targeted audience. Alastair Parr: We will get an assessment from the infosec team. Alastair Parr: We will get an assessment from procurement which might cover financial stability payment terms etc. Alastair Parr: And we might get separate questions from the privacy team for example. Alastair Parr: Now it’s relatively disjointed and I appreciate they all have their own lens and their own interpretation. Alastair Parr: But from our perspective, one of the things that helps make a good assessment is suitably considering that entire journey.
Alastair Parr: So is there a way that we can consistently capture the information that these different representatives of the business need in one fell swoop rather than spending the time piecemeal reaching out to the third party, having their attention, then losing it for two weeks, getting it back again. Alastair Parr: I appreciate when you have the advantage pre-contract, they’re more likely to engage, but post-contract that becomes a little tricky. Alastair Parr: So when we start considering the life cycle, we can start factoring in and considering how can we have a more structured assessment that’s not on a spreadsheet necessarily. Alastair Parr: At this point, we haven’t said why, but not on a spreadsheet necessarily that’s able to give you the information you need across the spectrum of that third party’s life cycle. Alastair Parr: So what else do we tend to consider? Alastair Parr: So we’ve talked about the spectrum in the sense of that entire journey for the third party. Alastair Parr: But there’s additional information that we tend to segment that out into. Alastair Parr: So there’s the assessment itself, but there’s also additional periphery data in the form of cyber monitoring or cyber insights even through the assessments, business intel, financial positions, financial statements, ownership hierarchies, operating locations, historical events, uh, and equally so events in the future. Alastair Parr: We have to give them the opportunity to be able to escalate those to you continually rather than just point in time. Alastair Parr: monitoring and tracking things like their certifications, which if you’re using a spreadsheet, the reality is you’re going to have a cell populated somewhere with the expiry date of a document and that’ll be buried away somewhere. Alastair Parr: And also their fourth or nth parties. Alastair Parr: So these wonderful things all amalgamate into creating a comprehensive profile.
Alastair Parr: And if you’ve got all the relevant data that creates that, that’s when you can start really capturing and considering context. Alastair Parr: So the context of who that vendor is and what they do, you have a much better lens particularly if that’s unified in a single place uh into understanding what the challenges are, what they do uh and how they could potentially support the business better. Alastair Parr: Now that context also extends to internal business context. Alastair Parr: So a good assessment is considering internal systems. Alastair Parr: So capturing context and sending out assessments that’s going to help us understand where that third party sits in relation to business workflow. Alastair Parr: They become an intrinsic link to your organization. Alastair Parr: They’re helping generate revenue or they’re delivering a service of some value. Alastair Parr: So naturally, they are part of that chain. Alastair Parr: So what we strongly recommend through a good assessment is making sure that you’re capturing information from the business and also slotting in that third party into that internal workflow and journey. Alastair Parr: So you want to be asking questions that help you understand from the business owner or whoever the relationship owner is. Alastair Parr: What is the third party? Alastair Parr: What are they doing? Alastair Parr: Why are we engaging with them? Alastair Parr: What’s the value here? Alastair Parr: So, already we’re starting to see that a spreadsheet based workflow begins to fragment because we have these comprehensive profile aspects that we want to consider which we’re not necessarily considering. Alastair Parr: And then we also have the fragmentation of understanding from the business who they are and what they do. Alastair Parr: So, it’s already starting to present a bit of a challenge when we’re starting to do this on a spreadsheet unless you are the most organized, capable person in the world, and I certainly am not.
Alastair Parr: So when we also start looking back at that good assessment criteria, there’s a series of things that we consider as fundamental in the definition of that assessment piece. Alastair Parr: And I’ll ask Thomas on the next slide to talk a bit more about how we can structure that. Alastair Parr: But just talking about the journey here, the things that we tend to see considered from a higher level for a good assessment uh includes things such as understanding from a maturity aspect. Alastair Parr: Do we actually need to make the most fantastic wonderful spreadsheet assessment in the world right now or does the business happily accommodate something that’s more straightforward that’s going to get data back from the third party quicker. Alastair Parr: So from a maturity definition standpoint you can start assessing your current maturity where you need to get to and then factor that into the types of criteria that you ask. Alastair Parr: We then suggest defining the key metrics. Alastair Parr: So if we’re actually looking at these assessments that we’re building and distributing, what does it need to include? Alastair Parr: So from a key metric standpoint, it should be able to be completed within four hours, for example. Alastair Parr: It shouldn’t involve more than x number of participants in order to get the information in. Alastair Parr: It’s about understanding some of the uh the demographics really of that assessment and how it would be completed. Alastair Parr: Quite often, people will just populate everything they’re ever interested in under the sun in a big flat list in their spreadsheet. Alastair Parr: And the reality is you’re going to get mixed quality data and it’s going to take longer. Alastair Parr: So, we do recommend suggest and suggest considering what that assessment looks like and targeting the audience uh sorry targeting the assessment to the audience. Alastair Parr: Part of that is being driven by the scoping.
Alastair Parr: So what are we actually trying to achieve from the assessment? Alastair Parr: What types of the comp what aspects of that comprehensive profile do we need to consider when we’re building it? Alastair Parr: So do we need to start reviewing against compliance, regulation, risk, privacy, anti-bribery, corruption, modern slavery, etc. Alastair Parr: Some of these domains might be relevant or may not be relevant for you. Alastair Parr: And then start considering segmenting that based on the service lines and the subservices. Alastair Parr: So what is the third party doing and is there any way that we can create some degree of formula that says these criteria are going to this third party subset these criteria and domains are going to this other. Alastair Parr: So you can start being bit more calculated about who receives what rather than a one-size-fits-all because let’s be honest Thomas doesn’t want to spend the next eight hours completing an assessment for me. Alastair Parr: Now if you do that correctly you can start standardizing and benchmarking against the third parties as sheet makes that difficult because you have unstructured data sat there. Alastair Parr: But if you are using any form of mechanism to be able to track and compare the vendors, that’s when you can start looking at that benchmarking and standardization. Alastair Parr: And that includes things such as the remediation planning at the top there. Alastair Parr: So building a journey. Alastair Parr: So rather than just getting the data and then having an individual sit there and interpret it, you can start planning and coordinating what that’s going to look like that broader journey. Alastair Parr: We’ll touch on that a bit more on the next slide. Alastair Parr: And then finally in this ties back to that key metrics criteria is the human factor. Alastair Parr: So those of you on the line may know or may not know, but Tuesday morning is the best time to send out an assessment.
Alastair Parr: You’re most likely to get a participant to start completing it. Alastair Parr: We have the value of seeing metrics of people logging in, interacting with assessments based on distribution times and so on. Alastair Parr: But human factors are interesting. Alastair Parr: If you give somebody more than two weeks to complete an assessment, they’ll generally put it off and wait till later. Alastair Parr: Uh if you send it on a Tuesday morning, you have a high, as I mentioned, you have a higher rate of of uh of opening and actually interacting with it. Alastair Parr: If you send out uh an infographic style data sheet that articulates what you’re doing and why you’re doing it and have some form of executive buy-in and sponsor uh referenced in that material. Alastair Parr: Again, that increases the chances of success. Alastair Parr: So, there’s lots of different criteria that you flesh around an assessment beyond just here’s a spreadsheet that will help reinforce your program. Alastair Parr: It will drive it forward. Alastair Parr: You’ll get better data quicker and ultimately you can then start focusing on the issues rather than just collecting data. Alastair Parr: So with that in mind, content. Alastair Parr: So there’s a few things you can see on the right here about what good content looks like. Alastair Parr: Uh so broadly speaking, Thomas, you’ve had very broad experience in dealing with building content both from structures, parent child relationships, mandatory evidence and documentation, including help text, remediation, defining key s is there any guidance or support or advice you’d have for those on the line on how to address it? Thomas Humphreys: Yes, absolutely.
Thomas Humphreys: And um c certainly those those areas that you can see on on the right hand side um you know just starting off this journey of saying if if users know that we’ve identified the type of standard the type of regulation or framework that we need to to to work with and we need to engage our third parties on let’s use ISO 27001 um as an example. Thomas Humphreys: we can then begin to work out through some of the profiling through some of those key aspects of understanding our our third parties how we can shape that content how we can shape that assessment. Thomas Humphreys: So thinking about the question format and structure particularly if we’re dealing with lots of different types of third parties some maybe in a so-called tier one or high priority some in the so-called tier 2 three or four or lower priority and we want to make sure that the way we ask the questions and way those questions are formed and structured um not only best represents the the results the end results that we need to get out of the assessment but also helps the responder along because ultimately we need to make sure that whatever assessment we’re going out whether it’s a u multiple um uh multiple assessments across multiple uh standards or or or a singular survey um that obviously we get the best results. Thomas Humphreys: So how do we do that? Thomas Humphreys: In terms of the question format and structure, we need to start thinking about what type of questions. Thomas Humphreys: Now, there’ll be some cases um particularly from a regulatory standpoint where yes, no style questions are are more practical. Thomas Humphreys: There’s a there’s a black and white answer that you either have something or you don’t. Thomas Humphreys: You may have a data privacy policy or you haven’t developed a data privacy policy. Thomas Humphreys: For example, thinking about the GDPR uh CCPA, California privacy act um style of of of regulation and requirements.
Thomas Humphreys: In some cases, there may be a need for more open-ended question. Thomas Humphreys: Um, if we’re looking at particular policies, so to take the ISO um 27,000 as an example, uh there may be more of a need to explore the way an access control policy has been formulated or type of encryption and encryption capabilities an organization has. Thomas Humphreys: And so maybe more uh relevant um and you may get more value out of understanding not just do they have an encryption policy or did they have an access control policy? Thomas Humphreys: But what are the key aspects that make up that policy? Thomas Humphreys: What are the key considerations the organization has implemented um to enable them to build an effective um uh suite of encryption tools or or systems to help manage their data security in a better format. Thomas Humphreys: Help text is very interesting here because again I mentioned that when you’re sending out assessments to responders obviously you want them to be able to fill out the survey the assessment as accurately as possible and obviously one way to do that is through the use of help text and almost guidance. Thomas Humphreys: Purpose here is uh not to tell them what question to answer or how to answer it in terms of select this one but to give them a wider view of the purpose of a question. Thomas Humphreys: Now this is particularly relevant when you’re looking at very small organizations versus very large complex organizations where you’re asking a subject around for example the use of firewalls or intrusion detection systems for information security or or the use of how they’re managing carbon footprinting when you’re looking at ESG um and again capturing and managing their carbon. Thomas Humphreys: Um it may be relevant to provide that level of guidance to make sure it’s clear the purpose of the question and and the context to which they should be answering related to the product and service they’re supplying to you. 
Thomas Humphreys: Lastly once we start to formulate these assessments based on clearly defined question and question types, help text and guidance. Thomas Humphreys: We can then look at the remediation as well and and domains. Thomas Humphreys: So let’s go back to the ISO uh standard as the example. Thomas Humphreys: Um for anyone who knows um ISO splits its its assessment into two aspects, a high level structure that looks at the context of the business, how it manages risk and the management format and then what it calls annex A which is the 113 different controls and control points and it may be relevant not just to bundle everything together into one very large survey, but to create them across into separate security control groups or domains. Thomas Humphreys: So you’re asking operational security controls um to a particular responder in an organization. Thomas Humphreys: Then you have business continuity or personnel security based controls or compliance-based controls that because they become modularized or or separated into separate domains make it easier for the responder. Thomas Humphreys: So they engage in the right right person. Thomas Humphreys: personnel their end to make sure that they get the best uh uh answers and responses back to you. Thomas Humphreys: And then finally through the checkbox and question format structure, it’s also important and this is where the third party profile can come into it very effectively here is to make sure you’re not asking the wrong questions uh for the vendors. Thomas Humphreys: So to give you an example, if you’re aware that some organizations don’t produce systems or software in terms of development for you, there’s also no point asking them questions around system and software development if they don’t manage or hold or have access to personal information that may be privacy related questions that are just not relevant for that type of business. 
Thomas Humphreys: So making sure you format the questions in a way that uh you’re asking the right questions to the right responders or to the right third parties and still getting that level of assurance back that the type of results the type of risks or issues that are coming out or the positive sides the the uh control that have been implemented are appropriate to the type of business uh that you’re engaging. Alastair Parr: Brilliant. Alastair Parr: Thank you very much, Thomas. Alastair Parr: Insightful. Alastair Parr: So with that in mind, we understand some of the criteria that we’d expect to see in a good assessment. Alastair Parr: Now, you might be thinking, surely some chunks of this feed into a spreadsheet anyway, and surely that’s going to fit the bill. Alastair Parr: So why on earth are we going to bother transitioning off something that we’ve been using for decades and has served a purpose. Alastair Parr: And let’s be honest, we all know that spreadsheets are very capable. Alastair Parr: And those of you who are well-versed in how to create weird and wonderful uh assessments via spreadsheets, you’re probably quite happy to some extent. Alastair Parr: But there are some innate challenges with doing that. Alastair Parr: And when we start doing human-driven spreadsheet analysis, some of the more common things that we tend to see that start creeping out of the woodwork here is that as Thomas mentioned, there can be a degree of inconsistent interpretations when you’re dealing with remediation. Alastair Parr: If you have free form cells where someone’s able to input whatever they like or even a simple yes, no, the reviewer could be interpreting it badly. Alastair Parr: Whoever’s populating it, but equally so the person reviewing the results might be interpreting it differently. Alastair Parr: So you end up with an interp an inconsistent interpretation both for remediation and also the very nature of the assessment questions. 
Alastair Parr: We very often see that there’s a vendor reluctance to complete a spreadsheet. Alastair Parr: It will sit dormant relaxing in their inbox for a degree of time and will get burrowed away in a folder marked you and eventually they might get round to it after a series of chases. Alastair Parr: Now that lends itself to the challenge of unstructured storage. Alastair Parr: So you have an assessment in the form of a spreadsheet which quite often contains control-based data which would be lovely to see if you wanted to find a way to infiltrate that organization in some shape or form sitting on someone’s well in someone’s mailbox somewhere potentially sent unencrypted. Alastair Parr: from point to point and is just rife and ready to be misused, lost, etc. Alastair Parr: So that unstructured storage is not a great situation and also means you don’t necessarily have a secure transfer mechanism. Alastair Parr: Quite often when we receive assessments in a spreadsheet, it’s email based and we grit our teeth and it frustrates us but nonetheless we try and encourage and push at the very least a secure transfer mechanism rather than just plain email and there is that soft process for collection. Alastair Parr: What we mean by this is that if I send Thomas an email that he studiously buries away in his inbox, I need to remind Thomas every now and then to go and complete it for me. Alastair Parr: Weeks pass, etc. Alastair Parr: And eventually I might get a response back, but nonetheless, there’s that consistent driver and expectation that either myself or Thomas needs to remind one or other that this is to be done by someone at some point. Alastair Parr: So, it’s very manual in that respect. Alastair Parr: And then that leads into collaboration. Alastair Parr: Quite often the collaboration exercise that we tend to see is one of two things. Alastair Parr: I send that spreadsheet back with my red lines. 
Alastair Parr: So I say, “Thomas, here are the 113 controls that you’ve responded to and questions related to that. Alastair Parr: I have six additional questions. Alastair Parr: Can you add another column explaining what you’re doing about it?” Alastair Parr: Opens up more interpretation challenges, more vendor reluctance, more soft process for collection, and the process continues. Alastair Parr: And we eventually end gravitate down towards that spiral of never getting the data back. Alastair Parr: Uh and then of course we’ve got the manual remediation aspects. Alastair Parr: So manual remediation for us here is really about the fact that I need to then go and interact with Thomas in order to get information back in order to do something with it. Alastair Parr: So spreadsheets are inherently challenging in that respect and they also tend to serve a point in time. Alastair Parr: So when we start using spreadsheets as a mechanism, you know, we appreciate that can be a point in time one and done approach. Alastair Parr: Uh and people feel that they can’t deal with the sheer volume of what’s being pushed their way. Alastair Parr: It could be a nuisance. Alastair Parr: is very much a nuisance in that respect. Alastair Parr: Equally so content could evolve and change over time and I’m not necessarily going to get the insight and understanding that from a spreadsheet to understand does this meet the compliance mandates the new ISO framework the new version 272 that comes out in a couple of years time it’s not necessarily going to be targeted and also retrospective and the final component on why spreadsheets can be a problem is that we appreciate that that’s just a single piece that comprehensive profile perception. 
Alastair Parr: So when we start looking at some of the other periphery things that we’re doing in order to assess these third parties, we’re looking at things like monitoring data, we’re looking at IT SEC issues, we’re doing passive scanning, we’re doing dark web investigations, we’re looking at contextual business information, have they had any violations, legal filings, are they financially secure, have they had any insolvencies, any payment deficiencies, are they on any global sanctions lists? Alastair Parr: Are they going bankrupt? Alastair Parr: Are they going for M&A? Alastair Parr: All these additional question questions that most people aren’t necessarily asking in those assessment spreadsheets. Alastair Parr: They’re using periphery data in order to support and identify that proactively. Alastair Parr: It’s where the entire third party space has evolved to try and add a degree of continuous monitoring rather than just rely on those point in time assessments. Alastair Parr: Now, we did have a question at the start which I saved intentionally for this slide where somebody inquired as to whether we know the percentage of those experiencing breaches at the start also use spreadsheets or do they use tools. Alastair Parr: Now, an interesting thing that we’ve pinpointed when we started to look at our percentage of vendors that have had a sorry, organizations that have had a data breach or incident through their vendors in the last 12 months being quite high. Alastair Parr: Something we began to learn when we dug into that is that part of the reason why the percentage was so high was because all of a sudden they now have monitoring capabilities that give them insights into deficiencies that they didn’t before. Alastair Parr: Historically, you’d send the control-based assessment out and you wouldn’t really know that the vendors had a challenge or issue. 
Alastair Parr: Nowadays, with the advent of things like monitoring insights, you can now start seeing, hey, they’ve now been added to a sanctions list. Alastair Parr: They’ve had a data breach, we’ve seen material about them on the dark web, etc. Alastair Parr: All of a sudden, you’re escalating the quantity of findings, events, data breaches, etc. Alastair Parr: That doesn’t necessarily mean that they weren’t there before. Alastair Parr: It just means that now all of a sudden we’re more aware of them. Alastair Parr: Something you don’t necessarily get purely from a spreadsheet. Alastair Parr: So, with that in mind and understanding those some of the things that we can address by either expanding our reach beyond a spreadsheet and a single assessment uh we can also start considering how do we actually deal with some of these challenges that we’re seeing. Alastair Parr: So a few more data points that we’re seeing right now and this is from a 2020 uh survey that Prevalent had issued out. Alastair Parr: So we realized that 52% of those we engaged with did not have a standard way to present risk data. Alastair Parr: So one of the one of the more common challenges here is how do we consistently interpret risk from all these assessments that we’re doing whether they’re on a spreadsheet or otherwise. Alastair Parr: And part of the challenge in the well the resolution here is by having a centralized risk register where you’re consistently mapping answers to risks and responses to likelihood of those risks occurring. Alastair Parr: That way you can be more meticulous in your interpretations over time. Alastair Parr: Now Thomas, I appreciate that you’ve had a fair bit of experience doing auditing from this respect. Alastair Parr: So how have you found the challenge of not being able to consistently interpret and grade and map risks in your experience? Thomas Humphreys: Sure. 
Thomas Humphreys: One of the perhaps the most uh uh fundamental I’d say uh issues uh certainly from a spreadsheet perspective and and sort of aligning that to creating a holistic risk register is just being able to sort through the volume and potentially vast volumes of issues and responses, but it’s also that understanding at the end. Thomas Humphreys: And if you think with a centralized risk register, the ability to consolidate risks and issues um to investigate trends particularly across multiple organizations is made so much simpler. Thomas Humphreys: Um and so by having disparate registers capturing all sorts of risks um across a potentially very large vendor base is incredibly clunky and and and it it can actually cause more headache particularly when you’re looking at the reporting side and having to report back up to execs, senior management and other key stakeholders. Alastair Parr: Fantastic. Alastair Parr: Thank you. Alastair Parr: So from that perspective, if we’re addressing the challenge of of content in this standpoint, it’s about mapping responses back to risks and findings and linking the responses rather than just using the binary yes nos as Thomas alluded to earlier on. Alastair Parr: uh linking more contextual-based answers to likelihood values that we could then extrapolate overall risk scores for. Alastair Parr: And we’ll touch on that a bit more when we talk about some of the uh the quick wins you can apply. Alastair Parr: But the second core challenge group that we’re seeing from our analysis is that so 62% lacked a standardization process for reviewing assessments whether they’re spreadsheets or otherwise. Alastair Parr: 52% additionally had the uh failed to examine resource requirements. Alastair Parr: So we understand that we are following this process. Alastair Parr: How on earth then do we make sure that we’ve planned for that by using the right uh the right team structures and so on. 
Alastair Parr: And 59% were overspending on resources. Alastair Parr: This is they were using a savvy experienced person such as Thomas to sit there chasing assessments and getting data from assessments back rather than using that time more valuably on looking at risk remediation and guidance. Alastair Parr: So if you look at this as a as a group here having suitable roles and responsibilities and the right capacity planning and structure around it is very very important and the the advantage is if you have a structured workflow for assessment distribution and assessment collation whether you’re on a spreadsheet or otherwise is very important so you can get the people like Thomas focused on the right criteria being fixing risk interpreting risk variables and nuances as opposed to chasing and harassing people to get responses back is there anything you’d like to add to that to Tom Thomas Thomas Humphreys: um There’s there’s there’s a that term there I think and I think I think it hits nail on the head perfectly when we’re looking at this. Thomas Humphreys: It’s time time to market when you’re looking at standardized process having that buy in across the business to make sure that um the each respective business owner business owner um uh staff from from information technology um from legal from senior management from operations from across the board. Thomas Humphreys: If you have a consistent process of not only understanding your risk, but the way assessments are run, how it’s delivered to each respective business unit or business owner’s uh vendor and vendor base, but also that consistency in how we address them. Thomas Humphreys: Um, and making sure that the business risk appetite is represented is is is critical. 
Thomas Humphreys: And it’s and again, it just represents that that that disparate view that you can come from um in some cases very clunky and for burdensome uh uh spreadsheets and the process where business units and business owners are not speaking to each other. Thomas Humphreys: Um so it’s it just represents that that that importance of getting to a place where we can standardize the way of working and the way of managing third parties. Alastair Parr: Thank you Thomas. Alastair Parr: And then if we look at the final core challenge group that we’re seeing is uh remediation. Alastair Parr: So expanding on what Thomas has just said then so we saw that 86% had inconsistent remediation guidelines on how to actually effectively deal with the data that comes back via the spreadsheet or via the assessment and 59% had incomplete risk scoring mechanisms. Alastair Parr: What we mean by this is ties to that initial criteria there of the content but they hadn’t established a way to consistently interpret how the risk score will change over time through things like the remediation steps uh that they apply downstream. Alastair Parr: So I know from my auditing days uh it was particularly challenging where another auditor had been on site and had or or had reviewed an assessment and hadn’t actually interpreted things the same way I had. Alastair Parr: They had their own domain knowledge. Alastair Parr: They might have been particularly good at say data loss prevention and focused heavily on that whereas another might be focused on physical security and so on. Alastair Parr: That lack of interpretation and focus and consistency in that focus is very very problematic. Alastair Parr: So a heavy percentage of the people we’ve been engaging with have challenges in making that consistent remediation guidance and interpretation guide clear to their audit teams. Alastair Parr: Thomas, I don’t know if that applies to anything or anything you want to add to that either. 
Thomas Humphreys: Yes, absolutely. Thomas Humphreys: And and and um again, for me, this this comes back to um background noise, apologies. Thomas Humphreys: This represents this this this concept of um knowing what risks to address, what risks to remediate. Thomas Humphreys: at the right time. Thomas Humphreys: And it’s it’s it can be so difficult um to to know where to begin without that structure around what do we remediate and at what time, particularly when you’re presented with potentially a large volume of risks and knowing which ones are critical priorities for us and the business at this point in time. Alastair Parr: Brilliant. Alastair Parr: Thank you, Thomas. Alastair Parr: So, the last point we’ll touch on before we talk about some constructive steps, tentative first steps that you can apply to help transition off those spreadsheets is the questionnaire fatigue aspect. Alastair Parr: So it doesn’t matter whether we’re using spreadsheets or whether we’re using a technology to do so. Alastair Parr: We appreciate that there is a degree of questionnaire fatigue associated to that. Alastair Parr: And there’s a few things that we can do that help streamline and address that. Alastair Parr: So that’s participating in networks or exchanges where vendors answer once and share to multiple criteria. Alastair Parr: Uh automate the analysis of documents as well as they come back. Alastair Parr: So if they give you a SOC 2 report instead have the mechanisms in place to automatically interpret that. Alastair Parr: Same for things like ISO 27001 Annex A as Thomas kindly touched on earlier on or standardize your assessments to common frameworks whether that’s the Prevalent Compliance Framework uh whether that is shared assessments SIG or something else that might be specific to your vertical having that standardization will make it easier for you to start getting those responses back from the vendor. 
Alastair Parr: Now you can certainly segment that use all the criteria we discussed earlier on but if you use standard terminology it may make life more straightforward. Alastair Parr: So when we start looking at our first tentative steps towards migrating off that, we appreciate there’s a fair few challenges that we’re looking to address and the reason why we’re moving off those spreadsheets, we don’t want to use disparate m multiple tools. Alastair Parr: We don’t want it to be stagnant sat somewhere. Alastair Parr: We don’t want to use binary responses. Alastair Parr: We want to be able to capture evidence consistently, interpret things consistently. Alastair Parr: Uh and we also want to make sure that it’s not overwhelming for those having to deal with the unstructured data. Alastair Parr: So where should we begin in making sure that we have a transition that’s suitable to take us from this spreadsheet into something that is a better all round tool. Alastair Parr: So that could be a product itself uh or that could be using things like monitoring feeds etc. Alastair Parr: But what are the things that we actually need to consider? Alastair Parr: So point number one we’d say up front is to actually consider context. Alastair Parr: Focus on that context. Alastair Parr: We want to understand if we’re looking through our vendors what are they doing? Alastair Parr: Why are they doing it? Alastair Parr: Why are we even engaging with them? Alastair Parr: Not just from a spend standpoint, but what’s our risk appetite in relation to the services they provide? Alastair Parr: Where are they providing those services from? Alastair Parr: Uh and are there any particular compliance or regulatory obligations based on that service for processing activities and so on. Alastair Parr: So capture as much context as you can for your question sets or from the business and that lends itself to the broader business itself. Alastair Parr: So the vested parties within the organization. 
Alastair Parr: So we strongly recommend spending time through that scoping journey to understand what procurement, what legal, what the risk teams, what operational teams, what audit all need from that assessment component. Alastair Parr: So starting that workshop asking them what they’re currently sending via spreadsheets, mapping it against what you’re currently sending and work on the basis that you want to ask the question once to that vendor rather than multiple times in different ways throughout that journey. Alastair Parr: And then then you can start applying that context prior into making the whole journey a bit more palatable for the vendor and more interpretive for you. Alastair Parr: And when we start to look at that when we’re transitioning off that we really should again consider as we highlighted before that end to end life cycle that journey. Alastair Parr: So from the very start when we’re sending out assessments from sourcing and RFP through to that contract management criteria through to intake onboarding prioritization the risk assessments downstream control-based assessments there’s lots of different stages there where we are asking questions. Now, we appreciate that there might be situations where you can’t break that out. Alastair Parr: If you’re going through that very early stage RFI RFP, you’re limited in the number of control-based questions you can likely ask. Alastair Parr: However, if you look at your assessment, you should be able to stagger it. Alastair Parr: You should be able to say, right, this subset I’m going to ask at this point of the journey, this for this audience, and so on. Alastair Parr: You follow that process down, and you eventually have an assessment that’s broken out dealing with the right criteria and ideally collected in a relative short window just so you can make sure you get information back from the vendor in a timely way. 
Alastair Parr: And when we start considering that, that’s when we can start looking at that comprehensive profile, assessment data, cyber, business, financial, etc. Alastair Parr: Review all the criteria that you could group together. Alastair Parr: Group it together as best you can and then you can start removing any overlap against that. Alastair Parr: So you end up with a more succinct assessment group that you can use via not a spreadsheet, but ideally for a technology or something similar. Alastair Parr: And that’s where technologies tend to come into play more frequently is when you actually start looking at things like the Nth party mapping, the third parties of the third parties, their Nth parties and so on. Alastair Parr: These are organizations that you’re most likely not going to send a direct assessments against, but you would want to include in your broader monitoring capabilities or at least get the third party insights into. Alastair Parr: So when you start looking at that transition from a spreadsheet to a more uniform structured assessment workflow and life cycle. Alastair Parr: Think about those Nth parties, understand who they are, what they’re doing. Alastair Parr: Capture whatever business information the third party has on those businesses and then embed them into your monitoring workflows as well. Alastair Parr: Look for things like concentration risk. Alastair Parr: And then the fifth criteria there is KRI and KPI based insights and data points. Alastair Parr: So ideally you’d be using that group of assessment data rather than having it siloed. Alastair Parr: You can aggregate it together and you’ve justified your investment immediately because you’re able to start looking at trends, deficiencies, anomalies both from a KPI standpoint, the performance of your entire program as well as the KRIs. Alastair Parr: So you can see a common risks and deficiencies based on the assessment data as it comes back. 
Alastair Parr: You can see trends on completion times, SLAs against the organizations and teams uh and then start looking at anomalies as well. Alastair Parr: So let’s say this vendor changed answers games to the system in question four. Alastair Parr: You’re not going to see that from a spreadsheet uh but you’ll be able to get that from that consolidated reporting piece. Alastair Parr: So think about some of the KRIs and KPIs that you’d want to extrapolate from your broader journey. Alastair Parr: So finally before we move into that Q&A session uh and component of the session, Thomas, I wonder if you give us a bit of insight into how we can best map frameworks, not just historical frameworks, but upcoming regulations as they emerge into that assessment journey without having to reassess and gauge the vendors multiple times. Thomas Humphreys: Yes, absolutely. Thomas Humphreys: And um so at the beginning um of of of the discussion today I mentioned that uh looking across uh the the range of the standards and frameworks. Thomas Humphreys: I mentioned ISO and this there there is a lot of synergy and close ties um with a lot of these best practices and requirements. Thomas Humphreys: And as we’re seeing more and more organizations now are requiring not just a single siloed assessment but a range of requirements from privacy to uh to information security to environmental um and some of the areas such as anti-bribery uh um and and and uh ESG as well. Thomas Humphreys: By establishing a common framework, you can start to map in each of those individual requirements and assessments into either one wider framework and and and assessment through the use of categorization through you make use of being able to map from a control level, but also from a a uh a functional level or domain level um based on the type of uh type of surveys or type of standards and best practices that you’re after. Thomas Humphreys: And obviously, one of the biggest pieces here is of twofold. 
Thomas Humphreys: On the one side, it means from the reporting perspective and reporting back up to senior management and interested parties, you can report on focusing on those best practices and requirements that are important for the organization. Thomas Humphreys: But then likewise when these standards are updated they’re revised such as 27002 or there are other frameworks that are coming in that could be applicable for your existing assessment for example um data privacy. Thomas Humphreys: So we’ve seen from GDPR to the expansion of the likes of CCPA and there are more and more um uh North American uh state level uh privacy uh expectations and requirements coming on but having that structure in place now it helps you to do that continual improvement, continual monitoring so that if there are wider uh expectations and requirements from a privacy piece, it makes it easier to start to build them into your existing profile um not least when you’re trying to assess vendors on a year-on-year basis and and it makes makes it easier to then enable that mapping based on what they said in the past versus what new requirements are are coming into the fold. Alastair Parr: Fantastic. Alastair Parr: Thank you, Thomas. Alastair Parr: Now, just before we answer some of the questions we’ve got coming in, and by all means, please feel free to ask any questions uh in the Q&A. Alastair Parr: I believe we have another quick uh poll. Alastair Parr: Amanda, Amanda: We do. Amanda: Thanks so much. Amanda: Yeah. Amanda: So, the last question that we’re curious about is if you are looking to augment or establish a third party risk management program, uh there’s six more months left in this year. Amanda: Um we know this is another prime time for you guys to kind of start initiations for some sort of program in place for third party risk management. Amanda: And I’m sure what we all discussed was super helpful and we can personally help with that too. 
Amanda: Um I think there’s one other question. Amanda: I don’t know if you see it. Amanda: You do. Amanda: You’re on top of it, right Alastair? Amanda: It looks like Alastair Parr: Yes. Alastair Parr: Yeah. Alastair Parr: Okay. Alastair Parr: So a lot of this is great help, but how do we apply this when assessing a one-person shop business partner? Alastair Parr: Good question and it’s something we actually hear quite a lot which is we’re building these weird and wonderful structures for assessment workflows uh and trying to make it scalable for us as distributors so that we can better handle and manage risk. Alastair Parr: Uh but what is the criteria that we tend to see most when we start profiling a one person shop is that they’re not going to have 30 40 policies on hand funnily enough because they’re trying to do business um and they might have very limited knowledge on infosec unless the one person shop is dealing with infosec or privacy whatever it may be. Alastair Parr: So there’s going to be a limited amount of knowledge that they may have to the space. Alastair Parr: Uh and we’ve seen some interesting approaches to that. Alastair Parr: So we actually used to manage a uh network of vehicle repair centers. Alastair Parr: So over a thousand vehicle repair centers and they tend to be quite often one person shops or small small sites that have very limited knowledge on it. Alastair Parr: And the thing that we found most useful here was building collateral and building a pack that helps guide them. Alastair Parr: So the assessment became less tell us about all your risks and challenges and became more about here’s all the things you should be considering uh when you’re dealing with third party risk privacy ESG and so on and actually what we ended up doing was sending out through assessments supporting collateral. 
Alastair Parr: So rather than do you have an infosec policy yes or no it became do you do you have an infosec policy do you know what an infosec policy is if they select no then they automatically start to receive content. Alastair Parr: They receive baseline templates, guidance on what an infosec policy should contain, what it looks like, cut down version that’s geared towards someone who’s a one person band in that respect. Alastair Parr: So, it becomes less qualifying like you would do with a large organization and validating and becomes more geared towards education is in their interest and your interest to help bring them along to a better place. Alastair Parr: Uh, and that’s something we we haven’t spoken about too heavily, but certainly having that help text having collateral to be able to support them as well is a great step in fleshing out that assessment journey that you’re not necessarily going to get from a spreadsheet. Alastair Parr: So, very good question there. Alastair Parr: Thank you. Amanda: Yeah, super helpful. Amanda: Looks like that’s all we have. Amanda: Everyone’s saying thank you. Amanda: So, thank you guys both for your time. Amanda: We’re at three minutes before the hour and we’ll give you all three minutes back in your day. Amanda: Thank you everyone. Amanda: Hopefully it was insightful and hopefully we’ll see you all at the next one. Amanda: Bye fellas. Amanda: Thank you all. Amanda: Okay.

©2025 Mitratech, Inc. All rights reserved.
