Description
Onboarding a new vendor or third-party supplier requires understanding the risks the relationship inherently carries. However, many companies account for only a few surface-level risks in their pre-contract due diligence assessments, which limits visibility and can expose risk gaps after onboarding.
Join Rodney Campbell, Senior Vice President and Director of Third-Party Risk Management at Valley National Bank, who draws on his years of experience building and managing TPRM programs to clarify the role of inherent risk assessments in determining ongoing due diligence.
During this webinar, Rodney will:
- Identify the most important criteria for evaluating vendors and calculating an overall inherent risk score.
- Describe the steps needed to tier and categorize vendors based on their inherent risk.
- Define different risk appetites, which can indicate whether risks are accepted or remediated with compensating controls.
- Explain the most essential controls vendors should implement to improve residual risk scores over time.
Watch this on-demand webinar to get a strong start on tiering and categorizing your vendors with a solid inherent risk score.
Speakers
Rodney Campbell
Senior Vice President and Director of Third-Party Risk Management at Valley National Bank
Transcript
Ashley: Hello and welcome, everyone. We're delighted to have you here. I'll give you a minute while we wait for everyone to settle in and connect. But in the meantime, I'm going to launch our first poll, because we're curious to know what brought you to today's webinar. Is it for educational reasons? Are you in the early stages of your TPRM program? Are you returning customers? Are you just bored and love hearing Scott's and Rodney's voices? If so, I can't blame you. But either way, let me know. And I can't forget the introductions. My name is Ashley. I work here at Prevalent in Business Development. And we're joined by a very special guest, the Senior Vice President and Director of Third-Party Risk Management at Valley National Bank, Rodney Campbell. Hi, Rodney.
Rodney: Hi.
Ashley: And I can't forget Scott Lang, our Vice President of Product Marketing. Hi, Scott.
Scott: Hi, Ashley.
Ashley: And just a quick reminder, this webinar is being recorded, and we'll send out the recording along with the presentation slides shortly after the webinar. Right now you are all muted, but we encourage you to participate. Please type any questions into our Q&A box so we can go over them at the end of our webinar. Today Rodney will be talking about the relationship between inherent risk and residual risk. Rodney, over to you.
Rodney: Thank you, Ashley, and thanks to everyone for joining us. So today we're going to talk about the true stories of a third-party risk management professional, with a different twist on inherent risk and residual risk. Really, I want to focus on the disconnect between people, process, and technology and how that impacts the relationship between inherent and residual risk. Next slide. So, I want to make sure that everyone's aware. I know that we've spoken a lot about inherent risk and residual risk from the technical perspective, and also using technical terms, but I want to make sure that this particular message speaks to everyone: the individuals who work within TPRM, but also the individuals who are not within TPRM, the individuals who are uplifting a program for the first time. You're trying to wrap your head around what you should do and what you can do. I want to make sure that we understand the relationship between inherent and residual risk. And as you see on screen, TPRM is an ecosystem of interconnected processes, tasks, and activities that together work to identify, assess, and mitigate risk posed by third-party relationships. So the overall success of your program, third-party risk management, and the individuals that are stakeholders and contributors to the TPRM process requires business collaboration and organizational alignment. So again, going back to what I mentioned originally, I want to discuss organizational factors that can prevent appropriate identification and mitigation of third-party risk. Next slide. Now this is really interesting, because I can tell you that many of us here today who are on this call, as I stated, you're probably building a program and you're trying to figure out where do I start? How do I look at this? So, I will say consider this. This is a learning opportunity for all of us. I think we're all learners in the making or subject matter experts in the making. So, consider this.
If you were purchasing a home or a vehicle, you would verify all claims made by the seller before signing the agreement and issuing a payment. You would? Because I know that I would. So, why should any other business transaction that you enter be handled differently? So, imagine signing a contract for a new home or a new car. You're going to make sure that you do your due diligence to make sure that that new home or new car is exactly as the seller stated it. So, why would you handle any other business transaction that you're entering into differently? You would want to raise and position the same level of due diligence as you would if you were purchasing your own home or vehicle. Next slide, please. Your organizational role and responsibility in third-party risk management. Now, this is really important because, again, you are more than likely a part of this process in your organization. Now, whether or not you've been included in that process is another story, but I want to make sure that we understand, for all of you here on the call, you're probably a stakeholder, and a stakeholder can be many things within your business units. A stakeholder may be someone from your control function, a person who has a part or a role to play in your process. Are you engaged? Are you involved? Are you aware of what's going on within the TPRM process within your organization? You may be a vendor relationship manager. Now, I know many people on this call are probably cringing a bit, because we know that the relationship management term has been deemed an administrative process in the past. We want to make sure that if you are the owner of a relationship, are you responsible for the relationship that you're managing? Are you aware? Do you know what your supplier risk is? Do you know the impacts of your supplier risk? Are you utilizing your supplier engagement the way that it should be utilized?
Are you engaged with the supplier so that in the event of an issue or a risk event, can you contact them? Do you know who to contact? So I think the vendor relationship manager role is very important, extremely important. You're part of the first line of defense, and I think if you have no awareness as to what your role and responsibility is, if you're part of the first line of defense, that's probably something that you should discuss with your TPRM team, assuming that it's centralized. Now, internal audit. Internal audit, again, you're probably cringing again, but they are friends; they help us get better. So internal audit has a role and responsibility in your TPRM program. They act as an effective challenge. They are the third line of defense. It's important that you partner with internal audit because the goal is maturity. It's evolution. You want to make sure that what you're doing as an organization, you're moving in the right direction, but you can't do that alone. So no matter how smart you think you are, no matter how great and talented your team may be, you need to partner with that line of defense. It's incredibly and crucially important. And then you think about senior leadership. This is really important because I want to say, if you are part of senior leadership, you want to make sure that you understand what the products and services are that you're utilizing to make your day-to-day business operations run as they should, or run as expected. If something occurs within your business line, within your business function, are you aware? Are you aware of the number of products and services that you do utilize to operate as a business? And are you aware of the impacts and the risk? If you're not aware, you should be. And I think engaging with your TPRM team is critically important. I believe your TPRM team should also engage with you. Remember, collaboration is key. I also want to mention the board of directors.
Oftentimes we do not mention the board of directors in TPRM. I think at a high level, at the policy level, we do; we talk about it in other calls. I see that other presentations and webinars mention the same thing. But I do believe board engagement and board awareness is important. It's important because you are responsible for providing governance and oversight, or management oversight, for products and services that are supplying and supporting your organization. Many of these are critical, core. Now, you want to make sure that if there are any risks, anything that you identify that could potentially impact your organization, you want to make your board aware. Now, again, this is at a high level, but I do think that situational awareness, their engagement, is critically important. Sourcing and procurement: you may or may not have a sourcing and procurement department. It may be integrated within your TPRM program, as many are, but that relationship with TPRM is critically important. You are sourcing suppliers that your organization may potentially use. If you're disconnected, what you essentially do is overlook, or probably bypass, some of the processes that are required by TPRM. So, you want to make sure that sourcing and procurement are heavily engaged. They're actively engaged. And TPRM is a department, or a function, that can consist of many roles. So, not just TPRM as a centralized unit, but also the control functions, the individuals that help support your business's operations to make sure they run sufficiently. Next slide. Whoa. An organizational issue. I tell you, this is a real organizational issue. And this is why I said I want to talk about inherent risk. I want to talk about the relationship between inherent risk and residual risk from a different perspective. Not just getting into the semantics of risk categories. Not getting into this is what inherent risk assessment means for your organization.
I want to talk about an organizational issue that prevents the complete accuracy of an inherent risk assessment: the identification of risk, and the mitigation of risk that you identify in that inherent risk assessment. Now look at this screen here. We see there are key organizational issues that prevent the proper identification and mitigation of third-party inherent risk. Now some of these things and terms may be something that you're well aware of, and some of these may be terms that you're unaware of. But think about what these mean. Lack of corporate governance. What does that mean in your organization? You're onboarding a supplier, a potential third party, critical or not. It's important you have a process. If you don't have a process in place, who knows who does what? What are the roles and responsibilities? How are they delineated throughout your process? At what point should this department or this function be involved? Who's the stakeholder? What is the approval process? Do you all understand what is point A from point Z? When you don't have corporate governance, processes are run all over the place. I can tell you that it isn't repeatable. It isn't reportable. It's probably done many ways for many different things, or many ways for some of the same things. The next point is organizational silos and fragmentation. That never happens. Of course it does. So organizational silos and fragmentation: that is one of the biggest threats to onboarding any particular supplier. I say that because the silos, the decisioning that is made within business departments, need to be jointed, not disjointed. But oftentimes the ideas, or the ideation, the planning and identification of suppliers, they're done separately. So the greatest idea that one business function may have, another business function, who is an interdependent or interconnected department, or maybe a shared service, is completely unaware of, and that will pose great risk to your organization.
Fragmentation is often important too. You have business units that are probably working day-to-day side by side in parallel, but they're not communicating. So again, you've got to have that collaboration. You've got to communicate. I think whenever there's a third-party engagement, consider all of the risk, consider all of the shared services and the shared responsibility throughout your organization. So for example, if I'm a business function and I am looking to onboard a supplier, if that supplier has access to confidential information or confidential data, who should I involve? Exactly. I need to make sure I have the right people involved, because if I don't involve the right people, the right departments, I'm going to make a decision solely based off of what I think and what I know. Now, keep in mind, I'm not in privacy. I'm not in information security, but I will make a decision that a stakeholder within privacy and information security should be made aware of and should also participate in. The uninformed, independent decision makers. That never happens. Of course it does. The uninformed and independent decision makers: these are what I find to be the biggest threat to your organization whenever you're dealing with third parties and products and services. The uninformed, independent decision makers are individuals who are probably bright and brilliant at what they do. But the decisions that they're making aren't fact-based. They're decisions that are being based off of interpretation, their perspective, or perhaps their strategic goal, or what their view of value is from dealing with a potential third-party product or service engagement. I think many times you see in an organization you have a stakeholder, or I would say business champion. Then the business champion wants to get this done. We need to get it done. That's the individual who is kind of waving the flag of this particular third-party product or service engagement.
They're telling you the reason why it needs to get done, but they do not know how it's getting done. They do not know the impacts. They do not understand the risk. They don't understand the overall value and strategic purpose of the third-party product and service engagement. And this is critically important, because that uninformed, independent decision maker more often than not will be responsible for engaging suppliers and probably, I'd say, misassessing, but inaccurately assessing the inherent risk, and also misidentifying the mitigation for the inherent risk as well. Internal misalignment. Does that ever happen to you? It does. I'm going to tell you why it happens. Internal misalignment is when you get a bunch of individuals, not in the room, but a bunch of individuals who are working toward the same common goal. You have the same purpose. Again, the product and service engagement makes sense for your organization. The problem is this. When decisions are made that are disjointed, they're not made together. We're not connected. We are not all equally and collaboratively in agreement that this product and service engagement meets the same risk profile, meets the same measurements, the same goals. We are in alignment with the impact. We understand the level of risk. We understand the holistic value. Then I can tell you that oftentimes the actual product or service engagement, as you intended it to be initially, will not play out as originally planned. And another one, which is probably most important. Now again, take in mind these are not in any particular order. This isn't a chronological order. This is just informational for all of you. Insufficient vendor vetting practices. Vendor vetting is important. Oftentimes we do not distinguish between vetting and onboarding. During that planning and identification process, are you verifying that the supplier is who they say they are? Are you looking at the infrastructure or corporate entity holistically?
Are you asking for due diligence at the onset? Are you running old checks on your suppliers? What are you doing at the beginning to make sure that at the baseline level these suppliers can pass stage one and get to stage two? I can tell you why it's an organizational issue: because oftentimes you're probably bypassing vetting, or you're consolidating vetting with contracting. So you presumably already selected a supplier, but you haven't... the vetting process is to identify the impacts, identify the risk, and discuss that internally with your group. Next slide, please. Now here, this is really important. An organizational recommendation, and I have that in caps, you see: drive business value, quality service, and appropriate third-party risk management practices. Now, everything that I just mentioned on the previous slide, here's a way to address those things. Now, again, you have to make sure that you apply these techniques to your organization, because it isn't one-size-fits-all. Everything is different. So, this is why I didn't want to approach inherent risk and residual risk from the typical methodological perspective of this is what you do, this is the question that's asked, and this is what you respond with. I think it's important that we understand the people risk, the people element of how these processes can go wrong at the onset. So when we talk about an organizational recommendation, I want to make sure that we address the concerns that I initially stated on the previous slide. So, establish corporate governance, accountability, transparency, fairness, responsibility, and risk management. Corporate governance is extremely important. How can you continue to source suppliers without a sourcing strategy? Has your strategy been operationalized? Do you have policies? Do you have rules? What is your governance? What is your framework? What is the process guidance? It's easy to
point a finger at a business function or an individual who isn't doing the right thing. But if you don't have process guidance to show them or point them in the right direction, then who's at fault? I think that's a shared responsibility. So if you are responsible for any TPRM program, you want to make sure that you provide effective process guidance. You want to make sure that you provide effective governance so that the individuals who play a role and a responsibility in this process have direction as to what needs to be done. Encourage cross-functional collaboration and stakeholder engagement before engaging prospective third parties. Again, it goes back to the collaboration. You need cross-functional collaboration. You need stakeholder engagement. It would be unwise and unfair of you to position or propose a potential product or service engagement to a stakeholder for sign-off and not make them fully aware. So again, if you are a stakeholder, you want to make sure that before you are approving, before you are giving the two thumbs up to move forward with a product or service engagement, you have full awareness and transparency as to what the engagement entails: not just the value, not just the cost savings, but the risks and the impact. And you want to make sure that your organization, from a shared service perspective, is aligned and not unaligned. The understanding should be understood and not misunderstood. The next one: facilitate decision-making based on facts, not interpretation. This goes back to that uninformed and independent decision maker. And sometimes it's not just one; it can be many. And many can be together, or displaced or dispersed throughout the organization. You want to make sure that your decisions are fact-based. We're moving forward with this supplier for these reasons. Your due diligence should be substantiated with actual work.
Again, your decision making, the decisions that you're making to onboard a supplier, not just simply because you need a product and service, but you need to make sure that you show true transparency, accountability, and due diligence for why you decided or determined to onboard or engage this vendor. That needs to be fact-based. You cannot select, or I would say you should not select, a supplier based off of what you think. You should select a supplier based off of what you know, and what you know may not be all the way good. I can tell you, oftentimes in my previous life, onboarding suppliers has not always been the greatest, but those onboarding activities and processes were done with fact-based decision-making, not interpretation or what I think I knew simply because I have awareness of a supplier from a previous life. And establish internal business alignment on strategic goals, purpose, risks, impacts, and value before engaging. I mentioned this a few times; again, it goes back to that internal alignment. You need to make sure that the individuals who will play a role and responsibility in your process are aligned. If they're unaligned, then that means you will have the perspective or idea of value with one group or one person, and that can potentially raise or pose risk thereafter. So, how can you identify an inherent risk if individuals who are part of your risk function, or individuals who are stakeholders in this shared collaborative process or shared service, are not a part of the conversation, or there is complete disagreement, or have a complete misunderstanding of the product and service engagement that may be detrimental to your organization? So again, you need to make sure that your business functions are aligned, make fact-based decisions, but you do that with cross-functional collaboration and inclusivity of the groups that are a part of the shared service, in the shared collaborative moment. Next slide, please.
The ecosystem of third-party risk management. So everything that we just talked about: we talked about the inherent risk, we talked about criticality, and criticality we really didn't talk about, but I want to be sure that criticality cannot be distinguished or just simply aligned by one person. It needs to be a collaborative moment. If you do not have all the groups, all the risk functions, involved, whose decision is it to be critical or non-critical? Whose decision is it that the inherent risk is high? Why is it high? Is it low? Is it medium? I think this is a collaborative moment. The engagement by your business functions, the engagement by the stakeholders, is critically important to understand what the nature of the engagement is and the risk posed to your organization. So you want to make sure that you establish internal alignment so that you can establish an accurate inherent risk assessment for due diligence. We talk about that all the time. I think most of us on this call, I can tell you, me, I've been on so many due diligence webinars. I've been a part of due diligence discussions. What should I collect? Can I collect it? If I don't collect it, what can I or will I do? Those are all important questions. But I can tell you now, you will never know what to collect if you are not engaged at the onset. Remember, your inherent risk dictates your due diligence. Due diligence that's collected is based off of the inherent risk posed by the product or service engagement and the inherent risk posed to your organization. But if you don't have the right people involved to help identify that risk, then that would be a problem in itself. So you will miscalculate and probably, unfortunately, mischaracterize the inherent risk, and unfortunately not collect the proper due diligence to mitigate that inherent risk, and the residual risk assessment as well. We talk about it; we pair due diligence and residual risk assessments together. We do. But here is the problem.
A residual risk assessment is a point in time. It's a point-in-time assessment. It's a moment in time where you collect a document. It can be a SOC report. It can be a SIG, but it is a document that is dated. The document isn't up to date. Right now, me, you, all of you on the call, we're looking to move forward with this product and service engagement, but your SOC report and all of the other applicable due diligence material are not materials that reflect today. They may be materials that reflect last year. They may be materials that reflect longer. So you want to make sure that you make informed, fact-based decisions, because a SOC report, and again, a SOC report is really good, it is a control audit report, but I do want to make sure that we're well aware that point-in-time assessments, while they are efficient, I do not find them to be entirely effective. So I do think you need to have other measures. Continuous monitoring, I believe, is where you create strength. But how are you continuously monitoring a supplier if you've misidentified the inherent risk and misidentified what should be done in the beginning? So what I'm trying to show you is how these processes, as an ecosystem, are interconnected. If you don't accurately assess the vendor at the onset, then your due diligence will be incorrect, your residual risk assessment will be incorrect, the residual risk profile will be incorrect, selecting and contracting the supplier will be entirely incorrect, because how can you memorialize the risk, the due diligence, anything that you found during the inherent risk assessment up into that residual risk assessment? It will be incorrect. So you can't memorialize the right things as far as provisions are concerned, in SLAs, in your contract, because everything was done incorrectly, and your continuous monitoring is risk-based. But how can you continuously monitor a vendor if you inaccurately risk-assess and have an inaccurate risk profile of the supplier?
So what you're seeing here is how all of these processes are connected, but it's really important that the people who are a part of these shared services are equally and actively involved and engaged in these processes, because if you're not, then every subsequent step and every subsequent activity will be managed correctly. So again, going back to that collaboration, that internal business alignment, make sure that you get your stakeholders involved. Make sure that you get them actively engaged. Let's not present just the value of the contract at the cost of the proposition level. Let's show a holistic view of what the contract is, or the product or service engagement is. That includes the risk. Not including the risk, simply because you may believe it'll be a bottleneck, or simply because you believe the stakeholders or the powers that be may decide to not move forward with your engagement, again, may be detrimental to your organization. So you need to be as transparent as you possibly can, so that all of the right people who are in the room can make fact-based decisions. Next slide. Now before I say thank you, I do want to make sure that we address any questions that may be in the queue. So, I'll let Ashley or Scott let me know if there are any questions and we can talk through that. So, before handing it off to Scott,
Ashley: Yes, hi, Rodney. I see we have a couple of questions in the queue. We have one from Ed, who asks: "How can you successfully emphasize to internal stakeholders the importance of calculating the inherent risk of the third-party population?"
Rodney: How can you successfully emphasize it? I assume you're providing quarterly reports to the board of directors, because I think your key stakeholders are very important and crucial. If they aren't aware of the risk your product or service poses, unfortunately they won't be able to help you; they can't do or be what you need them to be. So I think the quarterly report to the board is important, since it's an opportunity to communicate with the senior leaders of your organization, inform them of where your organization stands at the TPRM level, inform them of the risk, and inform them of the opportunities for maturity and improvement. If you do that, I think there's a good chance not only that your program will be accepted, but also that it will be improved and matured.
Ashley: Excellent. We have a couple more questions in the chat, but Scott, I'm going to hand it over to you and then we can answer the rest at the end.
Scott: Awesome. Thank you, Ashley. Hi everybody. My name is Scott Lang, VP of Product Marketing here at Prevalent. I just wanted to share a couple of things about Prevalent here, to draft off of Rodney's presentation regarding inherent and residual risk, just to touch on a few ways that Prevalent can help you simplify that process of calculating inherent risk, translating findings into action to ultimately reduce your risk profile and get down to an acceptable level of residual risk over time. And really it all comes down, from our perspective, to what our customers tell us, which is that they want to accomplish any one of three things in their TPRM program. The first thing they want to accomplish is getting the data they need to make better decisions. And from an onboarding or inherent risk perspective, that includes getting the right set of intelligence and the right people involved in the process to understand the company's initial risk exposure, and then identifying what types of due diligence are required based on the results of that very baseline assessment. A second is increasing efficiency and breaking down silos, as Rodney mentioned. You know, there are an awful lot of people in organizations involved in third-party risk, and I grew up on a farm, and the analogy we always used was, if you have a lot of people's hands on the plow, that plow's not really going to go in a straight line. So, who's responsible, who's accountable for third-party risk, who contributes to it, who needs to be consulted and informed about it, and bring those people together under a single source of truth for data and processes so that you can accomplish your organizational goals. And then finally, evolving and scaling their third-party risk management programs over time.
Chances are that program is going to change, not necessarily from a scope creep perspective, but you're going to bring on new vendors and suppliers. New third parties are going to be introduced to deliver goods and services to your enterprise to help you deliver on your expectations to your customers. So how do you adjust and be agile over time and account for any of those types of changes that happen as the organization evolves? You know, our approach to addressing the third-party risk management challenge, and those three objectives that you saw on the previous screen, is to look at risk at every stage of the third-party risk management life cycle. So often we take a look at risk on some level during the sourcing and selection phase, making sure that that company matches your company's risk profile, in addition to the good or service that you're going to be purchasing from them or utilizing being fit for purpose. And then maybe we do some assessments, or we look at it on a contract renewal, but how often is that level of discipline and rigor carried out throughout the rest of that relationship life cycle? We see that problem happen pretty frequently, and it involves a lot of different teams in the business, whether it be the procurement, vendor, and supplier management teams, IT security teams, legal, compliance, data privacy, and many others. So we see these unique and distinct challenges at every one of these phases of the relationship, and our approach is to deliver a prescriptive process that helps you to recognize and mitigate those risks at every stage.
So that as that relationship progresses, from the point that you source and select a vendor to the point where you offboard and terminate that vendor when the relationship ends, you have the assurance that you've got visibility into the risks, that you've got an action plan to mitigate risk down to an acceptable level, and that you have the documentation and memorialization of evidence to prove it to the auditors. And from our perspective, it really comes down to three things. The first is simplifying and speeding up onboarding with a single source of the truth and a process that the entire enterprise can leverage. Second, streamlining that ongoing assessment process and closing gaps in risk coverage that often happen when different teams are involved in managing third-party risk, maybe using different tools and different sources of intelligence and insights to get a picture of whether that third party brings risk to the business. And then finally, unifying teams across the life cycle, which I addressed. So starting in the lower left and going off to the lower right, I guess, in our half-moon shape here, what we can help you accomplish at the sourcing and selection phase is adding automation and intelligence to RFx processes, RFP and RFI processes. So often those things are done in silos, they're done in spreadsheets, there isn't a lot of automation involved, and there effectively isn't a lot of risk visibility involved in a new vendor or supplier that you're looking to onboard. Second, at the intake and onboarding phase, we can give you that single source of supplier truth: one supplier profile, one set of intake processes, one set of contracting and onboarding processes that is extensible throughout the enterprise. So you're singing from the same hymnal, so to speak. And third, scoring inherent risk, something very close to our topic today.
We give you the ability to score and categorize suppliers based on data-driven insights. It's a combination of an eight-question internal survey that you and other members of the team collaborate on answering, as well as incorporating outside intelligence on potential compliance problems, financial risks that this vendor might expose you to, a history of data breaches and cybersecurity problems, governance issues and more, all to give you a score to help you then prescribe a path to a more complete due diligence once onboarding is completed. Fourth, our specialty is in streamlining and automating the ongoing risk management process, and we deliver specific capabilities in our platform that enable you to do that across multiple different risk types. Now, historically, vendor management and third-party risk management was the domain of the security team, and largely is still today, because of the sensitivity of the data and systems and processes that you're ultimately exposed to as a result of doing business with a third party. But, for example, the Prevalent platform has more than 200 built-in assessment templates that enable you to pose to vendors specific risk-based questions that matter to your business or matter to the board. Next is monitoring and validation, or validating the results of those assessments with continuous cybersecurity, business, reputational and financial insights. A lot can happen in between the time that you make an onboarding decision and the time that you finish your due diligence and contract renewal happens.
So we help you fill the gaps between those different types of assessments with the intelligence to keep the team abreast of any challenges that that vendor might be facing, and because not all risks are dedicated to cyber or ESG risks or compliance risks or operational risks. Sometimes a risk is a performance-based risk. And we give you the ability to measure and manage your supplier effectiveness with built-in KPIs and KRIs. And then finally, inevitably, like Neil Sedaka said, breaking up is hard to do. So when it comes time for that vendor relationship to end and that contract to terminate, so often we see that companies don't have the rigor and the discipline built into the process to properly offboard the vendor and mitigate the long-tail risk that you can be exposed to. So we give you the checklists and the document management and the compliance reporting to close that process off. We address multiple different types of risks, or risk areas, with our platform, and that helps give you a good view of your inherent risk, measure the progression of that risk over time, and then get you down to a level of residual risk that's acceptable to the business.
And these are the general six categories that we deliver risk insights into, whether it's an assessment built in the platform or the result of continuous monitoring insights and intelligence that we consume and then correlate against those assessment results on your behalf, and I won't belabor the point; read the fine print there. How do we deliver it? We deliver it in a way that leverages the three great strengths of Prevalent. Number one, the people, the experts that we have that do the hard work on your behalf if you desire that, and that's onboarding vendors, managing them, remediating, executing assessments, and then incorporating a tremendous amount of intelligence and data from half a million different sources and putting that into a format that can help you make good decisions, housing it in the platform with all the workflow and the automation and more, to help you ultimately get down to that level of residual risk that satisfies your board requirements. Look, at the end of the day, we want three things for you, not three things from you, and those three things for you are: number one, to help your organization and your third-party risk management program be much smarter in its approach, and that's delivering you the comprehensive insights, data-driven analytics and role-based reporting for multiple different teams throughout the enterprise. The second is to give you a single source of the truth to combine assessments and monitoring together, and then look at risk throughout the entire life cycle, from onboarding to offboarding, in a much more unified fashion than you might be doing it with spreadsheets or maybe with some disparate tools that really don't talk to one another.
And then finally, as I mentioned before, it's a very prescriptive, intelligence-based approach that gives you built-in recommendations, remediations and more to extend out to your vendors, third parties and other suppliers that ultimately can help you get down to the level that you're willing to accept. So from Prevalent's perspective, that's what our approach is to addressing the problem of third-party risk management. And I think it ties in very closely to what Rodney talked about today in terms of the big challenges that organizations face in third-party risk and what the overriding issues are to get from an inherent to a proper residual risk score. So at that point, I'll stop talking. I'll open it back up to Ashley. Ashley, if we have any other questions for either Rodney or myself, I'm happy to take those now.
Ashley: Hi, Scott. Thank you so much. I'm going to launch our second poll so that we can follow up on any projects you may have. We're curious to know whether you're thinking about establishing or expanding a third-party risk program this year. And please be honest, because we will follow up with you. But in the meantime, Rodney, let's read some of these questions. I love seeing all the participation, and I know you wanted to come back to Ed's question, which was: how can you successfully emphasize the importance of calculating the inherent risk of your third-party population to your internal stakeholders?
Rodney: Yes, that's a question I wanted to come back to as well, because I imagine Ed might be in the same situation I was in many years ago. How do you get stakeholder buy-in? And I don't just mean the board of directors, because I think you have to take incremental steps to get to that point. You may already have access, participation or even engagement at that quarterly-reporting level, or maybe not. So your stakeholders, as far as senior management and executives go, are now vitally important. I think that for every third-party relationship you should have an inherent risk assessment. I think inherent risk, and the distinction between inherent and residual, matters, because more and more I find that organizations only report on residual risk. They monitor and manage residual risk only and have no real transparency into or knowledge of the inherent risk posed by their product or service engagements. So I think it's important to emphasize the inherent risk that products or services pose, and not just the risk after controls are in place, whether internal or external. You need to make sure that your senior management and executives are engaged often, and I think that's the collaborative model I mentioned. We focus on internal relationship management. That means the organization and our external relationships with the vendor. But I think that same model is important internally. So it's important that, if you are in vendor risk management, you are part of that function. It is a process of interconnected processes and activities. So your collaboration and engagement with all of those people can be not only a positive thing but a requirement.
And I think having that collaboration and building a fundamental or basic understanding will help senior management support and even champion what you are trying to do across their organizations.
Ashley: Excellent. And now, Scott, we have a question for you from Mary, who asks: "How does Prevalent help an organization complete annual reviews of SOC reports?"
Scott: Good question. Our view on SOC reports is that if you have engaged an external audit provider and they have delivered a SOC report to you, what we do is help you interpret that report. So we offer a service where we review the report with you. We extract the key risks and controls and bring them into our platform as risks that you can track over time and bring to a conclusion by applying remediation or more. So we don't necessarily run the SOC 2 report or complete it on your behalf, but once it's done, we can help you move it into a platform so that you can manage the risks instead of being left holding that PDF thinking, "Oh, now what do I do?"
Ashley: Thank you, Scott. And now, Rodney, we have another question for you. Someone asked: "For what percentage of vendors should active risk mitigation be carried out, given that the inventory is divided into three tiers: high, medium and low? This is assumed, since most TPRM programs are small teams."
Rodney: Okay. So when we talk about the percentage of vendors for which active risk mitigation should be carried out, I think you should actively mitigate risk when it is identified. Now, the level at which you do it will differ. Obviously, you won't manage and monitor a low-risk vendor the way you would a critical or high-risk one, or even a moderate one, but it depends on your organization's risk appetite. It also depends on the risk that is identified inherently. That's important, simply because I have heard many organizations, and even some TPRM programs or professionals, mention that a low-risk vendor requires no mitigation. So we have inherently identified it as low risk and there is nothing we need to do. Well, I'll tell you that I disagree, because what may be inherently low today, for unforeseen reasons, could be inherently high or moderate tomorrow. And that can happen for many reasons. Maybe it's a substantial change in the actual product or service. So today you may engage a vendor for one specific product and service, and tomorrow you engage the same vendor for a different product or service. What I have observed is that most organizations, or many of them, not all, but when you have a vendor that supplies multiple products or services, there is a disconnect. So if it was inherently, or originally, rated low, then the subsequent products and services are handled the same way, or measured or rated the same way. I think that is incorrect and inaccurate. I don't think it's the right approach.
You need to make sure that each product and service is evaluated, that the risk is assessed, not just the relationship but also the product and service, and you need to make sure that, whatever the inherent risk assessment is, that is how you want to manage and monitor it, so I think you need risk mitigation activities. If it is a low risk, at a minimum, you should manage and monitor it at a frequency based on that low risk.
Ashley: Excellent, thank you, Rodney. And now, Scott, we have another question for you. Someone asked whether there are external interfaces within the Prevalent platform to efficiently collect the necessary data on a regular basis.
Scott: Yes, our platform actually includes an open REST API that allows you to integrate with external sources of intelligence that add additional context to your vendors' scoring or assessments. Now, we also offer our own continuous monitoring solution that includes cyber, financial, business, reputational, ESG, data-leak and other data that can be consumed and add that context for you, or we have the open API that allows you to integrate with other tools you may already have in place.
Ashley: Thank you, Scott, and back to you, Rodney. Tony asked about one of the most challenging aspects of risk that I'm starting to notice, which is building and maintaining an effective stakeholder engagement model. What key tips would you give for starting to develop that and making it more impactful for legal risk managers?
Rodney: You know, I love that question because it takes us back to the original point and purpose of today's presentation. All risks are important, but I think human risk has been a critical factor for many reasons in many different areas, but I think that engagement between you and your other functions is important. I want to believe that right now you are at the initial stage, perhaps at the basic level of building your program. How do you get the second line of defense to participate? Well, have you first identified who makes up the second line of defense in your organization? Do you have a policy or some kind of governance structure that establishes which functions or groups within your organization are, or make up, the second line of defense? I think that's important. And not just at the policy level, but beyond what's written on paper, there needs to be active engagement with your second line of defense. I think that's important. What I have seen in some organizations is that they may have a third-party risk group and multiple risk functions because they cover multiple risk domains, but none of you really communicate or connect, which is a fundamental problem, I can assure you, because together, collaboratively, you are protecting the entity that is your organization, so inclusiveness in collaboration is mandatory, it's necessary, it's important that you, as a risk control function, communicate with the neighboring risk control function, and maybe the risk they are reviewing is unrelated, but still, when talking about third-party products and services, remember the interconnected and interdependent processes and activities, so at some level you must at least have situational awareness, even if at that moment you are not actively participating in the remediation or mitigation of some level of risk.
So I think it's important to establish a cadence with your internal risk functions, with a second line of defense, to review which products or services are critical, high risk or moderate, and to review where there may be issues, escalations or likely areas for remediation. Make sure everyone is aligned on how they view risk externally and what they are doing internally to address those risks or the potential impacts of those external risks.
Ashley: Thank you, Rodney. And now we have another question from Christina, also for you, Rodney, who asks: "How do you merge two TPRM programs when two entities are in the process of merging?"
Rodney: Two TPRM pro... Is that the question? How do you merge two TPRMs? I suppose.
Ashley: Okay.
Rodney: Yes.
Ashley: I like that Christina was quick. Yes.
Rodney: Interesting. So when we talk about mergers and acquisitions, it's important that you have a clear view, and I mean a transparent and clear view, of what those products and services are. I assume you are part of the acquirer. Is that right? Or are you the acquirer? If you can answer that question. It's probably a "to be determined" kind of thing. Okay. Thank you. Okay. Now, that decision is going to be multifaceted, because my perspective is going to be the TPRM and professional one. I think that decision is more a matter for senior executives and stakeholders, because you have to evaluate the TPRM programs, and I'm going to be very honest about which TPRM and which program would be most effective for your organization. That's important. Effectiveness. Now, maybe there is a consolidation because you have the products and services that require the resources and that capacity is available. But you have to measure the effectiveness of the TPRM program, not just in the current state, but also in the future. I think it's about evolution and maturity. So if you are in a TPRM program or you run a TPRM program, your organization must determine whether the effectiveness of your TPRM program is affected not only by the current situation but also by the future situation. That's important. Now, I'm saying that I'm answering this question bearing in mind that I don't know whether it will be consolidated or split. But a decision will have to be made, because you can't have two TPRM programs in a single organization. Either they are consolidated or one of the TPRM programs will have to be the one that wanes, I'd say.
Ashley: Thank you, Rodney. And now back to you, Scott. Someone asked: "You mentioned that Prevalent monitors cyber and regulatory compliance risks. Is this real-time monitoring? I mean, when a data breach or a cyber incident occurs at a third party, does the Prevalent monitoring piece notify us of those incidents?"
Scott: Yes, the short answer is yes. It's as real-time as the announcements or the breaches are announced. So most SLAs or cyber monitoring tools will give you a window of 24 hours between the time an incident is discovered or, for example, the CVE is published or a data breach is announced, and the time you are notified of it, and we conform to that industry-standard SLA, which, as you know, within 24 hours will be transmitted through your instance of the Prevalent platform and allow you to make some decisions based on it.
Ashley: Thank you, Scott. Rodney, someone asked: do you think SOC documents are more valuable than an unaudited SIG document?
Rodney: Wow, how many times have I been asked this question? Well, I think it depends. I don't think they're more valuable in and of themselves. I do think an unaudited SIG document contains very useful information that can be applied. But I weigh it taking into account the importance of the vendor, the risk, the vendor's risk rating, the product and service engagement overall. I would say SOC reports are very good. I like SOC reports, but I can also tell you that, like many other documents we receive from vendors or third parties, they are point-in-time. I'm more interested in the present than in what an auditor reviewed last year, because I want to engage this prospective third party today, I want to sign an agreement today, and I'm looking at documentation that validated the sufficiency of external controls from a year ago, so my current decision, my fact-based decision, is based on information and materials that were provided a year ago. So it's like flipping a coin. I think you need to obtain as much relevant information as possible to support whether it's the right SOC or whether it's a SIG, obtain all the substantial information and all the documentation possible to corroborate and support that, because I think compensating controls are necessary whenever you are dealing with point-in-time assessments, point-in-time documentation. And I'm going to finish. I'm not going to finish, but I'll also say to everyone on the call that I understand the importance of the residual risk assessment. We all know what assessments mean, not just for organizations. We know what they mean for auditors. We know what they mean for regulators. But please, don't let your guard down or lose sight of your continuous monitoring.
I think much of its value lies in emerging risks, not in current risks or risks occurring right now, but in emerging risks, those things that could harm or affect your organization. You must be aware of them. So get information that is relevant for today and also use the information that may be relevant for yesterday, apply them together and make fact-based decisions.
Ashley: Thank you, Rodney. And then Julia asked: "If an organization decides to be more conservative and manage only inherent risks, what would you say is the advantage of including residual risks?"
Rodney: Okay, I've also heard this question many times, and I think it's a coin toss. It's 50 percent dependent on the organization. It depends on the risk profile. Some of these questions, or the answers I've heard other people give, are very holistic. I see it this way: what is your organization's risk appetite? I think you have to consider these things when determining whether a conservative approach, managing only inherent risk, is appropriate. I'm not opposed to it. We know that that is the inherent risk. What I suggest is that, although I think inherent risk and the residual risk profile are important, I also think it's important to revisit inherent risk. Many organizations, going back again to residual risk, will use it only for management and monitoring activities. So once the residual risk assessment is done, you will probably manage and monitor based on residual risk. I would say no. You always have to go back and revisit inherent risk. You have to revisit whether there has been any significant change in the relationship, because the risk profile can change. There may have been contractual changes. There may have been addenda or amendments that require more risk management activities, or there may have been changes that reduce the level of risk management activities. But I think always revisiting inherent risk is equally important. I think it's something every organization in this TPRM space should do, and not focus solely on the residual risk assessment. So I have to say that, in answer to that question, it's a coin toss. It depends on the risk appetite. It depends on the size of your TPRM and the program's capacity. It also depends on the size of your third-party inventory.
Ashley: Thank you, Rodney. And one last question for you. Someone asked: "How many employees do you have and how many vendors do you manage?"
Rodney: And is that why that person is the anonymous question?
Ashley: Yes.
Rodney: Okay. Well, I'll tell you this. I have a team of between 7 and 10 people and an inventory that is anonymously large. I'll say I'll keep certain things to myself. You have to grant me that.
Ashley: Or tell me to reach out offline. Of course. Of course. Well, thank you so much, Rodney, Scott and everyone for all your questions. You both gave us very valuable information today, and I hope to see you all in your inboxes or at a future Prevalent webinar. Cheers, everyone, and enjoy the rest of your Wednesday.
Scott: Bye, everyone.
Ashley: Thank you, Rodney. Bye. Bye, everyone.
©2026 Mitratech, Inc. All rights reserved.