Description
One of the best tools available to a risk professional is the contract; however, coordination between third-party risk teams and contract management or procurement is often fragmented and disjointed. As organizations rely more on vendors, negotiate riskier contracts and face greater demands from regulators, it can be difficult to connect the dots between departments.
Join Tom Rogers, CEO of Vendor Centric, as he discusses ways to bridge the gap between third-party risk and contract management.
In this webinar, Tom will help you:
- Understand what a lifecycle-based approach to managing third-party vendors looks like, and where risk and contracts fit in.
- Identify the most common shortcomings that cause misalignment between risk management and contract management.
- Discover practical processes you can follow to close the gaps and build tighter alignment between risk management and contract management.
- Identify the key changes you can make to TPRM governance to ensure that any improvements you make stick.
Aligning third-party risk and contract management can eliminate the gaps in your vendor lifecycle. Watch this on-demand webinar to learn how.
Speakers
Tom Rogers
CEO, Vendor Centric
Transcript
Melissa: Happy Thursday, everyone. It's great to see everyone starting to join. We'll wait a moment for everyone to get settled, get connected and make sure they have their cup of coffee. I'm going to start with our first poll. There are two. Here's the first one. While you wait patiently, if you've attended any of our webinars before, you know how this works. But we're always curious to know what brings you to today's webinar. Is it for educational purposes? Are you in the early stages of your third-party risk program? Are you current Prevalent customers? I know some of you were already in that position this morning. So just let me know. I'll leave that poll up while I start with a short introduction. We have a very special guest here, Tom Rogers. As you can see, he's the founder of Vendor Centric, which is probably what brought you here in the first place. He's considered a thought leader in vendor management and a trusted advisor to organizations across the United States. We also have Scott Lang, our Vice President of Product Marketing here at Prevalent. And, of course, myself. My name is Melissa. I work in business development, and I'm usually the one who follows up after this webinar. I'm sure I've already chatted with some of you. If it's not me, you'll be hearing from Amanda, Landon or Null. Keep an eye out for them. Today, Tom will dig into the topic titled "Bridging the Gap Between Third-Party Risk and Contract Management." As a quick reminder, we want to value your time, so feel free to use the Q&A section for those burning questions. They'll get lost in the chat, so make sure you use that Q&A section. This is also being recorded. You'll receive it in your inbox later today or tomorrow.
Finally, everyone is muted, so use the chat if you need to communicate anything that isn't for the Q&A section. Other than that, I'm going to pause this poll and let our expert Tom take over.
Tom Rogers: Awesome. Thanks so much, Melissa. And welcome, everyone. Good morning, afternoon, or evening, depending on where you're coming in from. As Melissa mentioned, I'm Tom Rogers. I'll be your guide through today's webinar. The topic we'll be covering is really bridging the gap between third-party risk and contract management. But we'll also be talking holistically about the other components of how you're managing vendors, in addition to risk and contracts, and all the other pieces that fit in, because this topic isn't just about third-party risk and contracts; it's really about holistically managing those vendor relationships. I'll be talking specifically about some areas where risk and contracts tie in. But this whole topic of a more holistic approach to vendor management is a big area right now, as a lot of organizations are either getting something started and up and running off the ground, or they've got an existing program and they're trying to take it to the next level. So let me give you a quick overview of what I'll be covering today in the webinar. There are really three goals I've got. One would be giving you a sense of where TPRM and contract lifecycle management align along the lifecycle of managing those relationships with third parties. So where do those pieces come together? And then, as you think about where those pieces come together, what are the types of control points that you can put into place to really help create better alignment between contract management and third-party risk management? And what does that look like?
And then lastly, as you're looking to potentially put some of these control points in place, where does that fit within the overall governance structure of managing those vendor and third-party relationships, to make sure that the types of things you do as you enhance controls and create better alignment actually stick? That's where the governance piece comes in, and I'll talk about that a little bit on the back end. The webinar is broken down into two parts. The first part is really talking about the why and the what, and the back part is really talking about the how. And so, as Melissa mentioned, if you have questions along the way, just pop them into chat. There'll be some natural points at which we'll break for questions, but Melissa will pop in if there's something that comes up that she wants to bring up as well. Okay. So, with that as background, let's just hop in. The first part I want to talk about is really why it makes sense to align, and where those key alignment points are in the contract management relationship. The way we think about contracting is that it's really broken down into two parts. You have all the things that you do on the front end of a relationship with a new third party. That can include everything from sourcing: going out and finding somebody, determining who you want to work with. It can include diligence on that third party: doing those risk assessments and diligence on them before you go into contracting. And it also includes the process for negotiating those contracts and deals. So all those things that happen on the front end are the pre-contract activities. Then, once you get those contracts in place, it becomes all the activities related to managing those relationships.
So it's SLA management; it's managing deliverables, invoices, things like that. But it also includes things like managing contract modifications when there are changes to scope. And it also includes, on the back end, making sure that once a contract is done and terminated there's a way to close it out and remove that contract, and to do it in a structured way so that you're offboarding the relationship. So that contract management piece isn't just what happens once the contract is signed; it's all the things that get done on the front end and all the things that get done on the back end. There's a lot that happens as you're managing these contracts with third parties. So when you think about risk, risk really presents itself throughout that whole relationship. There's pre-contract risk and diligence that needs to be done to evaluate what you're getting into, and to make sure those risks are identified and appropriately mitigated. And then there's the ongoing monitoring of those risks on the back end, making sure that as things come up there's alignment there, and that those risks are being managed, mitigated and effectively dealt with as part of the general management of the contract too. So risk doesn't just happen at a point in time. It really happens through that whole relationship, from end to end. So it's important that those risk activities and these contracting activities all come together and have tight alignment. But what we typically find in a lot of our clients and the organizations we're working with is that there are lots of gaps along the way where misalignment can occur and risk and contracting aren't working together. So let me give you a couple of quick, practical examples of where we see that and where some of these common gaps are.
And I'll focus really on this diligence piece here, because this is probably what a lot of people are doing right now. So think about when you're entering into a contract. Everybody's got standard contract provisions. This one was from a client of ours, and it's a term and termination provision. You can see on the bottom part here that there's an actual requirement they have for the vendor they're working with: that the vendor is going to return, or on request delete, with written certification of deletion, any protected information in their control. And they even go on to say any protected information in the possession of their affiliates and subcontractors. So think about the typical contract process. We've got a contract. We're negotiating with this third party. We're asking them to comply with this. Where risk comes in is: we've got to make sure that this third party has the necessary policies and controls to live up to the requirement. Oftentimes, though, these contractual requirements go into place and there may not have been a full risk assessment actually done around them. Risk assessments get done in their own silo. Contract standards and provisions get done in their silo, and there's no connection between the two. So what's important here, and where gaps occur, is when organizations have standard contract terms that aren't aligned to the risk assessment procedures that are done. Something's missing in this part of the process. And then, if you look at this bottom part here, where they're requiring this of their affiliates and subcontractors, part of the risk assessment needs to ensure that they're evaluating this vendor's management of their own third parties. So how does this vendor go through and manage their third parties?
Do they require those third parties to have contractual provisions that align to what the actual client is requiring of them, and do those all flow down throughout the process? So this is one area where we see definite gaps: vendors are being asked to comply with certain contractual requirements, but the risk assessments don't always support the ability to know whether they have the right policies and procedures to do it. That's one area. The flip side of that would be cases where you're doing a risk assessment, and do the residual risks that come out of that risk assessment actually make their way into the contract? In this case, this is another example from a client. They're a large international NGO, and they have requirements to receive and evaluate financial statements for certain types of third parties they work with. So you can see down here they have a due diligence question where they ask whether the third party had any significant deficiencies or material findings in their most recent audit report. So the risk assessment is: did they find anything? If they do, though, what makes its way from that risk assessment into the actual contract? This is another gap that we see occur, where the folks who are actually managing the risk assessment process, whether it's the vendor management office, third-party risk, maybe finance is doing this, maybe infosec, are finding something up here, and there isn't communication between those doing the risk assessment and those negotiating and actually creating the contract to ensure that the risks that need to get remediated make their way into the contractual language. So these are just a couple of the gaps that we see on a regular basis where risk and contracting really need to be aligned and oftentimes aren't.
So either language doesn't make its way into the contract, or certain risk assessment procedures are not done. So the way we talk about what you do and how you start to close some of these gaps is really by creating structure that aligns contract management with third-party risk management, and that's where a framework comes in. A framework enables you to bring together operationally all the different components of managing that vendor relationship. So contracts and third-party risks don't live individually. They actually come together under a common structure and common framework in how they're managed. There are lots of different frameworks out there for managing third parties. This is ours, the one we use. Just to orient you as to how this is set up: on the outer ring here, we have the lifecycle stages, basically the different activities and flow that go into managing the third parties, all the way from sourcing, through doing risk assessments and due diligence, through contracting and onboarding that vendor or third party, making purchases, doing ongoing management and monitoring, all the way through termination and offboarding. So the stages are the different activities that need to get managed, and they're inclusive of third-party risk and contracts. And then the inner part is really the operational governance that holds it all together. These are where you're creating policies and standards. They're not standalone policies for contracts and standalone policies for risk, but really policies for managing that end-to-end relationship, supported by standards, supported by procedures, supported by the people, skills and training needed to get the work done, the technology and reporting that you need, all the way through oversight and management of everything as well.
So this framework creates, I guess, the glue or the structure that pulls everything together and helps to support that alignment of the third-party risk activities with the contract management activities. But within the framework and within these different areas, there are certain key points that are really important for aligning contract and third-party risk management. Excuse me. Because while they happen throughout the whole process, there are specific points at which third-party risk and contract management really come together, and that's where the alignment truly needs to happen. So as you think about the framework and about where those points are, there are three that are really important. One, obviously, is when you're doing the initial risk assessment and the contract development, and I talked about that at the early stage there: not only do we need to make sure that any contractual provisions we're requiring the vendor to comply with are evaluated from a due diligence standpoint, but that anything that comes up from a residual risk standpoint also makes its way into the contract when contractual language is required. So this is a key point of alignment. The second key point of alignment between risk and contracting is once that contract's up and running: the ongoing management and monitoring of both risk and contract performance, and making sure that the right procedures are established and the right communication is happening to take the risks that come up and the contractual issues that come up and have those folks coordinate to manage them effectively as well. Then the last area of alignment is really on the back end here, and that's termination and offboarding.
And as I think about the types of organizations we're working with, we have some clients with mature programs, but we have a lot of clients that are just on the front end of this and just getting things going. And I think this last piece, termination and offboarding, is where we see the least maturity out of most of our clients. There's no formal structure in place to go through and really ensure that all contractual obligations have been met, and certainly that all those risk pieces that are still in the contract, like data destruction, like maybe the return or transfer of intellectual property, things like that, happen in an organized and structured way so that there's a de-risking of that relationship. So that's a key point of alignment in the lifecycle as well. So really, as we think about where contracts and third-party risk can come together in a much better way, it's these three places that we really focus on, and then we determine what types of practical processes and controls should be in place to help support that alignment better. And that's what I'm going to start getting into on the back end of the presentation here. But I wanted to just pause for a second. Melissa, I know some things have been coming in through chat, and I want to see if there might be any questions so far.
Melissa: Nothing too urgent at the moment. Everyone's excited about getting the slides at the end. So I'll let you decide and see what you're comfortable with. But so far the engagement has been positive. So I'll let you continue.
Tom Rogers: All right. Great. Great. That's the most important thing, right? We have a reason to tie third-party risk to contracting. There are different points in the relationship that are really critical for making those connections. So now the question is: what do we do? How do we improve those connections? What are some of the control points that matter? And that's what I want to focus on in the second part of the presentation. I have four control points I'd like to go through with you. I'll start with the first, which is contract approval. As we think about it, I'm going to step back for a second. Let's think about this initial risk assessment and contracting. It's about making sure that all the residual risks have been included in the contract. And the best way to do that is to have a good control point during the contract approval process, right? Because that will help ensure that residual risks are remediated. We review the contractual language to make sure they're included and that everything is tied up before executing the agreement with the vendor. So in practice, that's achieved through some kind of control during the approval process. What you're looking at here: I've pulled some illustrations to share with you. This is a sample form from one of our clients. It's a large insurance company. They've actually automated it, so it's not a manual form, but basically, when they get to approving a contract, they go through a process of gathering basic information about the contract to start building the profile: the executive summary, the contract name, things like that. But you can see down here, in this lower section, that before the contract is approved, they're also doing some things related to governance and risk management for the contractual relationship going forward.
So what they want to do here isn't just to make sure residual risks are reflected in the contractual language; they also want to make sure there's a control for doing things like assigning a contract owner, which is this designated relationship manager, right? So they actually make sure that someone after the contract is responsible for actually managing those deliverables, and they flag that and assign that responsibility, which seems pretty basic, but in many cases there's a lot of uncertainty and confusion about who actually owns that relationship and that contract. So it's reinforced here to make sure they're responsible for risk oversight and contractual oversight. And they also do other things here around segmentation, and whether a risk assessment was performed. And then this last part here, in the red section, is really about making sure there's a step in the process, which in this case is their vendor management office, that actually verifies that the risk assessment was done, that the residual risk analysis was done, and that if there's anything that came out of that analysis that needs to be included in the contract, it has been. So the VMO signs off, and if any issue comes up, they're the ones who figure out what needs to happen before final contract approval. Melissa, I saw you pop up.
Melissa: I have a question for you. One of the biggest challenges I typically see is contracting and due diligence being done in parallel, or contracting starting after a green-light assessment, which can take time, and that's the problem. In your view, what is the cleaner method for contracting/assessment: in parallel, where the agreement can be negotiated but cannot be signed until the assessment concludes, or a waterfall approach, where contracting does not begin until all of the assessment's due diligence has been sanctioned or approved?
Tom Rogers: Wow, that was a very well-worded question. That was great.
Melissa: I didn't write it. So,
Tom Rogers: Yeah. No, that was great. A terrific question. Well, here's my take. I think in practice both go in parallel, right? I mean, the business people need things. They can't wait for the whole due diligence process to be completed to start negotiating a contractual agreement. So in practice, what we typically see and what we generally recommend is that contracting goes hand in hand with due diligence, so that you can move these things forward, but there's a final check and a pause at the end to make sure the contract isn't executed and signed until the approval process and due diligence have been completed and the residual risks have also been addressed. So we typically see both going in parallel, and we believe that's the most practical way to approach the situation.
Melissa: Perfect. Do you have time for one more?
Tom Rogers: Sure.
Melissa: An easy one for you. What does "vendor segmentation" mean?
Tom Rogers: Okay. In this case, vendor segmentation is really their risk, sorry, it's really their risk tiering. So they use a high, medium and low risk tier derived from their inherent risk assessment. And that's what they've set up here. This was a manual process. Basically, they created the form and then put it into their software platform to automate everything. So the risk assessment is done automatically, as is the risk tiering, but they wanted a placeholder to make sure that was included in the vendor profile.
Melissa: Perfect. All right. I'll let you continue.
Tom Rogers: Sure. Hopefully that answered those two questions. So, thanks, guys. Keep the questions coming. That's helpful. So this first control point around contract approval is important. This is where we're aligning contracting with the risk piece. So, some keys to think about here. One is to make sure that the process is actually documented. A lot of times the misalignment and the gaps happen because there is no documented process and there's no clarity on roles and responsibilities and who's to do what. So documenting that, and being clear on the process with a supporting form or workflow, is really important. Secondly, in a best-case scenario you'd also have contractual standards that match back to some of your most common residual risks. So, for example, if you're going in and doing a risk assessment and you would normally expect the vendor to have a SOC report, and let's say they don't have a SOC audit, what are you going to do? There's probably some additional diligence you might do, but you also might have some contractual language that says you're allowed to come out for an on-site visit, things like that. So if you know what those contractual standards are when some of your most common residual risks arise, you make that process a lot smoother, and it makes it much easier to bake those into the contract once your risk assessment is done. That's the second thing. And then the third thing is making sure that not only is the risk assessment process documented, but the contract review and approval process is documented as well. Where the misalignment can happen is if you've got third-party risk policies and procedures over here and contract management policies and procedures over there.
Our approach, and how we work with our clients, is to bring everything together into one set of holistic policies and procedures for managing the end-to-end relationship. That includes everything from sourcing, through risk assessments, through contracting and onboarding oversight, all the way through the back end, contract termination and offboarding as well. So to the extent that you can not only define these but bring them together into one holistic view of managing that end-to-end relationship, that really helps too. But documentation here, and having these standards, is a big part of supporting this contract approval control. Okay, so that's control point one, and that's dealing with the front end, prior to entering into a contract. The second control point I wanted to talk about is really on the contract management side, once the relationship begins. Here's where we want to have a process in place to communicate and escalate risks that present during contract management. And this is where we see a lot of communication start to break down, because you've got different people in different roles and different departments within the organization doing different types of oversight, monitoring and management of either risk or the contract, and they're not talking to each other, and there's no process to support them in doing it. So in this case, this is just a screenshot. This is actually from the Prevalent platform, which monitors certain types of risks. In this case, you might have a vendor that's being monitored and some issues came up around regulatory and legal risks. So what do you do, and who's monitoring this? Is it the vendor management office that's monitoring it, or third-party risk? Is it compliance that's monitoring it? Is it the business owner?
So who's monitoring the different pieces that happen during contract management? And how do you have a system and a process to bring those together to make some decisions and escalate them? So the alignment here is really about creating structure in this process and being clear on who's monitoring what and how to escalate issues as they come up. Some of the keys we talk about here during this contract management process, again, get back to roles and responsibilities on who's doing the monitoring. And this is especially for newer programs, which are trying to figure out the roles of different subject matter experts: who looks at financial statements versus who monitors systems like this versus who's monitoring information security risks, things like that. It's creating those roles and responsibilities as to who has those responsibilities, as well as the contract and the service level agreements and deliverables, which is typically the business owner. So clarifying those is key. And then, once you've clarified those, being able to have systems so that when those risks and issues come up, they can either be automatically identified in the system, with communications going out to provide line of sight to all the different stakeholders involved, or, if a risk presents itself and needs to be manually entered into a system, like a contract problem, it can actually be entered into the system and some communication can go out to provide visibility to all the different stakeholders as well. Because it's all about providing line of sight and keeping those communications open as to what's going on. And then, once things come up, it's really figuring out: is this issue something that needs to be dealt with or not? And if it is, who runs point on all of that?
And this is a big challenge for a lot of organizations, especially if folks are trying to push it down to the business owners, because the business owners are typically not going to be the ones who know how to deal with a lot of the issues that come up. They're not information security experts; they're not financial health experts. So who runs point to actually determine when a risk requires escalation and how it gets dealt with? Our approach is that it should really be centralized somewhere within the vendor management office or the third-party risk group, and they should be the quarterback to figure out what to do with it and to get the right people involved in the process, so that you've got all the right stakeholders who can come together, make decisions and decide what they want to do. But having the vendor management office or third-party risk office, whatever you might have in your organization, be the quarterback to do that. They're running point to figure out how to get the risk dealt with. And that might mean contract modifications. Or it may, in a worst-case scenario, potentially mean contract termination. So the last key around risks that might come up during contract management, and how to deal with them, is: if you have risks that can potentially be dealt with through some additional controls, great. If there are requirements you need to place on the third party to be able to do that, you do that through mods to the contract. But you also want to have a way, if something does come up that is beyond your risk appetite and is really going to create an issue, for the contract vehicle to let you get out of it when that happens. The most common way to do that is through some type of termination for convenience language. Generally there's always something in the contract for termination for cause.
But you want to give yourself some flexibility in the contract so that if there's something that just can't be mitigated and you need to get out, you have the ability to do that. So this control point is all about what happens when risks present: how do you centralize them, how do you give line of sight to the right stakeholders, who should be the quarterback to figure out what to do with them, and how do you modify or get out of the relationship if you need to? Those four keys support this whole contract management control point. Okay, let me pause there. Melissa, any questions on that?
Melissa: Yes, actually, it's the perfect time. In your experience, who usually has the final say on accepting a given level of risk? And then DD notes in parentheses, and ultimately contracting. Is it the business owners? Do legal or the TPRM team have veto rights? Is there a risk committee?
Tom Rogers: Yes, that's a great question too. Honestly, it runs the gamut. I think it depends in part on the size of the organization and its maturity. Ultimately, it should depend on the risk. So there needs to be a process for the relevant stakeholders to make decisions about whether or not to accept the risk, and that could be a committee. Some of our clients have risk committees or third-party risk committees where, when a risk comes up that can't be resolved by, say, the VMO and the business owner, it gets escalated to that committee and they can make that decision collectively. So the committee might include people from vendor management or third-party risk, compliance, possibly legal, information security... There are different people who can sit on that committee. However, many of our clients don't have that much structure. I think that's usually reserved for larger, more mature organizations. So they do it a bit more ad hoc. And usually what happens is that whoever leads the vendor management office is responsible for bringing together the right stakeholders based on the risk, and then those stakeholders make the decision collectively. So the business owners don't really make that decision. Obviously, they have to have a voice in it. But we don't want them making a decision on something like an information security risk, right? We really need infosec to have a role in that, or compliance for a compliance risk, and so on. So it's the VMO that runs the process and brings the stakeholders together, and that's usually done more ad hoc, as those needs come up.
What they do is identify who all the stakeholders are for their functions, so that when those issues escalate, they know who the members of the ad hoc group that convenes are. So that's a long answer. I'd say I've seen both. I see fewer committee structures, unless it's a really large, mature organization doing it.
Melissa: Perfect. Thank you.
Tom Rogers: Awesome. Thanks, Melissa, and thanks for the question. All right, let's see how we're doing on time. I'm going to go through the next two control points and then pause for questions there, and I've got one thing to finalize on the back end. So, control point three. We talked about risks that present. What about contract mods? This is an area where I think it's easy for a gap to come up, primarily when there's a scope change. What we're concerned with here is that a business owner does a contract mod that changes the scope of the relationship and may bring more risk into the organization based on that scope change. If more risk is brought into the organization, there needs to be alignment and a pause with third-party risk to say, hey, we're making a scope change. Let's say we hired a vendor to do a project and now we want to outsource something to them, or we hired a vendor to do some initial consulting work and now we're going to be buying software from them. That scope change potentially creates a different relationship with more risk, if you're outsourcing something or leveraging technology. Maybe the front-end diligence you did didn't include those aspects because they weren't present in the initial scope of work, but in the new scope of work they are. So this modification alignment is important. It's basically saying: when we have a contract modification, there needs to be a process in place to stop, look at what the scope change is, and decide whether it changes the nature of the relationship to the extent that we need to reassess the risk. In this example, this is just a sample change order from one of our clients again.
They've made a change where they're licensing and implementing some software. I cleaned this up a bit, but that would be one example. So what we really need to do is pause and make sure that whoever's managing the contract mod notifies risk that the mod is happening, and that they're able to get together and look at the details of the scope change. Is it enough that it's changing the inherent risk we're accepting, and do we need to do an additional level of due diligence based on this modification? That's what we're getting at and what we want the control to be. So, some of the keys here: again, process. Make sure there's a documented process for contract mods, and that there's also a process to redo that inherent risk assessment to see whether there are new risks that need to be assessed based on the scope change. And if there are new risks, and the due diligence shows there are residual risks that need to be remediated, we bake that into the contract. It's a similar process to what we talked about before; it's just happening for the modifications. So that's an important control point around mods. Now, as we work our way through the relationship, we're on the back end and getting toward termination, whether the termination is proactive, because of a breach or for convenience, or whether the contract is just naturally expiring. That's the last control point we want in place: making sure that as the contract winds down, whatever risks remain are alleviated from the relationship, to the extent you can, as the contract obligations are being closed out as well.
This is the same example I showed you earlier around term and termination, where they have to return or delete all the PI, with a written certification. In this case, risk needs to be aligned with contracting to make sure this was actually done: they get the attestation, so that risk can be removed from the relationship, and the third party either no longer has that data or has returned it, and has attested that they've done it. So syncing up here is really about making sure there's a formalized, documented process. You can sense a theme here, right? Documentation. One thing I didn't mention: based on the nature of the relationship from a risk standpoint, you also want to make sure that if this is a critical vendor you're terminating, you already have a contingency plan in place for the vendor, and that the contingency plan was enacted prior to termination. So if you're winding down a relationship with somebody you've outsourced something to, or who is providing key software, there's already been discussion and planning on how you either have a new vendor in place to handle that outsourcing and provide the software, or maybe you're going to bring some of it in-house, so that there's no risk of pausing or creating problems for operations when that vendor's contract is terminated. We've seen issues with this before, where something happened with a vendor, somebody moved quickly to terminate, and then the client was left with a major disruption to their operations that they had to quickly try to resolve. So contingency plans are important here.
Also, a lot of the focus in risk management and risk assessments is around data, but remember there are lots of non-data risks that need to be addressed as well. That might be transfer of intellectual property, if there is any, or something as simple as badging. Did a vendor have access to your office? Okay, get the badge back so they no longer have access, or turn off those rights. All of these things should be factored into a formal, documented termination and closeout process. And then there should be some final control in place. Again, the vendor management office can often be the quarterback on this; the business owner might be running it and responsible for it, but somebody needs to make sure that everything's done. While organizations will try to push that onto the business owner, practically it just won't happen, because they either have too many things on their plate or they won't be held accountable for it. So if you have a function like a VMO that can support this, it's great if they can provide that final check as well to make sure all these things are done: you've de-risked the relationship and gotten all the contract deliverables and obligations that vendor was responsible for. Connecting those dots around de-risking and offboarding the contract here at the end is important. Okay. So, in summary of those control points, as you think about that life cycle: during contracting and onboarding, we need an approval process where risk and contract management come together. Again, around contract management, when risks present, they need to be escalated, and they make their way into the contract if needed. The third one is around modifications.
If there are scope changes that need to be addressed, they're addressed in the contract. And lastly, it's making sure that as the contract winds down, all the de-risking activities happen in concert with that as well. Okay. So those are my thoughts on where alignment is really important between third-party risk and contracting, and some of the things you can do from a control standpoint to support it. Obviously, all of this needs to be baked into some type of structure that is the glue that holds it together, so it's not just done in an ad hoc way. That's a good segue into my last point, which is: as you think about all the different places where you need to make that alignment, how do you make sure they fit together and stick? That's where governance comes into play. This is the inner circle of the framework I showed you earlier; it's really the glue that holds all those activities together. I talked a lot about documentation, policies, and procedures. Again, bring everything together into one common set of policies and procedures for managing these vendor and third-party relationships; that's where you can start to really get alignment between CLM and third-party risk. Don't treat them as separate. Bring them together into a common set of policies, standards, and procedures. Secondly, and a lot of our clients find this very helpful, as you're building out roles and responsibilities, one way to make them more granular and a lot clearer is to create RACI charts. RACI stands for responsible, accountable, consulted, and informed. It's just a way to define which stakeholders are involved in different parts of the contract and third-party management process and what they're supposed to be doing.
Are they responsible for something, or should they just be consulted and informed? Creating that clarity means everybody knows what their roles are throughout third-party risk and contracting. A third piece of governance that helps hold it together is to establish and integrate systems for managing vendors from both a risk and a contract management standpoint. That could be two different systems that talk to each other so you have one source of truth, or it could be one single system that supports both contract and third-party risk management activities, which would make it even easier. But you can't have contract systems and third-party systems living separately. They should come together to create a cohesive source-of-truth view of that relationship and all the activities involved. Then, on the back side, think about the structural pieces: making sure there's appropriate oversight and reporting. That gets back to whether you have a risk committee or not, or maybe a management committee that's responsible for it. What type of reporting should they be getting? How do you escalate things? All of that happens when you establish control and do it together with third-party risk and contracting. And the last piece, again for more mature organizations: if you have an internal audit function or something like it, make sure things are aligned and working as they should by doing periodic assessments and testing of all your activities, to ensure everybody's doing what they should be doing, and then cleaning up any gaps or areas where you need to make improvements.
So that's the last bit of thought I wanted to share with you: this governance structure is key to everything. It's the glue that holds it all together. If you don't have these things, it's really easy for misalignment to happen, not only with contract and third-party risk, but with compliance and term and all the other pieces that go into managing that vendor relationship. That's really what I've got on the slides I wanted to share with you today. Melissa, I see we're at 12:49, so maybe we have time for one quick question, or I can turn it back over to you and Scott.
Melissa: Well, I'll let Scott take it from here, and then, uh, we'll see if we have time left for some Q&A.
Scott Lang: Great. Uh, Tom, could you advance to my slide, please? Use the beginning. Anyway,
Tom Rogers: Um
Tom Rogers: Sorry. And I have... I think we're going to share this presentation, right, Melissa?
Melissa: Up to you. Um
Melissa: We'll share the deck. Yes.
Scott Lang: That's all I wanted.
Tom Rogers: Yes. I have... So you can reach out to me if you have any questions or inquiries afterward. Anyway, thank you. And over to you, Scott.
Scott Lang: Yeah, you can keep going. We'll flip over to me. I've just got a couple of points I want to cover on what Prevalent's perspective is on aligning the contract life cycle with the third-party risk life cycle. It might be good for me to walk through a few things, talk about our perspective, and give Melissa a chance to triage all the questions that came in. Fantastic engagement, everyone, from all the questions you're asking. Definitely keep it up; it keeps these discussions lively, real, interactive, and grounded in actual situations. So thank you for the engagement. Keep it coming. From our perspective, Tom walked through a very holistic approach to how managing a contract, managing CLM, relates to managing a vendor. If you want to sum it up, it's a very time-consuming manual process. You're probably using a CLM tool in a silo that maybe doesn't have great interaction with the way you're assessing your vendor. What that leaves is disjointed views of the risk a vendor brings to you from a contractual perspective (are they meeting their SLAs? Is the right contractual language in there?) versus how you're assessing the risk the vendor brings to you inherently: security, IT-related risk, data privacy risk, reputational risk, whatever. It's also a version control nightmare that you understand better than anyone else. What it results in is that you can't really track details very effectively. It doesn't give you great visibility into the contract life cycle, and what ends up happening?
You've got folks going rogue in the organization, maybe going outside of established contracting and purchasing cycles, maybe signing paper they shouldn't be signing, and it leaves the business unprotected from a potential contractual problem in the future. It leaves you out of sync, and it can introduce a lot of business risk, with all those real business consequences backending that. So I guess the point I'm trying to make is: if you're looking at CLM and TPRM differently, bringing them together holistically is the better path. Tom, next slide, please. Our approach is to offer a solution that fully integrates with the third-party risk management life cycle; the solution is called Contract Essentials. At the heart of the solution is the ability to centralize the creation, distribution, discussion, retention, and review of vendor contracts. We've implemented workflow into our solution that helps automate the progression of that contract through its life cycle, and you can see a representation of that on the right-hand side. So at the end of the day, you can treat contracts with the same level of discipline as you're treating other types of risk that come through the regular engagement with the vendor. There are a couple of high-level capabilities available in the solution: built-in workflow to help you automate the progression of contracts and review until a signature is obtained, and the ability to extract key contractual provisions or language that you can then automatically implement into contractual SLA monitoring, for example.
It's got built-in version control to let you make changes and re-upload new versions, and discussion tabs as well, so that if you just want to ask the contract manager or internal procurement person a question, you can do that too. Next slide, please, Tom. We see contract life cycle management as its own thing, of course, and so is third-party risk, but we see the contract life cycle touching multiple stages of the third-party risk life cycle. It isn't just about sourcing and selecting good vendors or simplifying the process of negotiating, version control, and upload, but also, from an onboarding perspective, making sure you've got the review, redlining, and approval processes in place, so that when you make a decision on a vendor, you can quickly execute and get them onboarded, come to agreement on contractual provisions, agree on SLAs, and then move forward to more comprehensive due diligence, which means it's totally appropriate as you're measuring SLAs and performance throughout the life cycle. Okay: sourcing and selecting vendors, intaking and onboarding, performing some level of inherent risk assessment, doing due diligence assessments and remediation, validating those results through continuous monitoring, monitoring performance over the life cycle, and then finally, speaking to something I think Tom was really clear about in his slides, offboarding and termination. That gives you a central repository that's tracking not just the final contractual requirements and obligations that have to be met, but how that aligns with the rest of your third-party risk tasks: breaking access, cutting off physical access to systems, things like that. Next slide, please, Tom.
Multiple different people throughout the enterprise can benefit from the integration of CLM and third-party risk. Legal folks, the folks who are managing contracts on a regular basis, save a lot of time by automating those cumbersome processes and, more importantly, keeping their stakeholders updated and involved. Procurement shortens purchasing cycles by making sure everybody's adhering to the process, by offering it centrally and requiring everybody to play in that system, and then looking at contractual risks as well as business risks. And IT security and risk management teams have a derivative benefit of reducing the risk of a downstream business disruption by making sure contracts have provisions that are enforceable and can be measured throughout the life cycle as well. Next slide, please, Tom. That aligns with the rest of our approach to managing third-party risk. We start by offering you the ability to source and select a vendor appropriately through RFx Essentials, intake and onboard and contract with Contract Essentials, and then perform deep inherent risk and ongoing due diligence, assessment, and remediation in our platform all the way through the life cycle, so that you can continuously reduce risk not just from a contract perspective but from a holistic risk perspective. Next slide, please. At the end of the day, our approach is founded on three driving principles.
Number one, we hope to make you smarter with regard to risk through a very data-driven and comprehensive approach that adds context to help unify your processes and teams and break down silos, not just your risk and third-party teams but now also legal and procurement teams. And to do it in a way that's prescriptive, with built-in intelligence, recommendations, and remediations, so that everybody knows what's happening at the same time, and you can produce great reporting, improve your organizational consistency and process, and eventually close the loop on risk from contracting onward to offboarding. That's really our approach to how we address third-party risk and CLM together. I'll stop talking now. We can open it up to questions if you have questions for Tom especially, or even a few for me; I'm happy to take those as well. Melissa, back to you.
Melissa: Great. Thanks, Scott. We're going to move into Q&A, but before we do, I have one last question for you. Are you thinking about expanding or establishing a third-party risk program in 2022 or even early 2023? I can't believe we're already halfway through the year. So answer honestly; it's just for curiosity and for follow-up. As I mentioned earlier, it will be me or one of my colleagues, Amanda, Null, or Landon. For Q&A, I have a question for you, Tom. How do you manage contract control points with your critical vendors versus your high-risk vendors?
Tom Rogers: Contract control points. I think the question, if I'm interpreting it correctly, is about the four types of control points I mentioned earlier, right? And is there a difference in how they're managed, or are they managed differently, for critical and high-risk vendors versus everyone else? I think that might be the question, so I'll go with my own interpretation. I'd say the control points are the same. There's no change in the control points based on whether the vendor is critical or not, high risk, medium risk, or low risk. Because think about it... I know we're short on time, but a quick example: hey, you have a modification. Originally the vendor might have been segmented or classified as low risk. But suppose the modification makes them high risk, because now you decide to outsource something to them, or you're buying a system from them. So it's really not so much about the risk classification and criticality; it's about the control point, applied consistently across your entire vendor population. I hope I interpreted that correctly, but there shouldn't be any change in the controls.
Melissa: Perfect. Well, you timed that perfectly. We have about a minute and a half left. Can I ask one more question?
Tom Rogers: Yes, sure. I'll do it in 60 seconds or less.
Melissa: Okay. I'll read as fast as I can. Could you talk a bit more about how to connect your risk SMEs and contracting experts with the business owners who, as you mentioned, may not have as nuanced or deep an understanding of risk? Is there a quick best practice to make sure nothing gets lost in translation?
Tom Rogers: Yes, that's like an hour-long conversation. That's a great question. It's hard, right? It's really hard. And the bigger you get, the harder it is. So I don't know that I have a quick answer for that, other than to say that what we've found works really well is, remember what I mentioned earlier about RACIs: that process has helped a lot of our clients, because it takes them through it and really defines their process, as well as identifying which stakeholders are involved at each point, who really needs to participate, and who just needs to be informed or consulted. So maybe my quick answer is to start by figuring out who they are and what their roles and responsibilities are. Maybe using something like a structured RACI model is the starting point. And then it's a matter of, well, getting them to work together is a completely different conversation. That involves some change management and training, and coordination by the VMO as the quarterback to bring them in. But that RACI model would probably be a good starting point if you don't already have something like that, because it really helps clarify everything.
Melissa: Perfect. Well, that's all for today. I hope you enjoyed this webinar. Thank you also for your participation. We've given you a lot to think about, I'm sure. See you soon in your inboxes. Goodbye.
Tom Rogers: Thanks, Melissa.
Melissa: Bye.
©2026 Mitratech, Inc. All rights reserved.