How to bridge the gap between third-party risk management and contract management?
Description
One of the best tools available to a risk professional is the contract. Yet coordination between the teams responsible for third-party risk and those responsible for contract management or procurement is often siloed and fragmented. As organizations depend more heavily on vendors, negotiate riskier contracts and face growing demands from regulators, connecting the different departments can be difficult.
Join Tom Rogers, CEO of Vendor Centric, as he discusses ways to bridge the gap between third-party risk management and contract management.
In this webinar, Tom will help you:
- Understand what a life-cycle approach to managing third-party vendors looks like, and where risk and contracts fit in.
- Identify the most common gaps that create misalignment between risk management and contract management.
- Discover practical processes you can follow to close those gaps and create better alignment between risk management and contract management.
- Identify the key changes you can make to TPRM governance to ensure the improvements you make are sustainable.
Aligning third-party risk management and contract management can eliminate gaps in your vendor life cycle. Watch this on-demand webinar to find out how.
Speakers
Tom Rogers
CEO of Vendor Centric
Transcript
Melissa: Happy Thursday, everyone. I'm glad to see you all joining. We'll wait a few moments for everyone to settle in, connect and grab their coffee. I'm going to launch our first poll. There are two. So here's the first one. While you wait patiently: if you've attended one of our webinars before, you know how this works. But we're always curious to know what brings you to today's webinar. Is it for educational purposes? Are you in the early stages of your third-party risk management program? Are you currently a Prevalent customer? I know some of you already are. So let me know. I'll leave this poll open while I begin with a short introduction. We have a very special guest here, Tom Rogers. As you can see, he is the founder of Vendor Centric, which is probably what brought you here in the first place. He is regarded as a thought leader in vendor management and a trusted advisor to organizations across the United States. We also have Scott Lang, our Vice President of Product Marketing here at Prevalent. And myself. My name is Melissa. I work in business development, and I'm usually the one who follows up after this webinar. I've already spoken with some of you, I'm sure. So if it isn't me, you'll hear from Amanda, Landon or Null. So keep an eye out. Today, Tom will be covering the topic "How to bridge the gap between third-party risk and contract management". As a reminder, we want to make the most of your time, so feel free to use the Q&A section to ask your burning questions. They can get lost in the chat, so be sure to use that feature. This session is also being recorded.
You'll receive it in your inbox later today or tomorrow. Finally, you are all muted, so use the chat if you need to communicate something that doesn't belong in the Q&A box. Other than that, I'll pause this poll and let our expert Tom take over.
Tom Rogers: Awesome. Thanks so much, Melissa. And welcome, everyone. Good morning, afternoon or evening, depending on where you're coming in from. As Melissa mentioned, I'm Tom Rogers. I'll be your guide through today's webinar. The topic we'll be covering is really bridging the gap between third-party risk and contract management. But we'll also be talking holistically about other components of how you're managing vendors, in addition to risk and contracts, and all the other pieces that fit in, because this topic isn't just about third-party risk and contracts; it's really about holistically managing those vendor relationships. I'll be talking specifically about some areas where risk and contracts tie in. But this whole topic of a more holistic approach to vendor management is a big area right now, as a lot of organizations are either getting something started and up and running off the ground, or they've got an existing program and they're trying to take it to the next level. So let me give you a quick overview of what I'll be covering today in the webinar. There are really three goals I've got. One would be giving you a sense of where TPRM and contract life cycle management align along the life cycle of managing those relationships with third parties. So where do those pieces come together? And then, as you think about where those pieces come together, what are the types of control points that you can put into place to really help create better alignment between contract management and third-party risk management? And what does that look like?
And then lastly, as you're looking to potentially put some of these control points in place, where does that fit within the overall governance structure of managing those vendor and third-party relationships, to make sure that the types of things you do as you enhance controls and create better alignment actually stick? That's where the governance piece comes in, and I'll talk about that a little bit on the back end. The webinar is broken down into two parts: the first part is really talking about the why and the what, and the back part is really talking about the how. And so, as Melissa had mentioned, if you have questions along the way, just pop them into chat. There'll be some natural points at which we'll break for questions, but Melissa will pop in if there's something that comes up that she wants to bring up as well. Okay. So, with that as a background, let's just hop in. The first part here I want to talk about is really why it makes sense to align, and where those key alignment points are in that contract management relationship. The way we think about contracting is that it's really broken down into two parts. So you have all the things that you do on the front end of a relationship with a new third party. That can include everything from sourcing, going out and finding somebody, determining who you want to work with. It can include diligence on that third party, so doing those risk assessments and diligence on them before you go into contracting. And it also includes the process for negotiating those contracts and deals. So all those things that happen on the front end are the pre-contract activities. Then, once you get those contracts in place, it becomes all the activities related to managing those relationships.
So it's SLA management, it's managing deliverables, invoices, things like that. But it also includes things like managing contract modifications when there are changes to scope. And it includes, on the back end, making sure that once a contract is done and terminated there's a way to close it out and remove that contract, and do it in a structured way so that you're offboarding the relationship. So that contract management piece isn't just once the contract is signed; it's all the things that get done on the front end and all the things that get done on the back end. There's a lot that happens as you're managing these contracts with third parties. So, when you think about risk, risk really presents itself throughout that whole relationship. There's pre-contract risk and diligence that needs to be done to evaluate what you're getting into and to make sure those risks are identified and appropriately mitigated. And then there's the ongoing monitoring of those risks on the back end, making sure that as things come up there's alignment, and that those risks are being managed, mitigated and effectively dealt with as part of the general management of the contract, too. So risk doesn't just happen at a point in time. It really happens through that whole relationship, from end to end. So it's important that those risk activities and these contracting activities come together and have tight alignment. But what we typically find in a lot of our clients and the organizations we're working with is that there are lots of gaps along the way where misalignment can occur and risk and contracting aren't working together. So let me give you a couple of quick practical examples of where we see that and where some of these common gaps are.
And I'll focus really on this diligence piece here, because this is probably what a lot of people are doing right now. So think about when you're entering into a contract. Everybody's got standard contract provisions. This is one which was from a client of ours, and it's a term and termination provision. And you can see on the bottom part here there's an actual requirement they have for the vendor they're working with: that the vendor is going to return or, on request, delete, with written certification of deletion, any protected information in their control. And they even go on to say any protected information in the possession of their affiliates and subcontractors. So think about the typical contract process. We've got a contract, we're negotiating with this third party, we're asking them to comply with this. Where risk comes in is: we've got to make sure that this third party has the necessary policies and controls to live up to the requirement. Oftentimes, though, these contractual requirements go into place and there may not have been a full risk assessment actually done around these contractual requirements. Risk assessments get done in their own silo, contract standards and provisions get done in their silo, and there's no connection between the two. So what's important here, and where gaps occur, is when organizations have standard contract terms that are not aligned to the risk assessment procedures that are done. Something's missing in this part of the process. And then if you look at this bottom part here, where they're requiring this of their affiliates and subcontractors, part of the risk assessment needs to ensure that they're evaluating this vendor's management of their own third parties. So how does this vendor go through and manage their third parties?
Do they require those third parties to have contractual provisions that align to what the client is actually requiring of them, and do those all flow down throughout the process? So this is one area where we see definite gaps: vendors are being requested to comply with certain contractual requirements, but the risk assessments don't always support the ability to know whether they have the right policies and procedures to do it. So that's one area. The flip side of that would be cases where you're doing a risk assessment, and do the residual risks that come out of that risk assessment actually make their way into the contract? So in this case, this is another example from a client. They're a large international NGO, and they have requirements to receive and evaluate financial statements for certain types of third parties they work with. You can see down here they have a due diligence question where they ask whether the third party had any significant deficiencies or material findings in their most recent audit report. So the risk assessment is: did they find anything? If they did, though, what makes its way from that risk assessment into the actual contract? This is another gap we see occur, where the folks actually managing the risk assessment process, whether it's the vendor management office, third-party risk, maybe finance, maybe infosec, are finding something up here, and there's a breakdown in communication between those doing the risk assessment and those negotiating and actually creating the contract, so that the risks that need to get remediated don't make their way into the contractual language. So these are just a couple of gaps we see on a regular basis where risk and contracting really need to be aligned and oftentimes are not.
So either language doesn't make its way into the contract, or certain risk assessment procedures are not done. The way we talk about what you do and how you start to close some of these gaps is really by creating structure that aligns contract management with third-party risk management, and that's where a framework comes in. A framework enables you to bring together, operationally, all the different components of managing that vendor relationship, so contracts and third-party risk don't live individually. They actually come together under a common structure and common framework in how they're managed. There are lots of different frameworks out there for managing third parties. This is ours, and the one we use. Just to orient you as to how this is set up: on the outer ring here, we have the life cycle stages, basically the different activities and flow that goes through managing the third parties, all the way from sourcing, through doing risk assessments and due diligence, through contracting and onboarding that vendor or third party, making purchases, doing ongoing management and monitoring, all the way through termination and offboarding. So the stages are the different activities that need to get managed that are inclusive of third-party risk and contracts. And then the inner part is really the operational governance that holds it all together. These are where you're creating policies and standards: not standalone policies for contracts and standalone policies for risk, but really policies for managing that end-to-end relationship, supported by standards, supported by procedures, supported by the people, skills and training needed to get the work done, the technology and reporting that you need, all the way through oversight and management of everything as well.
So this framework creates the glue, or the structure, that pulls everything together and helps to support that alignment of the third-party risk activities with the contract management activities. But within the framework and within these different areas, there are certain key points that are really important for aligning contract and third-party risk management. Because while they happen throughout the whole process, there are specific points at which third-party risk and contract management really come together, and that's where the alignment truly needs to happen. So as you think about the framework and where those points are, there are three that are really important. One, obviously, is when you're doing the initial risk assessment and the contract development, which I talked about at the early stage there: not only do we need to make sure that any contractual provisions we're requiring the vendor to comply with are evaluated from a due diligence standpoint, but anything that comes up from a residual risk standpoint also needs to make its way into the contract when contractual language is required. So this is a key point of alignment. The second key point of alignment between risk and contracting is, once that contract's up and running, the ongoing management and monitoring of both risk and contract performance, and making sure there are the right procedures established and the right communication happening to take risks that come up and contractual issues that come up, and have those folks coordinate to manage those effectively as well. Then the last area of alignment is really on the back end here, and that's termination and offboarding.
And as I think about the types of organizations we're working with, we have some clients with mature programs, but we have a lot of clients that are just on the front end of this and just getting things going. And I think this last piece, termination and offboarding, is where we see the least maturity out of most of our clients. There's no formal structure in place to go through and really ensure that all contractual obligations have been met, and certainly that all those risk pieces that are still in the contract, like data destruction, like return or transfer of intellectual property, things like that, happen in an organized and structured way, so there's a de-risking of that relationship. So that's a key point of alignment in the life cycle as well. So really, as we think about where contracts and third-party risk can come together in a much better way, it's these three places that we focus on, and then we determine what types of practical processes and controls should be in place to help support that alignment better. And that's what I'm going to start getting into on the back end of the presentation here. But I wanted to just pause for a second. Melissa, I know some things have been coming in through chat, so let's see if there might be any questions so far.
Melissa: Nothing very urgent at the moment. Everyone is eager to see the slides at the end. So I'll let you decide and see what works best for you. But so far, engagement is positive. I'll let you continue.
Tom Rogers: Okay. Great. Great. So that's the big picture, right? We have a reason to connect third-party risk to contracting. There are different points in the relationship that are really critical for making those connections. So now the question is: what do we do? How do we improve those connections? What are the important control points? And that's what I'd like to focus on in the second part of this presentation. I have four control points I'd like to walk through with you. I'll start with the first, which is contract approval. To think about it, I'll go back a moment. Here we're thinking about that initial risk assessment and contracting. It's about making sure all residual risks have been addressed in the contract. And the best way to achieve that is to have a good control point during the contract approval process, right? It will ensure that residual risks are taken into account. We review the contract terms to make sure they're in there and everything is settled before you sign the agreement with the vendor. In concrete terms, that translates into some type of check during the approval process. What you see here, I pulled out a few illustrations just to show you. This is an example form from one of our clients, a large insurance company. They've actually automated this process, so it's not a manual form, but basically, when they get to approving a contract, they go through a process of collecting some basic information about the contract to start building the profile: the executive summary, the contract name and so on.
But you can see here, in this lower section, that before the contract is approved they also perform certain tasks related to governance and risk management for the upcoming contractual relationship. What they want to do here is not only make sure the residual risks are reflected in the contract wording, but also make sure there's a check to do things like designating a contract owner, who is the designated relationship manager. So they make sure that someone, after the contract is signed, is responsible for actually managing those deliverables and reporting on them, and they assign that responsibility, which sounds fairly basic, but in many cases there's a lot of uncertainty and confusion about who is really responsible for that relationship and that contract. So they reinforce that point here to make sure they're accountable for risk monitoring and contract monitoring. They also do other things here, like segmentation and risk assessment. And then this last part here, in red, is about making sure there's a step in the process, which in this case is their vendor management office. They actually verify that the risk assessment has been done, that the residual risk analysis has been done, and that anything coming out of that analysis that needs to go into the contract has been done. So the vendor management office validates all of that, and if there are problems, it's the office that takes the lead in determining what needs to be done before final contract approval. Melissa, I saw you popped up.
Melissa: I have a question for you. One of the biggest challenges I usually encounter concerns contract signing and due diligence, which are either carried out in parallel or deferred until a green light is obtained, which can take time, and that's where the problem lies. In your view, what is the clearest method for contracting and assessment: in parallel, where the agreement can be negotiated but cannot be signed until the assessment is complete, or a waterfall approach, where contracting only begins once all the assessment due diligence has been sanctioned or approved?
Tom Rogers: Wow, that was a very well-worded question. That was great.
Melissa: I didn't write it. So,
Tom Rogers: Yes. No, that was great. Excellent question. Here's my view. I think in practice the two go hand in hand, right? I mean, business leaders need certain things. They can't wait for all the due diligence to be done before starting to negotiate a contractual agreement. So in practice, what we typically see happen, and what we typically recommend, is that contracting goes hand in hand with due diligence so you can keep things moving, but that there's a final check and a pause at the end to make sure the contract cannot actually be executed and signed until the approval process is complete, due diligence is finished and all residual risks have been addressed. So we typically see those two processes run in parallel, and we think that's the most practical way to proceed.
Melissa: Perfect. And do you have time for one last question?
Tom Rogers: Of course.
Melissa: An easy one for you. What does "vendor segmentation" mean?
Tom Rogers: Okay. In this case, vendor segmentation actually corresponds to their risk tier, sorry, to their actual risk level. So they use a classification with three risk levels (high, medium and low) that comes out of their inherent risk assessment. And that's what they've set up here. This was a manual process. They basically created the form, then integrated it into their software platform to automate everything. So the risk assessment is performed, the risk rating is done automatically, but they wanted a placeholder to make sure it was included in the vendor profile.
Melissa: Perfect. Very good. I'll let you continue.
Tom Rogers: Sure. Hopefully that answered those two those two questions. So, thanks guys. Keep keep the questions coming. That’s helpful. Um, so, so this first control point around contract approval is is important. This is where we’re aligning contracting with the risk piece. So, a couple some keys to think about here. Um, so one of which is is to make sure that that the process is actually documented, right? So, um, a lot of times m the the misalignment that happens and the gaps happen because there is no documented process and there’s no clarity on roles and responsibilities and who’s to do what. So, uh documentation of that and being clear on the process with a supporting form or workflow is really important, right? Uh secondly is also um in a in a best case scenario would be to also have contractual standards that kind of match back to some of the your most common residual risks that come up. So that for example, if somebody, you know, if you’re if you’re going in and you’re doing a a risk assessment and you would normally expect that the vendor would have a sock report and let’s say they don’t have a sock audit, kind of what are you going to do, right? So there’s probably some additional diligence that you might do, but you also might have some contractual language that says, you know, you’re allowed to come out for an on-site visit, things like that, right? So if you know what those contractual standards are, are when some of your most common residual risks arise, you you make that process a lot smoother and it makes it much easier to kind of bake those into the contract once your risk assessment is done. So that’s a second thing. And then uh the third thing is is that um making sure not only is the risk assessment process documented, but that contract review and approval process is documented as well. And so you know where the misalignment can happen is if you’ve got third party risk policies and procedures and contract management policies and procedures. 
Our approach and and how we work with our clients is we bring everything together into one set of holistic policies and procedures for managing the endto-end relationship. So that includes everything from sourcing through risk assessments through contracting and onboarding oversight all the way through the backend um contract termination offboarding as well. So to the extent that you can not only define these but bring them together into one holistic view of managing that endto-end relationship that really helps as well but documentation here and and having these standards is a big part of supporting this this contract approval control okay so that’s control point one and that’s dealing with the front end prior to entering into a contract uh the second control point that I wanted to to talk about is really on the contract management side and once the relationship begins, right? So, here’s where we want to have a process in place to kind of communicate and escalate risks that present during contract management. And this is where um we see a lot that communication starts to break down because you’ve got different people in different roles and different departments within the organization that are doing different types of oversight and monitoring uh and management of either risk or the contract and they’re not kind of talking to each other and there’s no process to be able to support them to do it. Right? So in this case, this is a a just a screenshot. This is actually from the prevalent platform that monitors certain types of risks, right? So you know in this case, you know, you might have a vendor that’s being monitored and some issues came up around regulatory and legal risks. So what do you do and how do you who’s monitoring this. So, is this the vendor management office that’s monitoring it or thirdarty risk? Is this uh compliance that’s monitoring it? Is it the business owner? Right? 
So, who’s kind of monitoring the different pieces that happen during contract management? And how do you have a a a system and a process to be able to bring those together to kind of make some decisions and escalate them? So, the alignment here is really about creating structure to this process and being clear on who’s monitoring what and how to escalate issues as they come up. So, some of the keys that that we kind of talk about here during this contract management process, again, it gets back to roles and responsibilities on who’s doing the monitoring. And this is especially for newer programs and they’re trying to figure out kind of the roles of different subject matter experts and um who looks at financial statements versus who monitors systems like this versus who’s monitoring information security risks, things like that. It’s creating those roles and responsibilities as to as to who has has those uh um uh those responsibilities, sorry, as well as the contract and the service level agreements and deliverables, which is typically the business owner. So clarifying those is key. Um and then once you’ve clarified those, being able to have systems that when those risks come up, when those issues come up, that they actually can be either automatically identified in the system and then communications kind of go out to provide line of sight to all the different stakeholders involved or a way that if a risk presents itself and uh needs to be say manually entered into a system like a contract problem that it can actually do that be entered into the system and then some communication to go out to provide visibility to all the different stakeholders as well because it’s all about providing line of sight and keeping those communications open as to what’s going on. And then once things come up, it’s really figuring out, all right, so is this issue uh something that needs to be dealt with or not? And if it is, who kind of runs point on all of that? 
And and this is a big challenge for a lot of organizations, especially if folks are trying to push it down to the business owners because the business owners are typically not going to be the ones to know how to deal with a lot of the issues that come up. not information security experts, they’re not financial health experts, right? So, so who runs point to actually determine when a risk requires escalation and how it gets dealt with? Our approach is is that should really be centralized somewhere within the vendor management office or the third party risk group and that they should be the quarterback to figure out what to do with that and to get the right people involved in the process so that you’ve got all the right stakeholders that can kind of come together, make decisions, and decide what they what they want to do. But having the the the vendor management office or third-party risk office, whatever you might have in your organization, kind of be the quarterback to do that, right? So, they’re running point to figure out how to get the risk dealt with. And that might mean contract modifications, right? Or it may in worst case scenario potentially mean contract termination. So, the last key around risks that might come up during contract management and how to deal with them is if you have risks that um can potentially be dealt with through some additional controls, great. If there’s requirements you need to place on the third party to be able to do that through mods in the contract, but you also want to have a way that if you if something does come up that is beyond your risk appetite that’s really going to create an issue that the contract vehicle needs to have a way for you to be able to get out of it when that happens. Um the most common way to do that is through some type of um uh you know termination for convenience language. Uh generally there’s always stuff in the contract for termination for cause. 
But you want to give yourself some flexibility here in the contract, so that if there’s something that just can’t be mitigated and you need to get out, you have the ability to do that. So this control point is all around when risks present. How do you kind of centralize? How do you have line of sight to the right stakeholders? Who should be the quarterback to figure out what to do with them? And then how do you modify or get out of the relationship if you need to? So these four keys kind of support this whole contract management control point here. Okay, pause there. Melissa, any questions on that?
Melissa: Yes, actually, this is the perfect time. In your experience, who typically makes the final decision to accept a certain level of risk? And then, in parentheses, flagged by DD and ending up being contracted. Is it the business owners? Does legal or the TPRM team have veto power? Is there a risk committee?
Tom Rogers: Yes, that’s also a great question. Honestly, it varies enormously. Uh, and I think part of it depends on the size and maturity of the organization. Uh, ultimately, it has to depend on the risk. So there should be a process in place so the relevant stakeholders can decide whether or not to accept the risk, and that could be a committee. Some of our clients have risk management committees or third-party risk management committees which, when a risk can’t be resolved by the VMO and the business owner, escalate it to that committee, which can then make a collective decision. That committee can be made up of people from vendor management or third-party risk management, compliance, possibly legal, infosec, and so on. There can be different people on that committee. However, many of our clients don’t have such an elaborate structure. I think that’s generally reserved for larger, more mature organizations. So they proceed in a somewhat more ad hoc way. And generally, the person who runs the vendor management office is responsible for bringing together the right stakeholders depending on the risk, and then those stakeholders collectively make that decision. So it isn’t the business leaders who make that decision. They obviously need to have a say. But we don’t want them making a decision about an information security risk. Right? We really need IT to play a role there, or in the area of compliance risk or whatever it is. So it’s the VMO that runs point and brings the stakeholders together, usually on an ad hoc basis, when the need arises.
What they do is identify all the stakeholders in their roles so that when these issues escalate, they know who is part of the ad hoc group that convenes. So, that’s a long answer. I’d say I’ve seen both cases. I see the committee structure less often, unless you’re really a larger, more mature organization that operates that way.
Melissa: Perfect. Thank you.
Tom Rogers: Awesome. Thanks, Melissa, and thanks for the question. All right, so let’s see. How are we doing on time here? All right, so I’m going to go through the next two control points and then I’ll pause for questions there, and I’ve got one thing to kind of finalize from the back end. So the control point three here. All right, so we talked about risks that present. So what about contract mods? Right. This is an area where I think it’s easy to have a gap that comes up, especially primarily when there’s a scope change, right? So, what we’re concerned with here is that a business owner goes through and does a contract mod that changes the scope of the relationship, and that may bring more risk into the organization based on the scope change, right? And if there’s more risk that’s brought into the organization, there needs to be an alignment and a pause with third-party risk to say, hey, we’re making the scope change. We’re adding, you know, let’s just say we hired a vendor to do a project and now we want to outsource something to them, right? Or we hired a vendor to do some initial consulting work and now we’re going to be buying software from them. So that scope change creates a different relationship, potentially with more risks if you’re outsourcing something or if you’re leveraging technology. Maybe the front-end diligence that you did didn’t include those aspects because they weren’t present in the initial scope of work, but in the new scope of work, they are. So, this modification alignment is important here. And it’s basically saying, hey, look, when we have a contract modification, there needs to be a process in place to kind of stop, see what the scope change is and whether it changes the nature of the relationship to the extent that we need to reassess the risk. Right? So, in this example, this is just kind of a sample change order from one of our clients again.
And they’ve made some change where they’re licensing and implementing some software, right? I kind of cleaned this up. But that would be one example. So, what we really need to do is pause, make sure that whoever’s managing the contract mod notifies risk that the mod is happening, and that they’re able to get together and really say, what are the details of the scope change? Is it enough that it’s changing the inherent risk that we’re accepting, and do we need to go through and do an additional level of due diligence based on this modification? Right? So, that’s what we’re getting at there and what we want the control to be. So, some of the keys here, again, process: making sure there’s a documented process for contract mods, right? And that there’s also a process to go through and redo that inherent risk assessment to see whether there are new risks that need to be assessed based on the scope change, and that if there are new risks, and if the due diligence shows that there are some residual risks that need to be remediated, right, we bake that into the contract. So it’s a similar process to what we talked about before; it’s just happening for the modifications, right? So that’s a control point that’s important around the mods. And now, as we work our way through the relationship, we’re on the back end and you’re getting towards termination. Whether the termination is proactive, where you’re doing it because of a breach or for convenience, or whether it’s just naturally expiring, that’s the last control point that we want to get in place, which is to make sure that as the contract winds down, whatever risks remain are kind of being alleviated from the relationship, to the extent that you can, as the contract obligations are being closed out as well. Right?
So this was the same example I showed you guys earlier around term and termination, where we’ve got this, you know, they have to, let’s see, return or delete with a written certification all the PI, right? So in this case risk needs to be aligned with contracting to make sure that this was actually done. They get the attestation, and that risk can kind of be removed from the relationship, and that third party either no longer has that data, right? Or they’ve returned it, right? And they’ve attested that they’ve done it as well. So syncing up here is really around making sure that there’s a formalized, documented process. You can sense a theme here, right? Documentation. And then also, one of the things I didn’t mention is, based on the nature of the relationship from a risk standpoint, you also want to make sure that if this is a critical vendor, right, that you’re terminating, you should have a contingency plan in place already for the vendor. And that the contingency plan was enacted prior to termination. So if you’re winding down that relationship with somebody that you’ve outsourced something to, or if they’re providing a key software, right, there’s already been some discussion and planning in place on how you either have a new vendor in place to kind of handle that outsourcing and provide the software, or maybe you’re going to bring some of that in-house, so that there’s no risk to pausing or creating problems with operations with that vendor’s contract being terminated, right? And we’ve seen some issues with this before where something happened with a vendor, somebody moved quickly to terminate, and then the client was left with a major disruption to their operations that they had to quickly try to resolve. So, contingency plans are important here.
Also, you know, a lot of focus with risk management, risk assessments, is around data, but remember there are lots of non-data risks that need to be addressed as well. So that might be transfer of intellectual property, if there is any, or something as simple as badging, right? So did a vendor have access to your office, right? Okay, get the badge back so they no longer have access, or turn off those rights. So all these things should be factored into a formal termination and closeout process that’s documented, right? And then there should be some final control in place. Again, this is oftentimes where the vendor management office can be the quarterback on this. The business owner might be kind of running it and responsible for it, but somebody needs to just make sure that everything’s done. And while organizations will try to push that on the business owner, practically it just won’t happen, because they either have too many things on their plate or they’re not going to be held accountable for it. So, if you have a function like a VMO that can support this, it’s great if they can kind of provide that final check as well to make sure all these things are done. You’ve de-risked that relationship as well as got all the contract deliverables and obligations that that vendor was responsible to do. So, connecting those dots around de-risking and offboarding the contract here at the end is important. Okay. So, that’s kind of, you know, a summary of those control points. As you think about that life cycle, right? We’ve got here, during contracting and onboarding, we need an approval process where risk and contract management come together. Again, around contract management, when risks present, they need to be escalated, and how does that make its way into the contract if needed. The third one is around the modifications.
If there are scope changes that need to be addressed, they are in the contract. And then lastly, it’s making sure as the contract winds down, all the kind of de-risking activities happen in concert with that as well. Okay. So, those are my thoughts on kind of where the alignment’s really important between third-party risk and contracting, and some of the things you can do from a control standpoint to support that. Obviously, all this stuff really needs to be baked into some type of structure that kind of is the glue that holds it together, so it’s not just done in an ad hoc way. And so that kind of is a good segue into my last point, which is really around, all right, so as you think about all the different places where you need to make that alignment, how do you make sure they kind of fit together, right, and stick? And that’s where this governance comes into play. So this is kind of the inner side, the inner circle of the framework that I showed you earlier, where really it’s the glue that ends up holding all those activities together. So when I talked a lot about documentation, policies and procedures, again, bringing everything together into one common set of policies and procedures for managing these vendor and third-party relationships, that’s where you can start to really get alignment between CLM and third-party risk. Don’t treat them as separate. Bring them together into a common set of policies, standards, and procedures. Right? Secondly, a lot of our clients find this very helpful as you’re starting to build out roles and responsibilities: one way to kind of make that more granular, with a lot more clarity, is to create RACI charts. And RACI charts are simple; RACI stands for responsible, accountable, consulted, and informed. And it’s just a way to really define what stakeholders are involved in different parts of the process around contract and third-party management, and what they’re supposed to be doing.
Are they responsible for something, or should they just be consulted and informed? And creating that clarity so everybody knows what their roles are throughout third-party risk and contracting, right? Then a third piece here on the governance piece that helps hold it together is to really establish and integrate systems around managing vendors, both from a risk and a contract management standpoint. And so that could either be, you know, two different systems that kind of come and talk together so you have one source of truth, right? Or it could be one single system that allows you to support both those contract and third-party risk management activities, which would make it even easier. But you can’t have contract systems and third-party systems live separately. They should be coming together to create a cohesive source-of-truth view for that relationship and all those activities that need to be involved. And then on the back side here, you think about kind of the structural stuff. There’s just making sure that there’s the appropriate oversight and reporting. So that gets back to, do you have a risk committee or not? Or maybe you have a management committee that might be responsible for that, right? What type of reporting should they be getting? How do you escalate things? All that happens kind of over here when you establish control, and in doing it together with third-party risk and contracting. And then the last piece is, you know, again, for more mature organizations, if you have an internal audit function, something like that, to really make sure that they’re aligned and things are working as they should, is to do those periodic assessments and testing of all your activities to ensure that everybody’s kind of doing what they should be doing, and then cleaning up any gaps or areas where you need to make improvements.
So, that’s kind of my last bit of thought I wanted to share with you: really, this governance structure is key to everything. It’s the glue that holds it all together. If you don’t have these things, it’s really easy for misalignment to happen, not only with contract and third-party risk, but with compliance and term and all the other pieces that go into managing that vendor relationship. So, that’s really what I’ve got, primarily, on the slides I wanted to share with you today. Melissa, I see we’re at 12:49. So, maybe we have time for one quick question, or I can turn it back over to you and Scott.
Melissa: Um, I’ll let Scott take over, and then we’ll see if we still have a bit of time to answer your questions.
Scott Lang: Awesome. Uh, Tom, if you could advance to my slide, please. Use the beginning. Anyway,
Tom Rogers: Um
Tom Rogers: sorry. And I... I think we’re going to share this presentation, right, Melissa?
Melissa: It’s up to you. Uh...
Melissa: we’ll share the deck. Yes.
Scott Lang: That’s all I wanted.
Tom Rogers: Yes. I’m available if you have any questions or requests after the meeting. Thank you very much. I’ll hand over to Scott.
Scott Lang: Yeah, you can keep going. And just, you know, we’ll flip over to me. I’ve just got a couple of points I want to cover on what Prevalent’s perspective is on aligning the contract life cycle with the third-party risk life cycle. And it might be good for me just to kind of walk through a few things here, talk about our perspective, and give Melissa a chance to kind of triage all the questions that came in. Fantastic engagement, everyone, from all the questions you’re asking. Definitely keep it up. It keeps these discussions lively, real, interactive, and kind of grounded in actual situations. So thank you for the engagement. Keep it coming. You know, from our perspective, you know, Tom kind of walked through a very holistic approach to looking at, you know, how managing a contract, how managing CLM, relates to managing a vendor. And, you know, if you want to sum it up, you know, it’s a very time-consuming manual process. You’re probably using a CLM tool in a silo that maybe doesn’t have great interaction with the way you’re assessing your vendor. What that leaves is some disjointed views of the risk a vendor brings to you from a contractual perspective. Are they meeting their SLAs? Is the right contractual language in there? Versus how you’re assessing the risk that the vendor brings to you inherently: security, IT-related risk, data privacy risks, reputational risks, whatever. It’s also a version control nightmare that you understand better than anyone else. But what it results in is that, you know, you can’t really track details very effectively. It really doesn’t give you great visibility into the contract life cycle, and what ends up happening?
You’ve got folks going rogue in the organization, maybe going outside of established contracting and purchasing cycles, maybe, you know, signing some paper they shouldn’t be signing, and, you know, it leaves the business unprotected from a, you know, potential contractual problem in the future. It leaves you not in sync, and, you know, it can introduce a lot of business risk, with all those real business consequences kind of back-ending that. So I guess the point I’m trying to make is, if you’re looking at CLM and TPRM differently, you know, bringing them together holistically is the better path to go. Tom, next slide, please. You know, so our approach on this is to offer a solution that fully integrates with the third-party risk management life cycle, and the solution is called Contract Essentials. At the heart of the solution is the ability to centralize the creation, distribution, discussion, retention, and review of vendor contracts. We’ve implemented workflow into our solution that helps to automate the progression of that contract through its life cycle. And you can see a bit of a representation of that on the right-hand side. So at the end of the day, you can treat contracts with the same level of discipline as you’re treating other types of risks that come through, you know, the regular engagement with the vendor. So, you know, we’ve got a couple of high-level capabilities available in the solution. You know, built-in workflow to, again, help you automate the progression of contracts and review until a signature is obtained. And then the ability to then extract key contractual provisions or language that you can then automatically implement into, you know, contractual SLA monitoring, for example.
It’s got built-in version control to allow you to, you know, make changes and re-upload new versions, and then implement discussion tabs in there as well, so that if you just want to simply ask a question of the contract manager or internal procurement person, you know, you can do that as well. Next slide, please, Tom. You know, we see contract life cycle management as its own thing, of course, and so is third-party risk, but we see the contract life cycle touching multiple stages of the third-party risk life cycle. It isn’t just about sourcing and selecting good vendors or simplifying the process of negotiating and kind of version control and upload and such, but also from an onboarding perspective. It’s all, you know, making sure that you’ve got the review, the redlining, and approvals processes in place so that when you make a decision on a vendor, you can quickly execute and get them onboarded, come to a contractual provision agreement, and then agree on what SLAs, and then move forward to more comprehensive due diligence, which means it’s totally appropriate as you’re measuring SLAs and performance throughout the life cycle, right? Okay. Sourcing and selecting vendors, intaking and onboarding, performing some level of inherent risk, doing due diligence assessments and remediation, validating those results through continuous monitoring, monitoring their performance over the life cycle, and then finally, speaking to something that I think Tom is really clear about in the slides, was offboarding and termination. That gives you a central repository that’s tracking not just, you know, final contractual requirements and obligations that have to be met, but how that aligns with the rest of your third-party, you know, risk tasks: breaking access, cutting off physical access to systems, you know, things like that. Next slide, please, Tom.
Multiple different people throughout the enterprise can, you know, benefit from the integration of CLM and third-party risk. You know, legal folks, folks who are managing contracts on a regular basis, you know, they save a lot of time by automating those cumbersome processes, and more importantly, keeping their stakeholders updated and involved. Procurement shortens purchasing cycles by making sure everybody’s adhering to the process, by offering it centrally and requiring everybody to kind of play into that system, and then looking, you know, at contractual risks as well as business risks. And then IT security and risk management teams as well have a derivative benefit of reducing the risk of a downstream business disruption by making sure contracts have the provisions that are enforceable in the contract and can measure that throughout the life cycle as well. Next slide, please, Tom. You know, and that just kind of aligns with the rest of our approach on managing third-party risk. You know, we start out by offering you the ability to source and select a vendor appropriately through, you know, RFX Essentials, intake and onboard and contract with Contract Essentials, and then perform deep, you know, inherent risk and then ongoing due diligence, assessment, and remediation in our platform all the way through the life cycle, so that you can continuously reduce risks, not just from a contract perspective but from a holistic risk perspective. Next slide, please. You know, at the end of the day, our approach is founded on three driving principles.
Number one, we hope to make, you know, you smarter with regard to risk through a very data-driven and comprehensive approach that adds context to help unify your processes and teams and break down silos, not just your risk and third-party teams but also now legal and procurement teams as well, and to do it in a way that’s prescriptive, with built-in intelligence, recommendations, or remediations, so that everybody knows what’s happening to everybody else at the same time, and you can produce great reporting, improve your organizational consistency and process, and eventually close the loop on risk from contracting, you know, onward to offboarding. And that’s really our approach to kind of how we address, you know, third-party risk and CLM together. I’ll stop talking now. You know, we can open it up to questions if you guys have questions for Tom, especially, or even a few for me. I’m happy to take those as well. Melissa, back to you.
Melissa: Great. Thanks, Scott. Um, we’re going to move to the Q&A box, but before that, I have one last question for you. Are you planning to strengthen or put in place a third-party risk management program in 2022 or even early 2023? I can’t believe the year is already half over. Um, answer honestly. Um, we’re just curious to know, and we’ll follow up. As mentioned earlier, it will be either me or one of my colleagues, Amanda, Null, or Landon. Um, as for the Q&A, I have a question for you, Tom. Um, how do you handle your contract control points with your critical vendors versus high-risk vendors?
Tom Rogers: Uh, contract control points. Uh, so I think the question is, if I understand correctly, that it’s about the four types of control points I mentioned earlier, right? And is there a difference in managing... or are they managed differently with critical and high-risk vendors versus others? I think that may be the question. So I’ll give my own interpretation. Um, I’d say the control points are the same. So there’s no change in the control points depending on whether the vendor is critical or not, high-risk or medium- or low-risk, right? Because let’s think about it, I know we’re short on time, but a quick example could be, let’s say, a modification. Originally, the vendor could have been classified or tiered as low-risk, right? But let’s say the modification moves it to high-risk because you now decide to outsource something to them or you’re buying a system from them. So it’s not so much a question of risk classification and criticality, but rather a question of control point. It’s about applying that consistently across all your vendors. I hope I interpreted that correctly, but there should be no change in the controls.
Melissa: Perfect. Well, your timing is perfect. We have about a minute and a half left. Can I ask one last question?
Tom Rogers: Yes, of course. I’ll do it in under 60 seconds.
Melissa: Okay. I’ll read as fast as I can. Can you tell us a bit more about how you connect your risk and contract experts with the business leaders who, as you mentioned, may not have as nuanced an understanding of risk? Are there any quick best practices to make sure nothing gets lost in translation?
Tom Rogers: Yes, that’s a conversation that could last an hour. It’s a great question. It’s hard, right? It’s really hard. And you know, the bigger you get, the harder it is. I don’t know if I have a quick answer to that, but I can tell you that what works really well, in our experience, is to remember what I talked about earlier regarding RACI. That process has helped a lot of our clients, because it forces them to clearly define their process and identify the stakeholders involved at each step, those who need to be really engaged and those who just need to be informed or consulted. So my quick answer would perhaps be to start by determining who they are and what their roles and responsibilities are. Using a structured model like the RACI model, for example, could be a good starting point. Then it’s about getting them to work together, which is a whole other story. That involves some change management, training, and coordination from the VMO, which plays the quarterback role in bringing them together. But the RACI model would probably be a good starting point if you don’t already have something similar, because it really helps clarify things.
Melissa: Perfect. Well, that’s all the time we have for today. I hope you enjoyed this webinar. Thank you also for your participation. I’m sure we’ve given you plenty to think about. I’ll see you soon in your inboxes. Goodbye.
Tom Rogers: Thanks, Melissa.
Melissa: Goodbye.
©2026 Mitratech, Inc. All rights reserved.