How to Scale Your Third-Party Risk Management Program in Difficult Economic Times
Description
Between record inflation and a possible recession, third-party risk management (TPRM) teams must maintain their focus on assessing and monitoring vendors while balancing costs and improving program efficiencies.
Join Bob Wilkinson, CEO of Cyber Marathon Solutions & former EVP and Chief Strategy Officer of the Shared Assessments Program, as he delivers a business case for ensuring TPRM stays an organizational priority.
In this webinar, Bob addresses:
- The budgeting and resourcing impact that an economic downturn can have on third-party risk management
- Where to focus your TPRM program’s activities to ensure maximum return on investment
- Which extended supply chain-related risks to explore to avoid a disruption
- Risk management lessons from the last recession
- …and more!
This session provides essential guidelines and actionable advice you can use to start recession-proofing your TPRM program immediately.
Speakers

Bob Wilkinson
CEO of Cyber Marathon Solutions & former EVP and Chief Strategy Officer of the Shared Assessments Program
Transcript
Melissa: Hello and welcome. Happy Wednesday. It's great to see everyone start joining. I'm going to give you a minute while we wait for people to get situated and connected. In the meantime, I'm going to launch our first poll. If you've attended one of our webinars before, this may look familiar, but we're always curious to know what's bringing you to today's webinar specifically. Is it educational? Are you in the beginning stages of your TPRM program? Maybe a current Prevalent customer? Just let me know. Let's begin by getting some intros started. My name is Melissa. I work here in business development, and if you've been to any of the last four webinars, you've probably seen me here. Today we are joined by our very own CMO, Mike Yaffy. Hi, Mike.
Mike Yaffy: Hello.
Melissa: And then our CEO and founder of Cyber Marathon Solutions, Bob Wilkinson. Hi, guys.
Bob Wilkinson: Hi, everyone.
Melissa: So, today Bob's going to be guiding us through today's topic, how to scale your third-party risk management program in difficult economic times. This webinar is being recorded, as you can see, so you'll get this along with the slideshow in your inbox later today or tomorrow depending on your time zone. And lastly, you're all muted. So if you do have to say something pressing, use the chat, but if it is a Q&A, throw it in the Q&A box so we can attack that when we need to. And without further ado, I will let Bob jump into it. Go ahead.
Bob Wilkinson: Okay. So, the format that we're going to use today is actually that Mike's going to be interviewing me, and I'm going to be talking about the impact that economically difficult times, a recession, can have on a third-party risk management program and how it's important to focus on some very specific topics in light of that. So without further ado,
Mike Yaffy: It's a good picture, Bob. The lighting was good in that one. I'm already teasing him about the lighting because right before we got on the phone, everybody, I'm like, "Bob, you're too dark. Everybody wants to see your bright shining face." So, he just moved a light right before the call. So, I'm very happy with the lighting. I think we did a good job. Guys, look, if you have any questions, Bob has been doing this for 20, 30 years. He's humbly not going to introduce himself, but I will. He's established a lot of third-party risk programs at major brands that everybody would recognize: credit card companies, banks. He's been doing this for a while. One of the foremost experts in this, so when he talks, most people listen, right? So, we're super lucky to have him. Two things. If you have questions, feel free to use the Q&A chat function. I will try to get to them in real time. If not, we'll pull them to the end. And two, I do live in Boston. I know I have a Dodgers jersey there. People ask. Got to hang out with Kirk Gibson at one of the five most famous home runs. So hopefully you know who that is. But without ado, why don't we get right into it, Bob. So look, the first question that we talked about is what do you need to do? What should you be focusing on? Look, there's layoffs. Amazon just laid off 10,000 people. Twitter did. It clearly has to do with higher recession rates, the economy rebalancing itself out, but it's the reality that we live in now. So, I'm sure people are thinking, how do I do this? How do I get through a TPRM program? How do I scale it when I'm heading into next year if there's going to be challenges?
Bob Wilkinson: Okay, Mike, thanks. That really seems to be the burning question of the moment, particularly with the large number of tech layoffs that we're seeing and the ripple effects it's having, all the way down to the effects it's having on startup companies and how funding for a lot of startups is drying up, and how it's no longer an acceptable business model to be having hyper growth if you're burning through money. You actually have to show some kind of profitability, and for companies with pristine balance sheets, yeah, you can get funding. But the world has changed. So there are a few things that I'd like to talk about as far as things to focus on during a recession.
Mike Yaffy: Can I ask you a question? You just brought up a really good point. When you have these trickle-downs, so you have a layoff at Amazon, okay, Amazon's not going out of business, but it generally trickles down, right? So then doesn't this, either on the supply or the risk side, whatever you want to talk about, doesn't that introduce more risk because of a downturn economy? Right? It might make a business less stable. They might have a more difficult time doing fulfillment. They might not be the same supplier that they were if they're also suffering from lower business, fewer employees; they can't fulfill as a supplier to the upstream business as they did before. Right?
Bob Wilkinson: That's in fact exactly one of the key things that we need to be aware of as we go forward in this environment. The example that I'll use is a unicorn company that I know and deal with. I was having a discussion with them recently, and they told me how some of the smaller suppliers in the space that they operate in are calling them up and saying, "Hey, would you like to buy us?" Case in point, funding's drying up. And when you get to that position, one of the key things you need to focus on is the financials of those third parties that you consider critical to your business operations, because financials can degrade very quickly in this environment and you just have to be really sensitive to that fact. You have to keep up to date. You have to look for deteriorating financial trends.
Mike Yaffy: So how often should you be assessing the risk? Because look, there's operational risk, but then there's the financial risk on the supplier, right? We'll have some procurement and IT people, but now I'm just thinking about how often you should be evaluating the overall stability of a tier one supplier.
Bob Wilkinson: Well, the short answer is every day. But, as a practical matter, the challenge, and the migration that we're seeing in how things operate within companies, is that we need to be focused on an ongoing basis on the risk that's going on in companies, but we need to do that in a more holistic way. We need to focus not just on financials, because financials are one aspect of it, but we also need to focus on compliance. And compliance is something that can change very quickly. And when I talk about compliance, I'm talking about not just rules and regulations like anti-bribery and corruption or AML. I'm also focused on what might be going on with a company in terms of negative news. Negative news on one of your suppliers has a ripple effect of negative news on your brand. So you need to focus on that. But an environment where there are financial pressures from the economy on companies is also a heightened environment for regulatory focus. So regulators will say, are you making the investments you need to make to properly manage and mitigate risk? Because when you enter into this environment, budgets get cut, but regulations don't. And we're at a moment now on the cusp of new regulatory guidance being issued, both in the US and Canada and also in Europe, and these regulations are going to have a financial impact, as they always do.
Mike Yaffy: So Bob, in a nutshell, who do they affect? Everybody? Everybody does third parties. Is it financial? Just give us the CliffsNotes version of what's coming.
Bob Wilkinson: Well, primarily, and this comes back to financial, because financial is the most regulated sector. From that perspective, this is going to hit financial particularly hard. But what happens in financial is really the trend setter for what's going to happen across all industry that you need to be aware of. So particularly with the financials, you're going to start to see legislation emerging around ESG. For example, one of the draft OCC regulations is on the climate impact on financial institutions, where it talks about, what is the impact on institutions where they do their lending today? Are you lending a lot of mortgage money to places that are very...
Mike Yaffy: Not as much as they were, right?
Bob Wilkinson: Yeah. Yeah. And certainly not at the rate they were from a financial perspective, but the point being that companies' portfolios are going to be impacted by changing climate, both in the short term and in the longer term. And when you look at that, for example, in the US, some of the longer-term impacts of climate are that banks that are lending in areas where climate is going to have a bigger impact are going to have to explain to the regulators how they're addressing the impact on low-income communities where climate change is having a bigger impact. So we get into discussions of fair lending and things like that. So financials are primary, but also look at what the Biden administration has done with China and the export of chips. For high-end chip technology, there are restrictions being put in place on export of that technology to China, which is going to have impacts on the semiconductor chip makers. So you're going to see that combined with directives on the government side, particularly on the military side, where you have to have detailed knowledge of your supply chain and you have to ensure that certain entities in certain countries are nowhere in your supply chain, down to the manufacturer of the smallest chip. That's the DoD national budget, I think it's 997, where there are specific restrictions on what companies can do with certain suppliers.
Mike Yaffy: So, going to the next question. What I'm hearing is reassess risk, ensure that you're checking every day, especially as there might be some economic conditions that affect your suppliers or vendors. So what's the recommendation for the folks who are listening? How do you do this with leaner, declining budgets and headcount, or when you don't get the heads next year to scale your third-party program?
Bob Wilkinson: Right? So, remember, you have to,
Mike Yaffy: You have to focus on what's most critical to you, and you also have to take into consideration.
Mike Yaffy: Yep.
Mike Yaffy: For those, advance the slide too, just so people.
Bob Wilkinson: Yeah, sure.
Mike Yaffy: There we go.
Bob Wilkinson: So, what you want to do is make sure you have the right mix of third parties, that you have sufficient redundancy in your supply chain, and that when you're monitoring things like financials, if you see degradation, you're not waiting for things to fall apart before you start planning should you need to consider an exit. You have to think of these things in advance. Now, from an economic perspective, and I've been a big advocate of this all along, whenever your business comes to you and wants to use a new supplier, the first question you need to ask is, do you have a supplier who already does that for you? Because if you do, you've already done your due diligence. You have a contract in place. It's just a matter of expanding the relationship, and it makes it more financially efficient using a supplier you already have, and you are decreasing risk because you are sharing less of your information, less of your network and infrastructure access, with third parties. So that's an important aspect of it. The other is how you automate your supply chain risk management activities. If you're still sending out Excel questionnaires to your third parties to get your risk assessments done, that ship sailed a long time ago. You have to look at automation and what technology can do for you and how you're going to leverage that to be more efficient in the operation of your program. So, those are important considerations there.
Mike Yaffy: Right on. Bob, let's actually skip this one. We'll come back to this. I think the next question actually ties in. So based on your past experience, right? We were talking about this during our prep call. I remember when the market crashed and I was just starting, right? In 2001, then there was the 2008 housing crisis. Look, it's cyclic. Every seven years it happens. The economy bounces back. But what are the lessons here? Because you've seen this type of stuff go down while working in third party. So what's the advice here? Mine would be first, stay calm, right? It's the Animal House, I don't know how many of you have seen it. Stay calm. There's nothing to see here. Stay calm. There's nothing to see.
Bob Wilkinson: Yes. You get run over by the herd.
Mike Yaffy: Right. Exactly.
Bob Wilkinson: Exactly. So, the first point I would make is that third-party risk management can have a significant contribution to cost savings when the pressure is on. And I'll tell you a story. In a past life, when I was part of a vendor management committee of a large financial institution, 2009 happened, the Great Recession. We were looking across the organization at how we might be able to save money. Part of that involved looking at all of the third parties we were using, the contracts, the master service agreements that we had in place. In the case of one major technology provider, as we delved deeply into this, we found out we had eight master service agreements with that particular technology provider.
Mike Yaffy: That’s crazy. By the way.
Bob Wilkinson: All priced differently. So, you can imagine that the call we had with that technology company was very interesting. We're going to have one agreement. We're going to have one price, net. By doing that, by reviewing the relationships we have and understanding where we're duplicating services unnecessarily, we were able to save, in the course of that year, $100 million out of our budget for third parties. So that is an important factor in how we manage third-party risk when we're in a situation where financials are important.
Mike Yaffy: I will say though, Bob, and look, guys, I didn't introduce myself. There's not much to it, but I've been in information security marketing for 22 years. So you pick up a few things, right? I know enough to be dangerous. I don't know a fraction of what Bob does. But it does feel like, look, when you have security teams, they're typically thought of as a cost center and risk avoidance. I feel like finding that savings, and correct me if I'm wrong, doesn't happen all the time, but it's avoiding, on the front end as you onboard a potential vendor, one that could potentially disrupt your business, right? Where you don't know that a key part for a car is being made in Ukraine and now nothing's coming in and out of Ukraine. You have visibility into those things. Or on the IT side, these vendors aren't doing proper IT security and they're accessing your data and they're introducing a risk. So, look, I know it's third-party risk management, but it does feel like security and risk is always a cost center, but a necessary cost of doing business. How do you think of it? Am I off?
Bob Wilkinson: No. No. It is a cost of doing business, and certainly the regulation behind it drives the need to address it, but it's also an opportunity to help focus the business proactively in terms of the relationships that they have. You know the point I made about, before you onboard anybody, look and see if you have someone who's already doing that. So it doesn't have to be the situation where third party is a source of unending cost growth, because the other factor you have to look at is organizations on average, and this is anecdotal, not scientific, organizations may grow 10% a year in the number of third parties they have. Nobody is funding 10% budget increases for third-party risk based on the fact that your number of third parties is growing 10% a year.
Mike Yaffy: And look, I say this all the time. This is marketing. This is everything else. Yeah, fine. Prevalent sells a platform. I get it. But you have to be able to automate and scale. It doesn't have to be; there's a lot of places. You might have a GRC. They have modules. We have a module. There's a lot of places to go is what I'm saying. But you have to be able to prioritize your vendors, identify who they are, figure out their level of priority, and figure out what the heck you're going to do to validate them as a good fit for your business, right? In a nutshell, that's what you have to do. But remember that the unfettered growth in the number of third parties that you have, you look particularly at larger organizations; larger organizations got large both through organic and inorganic growth. Yeah,
Bob Wilkinson: Made acquisitions.
Mike Yaffy: Tell me the number of companies that have made acquisitions that have a process in place to go through and rationalize all of the third parties that came with the deal.
Bob Wilkinson: Yeah, it's an afterthought.
Mike Yaffy: And I'll tell you, I could count on one hand the number of companies I've seen where they've even attempted to do that. So, there's a lot of inherent inefficiency in the process. So, how do you attack that? How do you get at that? Between the growth, between the acquisitions, between all of it, you just have far more third parties than, I would argue, you realistically need.
Mike Yaffy: So go back to slide eight. Now it fits, right? Sorry we're jumping around, folks, but this is how we do it. Right. So you identify a vendor. You're like, we need to buy widget X or Y. What should you really be doing when you onboard them?
Bob Wilkinson: Okay, so onboarding for me always starts with one question. Do you have somebody who already does it? It has to start with that question, because that gets at the core issue, which is the unfettered growth. So that's part number one. The second part is, instead of jumping in and doing an assessment right away, you ask the third party if they have an independent risk assessment that's already been completed in the last 12 months, for example, and then you don't have to do the risk assessment. You get what's current and available and you can make an assessment based on that. The biggest problem that businesses have with their third-party risk management process is how long it takes to get through an onboarding. Everybody has to wait for all the assessments to be done. If you're a large banking organization, you may have to go through five, 10, I've even heard examples where you have to go through 20 assessments before somebody can make a decision to onboard a company. And at a certain level, it's overkill. And it's the difference between managing risk and ensuring compliance.
Mike Yaffy: It's got to work for the business, too. Look, people 10 years ago would talk about multi-factor, right? When you get your phone and that six-digit code, they're like, "People aren't going to do that," or they don't want security to get in the way. You can't be the department of no, by the way, right? Or find reasons not to. A CSO I used to work with, at a healthcare thing in the Pacific Northwest, used to tell me, "Look, what my job is, is to say, look, we can either accept the risk, deny the risk, or we explain the risk to the board, right? And say, there's a mitigation strategy, but it's going to cost more. If we do it at this level, it's this. If we deny it, okay, because of X, Y, and Z, but it has to function within the business." Right? You know what I mean, Bob? It can't be.
Bob Wilkinson: We are the secure enablers of the business opportunity. And anybody who says anything else misses the point. Agreed.
Mike Yaffy: I can't tell you how many times I've walked into a room and, here are the no police. No, here are the enablers of your business opportunity. And that's what we're there to do. That's how we do it. And you talk about the different risks. You can remediate risk, you can accept risk, and you can transfer risk. And the classic case for transferring risk is cyber insurance. But when you accept risk as a business person, you have to sign off on that risk, and you have to define the compensating controls that you're going to use by accepting that risk. And there are times when business units want to assume risk which is beyond the scope of their business and will affect the whole organization, and those are the times when people who work in security have to say no. So you have to understand the risk, and you have to educate the business on what that risk is, and then you have to say, if you're going to accept risk, what are your compensating controls? It just can't be blindly accepted.
Mike Yaffy: Agreed. And it's funny, I was talking to somebody today. I want to do another topic next year on, who are the business, and I guess it's probably different but somewhat similar, who are the lines of business folks that you need to talk to and understand? Say, "Hey, look, we're onboarding vendors. I would like us as a team to work together to understand and agree on a set of criteria, that's the right word, for bringing on a vendor without it being overly burdensome, but fair and reasonable to our business." And quite frankly, if they're a tier one vendor that you're relying on for core functionality, I do think a more stringent set of assessments and continuous monitoring is reasonable and warranted. But who do you need to work with internally? Who are the teams where you're like, look, in every case you always have to talk to X, Y and Z and get them on board?
Bob Wilkinson: Right. Well, I think there are a few things there, Mike, and you need to think about how you build relationships with those other stakeholders in the process. What I would focus on first is your procurement organization, because they're the funnel through which RFIs and RFPs get generated to identify third parties, or when a business knows who they want to work with, they have to work with the procurement organization to get all the logistics done. You have to consider the legal function, because at the end of the day, you need a contract in place. One of the functions that I focus on is helping those people responsible for risk management in your organization understand how you're managing third-party risks, and by that I mean operational risk management and enterprise risk management, because by keeping them informed they can be one of your strongest supporters and sponsors, particularly when things get tough, by explaining both to senior management and the board that risk mitigation is a critical activity that, just because things are getting tight in the economy, we can't neglect.
Mike Yaffy: So what's the win for the procurement person? I'm a third-party risk person. I'm going to the procurement people and saying, "Hey, look, I know you might have onboarded this, but now I'm doing an IT security review of the vendor." Is the win that we can really validate that this tier one vendor is great from a business and a technical capability to support us? Is that the win for the procurement people?
Bob Wilkinson: The procurement people are under enormous pressure to get deals done for the business. Time is of the essence. They hear from the business. The business might say, "Well, I'm going to sign a contract next week with tier one vendor A," and they're just letting the third-party risk team know that, or even after the fact, as happens sometimes. The ability to have a good line of communication with procurement makes things happen quickly on behalf of the business. At the end of the day, the reason we're in business is to make businesses successful and to get the heck out of the way of the deals that they want to do as quickly as we can. So, the primary win for procurement is supporting them in the efficient processing of onboarding of third parties.
Mike Yaffy: So, make it go faster, better, more secure,
Bob Wilkinson: Faster, faster.
Mike Yaffy: Right? Faster,
Bob Wilkinson: Faster, while doing what you need to do to comply with law and regulation.
Mike Yaffy: And risk.
Bob Wilkinson: So, it's compliance, it's speed, it's a greater level of depth in terms of information on that vendor, especially when it's a tier one. So they can feel better about getting more better, and yes, I'm just making stuff up, more better info more quickly,
Mike Yaffy: Right? And that's the key mechanism for how companies get onboarded: through the procurement process. And now there are these checks and balances that we describe as third-party risk management. How that third-party risk management works together with procurement in support of the business helps them realize their goals as quickly as possible, but at the same time applying a dose of common sense to say, can we use somebody we already have? Can we make this more efficient? And the other part that comes with that is how we can automate the process of onboarding and streamline it, and move companies that we do want to have relationships with into our continuous monitoring processes more quickly.
Mike Yaffy: Makes sense, guys. And just for you out there, if you have any questions, if you want to ask something in real time, I'm happy to do it. If you want to wait till the end or just keep listening, I get it. No worries. But we'll absolutely try to get to them. I've been checking the chat function. So far, nobody's sending anything. We must have them enthralled, Bob. So, why don't we jump to slide 14. We've talked about this a lot. You're adding 10% more vendors. TPRM people are either being asked to formalize a program, and look, if you're doing a spreadsheet right now, and I'm sure people are laughing, you're like, I wish I even had a spreadsheet, right? So I'm sure there are people who are just sending out a few emails, maybe a spreadsheet. But if you're doing that, you're behind at this point. But if you're adding more vendors, if your business is doing stuff. Oh, hey, Melissa, Sam, one of our guys is on the webinar, just texted. He says the chat function is disabled. I don't know if it is or isn't, but thank you for letting me know, Sam. This is real time. This is real time. Hey, you gotta do it.
Melissa: Let's see if I can adjust some settings here, but I know the Q&A function is working, so please feel free to use it.
Mike Yaffy: So, we do that, too. But I didn’t want to miss any important questions. So, that’s great.
Melissa: Thanks for the heads up.
Mike Yaffy: This is where my ADD kicks in, and it's fantastic because I can do all these things. Oh, Shu, I just got your chat. We're good. So, Bob, people are adding more vendors. You're doing a bunch of stuff like that. How do you deal with it? How do you keep up? Let's just say you can't treat all vendors equally, and it's okay to say, look, with the people and the tech and the budget spend, this is what we can reasonably achieve. That's where I would start, but why don't you flip over to the next slide and then we can.
Bob Wilkinson: Right. So part of it is being proactive, and how you build your inventory becomes an important question there. Do you understand what you even have, and how can you make that available to people to leverage what exists? The other part of this is being proactive and reaching out to your business partners periodically to say, what's coming down? Are you looking at bringing new third parties on, at least for your critical business activities? Now, part of that you could meet with the business on, but businesses at the end of the day are responsible for managing the relationships that they outsource. And this is not something that is talked about a lot, but it's a critical point. Businesses can outsource functionality, but they cannot outsource responsibility and accountability.
Bob Wilkinson: And in fact, by regulation, businesses are required, for example in banking, to do documented quarterly performance assessments of their third-party relationships. So if a regulator comes in to do an exam, they can say to you, okay, so where are your documented performance reports for the last year on third party A, third party B, and third party C? And if you don't do that, you're not complying with regulation. So there's a need to have a clear relationship management function within businesses that is responsible for owning that relationship. So when third-party risk does an assessment and we identify issues, we should not necessarily be the ones chasing the vendor to fix it. That should be done by someone in the business who owns the relationship with that third party, and that's an important differentiator. So, we just got a really great question. Hold, please. Sorry, just looking at all the questions now that they're coming in. Eugene, great question. He says he's been in procurement for 20 years and they are rewarded by savings and not risks mitigated. Bob, what's your comment on that?
Bob Wilkinson: Well, that is true, but at the same time, risks that are unmitigated are much more expensive to an organization than any savings they might achieve.
Mike Yaffy: That's where I was at too, right? If you bring on a crappy vendor, quite frankly, because you don't look at the risk, and then they flame out.
Bob Wilkinson: And you have to resource.
Mike Yaffy: Or they get hacked or they res you have to resource a vendor or the vendor introduces risk because there wasn’t I hear what you’re saying but I think there has to be some look at I always joke about our sales guys that comp plans drive behavior and Eugene I get it if your sole focus is you know your comp is 100% tied to how much money do you save or how much can you beat down a potential vendor then that’s what I would do too. But it it seems to be missing a whole side of the Rubik’s cube for lack of a better right where Bob where you’re like you know the cost of having a breach or having a vendor and you know flame out in the middle and then having your I keep using the example your car part not be delivered and you can’t build BMWs is a little bit more challenging right.
Bob Wilkinson: Well, you know, there are commodity relationships which are driven by price and beating people down on price. And then there are strategic relationships that should be built on trust, and there is a value opportunity, a gain share, to be had by both parties in the relationship. And one of the things that you should focus on in a third party risk management program is your outreach to your third parties, at least your critical third parties, and how you build relationships of trust with them, because when you build relationships of trust, they are more willing to share with you and the relationship is more beneficial to both parties. So focusing on just beating third parties down on cost, if that’s an organization’s directive and you’re in that procurement role, that’s going to drive your behavior, but that is a short-sighted behavior which ultimately can end up costing more. That’s what I would say to that. So you want to be driven by cost. That’s fine. You’re going to get bit by regulation. You’re going to end up paying the money back, and you don’t get the full value out of the relationships with the companies you have.
Mike Yaffy: Bob, a lot of people… No, I think that’s a great answer and I think it’s right. I do. And you don’t want to swing the pendulum so far where, again, right, you’ve got 20 things you’ve got to do on the procurement or sourcing side, but there should be some happy medium. Bob, talk about… Since I joined Prevalent, I’ve been here four years, I have felt very strongly that the way procurement and IT security are successful is getting language in contracts right up front and saying we have the right to assess, we have the right to monitor, we have the right to, quite frankly, demand or require remediative activities in the event that you are deemed deficient. Where are you on that? I know it’s not even in here, but I wanted to ask.
Bob Wilkinson: Yeah. Well, contracts are a big deal, and how you approach them is really important. I mean, there are certain things that you need to have in there, both for good business practice and because regulation also requires it. So, the big three are the right to audit, which is basically, yes, you agree that I can perform a risk assessment on your company. Breach notification: when there’s a data breach, you want them to notify you as soon as possible, 24, 48 hours tops, of when they become aware of a breach. But remember with breaches that the time between an organization being compromised and discovery of the breach is on average 270 days. So that means somebody’s in your network for a long time, surfing around doing damage. So you want breach notification. Then the third thing is you want to compel your third parties to remediate issues that are found. Third party risk management is exactly that. It’s risk management. It’s not third party compliance, or we would call it that.
Bob Wilkinson: Risk management means that when you find issues, when you assess and you identify them, you fix and remediate them. Otherwise, quite frankly, don’t bother doing a risk assessment. Don’t bother having a third-party risk program, because if you don’t fix the things you find, you’re not managing risk.
Mike Yaffy: At the end of the day.
Mike Yaffy: Look, Bob, this has been something that has plagued security, and just because I’m old, right? I came from a vulnerability management and penetration testing background, right? Vulnerability management is when you scan the outside of a network and look for potential holes, report on them, then see if you can do some proactive hacking, hack yourself, right, to see if there’s a real vulnerability. You would discover tens of thousands of vulnerabilities. Do you know how many the server team might address in any given month? Two, three. But they would address them, though it even took a while for them to agree to sit down at the table and have a conversation. I think you absolutely have to be pushing. And Bob, if you would go right over to slide 18. This kind of slides right in there, but you have to be able to enforce a fix. You know, if you’re just sitting there… I get that a lot of it’s compliance, but to do this the right way, which is what we preach a lot here, right, where you can actually have a significant positive impact, you’ve got to be able to effect change.
Bob Wilkinson: Right? And one way you can effect change that I find particularly effective is you report on the identified issues by business, share that with the business, give them the opportunity to fix it or to come up with the plans and the dates by which they will fix it. And then you share it with management, and no business will want to show up with their senior management as the one who never gets issues for third parties remediated. That is a big red flag. That is a carrot and stick approach. You share the issue report with the businesses before it’s published or shared with anybody else, and ask them what they’re doing to remediate. If they don’t remediate, they’re the ones who are going to be called out, and nobody wants to be called out at that level in front of their peers.
Mike Yaffy: That’s just the fact.
Mike Yaffy: You got to just shine light on it and say this is a risk.
Bob Wilkinson: That’s what it is,
Mike Yaffy: Right? And I’ve addressed this. Is there a little CYA element to it? But I’ve addressed this and here’s the potential solution. Now, we can either choose to proceed or not, but it’s your job to call out the risks, folks.
Bob Wilkinson: Right? And it’s not just calling them out, and it’s not just tracking the plan, because what happens is people come up with a corrective action plan which invariably has an end date at the end of a quarter or the end of the year. So I find a critical vulnerability right now and somebody tells me they’re going to fix it June 30th next year. Okay, that’s your plan. I’m going to come back every few months and ask you for progress on that, because I know if I wait till June 30th, it’ll just end up being a retarget.
Mike Yaffy: That’s part of the game. Or close out the issue and open a new one with a new target date. So, there’s a whole bunch of ways that people try to game that system, none of which I think are valid. So, it’s not just shining the light, it’s shining the light and checking back before the date it’s due to make sure that progress is actually being made.
Mike Yaffy: Yep. I’m going to read something from Kevin. It feels like he’s in violent agreement, but I’m going to read it. Bob, why don’t you flip to the next slide while we’re doing it? “The entire reason for TPRM is to populate the right to audit paragraph with justification and examples of the need to evaluate during the initial assessment and reassessment, and then list the unmitigated findings with an agreed upon SLA for full remediation, or have the ability to exit the relationship.”
Bob Wilkinson: Agreed. You know, that’s absolutely a way to summarize it, because if it’s in the contract that the third party has to remediate identified issues within an acceptable and agreed upon time frame, then it’s a violation of contract terms if they don’t do it. And it does give you the leverage, if that’s the way they want to go. I can’t believe third parties like to do that, but there are always cases where they say too bad, and then you have to make a judgment call whether you really want to do business with those people.
Bob Wilkinson: And people who argue about those clauses up front when you’re negotiating a contract, you have to wonder what they’re going to do when the rubber meets the road and things do need to be fixed.
Mike Yaffy: Yeah. Why? I mean, that should be like, you know, we want to work in concert, we want to work together, right? If you’re objecting to that, to me it’s not a red flag, but it’s at least something to maybe pay a little bit more attention to.
Bob Wilkinson: Exactly. It certainly is. And in any third party risk program, you have to have a balance between what you need to do to manage risk and what you need to do for compliance purposes. You know, when regulations are passed, and we’re going to see new regulations on third party risk come out in the US in the not too distant future, how are we going to ensure we’re compliant with those regulations? But remember, compliance does not equal risk management. And just ticking a box and saying, “I did my assessment.” And I know large organizations that do this. Well, you know, it stops after I complete the assessment because I was able to tick the box. That’s not the point of the program. The point of the program is effectively mitigating and managing risk. Hard stop. That’s what it is.
Mike Yaffy: You can do it, but it takes a little effort. But that’s the job, right? I mean, it really is the job.
Bob Wilkinson: At the end of the day, it’s not a compliance checklist. It’s not like I did it, my auditor certified it.
Bob Wilkinson: That’s why leveraging the other people in the organization, such as the enterprise risk function, and working closely with them matters. They are a lever for you to use to help in this conversation with the business to get things remediated, because if enterprise risk says the job isn’t getting done and things aren’t getting remediated, you know, they’re reporting to senior management and the board, and nobody wants to be that person who goes up in front of the board asking, why aren’t we getting this done? The other aspect is that when you’re considering a major outsourcing deal, if you work in financial services, you better make sure the board was briefed before the deal is done, because that’s another aspect of it. So you can’t just go out and say, I’m going to outsource this whole business function to third party A without knowledge and concurrence by the board. Asking transparency.
Mike Yaffy: Yep. A quick question. It takes uh somebody sent in, “It takes two years to change a vendor or a solution. How do you get out of a risk event with a supplier or change a vendor when it will take you two years?”
Bob Wilkinson: Well,
Mike Yaffy: I mean, I might say that’s insane that it takes you.
Bob Wilkinson: Yeah. Well, you know, it does.
Mike Yaffy: It very simply has to do, if it’s a strategic relationship, which is what this sounds like, with having an exit plan. So you can outsource a process to a third party, but you can’t outsource the knowledge you need to maintain to operate that process in a business. So there’s a difference. I can outsource the process, but I better keep somebody around who knows how things actually work in case I need to bring it back in, in case I need to exit with that vendor. And for critical relationships, you should have, at least before you outsourced it, thought about an exit strategy and what you need to do if this doesn’t work out. That’s called planning.
Mike Yaffy: Yeah. I mean, right, you just have to have the exit. If it takes two years, then you have to have a process, right?
Bob Wilkinson: And if you don’t have a process, it’ll take you two years.
Mike Yaffy: You might not be able to change it, but you better be able to operate within it. I mean, I guess, right?
Mike Yaffy: Bob, we’re up against it. Melissa, do we have another poll question? Are we good?
Melissa: Yeah, we have one that we usually save till the end, but you know, do you have anything else going on? We have no more questions as of now, but they keep trickling in.
Mike Yaffy: So, Melissa, why don’t you call up the question? We can bang that one out and then…
Melissa: And then we’ll save time to give Bob some closing thoughts.
Mike Yaffy: Sounds good. Yeah, this is the second poll. I’m sure a lot of you guys have seen this before. We’re just curious to see if there is, you know, something you want to augment or establish in the TPRM world. I know 2023 budgets are getting cemented pretty soon, if not now. So, let us know so we can follow up accordingly. And be honest, because we do follow up. It’s not just for fun.
Mike Yaffy: You won’t hurt our feelings if you say no. If you say yes, there’s a good chance Melissa might give you a phone call.
Melissa: Yes, probably within the day. Probably almost immediately, but…
Mike Yaffy: I’m calling you right now.
Melissa: Yeah, go ahead, Mike.
Mike Yaffy: No, I was just gonna say, so guys, if you have spreadsheets and you’re thinking about getting some automation, somebody asked a question around that, if you need some help figuring it out. Look, Bob, why don’t you slap up your contact info, too, so people have that.
Mike Yaffy: So if anybody needs some guidance in terms of what to do, how to architect, how to build, I can’t think of anybody who’s better and has done it more, with a lot of large companies. So, you know, if you’re a little bit stuck, Bob could probably offer you a lot of relevant advice and help you sell the benefits of a program. I’ll give the 5-second pitch on Prevalent: if you know you need a platform, right, or managed services to help you do this, I think the cool thing is we have software that you can use to do this yourself, and we have a whole managed service team. So, if you hate doing assessments as much as most people do, and bouncing that around, we can actually do that for you and just give you results. So, that was the whole 12 seconds or so. But Bob, back to you. Any closing thoughts?
Bob Wilkinson: Yeah, when you think about the economic environment, and if we do end up heading in the direction of a recession and we don’t have a soft landing, we can already see the financial constraints that are playing out across businesses, and you know, the layoffs, etc. So when we think about third party risk, we have to think about what efficiencies we can bring to the table, and it is not efficient to have an endless flow of new third parties coming on. So structuring your inventory so that you understand what third parties actually do for you, both from a product perspective and from a risk perspective, and understanding where duplication may occur, to help the business leverage the existing relationships that you have, decreases the amount of exposure of your company and of your company’s assets and data, and allows you at the same time to realize financial savings. So you decrease risk, you have financial savings, and in the context of how the number of outsourcing arrangements that companies are undertaking continues to spiral up, you can play a key role in helping manage the expense growth that results from third parties being endlessly added. And reach out to your businesses. Work with procurement to understand when things are coming down that do need to be done, so you can be an efficient partner and help onboard, in support of your business and their goals, the key third parties that you need to get onboarded.
Mike Yaffy: Great. Super solid advice for the last hour, folks. I hope everybody enjoyed it. Bob, thank you so much for doing this. And Melissa, I’ll turn it back to you for any closing housekeeping stuff.
Melissa: Yeah, I mean, I loved all the questions today, guys. That’s what makes these webinars really fun. And I hope you appreciated the different format that we did today. And you know, I wish we could get to even more questions in the future, but Bob, Mike, you guys gave us some great insight into what to expect in the upcoming year. And I mean, that’s it for me. I hope to see you all at the next webinar.
Mike Yaffy: Thanks all. Speak soon.
Bob Wilkinson: Thanks much. Take care, everyone.

©2025 Mitratech, Inc. All rights reserved.