Description
As a chaotic and unpredictable 2022 winds down and 2023 planning, budgeting, and prioritizing ramps up, now is the perfect time to think about what the next year has in store for third-party vendor and supplier risk management.
Join Alastair Parr, Prevalent SVP of Global Products and Services, as he reviews the top 2022 trends in third-party risk, and examines the emerging trends that will drive TPRM programs in 2023.
This webinar explores:
- How to ensure your TPRM budget is recession-proof
- Which vendor KPIs and KRIs are the most important to track right now
- Tips for examining risks across multiple stages of the vendor relationship
- How to gain a more holistic view of IT and non-IT third-party risks
- How to plan for emerging regulatory compliance requirements impacting third-party risk
This webinar will deliver insights and a roadmap to help you prioritize your TPRM program in 2023.
Speakers
Alastair Parr
Prevalent SVP of Global Products and Services
Transcript
Melissa: much, Melissa, and hello everybody.

Alastair Parr: So for those who haven't met me before, I was slightly younger and skinnier I think in this picture, but I'm Alastair Parr, the SVP of Products and Services over here at Prevalent. I've had the joy of conducting many, many audits over my years, particularly against third parties, and I've come from a third-party risk management background and have certainly spent a fair bit of time helping build and craft various products and services around TPRM and third-party life cycle management. So today, what are we going to explore? The various bright minds at Prevalent all came together and started to delve and consider what the various things are that we're expecting to see: what are the trends that we're starting to see emerge that are going to feed into 2023 in third-party risk management. The various top men and women have ultimately collaborated, and we produced a list of the 10 most pertinent things that we think you're going to see as a general theme moving into next year. So, as a general structure, what I'd like to do today is take you through some of those 10, give you some of the insights and background as to why we think it's pertinent, and highlight some of the criteria that will ultimately take effect into next year. We're certainly starting to see some of those trends emerge already this year. And if you have any thoughts or questions, we'd like to keep it interactive. I'll do my best to weave in answers as I go through the session today. We have an hour, of which we'll reserve a period of time at the end for Q&A, but I'll try and weave in as much as I can as we go through the session and keep it as organic as possible. So, without further ado, what are the 10 top things we're expecting to see over the course of 2023? First and foremost, and we've highlighted this in previous years.
Alastair Parr: For those who've been with us and joined these webinars previously, we've seen evolutions of certain topic points, and certainly some are completely net new, but an evolution here for us is the fact that the old annual and manual approach to TPRM is becoming the exception rather than the norm. Now, this is music to my ears from a risk perspective, because when you start dealing with thousands, tens of thousands, hundreds of thousands of third parties, unless you have a small army you're not going to get through them, at least not in any meaningful cadence. This is thankfully starting to dwindle as a requirement. We're seeing people now actually start to onboard and think pragmatically, and use technologies and various automations and processes to manage their TPRM process. And what is it that we're actually seeing around that? So when we start looking at automated programs, scalable programs, the most effective ones that we're seeing are working on a triage process, and we're expecting that to emerge and become more and more prolific into 2023. So you can see in front of you we've given an indicative example of a common triage that we would tend to see. So let's say mysterious customer A here, or third-party risk management program A here, has 15,000 third parties. Across those, what we're normally seeing is that all of those, in a good-practice environment, in a high-maturity environment, are going through profiling and tiering. So when we start talking about automation and recurring, that profiling and tiering will be at least annual and it will involve the business. It will involve using various data streams that they've got internally to help categorize, profile and tier those respective third parties. You'd expect that number to start to dwindle as that chart goes on. But moving into B, 4,000 of those for example would be subject to interactive assessments.
Of course, going through 4,000 assessments does require a degree of automation.

Alastair Parr: Of which two and a half thousand will be subject to continuous monitoring, in the form of using passive scans, whether it's business, financial, etc., and out of those, 1,500 are more likely to be subject to regular tracked risk management. So when we raise the point that old annual and manual is becoming the exception rather than the norm, we don't purely mean here that we're going to see everybody using a technology to assess and engage every third party in the estate, because that's not pragmatic, that's not practical, and it's certainly not going to happen in 2023. What we're actually seeing here is that annual and manual is evolving into this more established triage process, where we're being pragmatic about the level of resource and engagement that we have. Not everything is truly automated, nor will it ever be in a true risk management field. And you can see that those numbers start to dwindle down. So 300 will be subject to regular annual event management. 100 of those might be subject to validation audits on a regular basis, 20 requiring an on-site, and 25 of those might have an ad hoc event that requires termination. So we're seeing annual and manual becoming pragmatic and scalable in that respect: allocating the right resources and using the right technologies to pull and filter through third parties. We've seen a lot of organizations pick this up in 2022, and we absolutely expect more and more to establish and right-size their program into a similar methodology moving into 2023 as people improve their broader maturity posture. So moving onwards and upwards, observation number two: what are we predicting in 2023? We expect that third-party risk management is evolving into third-party life cycle management. Now, what do I actually mean by that? Risk management, of course, is a very specific discipline.
We're looking at addressing risk, and typically we see risk management for third parties being driven or centralized around information security. The reality is, as 2022 has evolved and this has fed into 2023, we're seeing the life cycle becoming far more prominent. Now, that's partly because we're seeing business users and various business representatives working together.

Alastair Parr: And that's ultimately incorporating multiple components of a life cycle and a framework. But it also means that we're seeing things beyond risk start to take a degree of prominence. This could be contract management, the sourcing and selection and intake process. This could be the ongoing SLA performance tracking, and of course onboarding and offboarding as their own distinct workflows in the life cycle. Not necessarily risk management things; they could be tied to risks, but fundamentally what we're seeing is that all of these disparate business areas and functions that amalgamate into the life cycle of third parties are being seen as a single piece. Risk management is becoming life cycle management. So the question we're expecting the various executives to start asking in 2023 is: how can I start associating these into a single journey? What metrics and information could I capture from procurement, infosec, legal and of course supplier management to give me a holistic view of how third parties are being managed?
This transcends CISOs, this transcends risk personnel and risk subject matter experts, and feeds into things like CPOs, the chief procurement officers, the COOs of organizations, the CIOs. And of course that's very useful if we start looking at third-party programs, because that's where a significant amount of investment is coming from for our programs. So the more airtime that we all collectively get when we're managing TPRM with the CIOs, the CPOs, the COOs of our organizations, the more likely we are to be able to get the resources necessary to support our programs effectively. So we see the risk management evolution into life cycle management continuing into 2023 as people ultimately aggregate the various disparate feeds into one, and that's leading into a larger, broader conversation when we start looking at vendor management as a whole. Next: SLA performance management becomes more actionable in the third-party life cycle. What do I mean here?

Alastair Parr: So of course, supplier life cycle management, SLAs, looking at their key metrics, performance management as a whole. Historically, and even into 2022, we've seen most organizations looking at SLA and performance management as a separate process. Usually it would be a value-add, potentially. A lot of organizations don't even really track the SLAs of an organization or a vendor until something significant happens; they start pulling up contracts and looking at SLAs and performance management when something is bad. Now, that's not very effective. It's not scalable. It doesn't feed into things like renewal conversations. And these are the sorts of things that we're starting to see organizations consider as a value-add to their life cycle program. So, what do we mean by that? SLA performance management.
Into 2023, we're going to see more and more organizations develop structures to track SLAs and performance, and we're going to see more and more organizations embed that into those life cycle programs. That means more structure, more governance around it, rather than just having the business representative who owns the relationship sending the ad hoc email. We're starting to see these getting onboarded into technologies and platforms that actually track these metrics and force calculations to come out of it. Now, SLAs can vary. They can of course be things like service uptimes. That could be service delivery. That could of course relate to software provisions. There are obviously multiple factors, and every single contract will have its own nuance around it. But the challenge we're seeing people start to consider into 2023 is: how can I take SLAs and performance clauses from contracts and make them actionable in the life cycle? And what we're expecting people to do in 2023 is to actually start using automations and technologies, so looking at machine learning, natural language processing technologies, to call out those clauses from those various artifacts and documents in the contracting life cycle and populate those into their life cycle tools. The value of this is that I've got 15,000 vendors.

Alastair Parr: I don't need to read 15,000 contracts, because candidly I would probably want to go and move to Barbados and sit in the sun instead. So what these tools are going to enable us to do is take those clauses out, baseline them, and build some automations around them. So for example, if 99.9% uptime is a requirement, we will see that becoming a recurring task where the onus is passed on to the vendors themselves to self-report and provide the detail. When that's standardized in 2023, we'll see that roll up into central reporting.
We'll start seeing that roll up into metrics and dashboards that we can actually deal with, and we can start using that information in negotiations. One of the biggest challenges we've seen in third-party and third-party life cycle management over the years is being able to articulate the value that the investments are bringing back to the business. So many organizations see it as an insurance policy, and candidly that's not a very sensible way of looking at it. But we'd like to think in 2023 more and more people are going to consider how we can demonstrate a return on investment of these programs. Things like SLA performance management, where we're able to track third parties and use it in negotiations and procurement and renegotiation, mean that we have the advantage of taking a dollar, pound or euro value, or yen, whatever you may use, and applying that to the program. The program has enabled us to renegotiate 70 contracts, of which the total renegotiation value is 20 million, for example. That's tangible value that that program is bringing back to the business, and we see that being a core driver moving into 2023 when people start considering SLA and performance management, which is going to be driven by renegotiations first and foremost. Secondarily, we're going to see it being driven by things like quality considerations. But we're seeing more and more organizations considering that now that technologies are reaching the point where they're able to provide some degree of automation and scale to that workflow. A very interesting space for us, and we're very excited to see how that's going to evolve into 2023 and even 2024 as programs start to evolve.

Alastair Parr: So onwards on our journey of our 10 predictions from the bright minds of Prevalent. Number four is: organizations will assess and monitor their third-party vendors and suppliers across both IT and non-IT risk domains.
Some of you may have seen this in historical predictions, and we feel it's come true. We think a lot of the time, moving into 2021 and 2022, we have seen that natural evolution of programs extending beyond an information security review, checking controls, these basic foundational criteria, into being more holistic. And holistic in the sense that we're not just talking about additional domains in the sense of considering additional control areas for information security. We're looking at building what we call a 360-degree or comprehensive profile. So what that means is that when you start looking at a vendor and a vendor profile, there are multiple factors that we can consider. We could be looking at their cyber posture. We could be looking at the business state. We could be looking at their financial risk. We could be looking at ESG, of course becoming more and more prominent, and ad hoc events. We could be looking at their certifications or regulatory posture. We could be looking at their fourth-party chain. But when you start looking at it, there's feed data and then there are of course the control areas as well. And what we're expecting to see continue to happen into 2023 is that third parties are going to be assessed from multiple business areas: privacy, legal, procurement, infosec. And they're all going to be using multiple different feed vectors, cyber, business, financial insights, events, etc., to give us information across multiple domains. And we're already seeing that happen in 2022 quite heavily and evidently, as those of you who join webinars on a regular basis will know, when we start looking at things like ESG. So environmental and social criteria are becoming more and more prominent, and organizations are expecting it more than anything else. Things like modern slavery statements, anti-bribery and corruption, ABMS structures.
These are all things that are becoming more normal and expected in a program, and we expect that to continue into 2023.

Alastair Parr: But why? Why are we seeing this and why do we expect it to continue? The reality is, as things converge into life cycle management, there is a requirement for more collaboration and interaction internally within organizations. So as we're reaching out to a vendor, we're doing it once wherever possible. It's more sensible. It's more efficient and more logical. But then that's also being supported by the fact that the technology ecosystems that we're all using have better integrations, better monitoring capabilities, better feeds, broader feeds, in fact things like geopolitical information. All of that is allowing us to consider this information and use it more effectively. So the net outcome of all of this is that we'll have the capability to build these comprehensive profiles to feed different parts of the life cycle, and then in turn we use the different technologies that we've got to try and pull and populate that data. So it's not just relying on assessment curation. It's also pulling in data from adjacent feeds. We are well on the way for this particular requirement, but we only expect it to become the norm again rather than the exception. And organizations who are quite far along their maturity curves are already doing a reasonable chunk of this. But we're seeing more and more express interest in that workflow. So continuing our journey, our number five prediction here. And by the way, these aren't prioritized; it's simply a list, so we weight them all equally. But number five is that geographic and political insights will become increasingly accessible in TPRM and of course TPLM solutions. So what do we mean here?
A geographic insight is of course understanding the locations where a third party is operating, and therefore being able to react when, say, Hurricane Ian happens to affect some of their localized sites, or there's an issue such as the Ukraine-Russia war and conflict, which is causing issues in particular geographies. So there are these geographic challenges, and of course political challenges based on geographies as well, that are contributing to third-party risk and affecting things like the resilience and efficiency of our third parties.

Alastair Parr: Of course, COVID and the impacts of COVID brought a lot of attention in prior years to operational resilience of third parties. But as we see more localized events starting to occur, and equally tools becoming more and more capable of looking at and identifying these localized events, we're seeing more and more expressed interest in being able to manage these. And how do we predict organizations will address this into 2023? The biggest challenge that we see in this space is the fact that it's quite commonly accessible and identifiable to see where a third party actually resides from a head office standpoint. So you're able to go and look at the various feed providers, their registered office addresses, their websites, and you're able to pinpoint and say, "Okay, that's where Prevalent is." What's missing is all the localized sites that might be impacted. We might be contracting Prevalent, for example, to provide a service, but the service is being provided by a regional site. It might be operated out of Canada or South America or Europe, wherever it may be. We don't really get that level of visibility. So, the two things we predict people will start doing into 2023: number one is actually embedding localized site identification into assessments.
So, people, as part of their profiling and tiering exercises, are going to start reaching out more and more to understand where there might be localized sites that might be impacted. Once they know where they are, they're going to use tools to document those and track those. Secondly, the tools are going to evolve to give us better insights into that supply chain. This could be based on using things like shipping manifests to understand how data is flowing or assets are flowing to our third-party estates, or even simply looking at things like matching to understand if their company name is being used in multiple locations and what those addresses are. So there are different ways of looking at databases to identify regional sites.

Alastair Parr: It's not perfect, and I think we expect it's going to take a while before it reaches a point where it's fully matured in this space, but it's a start to identify these localized areas, these localized sites that might be impacted by adverse situations. So looking at 2023, let's say a sizable amount of third-party programs have a degree of visibility, not perfect, but a degree of visibility. What do they do with that? We are expecting in 2023 organizations to start building processes around reacting to regional adverse events or geopolitical events. So for example, a Hurricane Ian situation occurs that affects the southeast of the US. We'll be looking at notification mechanisms to inform the third-party programs of these localized events, and automatic processes to identify the vendors that they need to engage with to understand if it's going to affect the program or not.
So the building of these processes to map localized events to the localized vendors, rather than doing an en masse communication to everybody and 90% of the vendor estate sitting there wondering what on earth Hurricane Ian may be, for example, is an evolving challenge, one we don't expect to be solved purely in 2023, but we expect to see headway in organizations demanding solutions and workflows, either from the COO teams and offices and the operational teams, down through operational resilience of course. But it's certainly an interesting topic point that we're very keen ourselves to continue working on, and to see how we can support clients in that journey. So number six: near real-time intelligence will drive adoption of trusted supplier networks. What do we mean by this? When we start looking at these supplier network estates, there are multiple networks out there from multiple providers, and we see different organizations in fact even using multiple networks in some cases, rather than just one, in order to aggregate data and make quick, informed decisions on third parties. So the trend we're expecting to see is that real-time intelligence will be a core driver for this. And why do we see this?

Alastair Parr: So why are people actually investing in a network in the first place? It's because it's ultimately attempting to solve the problem of identifying issues with a third party expeditiously. So can we get this information very, very quickly and with a minimal amount of resource and effort or additional interactions? So the advantage of a network is that it has data readily available. It's consumable. It should be current and accurate, and it allows us to make an informed decision and get back to the business quickly. Something we've been hearing a lot about when we go and speak to clients in 2022 is that the third-party program owners are concerned about one key metric.
How good does that program look to the rest of the organization, who don't really care about risk? They want to consume a service and they want to do it quickly and they want to get on with their jobs. They're not risk professionals, and they certainly aren't there to want to try and drive risk. That's of course the program's focus. So these business users pass a third party that they want to interact with, where they've already made that decision, through to procurement, through to these third-party life cycle teams, and they sit back and they want an answer. They want it quickly. So these program owners are keen to be able to demonstrate value back to the business and say, "Here you go. Here's a decision. It's taken us two days, not two weeks, for example." Those are some of the things that are keeping them up at night. So this is where we're seeing adoption of supplier networks being a key resolution here, which is: how can we bring that time to decision down? And the third-party networks are able to do this. Now, when we start looking at assessments, assessments need to be maintained over time; they become a point-in-time exercise, and we need to get approvals from third parties in most cases to share detailed control findings. Now, when you've got supporting networks with continuous monitoring and passive monitoring, cyber insights, business, financial, ESG scores, fourth-party data and so on.

Alastair Parr: All of these various attributes are usually there to be shared without necessarily getting an approval from the third party. So it's immediate insights to drive decisions, and it also enables reactions once an event occurs. So when we have a Log4j or an OpenSSL issue, for example, what we're able to do is basically say across your estate it looks like 10% are vulnerable, for example. It's about making quick, informed decisions.
So when we make the prediction that near real-time intelligence is going to drive adoption of the third-party networks, what we really mean here is people are going to be picking up networks because they see the value in the continuous monitoring feeds, the real-time intelligence and, importantly, the collaboration of multiple clients together: multiple business users, multiple programs working together in order to drive vendors to give data quickly. If a vendor needs to share their position once and it gets shared to 50, 60, 70 different programs at once, the vendor's happy and programs can be more expedient. So number seven, what are we expecting to see? We're expecting to see one-to-many compliance mapping become more real. And what do we mean by that? When we start looking at these programs, a lot of these programs are looking to drive compliance frameworks and compliance regulation, ultimately compliance for the organization. Now, what we see is there's always an evolution of red tape and regulations over time, and as organizations seek to align to those, they often have a fear that they need to try and change their program to a huge degree. So what we're expecting to see happen in 2023 is more organizations become confident that the solutions in play are able to look at the various regulations and compliance frameworks out there in order to do a better one-to-one mapping and one-to-many mapping. And what I mean by that is we will ask a single question to a vendor, potentially a year ago, or we get some information to drive a decision a year ago, and a new framework comes out. We should be able to apply that framework to that question and see the impact across our entire estate. We shouldn't have to keep reassessing.

Alastair Parr: We shouldn't have to keep re-engaging with vendors because there's a new ISO framework out that we need to go and compare the results against.
The technologies out there are becoming more and more capable now of actually qualifying regulatory compliance based on data. And the way that we see that working is that you essentially have cross-mapping become more and more the norm across a third-party program. And so when the business, the compliance teams, the audit teams start saying, "Hey, there's a new ISO 27001 framework or standard out; how does our third-party estate compare to that?" or "There's a new OCC bulletin requirement out; what's our posture?", the programs will be able to give an informed decision across their entire estate within hours rather than weeks or months. A trend I'm sure you might be seeing here in our conversations is time, and having some degree of expedience in how we're managing these programs. And this is a good example of that. We're seeing organizations trying to simplify the program, using a single targeted assessment and remapping that assessment to the various regulatory requirements that they're exposed to. Now, we have touched on this in prior years, but one of the things that we see becoming a solution here that's driving adoption is that it is getting simpler. There are more resources available that simplify the association of various frameworks and regulatory standards to one another. There's more collateral being provided by the various players in the space, and even the regulators themselves, that makes things slightly more transparent. No longer are people having to sit back themselves and remap, say, reference X to ISO reference Y to FCA requirements, and so on. It's not effective. It's not a good use of time for all of us to be doing the same things behind the scenes. So we are seeing the value of resources, both technological resources and of course resources in industry as well, and that is driving that compliance one-to-many adoption.
So on to number eight: SOC reporting will be better incorporated into TPRM practices.

Alastair Parr: I was going to spend a little bit of time on this because it's been a very interesting trend for us into 2022, and that is that SOC 2, particularly SOC 2 Type 2, documentation and artifacts over the 2022 period have become more and more common as evidence and artifacts being provided by third parties. So we find this interesting when we start looking at the third-party estate for one main reason: it's a good insight. It's a third-party-driven assessment of an organization to understand the controls and mechanisms that they put in place, and it's validated over time. Great. It's a useful document. It can give us in some cases a bit more insight than, say, a 27001 certification, whatever it may be. But there are some common challenges that we're seeing with SOC 2 material, where we're seeing changes in how people adapt and react to them. So reports typically tend not to be consistent. Each auditing body, each auditing firm will manage their reports in different ways. There's a very small degree of consistency from document to document. So when people are getting these SOC 2 reports, they're having to sit there, sift through it and try to identify what the actual common criteria are, what the failures are, what the control failures are, and sift through walls of text to make a decision.
Great if we're doing one vendor; if we're doing 10,000, 20,000 vendors, 20,000 artifacts, that's not scalable, and ultimately we're seeing third-party programs getting irate with that. The other challenge with the SOC reporting piece and SOC 2 Type 2 reports is that the actual scope itself can be somewhat interpretive. It might contain certain control areas, it may not, based on the perceived scope. So what we're seeing organizations do is they're starting to consider, number one, is the scope sufficient, and number two, how can I standardize this SOC report into something that I can leverage in my standard assessment workflows. And what we're expecting to see more and more of into 2023 is organizations looking for workflows that (a) standardize these various disparate documents and (b) provide a mechanism to automate the analysis of them.

Alastair Parr: So when we start looking at these various findings, for example, we're expecting organizations to say we want to be able to take out the common criteria, the control failures, etc., and put them in a different standard document, or we want to be able to adapt it into our common standard assessment framework. So whether it's the Shared Assessments SIG, whether it's their own proprietary format, the PCF, etc., they want to be able to adapt the control identifications from a SOC 2 report, or even to a lesser extent a SOC 1 report, and put it into their local assessments. They are then also looking to do that without having to bring in consultants, wheel in highly skilled resources, in order to drive this. So what are the trends? What are we seeing the market do to react to these requirements? Into 2023, we are expecting better automated document analysis in third-party programs. This does of course transcend just SOC 2 reports, but this is the most common example where we're expecting things to evolve, to start with.
So we are seeing tools using that machine learning capability we spoke about earlier on for contracts, OCR, etc. to be able to take and call out control areas, to be able to populate assessments automatically, and also build custom reports and call out in a structured way where there might be issues. So in 2023 we're going to see an evolution of that. We're not going to see the problem just magically get solved. And when you look at all the various providers out there doing this, there's always going to be a degree of manual effort here because machine learning needs to evolve. I don't think anyone's at a state yet where it's perfect. But what we're seeing as a trend is that more and more organizations are trying to remove the 70% of noise. They want the automations to be able to standardize. They want the automations to tell them where they need to look in a document to focus on it, or at the very least make suggestions on cross-mapping from a document to an assessment. This will also extend in 2023 to any document. If someone provides their policy set, we want to be able to identify the challenges to that. If somebody uploads a SIG, for example, but we're using our own proprietary formats for assessments, we want to be able to cross-map that and make suggestions. We do not expect, and we don't predict, in 2023 that the industry is going to get to a point where this is completely automated. Equally so, from a risk standpoint that presents a bit of a challenge and a bit of a fear. But what we do expect to happen is that the space will evolve to a point where we're able to pull out and call out key challenges and clauses that might be a concern, much like contracts earlier on with SLA and performance management. Beyond that, SOC 2 specifically, we are expecting SOC 2 to become a broader, more accessible and acceptable document for third-party life cycle programs.
There's a great amount of detail in these SOC 2 reports, Type 2 reports particularly, and we are seeing good value even from our own managed services in taking these materials, analyzing them and getting support from the necessary consultancy-tier resources where necessary. But again, 2023 will be about efficiency and automation. How can we do that in a more scalable way? So, number nine, observation: the TPRM tent expands. A lovely phrase, if I do say so myself. But what do we actually mean by that? We obviously mentioned that third-party risk management is evolving into third-party life cycle management. And what we're seeing is that there are of course multiple parts of the business getting invested in this program. So procurement, legal, risk, operations, audit, just a few examples of ones that we've discussed that are going to have a vested interest in it. But it is really multiple people collaborating and working together that's going to make a program successful. So what we're seeing is that people are looking for that single source of truth. They are talking to third parties. They want to ask them once for things and then they want to feed that into the broader teams, for example. Now the teams themselves all have their disparate technologies, but into 2023 what we're expecting to see is that more of them are going to agree: we want a single source of truth on our third parties. So we're seeing life cycle take prominence here instead of risk management, where all of their data is getting amalgamated into a few distinct systems that become the central source of truth for third-party risk and life cycle management. So procurement of course want to understand about cost reduction and selection; that helps the broader process because we're demonstrating that return on investment.
We're seeing the legal teams of course feeding into that procurement process up front: the legal reviews, looking at contracts, regulatory alignments, mandating things like audits on sites, remote assessments and so on, and ultimately getting involved where there might have been an issue or a deficiency from SLA or performance management. We're seeing the risk teams continue their long-standing tradition of sending out assessments, understanding control failures and control areas. We see operations looking at resilience with the additional focus that we're seeing these days from, of course, things like COVID, and also from COS ultimately dictating to understand how third parties are going to affect revenue delivery. And then of course we have the audit teams checking everything, making sure that everything's effective, looking at compliance, looking at things like ESG data, which is feeding into things like marketing campaigns where the organization is showing off its green posture or its modern slavery stance, etc. So marketable values that we're bringing back from the program, from procurement and audit of course, but all of this is amalgamating together. The teams are beginning to work together and we expect to see that continue into 2023. We're seeing more and more budgets getting amalgamated into a centralized function, and we're seeing the teams finally getting to a point where they believe that collaboration together is going to be more effective, more efficient, and of course have a greater weight when we're talking to the third-party estate. Now, interestingly, we've seen it ourselves on the receiving end as we go through contract negotiations, where we're actually a third party providing services ourselves. We're actually seeing all of these different parts of the business starting to work together into a far more cohesive journey. And I must say, as a vendor, as a third party myself, it is a much more pleasant place to be. Vendors are enjoying this workflow because it's streamlined. It's far more disparate. We're talking to procurement and legal at the same time and they're talking to each other. So we're not re-articulating the same information again and again. And because of that, you're seeing third parties get better buy-in and better interaction, of course, with the respective teams. So it's a win for everybody in that perspective. I have just realized that operations appears to be a tree on this slide. That's no disrespect, of course, to operations teams, but they are of course the very root and foundation of all that we're doing in the business. So of course, naturally, that's what we mean by that indication and illustration there. So looking at number 10. So this is that small elephant getting rather larger in the room right now, which is the economy. I'm sure, unless you've been living under a rock for the last six, nine, 12 months or so, you're very aware of the fact that various countries around the world are going through various states of inflation. There's anxiety in markets and of course there's a degree of concern around how that's going to impact budgets and decisions moving into the 2023 calendar year. So we have a few predictions based on the economy specifically here. So as much as there is a degree of uncertainty in various markets and geographies at the moment, we actually see this as a positive driving force for third-party life cycle programs. Why? That might sound somewhat contradictory, but when it becomes a race to improve the efficiencies and control resources of a third-party program, and there's additional scrutiny on budgets, we are very much expecting that to translate into better decisions where we might have had people sat on a bench doing the same repetitive tasks and not making much difference.
While the business historically might have been happy to sit there and absorb that cost, improved scrutiny on third-party budgets shouldn't necessarily mean a reduction in staff count. But what it should mean is an adjustment of the technology spend and the process spend to make sure that we're being efficient. The businesses in 2023, and the business owners, the executives and the shareholders, are going to want to see improvements. And what sort of improvements are we going to expect from a third-party program? It should mean, well, we still need the same degree of exposure and awareness from a third party, but we need to start looking at how we can use our resources more effectively. Are there better ways on the market to be able to capture this data, engage with vendors, collect this information? How can we reduce the workload on the existing resource so that they're able to do more and continue to drive risk reduction for us, and get the teams to work collaboratively into the TPLM tent, for example? And the answer to that is that we're going to see TPRM specifically starting to evolve. More and more people are going to be concerned and considerate of the maturity of their program. They're going to be looking at efficiencies. They're going to be looking at ways to be able to maintain the same level of visibility at a minimum, if not scale. And they're going to be looking at smarter ways to do so. So there'll be a renewed interest in the market space to understand what we can do to be more effective. So that stagnation of a program that might have occurred in previous years will evolve into a rethink, an audit, a better consideration of how we can improve maturity and be more effective as teams. Of course there might be some budgets in certain sectors that might get constrained into 2023. We're mindful, of course, that that may happen in certain spaces, but the broader expectation from us is that we have seen TPRM and TPLM evolve as a key requirement in industries. We know that it's a requirement based on regulatory frameworks that are coming out and ultimately enforcing requirements on people to be able to drive and deliver against it. And because of that, it's not going away. It's not a situation of do we scale back our program into 2023. It's a case of how can we evolve and make it ultimately more effective. So looking at our top 10 and key 10 takeaways: from our perspective, we actually started with probably in the region of about 25 to 30 common trends and observations that we're seeing that are going to evolve into 2023, but the various bright minds of Prevalent sat down and curated it down to sort of our top 10 takeaways and our top 10 observations. But you might see a few trends across it, which is: organizations are looking at TPLM instead of TPRM; we're seeing communication and collaboration across the respective business resources, which is certainly a positive thing; we're seeing the technologies evolve into starting to look at geopolitical and geographic localized events, and automations looking at unstructured data and making it more effective and efficient. So we aren't expecting programs to stutter in the sense of slow down. We're expecting them to become automated, more efficient, more collaborative across the business and fundamentally more secure, which is lovely news for those of us who are third-party life cycle professionals who want to see this evolve into a good, successful state where we are able to manage and mitigate risk across our business. So we will be moving over to a Q&A section in just a moment, but before I do, I'm actually going to hand over to Scott, who can give you a bit of insight into Prevalent specifically and how we actually approach some of these challenges, and then we'll go over to the Q&A piece. So Scott, are you there? Scott: I am indeed, Alistair. Thank you so much.
I'm just going to share my screen here with everyone. Just a quick check. Alistair, can you see my screen? Alistair Parr: Indeed. Thank you. Scott: Awesome. All right, everybody. You know, Alistair brought up some really interesting points about where we think the market is headed in the coming year, using information from a myriad of customer conversations, partner and analyst interactions and more. But a lot of it really congeals around the concepts that Alistair just finished his presentation with, and that is increased levels of automation and efficiency and, as one of the predictions said, kind of an expanding tent of third-party risk. That includes not just traditional IT security and business resilience and data privacy concerns, but also understanding two things. Number one, that risk is inclusive of concepts like business events and finances and reputation, but also risk happens at every stage of that relationship life cycle. Not just the point where you want to determine if this particular vendor or supplier is sound enough for you to want to do business with at the onboarding phase, but it also includes measuring risk over time and performance and more, all the way to the point of the end of the life cycle. So great takeaways from Alistair. I just wanted to walk through very briefly how Prevalent can help address some of the challenges in the third-party risk life cycle. You know, we see your path in moving toward a more mature, more programmatic approach to third-party risk, whether you're building a program from scratch or optimizing an existing one, and there tend to be three big challenges that get in the way. The first is the fact that it's so darn manual.
You know, we do a survey every year to the market and it shows between 40 and 45% of respondents still use spreadsheets to gather information from their third-party vendors and suppliers, and the minute that thing goes out and comes back there's a lot of back and forth involved; maybe you store it on SharePoint or some file share or somewhere and it's out of date. And that really leads to that second point, where you're dealing with a lot of old information. Without a continuous feed of information that flows into a single place to help you visualize any updates on suppliers or vendors or third parties throughout a year or relationship, or in between those point-in-time assessments, you're really missing out on the opportunity to get ahead of certain risks. That's because data tends to be out of date. And the third trend we're seeing out there as well is now everybody has their hand in third-party risk in some way or another. Where it used to be primarily an exercise that was led either by a procurement manager or a sourcing professional trying to onboard a good supplier for the company, or an information security analyst making sure that a new IT vendor has the right data and access security policies in place to keep systems and data protected, well, now everybody wants a say in it: some executives are involved, there's a lot of board visibility, legal teams, compliance teams, more. As this discipline continues to evolve, as we have seen in the last year and are going to see in the future, the need to have a solution that is, first, much more automated, second, inclusive of data that you would consider real time, and third, applicable, usable and extensible to multiple teams throughout the enterprise is really going to be paramount. That's what we specialize in.
We specialize in bringing together multiple different teams, multiple different data sets, multiple different risk concerns into a single platform that manages the life cycle of that third-party vendor and supplier risk, from the point where you're sourcing and selecting a vendor to the point where you're eventually going to terminate and offboard that relationship. We see distinct risks happening at every one of those stages of the life cycle, more than just simply onboarding a vendor and doing some pre-contract due diligence and then doing some annual reassessment at contract renewal. At each one of those different stages, we break it down into three buckets, if you will, of onboarding, assessment, and management. But at the end of the day, we've got underlying capabilities, professional services, and one-on-one customer support that helps customers move through those stages much more effectively, ultimately to achieve a set of benefits that are applicable to multiple teams in the enterprise. We mentioned that it's more than just procurement, more than just IT security, more than just risk management, but inclusive of multiple different departments who can benefit from a combined solution of not just assessment data but also continuous data feeds to help add context to decisions. And as you look at the life cycle, you see faster decision times, faster onboarding, less risk in making a sourcing and selection decision by getting that level of intelligence and automating the process, reducing the time you have to spend executing those assessments by using built-in workflow and templates to assess the vendor that way.
And then monitoring performance and then validating results through external data feeds, and ultimately, when you wind down a relationship, having the checklists and the important information there to make sure that when you wind down a relationship you're crossing all the t's and dotting the i's. You don't cross i's and dot t's, do you? No, I always mess that up. Customers use our solution to address multiple different use cases. We talk about procurement-related use cases: needing to perform pre-contract due diligence or supplier resilience assessments, or determining whether or not a company has a modern slavery statement, or was addressing certain anti-bribery and corruption laws, or ESG concerns. Also, customers use the platform to help assess your traditional IT security concerns, data privacy concerns that align with certain compliance regulations, and then a whole host of additional compliance regs that we have specific templates for in the solution, and they can back that up with continuous data to give you a real-time view of it. Also, from my perspective, what we're trying to do in third-party risk is to enable three things for you. Number one is to help you and your team just frankly be smarter, and to give you the intelligence that you need to make the decisions at the right time of the relationship, whether you're looking at the risk posture of a vendor you're looking to onboard, or looking to renew a relationship and need to look at their various security postures or whatever. And second, to unify it together. Bring that data together in a single platform.
So you're not using 10, 12 different data feeds or three, four different platforms, all unified by a single workflow that enables risk elevations and triage to happen programmatically throughout the life cycle. And then finally, speaking of programmatic, a prescriptive approach that gives you as much automation and workflow and templates as possible to speed the process, make it more automated and efficient, as Alistair said, the ultimate outcomes here. That's really what I wanted to share with you today from a Prevalent perspective, in terms of how we can help, backing up what Alistair talked about in terms of his trends: markets moving fast, lots of new trends, a lot of new risks, a lot of the same old risks still rearing their heads. The more we can plan for the future and take stock right now of where we are, and start to identify where the gaps are and move in that direction in the coming year. So that's our perspective here. Back to you, Melissa. Melissa: All right. Thank you, Scott. Now would be the best time if you have any questions: drop those in to the Q&A part, if you will, and I will launch our second poll real quick. All right, there we are. We want to know, is there a project happening? I know budgets are quickly getting established for 2023, so maybe you're in the same boat. And then while you do that, we're going to go ahead and chip away at these questions. So keep them rolling. I see a few of them already surfaced. So, Alistair, I have our first one here for you. It says, I see different companies evolving with the concept of continuous monitoring of third parties, such as SecurityScorecard, BitSight, etc.; those are some of them, to name a few. Do you see value in introducing these solutions for third-party continuous monitoring in 2023 and onwards? Alistair Parr: Yes. Absolutely.
So, from my perspective, there are so many different ways of looking at continuous monitoring, and yeah, there's a few out there that tend to focus on very specific components. So some of them are very much cyber-based. So they're looking at, say, passive vulnerability scanning of an environment, and really most of these providers, most of what they're doing is they're taking very, very similar data. A lot of them will be getting the same information and they're applying their own localized analytics. And what they're doing is they're basically giving you a grade, a scorecard, a FAIR-based dollar value based on that analysis, but the underlying data tends to be the same. They are certainly valuable, but where we're seeing the space evolving in 2023 is it's not really just about one feed. They're all getting similar information and they're doing their analytics on it, but what a good program is doing is it's getting multiple criteria. It's building a comprehensive profile. It's looking at cyber feeds. It's looking at business events. It's looking at regulatory sanctions lists, for example. It's looking at ESG data, the geographic locations, through continuous monitoring. It's taking all that information and doing more than just looking at them in isolation. It's applying cross-comparisons between those data sets so that continuous monitoring becomes really that comprehensive 360-degree profile. That is where there's going to be real value in these solutions into 2023, beyond what you're seeing in the market space right now today. Good question. Thank you. Melissa: Awesome. All right, we have another one. How do we integrate TPRM to SRM solutions to have a supplier 360 view and integrate to source-to-contract? Alistair Parr: So it's interesting because historically things have been quite disparate.
You see multiple technologies when you start looking at the supplier piece, and much like that last question, you might have a procurement team using their technology, infosec using cyber feeds, for example; there's multiple workflows, multiple distinct technologies contributing to that. What's working is that some organizations are starting to integrate them to one another using APIs, using connected marketplaces like Prevalent's, or they're looking at a solution that's going to be able to give them consolidation. Can they take data from system A, system B, feed it into that master record, that single lens of truth, as it were? That takes time. It's not a quick fix by any stretch. And to do it right will take months as opposed to days, in most cases. Good question. Melissa: All right, we have time for... Alistair Parr: What was that? Sorry, Melissa. Yes, we do seem to have a lot of questions coming through, so I think you might want more. Melissa: It's great. Yeah, one more should work. I mean, is there one that's particularly standing out to you that you can see? I don't want to pick the final one. Alistair Parr: So, just skimming through these, there obviously are lots. Apologies, everybody, I can't get to all of them, but there's a good question here about do you see fourth party becoming part of the conversation more into 2023. So you may have seen fourth party not being mentioned too much by us today. And that's not because it's not a topic point. It absolutely is. But we're seeing some of that continuous monitoring, that comprehensive profiling, incorporating fourth-party analysis. People are asking vendors who the fourth parties are. They're getting context around what they do and then they're weaving it into the program. There are still challenges, and we see those challenges continue in 2023, to get an accurate full picture of the fourth-party estate.
It's always going to involve some interactions with the third parties to get that level of information. But things such as the networks out there help this. And equally so, things like the scans, the comprehensive profiling scans, all help give some baseline information for fourth parties. So it is important. It's not going away. It's been there for a few years, but we're just seeing technologies improving in how they're able to contribute to those feeds. Good question. Melissa: Perfect. Well, that brings us to the end of everything. Thank you everyone for all your questions. I wish we could get to all of them, but maybe if you want to, there's info at prevalent.net. Maybe Alistair's generous enough to provide that for you, his own personal email. But I know he did give us some great insight of what to expect in the upcoming year. I hope to see many of you at a future webinar. I know we have a lot coming up this month. And that's it for me. Anything else from you guys? Alistair Parr: That's it. So thank you very much, everybody. Hope you have a lovely day. Melissa: All right. Take care. Bye, guys. Bye, everyone.
©2026 Mitratech, Inc. All rights reserved.