Gestion des risques liés aux tiers : Risque inhérent et risque résiduel

Ashley: Bonjour et bienvenue à tous. Nous sommes ravis de vous accueillir. Je vais vous laisser une minute pour que tout le monde puisse s'installer et se connecter. Mais en attendant, je vais lancer notre premier sondage, car nous sommes curieux de savoir ce qui vous amène à participer au webinaire d'aujourd'hui. Est-ce pour des raisons éducatives ? En êtes-vous aux premières étapes du programme TPRM ? Êtes-vous déjà un client régulier ? Êtes-vous simplement ennuyés et aimez-vous entendre les voix de Scott et Romney ? Si c'est le cas, je ne peux pas vous en vouloir. Mais quoi qu'il en soit, faites-le-moi savoir. Et je ne peux pas oublier de me présenter. Je m'appelle Ashley. Je travaille ici chez Prevalent dans le domaine du développement commercial. Et nous sommes rejoints par un invité très spécial, Rodney Campbell, vice-président senior et responsable de la gestion des risques tiers chez Valley National Bank. Bonjour, Rodney.

Rodney: Bonjour.

Ashley: Et je ne peux pas oublier Scott Lang, notre vice-président du marketing produit. Salut, Scott.

Scott: Salut, Ashley.

Ashley: Je vous rappelle rapidement que ce webinaire est enregistré et que nous vous enverrons l'enregistrement ainsi que les diapositives de la présentation peu après le webinaire. Vous êtes tous actuellement en mode silencieux, mais nous vous encourageons à participer. Veuillez poser vos questions dans notre boîte de questions-réponses afin que nous puissions y répondre à la fin du webinaire. Aujourd'hui, Rodney va nous parler de la relation entre le risque inhérent et le risque résiduel. Rodney, je te laisse la parole.

Rodney: Thank you Ashley and thanks to everyone for joining us. So today we’re going to talk about the true stories of a third party risk management professional um with a different twist on inherent risk and residual risk. Really, I want to focus on the disconnect between people, process, and technology and how that impacts the relationship between inherent and residual risk. Next slide. So, I want to make sure that everyone’s aware. I know that we’ve spoken a lot about inherent risk, residual risk from the technical perspective and also using technical terms, but I want to make sure that this particular message speaks to everyone. Um the individuals who work within TPRM, but also the individuals who are not within TPRM. Um the individuals who are uplifting a program for the first time. You’re trying to wrap your head around what should I do and what can I do. I want to make sure that we understand the relationship between inherent and residual risk. And as you see on screen, TPRM is an ecosystem of interconnected processes, tasks, and activities that together work to identify, assess, and mitigate risk posed by third party relationships. So the overall success of your program, third party risk management and the individuals that are stakeholders and contributors to the TPRM process. It requires business collaboration and organizational alignment. So again going back to what I mentioned originally, I want to discuss organizational factors that can prevent appropriate identification and mific mitigation of third party risk. Next slide. Now this is really interesting because I can tell you that many of us here today who are on this call, as I stated, you’re probably building a program and you’re trying to figure out where do I start? How do I look at this? So, I will say consider this. This is a learning opportunity for all of us. I think we’re all learners um in the making or subject matter experts in the making. So, consider this. If you were purchasing a home or a vehicle, you would verify all claims made by the seller before signing the agreement and issuing a payment. You would? Cuz I know that I would. So, why should you handle any other business transaction that you enter? Not be handled differently. So, imagine signing a contract for a new home or a new car. You’re going to make sure that you do your due diligence to make sure that that new home or new car is exactly as the seller stated it. So, why would you handle any other business transaction that you’re entering in differently? You would want to raise and position the same level of due diligence as you would if you were purchasing your own home or vehicle. Next slide, please. Your organizational role and responsibility in third party risk management. Now, this is really important because Again, you are more than likely a part of this process in your organization. Um, now whether or not you’ve been included in that process is another story, but I want to make sure that we understand for all of you here on the call, you’re probably a stakeholder, and a stakeholder can be many things within your business units. A stakeholder may be someone from your control function, a person who has a part or a role to play in your process. Are you engaged? Are you involved? Are you aware of what’s going on within the TPR process within your organization? You may be a vendor relationship manager. Now, I know many people are probably on this call cringing a bit because we know that a relationship management term has been dee has been deemed administrative processes in the past. We want to make sure that if you are the owner of a relationship, are you responsible for the relationship that you’re managing? Are you aware? Do you know what your supplier risk is? Do you know the impacts of your supplier risk? Are you utilizing your supplier engagement the way that it should be utilized? Are you engage with the supplier so that in the event of an issue or a risk event I would say can you contact them do you know who to contact so I think the vendor relationship manager role is very important is extremely important you’re part of the first line of defense and I think if you have no awareness as to what your role and responsibility is if you’re part of the first line of defense that’s probably something that you should discuss with your GPR team assuming that it’s centralized now internal audit internal audit again you’re probably pinching again but they are friends they help us get better so internal audit um have a role and responsibility in your TPR and program. Um they act as an effective challenge. They are the third line of defense. It’s important that you partner with internal audit because the goal is maturity. It’s evolution. You want to make sure that what you’re doing as an organization, you’re moving in the right direction, but you can’t do that alone. So no matter how smart you think you are, no matter how great and talented your team may be, you need to partner with their line of defense. It’s incredibly and crucially important. And then you think about senior leadership. This is really important because I want to say if you are part of senior leadership. You want to make sure that you understand what are the products and services that you’re utilizing to make your day-to-day business operations run as they should or run as expected. If something occurs within your business line, within your business function, are you aware? Are you aware of the number of products and services that you do utilize to operate as a business? And are you aware of the impacts and the risk? If you’re not aware, you should be. And I think engaging with your TPR team is critically important. I believe your TPR team should also engage with you. Remember collaboration is key. I also want to mention board of directors. Often times we do not mention the board of directors in TPRM. I think high level at the policy we do we talk about it in other calls. I see that other presentations and webinars mention the same thing. But I do believe board engagement and board awareness is important. It’s important because you are responsible for providing governance and oversight or management oversight for products and services that are supplying and supporting your organization. Many of these are critical core. Now, you want to make sure that if there are any if there any risk, anything that you identify that could potentially impact your organization, you want to make your board aware. Now, again, this is at a high level, but I do think that situational awareness, their engagement is critically important. Sourcing and procurement, you may or may not have a sourcing and procurement department. It may be integrated within your GPRM program as many are, but that relationship with GPRM is critically important. You are sourcing suppliers that your organization may potentially to use. If you’re disconnected, what you essentially do is overlook or probably bypass some of the processes that are required by TPRM. So, you want to make sure that sourcing and procurement are heavily engaged. They’re actively engaged. And TPRM is a department or as a function that can that can consist of many roles. So, not just the TPRM as a centralized unit, but also the control functions, the individuals that help support your business’s operations to make sure they run it sufficiently. Next slide. Whoa. An organizational issue. I tell you, this is a real organizational issue. And this is why I said I want to talk about inherent risk. I want to talk about the relationship between her risk and residuals from a different perspective. Not just getting into the semantics of risk categories. Not getting into this is what inherent risk assessment means for your organization. I want to talk about an organizational issue that prevents the complete accuracy of an inherent risk assessment. The identification of risk. in the mi in the mitigation of risk that you identify in that inherent risk assessment. Now look at this screen here. We see there are key organizational issues that prevent the proper identification and mitigation of third party inherent risk. Now some of these things and terms may be uh something that you’re well aware of and some of these may be terms that you’re unaware of. But think about what these means. Lack of corporate governance. What does that mean in your organization? You’re onboarding a supplier, a potential third party, critical or not. It’s important you have a process. If you don’t have a process in place, who knows who does what? What are the roles and responsibilities? How are they delineated throughout your process? At what point should this department or this function be involved? Who’s the stakeholder? What is the approval process? Do you all understand what is point A from point Z? When you don’t have corporate governance, processes are run all over the place. I can tell you that it isn’t repeatable. It isn’t reportable. It’s probably done many ways uh for many different things or many ways for some of the same things. Uh the next point is organizational silos and fragmentation that never happens. Of course it does. So organizational silos and fragmentation that is one of the biggest threats to onboarding any particular supplier. I say that because the silos the decisioning that is made within business departments need to be jointed not disjointed. But often times the ideas or the ideation the planning and identification of suppliers they’re done separately. So the greatest idea that one business function may have another business function who is an interdependent or interconnected department or maybe a shared service is completely unaware that will pose great risk to your organization. Fragmentation is often important too. You have business units that are probably working day-to-day side by side in parallel but they’re not communicating. So again you got to have that collaboration. You got to communicate. I think whenever there’s a third party engagement consider all of the risk consider all of the shared services and the shared responsib ility throughout your organization. So for example, if I’m a business function and I am looking to onboard a supplier, if that supplier has access to confidential information or confidential data, who should I involve? Exactly. I need to make sure I have the right people involved because if I don’t involve in the right people, the right departments, I’m going to make a decision solely based off of what I think and what I know. Now, keep in mind, I’m not in privacy. I’m not in information security, but I will make decision that a stakeholder within privacy and information security should be made aware of and should also participate in the uninformed independent decision makers that never happens. Of course it does. The uninformed and independent decision makers these are what I find to be the biggest threat to your organization whenever you’re dealing with third parties and products and services. The uninformed independent decision makers are individuals who are they’re they’re probably bright and brilliant at what they do. But the decisions that they’re making aren’t factbased. They’re decisions that are being based off of interpretation. Their perspective or perhaps their strategic goal or what their view of value is from dealing with a potential third party product or service engagement. I I think many times you see an organization you have a stakeholder or I would say business champion. Then the business champion wants to get this done. We need to get it done. That’s the individual who is kind of waving the flag of this particular third party product or service engagement. They’re telling you the reason why it needs to get done but they do not know how it’s getting done. They do not know the impacts. They do not understand the risk. They don’t understand the overall value and strategic purpose of third party products in service engagement. And this is critically important because that uninformed independent decision maker more than often times will be responsible for engaging suppliers and probably miser say misassessing but inaccurately assessing the inherent risk and also misidentifying the mitigation for the inherent risk as well. Internal misalignment Does that ever happen to you? It does. I’m going tell you why it happens. Internal misalignment is when you get a bunch of individuals, not in the room, but a bunch of individuals who are working toward the same common goal. You have the same purpose. Again, the product and service engagement make sense for your organization. The problem is this. When decisions are made that are disjointed, they’re not made together. We’re not connected. We are not all equally and collaboratively in agreement that this product and service engagement meets the same risk profile, meet the same measurements, the same goals. We we are in alignment with the impact. We understand the level of risk. We understand the holistic value. Then I can tell you that often times the actual product or service engagement as you intended it to be initially will not play out as originally planned. And another one which is probably most important now again take in mind these are not in any particular order. This isn’t a chronological order. This is justformational for all of you. Insufficient vendor betting practice. Vendor vetting is important. Often times we do not distinguish between vetting and onboarding. During that planning and identification process, are you verifying that the supplier is who they say they are? Are you looking at the infrastructure or corporate entity holistically? Are you asking for due diligence at the OnStar? Are you running old checks on your suppliers? What are you doing at the beginning to make sure that at the baseline level that these suppliers can pass stage one and get to stage two? I can tell you why it’s an organizational issue because often times you’re probably bypassing vetting or you’re consolidating vetting while contracting. So you presumably already selected as fire, but you haven’t the vetting process is to identify the impacts, identify the risk and discuss that internally with your group. Next slide please. Now here this is really important. An organizational recommendation and I have that in caps you see drive business value. value, quality service, and appropriate third party risk management practices. Now, everything that I just mentioned on the previous slide, here’s a way to address those things. Now, again, you have to make sure that you apply these techniques to your organization because it isn’t a one-sizefits-all. Everything is different. So, this is why I didn’t want to approach inherent risk and residual risk from the typical methodological perspective of this is what you do, this is the question that’s asked, and this is what you respond by. I think it’s important that we understand the people risk, the people element of how these process this can go wrong with the onstart. So when we talk about an organizational recommendation, I want to make sure that we address the concerns that I initially stated in the previous slide. So establish corporate governance, accountability, transpar transparency, fairness, responsibility, and risk management. Corporate governance is extremely important. How can you continue to source suppliers without a social strategy? Um has your strategy been operationalized? Do you have policies? Do you have rules? What is your governance? What is your framework? What is the process guidance? It’s easy. point a finger at a business function or an individual who isn’t doing the right thing. But if you don’t have process guidance to show them or point them in the right direction, then who’s at fault? I think that’s a shared responsibility. So if you are responsible for any TPR and program, you want to make sure that you provide effective process guidance. You want to make sure that you provide effective governance so that the individuals who play a role in a responsibility in this process have direction as to what needs to be done. Encourage crossunctional collaboration and stakeholder engagement. Be for engaging prospective third parties. Again, it goes back to the collaboration. You need cross functional collaboration. You need stakeholder engagement. It would be unwise and unfair of you to position or propose a potential product or service engagement to a stakeholder for sign off and not make them fully aware. So again, if you are a stakeholder, you want to make sure that before you are approving, before you are giving the two thumbs up to move forward with a product or service engagement, you have full awareness and transparency as to what the engagement tells not just the value, not just the cost savings, but the risks and the impact. And you want to make sure that your organization from a shared service perspective, they’re aligned and not unaligned. The understanding should be understood and not misunderstood. The next one, facilitate decision-m based on facts, not interpretation. This goes back to that uh uninformed and independent decision maker. And sometimes it’s not just one, it can be many. And many can be together or displaced or dispersed throughout the organization. You want to make sure that your decisions are fact-based. We’re moving forward with this supplier for these reasons. Your due diligence should be substantiated with actual work. Again, your decision making, the decisions that you’re making to onboard a supplier, not just simply because you need a product and service, but you need to make sure that you show true transparency, accountability, and due diligence for why you decided or determined to on board or engage this vendor. That needs to be fact-based. You cannot select or I would say you should not select a supplier based off of what you think. you should select a supplier based off of what you know and what you know may not be all the way good. I can tell you oftent times in in my previous life onboarding suppliers have not always been the greatest but those onboarding activities and processes were done with factbased decision-m not interpretation or what I think I knew simply because I have awareness of supply from a previous life and established internal business alignment on strategic goals purpose risks impacts and value before engaging. I mentioned this a few times again it goes back to that internal alignment. You need to make sure that the individuals who will play a role and responsibility in your process, they are align they’re aligned. If they’re unaligned, then that means you will have the perspective or idea of value with one group or one person and that can potentially raise or pose risk thereafter. So, how can you identify an inherent risk if individuals who are part of your risk function or individuals who are stakeholders in this shared collaborative process or shared service are not a part of the conversation or there are complet disagreement or have a complete misunderstanding of the product and service engagement that may be detrimental to your organization. So again, you need to make sure that your business functions are aligned, make fact-based decisions, but you do that cross functional collaboration and inclusivity of the groups that are a part of the shared service in the shared collaborative moment. Next slide, please. The ecosystem of third party risk management. So everything that we just talked about, we talked about the inherent risk, we talked about criticality and criticality we really didn’t talk about, but I want to be sure that criticality cannot be distinguished or just simply aligned by one person. It needs to be a collaborative moment. If you do not have all the groups, all the risk functions involved. Whose decision is it to be critical or non-critical? Whose decision is it that the inherent risk is high? Why is it high? Is it low? Is it medium? I think this is a collaborative moment. The engagement by your business functions. The engagement by the stakeholders is critically important to understand what the nature of the engagement is in the risk pose of your organization. So you want to make sure that you establish internal alignment so that you can establish an accurate inherent risk assessment for due diligence. We talk about that all the time. I think most of us on this call I can tell you me I’ve been on so many due diligence uh webinars. I’ve been a part of due diligence discussions. What should I collect? Can I collect it? If I don’t collect it, what can I or will I do? Those are all important questions. But I can tell you now, you will never know what to collect if you are not engaged at the OnStar. Remember, your inherent risk dictates a due diligence. Due diligence that’s collected is based off of the inherent risk posed to your pro by the product or service engagement and the inherent risk posed to your organization. But if you don’t have the right people involved to help identify that risk, then that would be a problem in itself. So you will miscalculate and probably unfortunately mischaracterize the inherent risk and unfortunately not collect the proper due diligence to mitate that inherent risk and the residual risk assessment as well. We talk about it, we pair due diligence, residual risk assessments together. We do. But here is the problem. A residual risk assessment is a point in time. It’s point in time assessment. It’s a moment in time where you collect a document. It can be a sock report. It can be a SIG, but is it is a document that is dated. The document isn’t up to date. Right now, me, you, all of your call, we’re looking to move forward with this product and service engagement, but your stock report and all of the other applicable due diligence material are not materials that reflect today. They may be materials that reflect last year. They may be materials that can reflect longer. So you want to make sure that you make informed fact-based decisions because for a sock report and again a stock report is really good, it is a control audit report, but I do want to make sure that we’re well aware that point in time assessments while they are efficient, I I do not find them to be entirely effective. So I do think you need to have other measures. Um continuous monitoring I believe is where you create strength is but h how are you continuously monitoring a supplier if you’ve misidentified the inherent risk and misidentified what should be done in the beginning so what I’m trying to show you is how these processes as an ecosystem are interconnected if you don’t if you don’t accurately assess the vendor at the onstar then your due diligence will be incorrect your residual risk assessment will be incorrect the residual risk profile will be incorrect selecting and contracting the supplier will be entirely incorrect because how can you memorialize the risk to do negligence anything that you found during the inherent risk assessment up into that residual risk assessment will be incorrect. So you can’t memorialize the right things as far as provisions are concerned in SLAs in your contract because everything was done incorrectly and your continuous monitoring is risk based. But how can you continuously monitor a vendor if you inaccurately um risk assess and have an inaccurate risk profile of the supplier? So what you’re seeing here is how all of these processes are connected but it’s really important that the people the people who are a part of these shared services are equally and actively involved and engaged in these processes because if you’re not then every subsequent step and every subsequent activity will be managed correctly. So again going back to that collaboration that internal business alignment make sure that you get your stakeholders involved. Make sure that you get them actively engaged. Let’s not present just the value of the contract at the cost of the proposition level. Let’s show a holistic view of what the contract is or the product or service engagement is. That includes the risk not including the risk simply because you may believe it’ll be a bottleneck or simply because you believe the stakeholders or the powers that be may decide to not move forward with your engagement again may be detrimental to your organization. So you need to be as transparent as you possibly can so that all of the right people who are in the room can make fact-based decisions. Next slide. Now before I say thank you, I I do want to make sure that we address any questions um that may be in Q. So, I’ll let Ashley or Scott to let me know if there’s any questions and we can talk through that. So, before handing it off to Scott,

Ashley: Oui, bonjour Rodney. Je vois que nous avons quelques questions en attente. Ed nous demande : « Comment réussir à faire comprendre à vos interlocuteurs internes l'importance de calculer le risque inhérent à votre population tierce ? »

Rodney: Comment réussir à mettre l'accent sur ce point ? Je suppose que vous fournissez des rapports trimestriels au conseil d'administration, car je pense que vos principaux actionnaires jouent un rôle essentiel et crucial. S'ils ne sont pas conscients des risques liés à votre produit ou service, ils ne pourront malheureusement pasvous aider, ils ne peuvent pas faire ou être ce dont vous avez besoin. Je pense donc que le rapport trimestriel au conseil d'administration est important, car il permet de communiquer avec les cadres supérieurs de votre organisation, de leur faire savoir où en est votre organisation au niveau du TPR, de leur faire connaître les risques et de leur faire connaître les possibilités de maturité et d'amélioration. Si vous faites cela, je pense qu'il y a de bonnes chances non seulement que votre programme soit adopté, mais aussi qu'il soit amélioré et mûris.

Ashley: Excellent. Euh, nous avons encore quelques questions dans la boîte de discussion, mais Scott, je vais vous passer la parole et nous répondrons aux autres questions à la fin.

Scott: Awesome. Thank you, Ashley. Uh, hi everybody. My name is Scott Lang. BP product marketing here at Prevalent. Uh, I just wanted to share a couple things about Prevalent, uh, here. to draft off of Rodney’s presentation regarding inherent residual risk. Uh just to touch on on a few ways that you preing can help you simplify that process of calculating inherent risk. Uh trans translating findings into action to ultimately reduce your risk profile and get down to an acceptable level of residual risk uh over time. Uh and really it all comes down from our perspective. What our customers tell us is that they want to accomplish any one of three things. The first in their TPR program. Anyway, the first thing uh they want to accomplish is getting the data they need to make better decisions. And from an onboarding or inherent risk perspective, that includes getting the right set of intelligence and the right people involved in the process to understand uh you know the company’s initial risk exposure and then identifying what types of due diligence is required uh based on the results of of kind of that very very baseline assessment. A second is increasing efficiency and and breaking down silos as Rodney mentioned. you know, there are awful lot of people in organizations involved in third party risk and um you know, I I grew up on a farm and the analogy we always used was if you have a lot of people’s hands on the plow, that plow’s not really going to go in a straight line. So, you know, who’s you know, who’s responsible, who’s accountable uh for third party risk, who contributes to it, who needs to be consulted and informed about it, and bring those people together under a single source of the truth of data and processes so that you can, you know, accomplish your organizational goals. Uh and then finally evolving and scaling uh their third party risk management programs uh over time. Chances are that program is going to change not necessarily from a scope creep perspective but you’re going to bring on new vendors and suppliers. Uh new third parties are going to be introduced to deliver goods uh goods and services to your to your enterprise to help you deliver on your expectations to your customers. Uh so how do you adjust and be agile uh over time and account for any any of those types of changes that uh that happen as as the or organization evolves. You know, our approach to addressing the third party risk man uh third-party risk management challenge and you know those three objectives that you saw on the on the previous screen are to look at risk at every stage of the third party risk management life cycle. You know, so often we take a look at risk on some level during the sourcing and selection phase or making sure that that company matches you know your company’s risk profile. uh in addition to the good or service that you’re going to be, you know, purchasing from them or utilizing being fed for purpose. Uh and then maybe we do some assessments or we look at on a contract renewal, but you know, how often is the that level of discipline and rigor carried out throughout the rest of that relationship life cycle? We see that problem happen uh pretty frequently and it involves a lot of different teams in the business, whether it be the procurement, vendor, supplier management teams, IT security teams, legal compliance, data privacy uh and many others. So we see these you know unique and distinct challenges at every one of these u phases of the relationship and our approach is to deliver a prescriptive process that helps you to um recognize and mitigate those risks at every stage. So that as that relationship progresses from the point that you source and select a vendor to the point where you offboard and terminate uh that vendor when the relationship ends you have the assurance that you’ve got visibility into the risks that you’ve got an action plan to mitigate risk down to an acceptable level and have the documentation and memorialization of evidence to prove it to the auditors. Um, and from our perspective, it really comes down to three things. Uh, that is simplifying and speeding up onboarding with a single source of the truth and a process that the entire enterprise can leverage. Second, streamlining that ongoing assessment process and closing gaps in risk coverage that often happens when different teams are involved in managing thirdparty risk and maybe using different tools. and different sources of intelligence and insights to get a picture of of whether that that third party um you know brings risk to the business and then finally unifying teams across the life cycle which I addressed. So starting in the lower left uh off to the uh to the uh to the lower right I guess in our in our half moon shape here you know what we can help you accomplish at the sourcing and the selection phase is adding automation and intelligence to RFX processes RFP RFI processes, you know, so often those things are done in silos, they’re done in spreadsheets, there isn’t a lot of automation involved, and there effectively isn’t a lot of risk visibility involved in whether or not um or in a in a new vendor or supplier that you’re looking to onboard. Um second, at the intake and onboarding phase, we can, you know, give you that single source of supplier truth, one supplier profile, uh one set of intake processes, one set of contracting and onboarding process that is extensible throughout the enterprise. So you’re ing and from the same himnil so to speak. And third, scoring inherent risks, something very close to our topic today. Um, you know, we give you the ability to score and categorize suppliers, you know, based on datadriven insights. It’s a combination of an eight question internal survey that you and other members of the team collaborate on answering as well as incorporating outside intelligence on potential compliance problems, financial risks that this meers might uh expose you to. Uh, a history of data breaches and cyber for security problems uh you know governance issues and and more all to give you a score to help you then uh prescribe a path to a more complete due diligence uh once onboarding is completed. Um fourth you know our specialty is in um streamlining and automating the ongoing risk management uh process and we deliver specific capabilities in our platform that enable you to do that across multiple different risk types. Now historically you know it vendor manage agement third party risk management was the domain of the security team and largely is is still today um because of the sensitivity of the data and systems and processes that you know you’re ultimately exposed to um or uh as a result of doing business with a third party. Um but you know our for example the prevalent platform has more than 200 builtin assessment templates uh that enable you to u you know question and and pose to um um uh to uh uh to to vendors specific risk based issues that you know are that matter to your business or matter to the board. Next is monitoring and validation um or validating the results of those assessments with continuous cyber security business reputational and financial insights. You know a lot can happen in between the time that you make an onboarding decision and that you finish your due diligence and and contract renewal happens. So we help you fill the gaps between those different um uh you know this you know those different types of assessments with the intelligence to to you know keep the team ab breast of any challenges that that that vendor might be facing and because not all risks are dedicated to um uh you know cyber or you know ESG risks or compliance risks or operational risks. Sometimes a risk is a performance-based risk. And we give you the ability to measure and manage your supplier effectiveness with built-in KPIs and KIS. And then finally, inevitably, uh, you know, like Neil Saddaka said, breaking up is hard to do. Um, so when it comes time for that vendor relationship to end and and that contract to terminate, you know, so often we see, you know, companies don’t have the rigor and the discipline built into the process to properly properly offboard the vendor and mitigate, you know, the long tail risk that you can be exposed to to. So we give you the, you know, the checklists and the document management and the compliance reporting uh to close that process off. You know, we address multiple different types of risks or risk areas um uh with our our platform and that helps you to give uh helps give you a good view of your inherent risk, measure the progression of that risk over time and then get you down to a level of of residual risk that’s acceptable to the business. And these are the kind of the general six categories that that we deliver uh risk insights into whether it’s an assessment built in the platform or whether it’s uh the result of continuous monitoring insights and intelligence uh that um uh you know that we consume uh and then correlate against those assessment results you know on your behalf and I won’t uh belabor the point read the fine fine print there you know how do we deliver it we deliver it um in a way that leverages the three great strengths of Prevalent and that is number one the people the experts that we have that help you um that do the hard work on on on your behalf if you desire that excuse me and that’s onboarding vendors managing them uh remediating executing assessments uh and then incorporating a tremendous amount of intelligence and data from a half a million different sources uh and putting that into a format that can help you make good decisions housing it in the platform with all the workflow and the automation and more uh to help you ultimately get down to that that level of residual risk that satisfies you know your board requirements. Look at the end of the day we want three things for you not three things from you and those three things for you are number one um to help your organization your third party risk management program uh be much smarter in its approach and that’s delivering you the comprehensive insights uh datadriven analytics and role-based reporting for multiple different teams throughout the enterprise. The second to give you a single source of the truth uh to combine assessments and monitoring together and then look at uh risk throughout the entire life cycle from onboarding to offboarding in a much more unified fashion that you might be doing it with spreadsheets or maybe with some disparate tools that really don’t talk to one another. And then finally, as I mentioned before, it’s a very prescriptive uh intelligentbased approach that gives you built-in recommendations uh remediations and more to extend out to your vendors and uh third parties and other suppliers um that ultimately you know can help you get down to the to the level that that you’re willing to accept. So you know from prevalent perspective that’s what our approach is to addressing the the problem of thirdparty risk management. Um and I think it ties in very closely to kind of what Rodney talked about today in terms of the big challenges that organizations face in thirdparty risk and um you know you know what the overriding issues are to get from an inherent to a proper residual risk score. So you So, at that point, I’ll stop talking. I’ll open it back up to Ashley. Ashley, if we have any other questions uh for either Rodney or myself, I’m happy to uh to take those now.

Ashley: Bonjour, Scott. Merci beaucoup. Je vais lancer notre deuxième sondage afin que nous puissions vous recontacter pour tout projet que vous pourriez avoir. Nous sommes simplement curieux de savoir si vous envisagez de mettre en place ou de renforcer un programme de gestion des risques tiers au cours de l'année. Et soyez honnête, car nous vous recontacterons. Mais en attendant, Ron, lisons quelques-unes de ces questions. J'adore voir tout le monde participer et je sais que tu voulais revenir sur la question d'Ed, qui était : comment réussir à souligner l'importance de calculer le risque inhérent à ta population de tiers auprès de tes parties prenantes internes ?

Rodney: Oui, c'est une question que je voulais également aborder, car je pense que ED pourrait potentiellement se trouver dans la même situation que moi il y a plusieurs années. Comment impliquer vos parties prenantes ? Et je ne parle pas seulement du conseil d'administration, car je pense qu'il faut passer par des étapes progressives pour en arriver là. Vous avez peut-être déjà accès, participez ou êtes même impliqué au niveau des rapports trimestriels, ou peut-être pas. Vos parties prenantes, c'est-à-dire la haute direction et les cadres supérieurs, sont donc d'une importance cruciale. Je pense que pour chaque relation avec un tiers, vous devriez procéder à une évaluation des risques inhérents. Je pense qu'il faut distinguer les risques inhérents des risques résiduels, car je constate de plus en plus que les organisations ne rendent compte que des risques résiduels. Elles surveillent et gèrent uniquement les risques résiduels et n'ont aucune transparence ni aucune connaissance réelle des risques inhérents à leurs produits ou services. Je pense donc qu'il est important pour vous de mettre l'accent sur le risque inhérent au produit ou au service, et pas seulement sur le risque après la mise en place de contrôles, qu'ils soient internes ou externes. Vous devez vous assurer que votre direction et vos cadres supérieurs, et je pense que c'est le modèle collaboratif que j'ai mentionné, s'engagent souvent. Nous nous concentrons sur la gestion des relations en interne. Cela signifie donc l'organisation et nos relations externes avec le fournisseur. Mais je pense que ce même modèle est important en interne. Il est donc important que vous, si vous travaillez dans le domaine de la gestion des risques liés aux fournisseurs, fassiez partie de cette fonction. Il s'agit d'un processus de processus et d'activités interconnectés. Votre collaboration et votre engagement avec toutes ces personnes peuvent donc être non seulement une bonne chose, mais aussi une nécessité. Et je pense que cette collaboration et la mise en place d'une compréhension fondamentale ou de base aideront la direction à soutenir et même à défendre ce que vous essayez de faire dans l'ensemble de leurs organisations.

Ashley: Excellent. Scott, nous avons une question pour vous de la part de Mary, qui demande : « Comment Prevalent aide-t-il une organisation à réaliser ses examens annuels des rapports sur les chaussettes ? »

Scott: Excellente question. Notre approche des rapports SOC consiste à vous aider à interpréter le rapport que vous avez obtenu auprès d'un prestataire d'audit tiers. Nous proposons donc un service dans le cadre duquel nous examinons le rapport avec vous. Nous en extrayons les principaux risques et contrôles, puis nous les cartographions sur notre plateforme sous forme de risques que vous pouvez ensuite suivre au fil du temps et auxquels vous pouvez apporter une conclusion en appliquant des mesures correctives ou autres. Nous n'exécutons donc pas nécessairement le rapport Sock 2 ni ne le complétons à votre place, mais une fois qu'il est prêt, nous pouvons vous aider à le traduire en une plateforme afin que vous puissiez réellement gérer les risques au lieu de tenir ce PDF entre vos mains en vous demandant « Oh, que dois-je faire maintenant ? ».

Ashley: Merci, Scott. Rodney, nous avons une autre question pour vous. Quelqu'un a demandé : « Pour quel pourcentage des fournisseurs devriez-vous mettre en place des mesures actives d'atténuation des risques, sachant que l'inventaire est divisé en trois niveaux : élevé, moyen et faible ? Cela part du principe que la plupart des programmes TPRM sont gérés par de petites équipes. »

Rodney: D'accord. Donc, quand on parle du pourcentage de fournisseurs pour lesquels vous devriez mettre en place des mesures actives d'atténuation des risques, je pense que vous devriez atténuer activement les risques là où ils ont été identifiés. Encore une fois, le niveau auquel vous le ferez variera. Évidemment, vous ne gérerez pas et ne surveillerez pas un fournisseur à faible risque comme vous le feriez pour un fournisseur à risque critique, élevé ou même modéré, mais cela dépend de la propension au risque de votre organisation. Cela dépend également du risque que vous identifiez intrinsèquement. C'est important, tout simplement parce que j'ai entendu beaucoup d'organisations, voire certains programmes ou professionnels du TPRM, mentionner qu'un fournisseur à faible risque ne nécessite aucune atténuation. Nous l'avons donc intrinsèquement identifié comme présentant un faible risque et nous n'avons rien à faire. Eh bien, je ne suis pas d'accord, car ce qui peut être intrinsèquement faible aujourd'hui pour des raisons imprévues pourrait être intrinsèquement élevé ou modéré demain. Et cela peut se produire pour de nombreuses raisons. Il peut s'agir d'un changement important dans le produit ou le service réel. Ainsi, aujourd'hui, vous pouvez faire appel à un fournisseur pour un produit ou un service particulier, et demain, vous ferez appel au même fournisseur pour un produit ou un service différent. J'ai constaté que la plupart des organisations, ou du moins beaucoup d'entre elles, mais pas toutes, lorsqu'elles ont un fournisseur qui fournit plusieurs produits ou services, il y a un décalage. Ainsi, si vous avez initialement évalué le risque comme faible, vous évaluez les produits et services suivants de la même manière, ou vous les mesurez ou les évaluez. Je pense que c'est incorrect et inexact. Je ne pense pas que ce soit la bonne approche. Vous devez vous assurer que chaque produit et service est évalué, que les risques sont évalués. Il ne s'agit pas seulement de la relation, mais aussi du produit et du service, et vous devez vous assurer que, quelle que soit l'évaluation des risques inhérents, c'est ainsi que vous souhaitez les gérer et les surveiller. Je pense donc que vous devez mettre en place des mesures d'atténuation des risques. S'il s'agit d'un risque faible, vous devez au minimum le gérer et le surveiller à une fréquence correspondant à ce faible risque.

Ashley: Excellent, merci Rodney. Scott, nous avons une autre question qui nous vient de vous. Quelqu'un a demandé s'il existe des interfaces externes au sein de la plateforme courante permettant de collecter efficacement les données requises de manière régulière.

Scott: Euh oui, en fait, notre plateforme comprend une API REST ouverte qui vous permet de vous connecter à des sources d'informations externes qui ajoutent du contexte supplémentaire à, euh, vous savez, vos évaluations ou vos notes attribuées à vos fournisseurs. Vous savez, nous proposons également notre propre solution de surveillance continue qui inclut des données cyber, financières, commerciales, réputationnelles ESG, des flux de données sur les violations de données, tout ce qui peut être utilisé et ajouter ce contexte pour vous. Nous disposons également d'une API ouverte qui vous permet de vous intégrer à d'autres outils qui sont peut-être déjà en place.

Ashley: Merci Scott, et revenons à vous, Rodney. Tony a posé une question sur l'un des aspects les plus difficiles du risque que je commence à remarquer, à savoir la mise en place et le maintien d'un modèle efficace d'engagement des parties prenantes. Quels sont les principaux conseils que vous donneriez pour commencer à mettre en place ce modèle afin de relever un défi plus important pour les gestionnaires de risques juridiques ?

Rodney: Vous voyez, j'adore cette question, car elle revient au point de départ et à l'objectif de la présentation d'aujourd'hui. Euh, tous les risques sont importants, mais je pense que le risque humain a été un facteur critique pour de nombreuses raisons dans de nombreux domaines différents, mais je pense que votre engagement et celui de vos autres fonctions est important. Je veux, je veux, je veux croire qu'en ce moment, vous en êtes au tout début, peut-être au niveau zéro de la construction de votre programme. Comment mettre en place une ligne de défense circulaire ? Avez-vous d'abord identifié qui compose la deuxième ligne de défense dans votre organisation ? Avez-vous une politique ou une forme de structure de gouvernance qui définit quelles fonctions ou quels groupes au sein de votre organisation constituent réellement la deuxième ligne de défense ? Je pense que c'est important. Et pas seulement au niveau politique, mais au-delà de ce qui est écrit sur le papier, vous devez vous engager activement auprès de votre deuxième ligne de défense. Je pense que c'est important. D'après ce que j'ai pu observer dans certaines organisations, vous disposez peut-être d'un service de relations publiques bon marché et d'un groupe qui assume plusieurs fonctions de gestion des risques, car vous couvrez plusieurs domaines de risque, mais aucun d'entre vous ne communique ou ne se connecte réellement, ce qui est un problème fondamental, je peux vous le dire, car ensemble, vous protégez l'entité qu'est votre organisation. L'inclusivité dans la collaboration est donc obligatoire, elle est nécessaire, il est important que vous, en tant que fonction de contrôle des risques, communiquiez avec la fonction de contrôle des risques voisine et peut-être que le risque que vousexaminez n'ont peut-être aucun rapport, mais il s'agit tout de même de produits et de services tiers. N'oubliez pas que les processus et les activités sont interconnectés et interdépendants. À un certain niveau, vous devez donc au moins avoir une connaissance de la situation, même si vous n'êtes pas activement engagé à remédier ou à atténuer un certain niveau de risque à ce moment-là. Je pense donc qu'il est important de mettre en place un coin avec vos fonctions de gestion des risques internes et une deuxième ligne de défense pour examiner quels produits ou services sont critiques, à haut risque ou modérés, et où il peut y avoir des problèmes, des des escalades ou des domaines susceptibles de nécessiter des mesures correctives. Assurez-vous que vous êtes tous d'accord sur la manière dont vous considérez les risques externes et sur ce que vous faites en interne pour faire face à ces risques ou aux impacts potentiels de ces risques externes.

Ashley: Merci, Rodney. Nous avons une autre question qui nous parvient de Christina, également pour vous, Rodney. Elle demande : « Comment procédez-vous pour fusionner deux TPR lorsque deux entités sont en cours de fusion ? »

Rodney: Deux programmes TPRM pro. C'est bien ça, la question ? Comment procéder pour fusionner deux TPRM ? Je suppose.

Ashley: D'accord.

Rodney: Oui.

Ashley: J'aime bien que Christina ait été rapide. Oui.

Rodney: Intéressant. Donc, quand on parle de fusions-acquisitions, il est important d'avoir une vision claire, et je veux dire une vision transparente, de ce que sont ces produits et services. Je suppose que vous faites partie de l'acquéreur. Est-ce le cas ? Ou êtes-vous l'acquéreur ? Si vous pouvez répondre à cette question. Elle est probablement du genre « à déterminer ». D'accord. Merci. D'accord. Cette décision va donc être multiforme, car mon point de vue sera celui d'un TPR et d'un professionnel. Je pense que cette décision relève davantage de la haute direction et des parties prenantes, car vous devez évaluer le TPR et les programmes, et je vais être tout à fait honnête avec vous : quel TPR et quel programme seraient les plus efficaces pour votre organisation ? C'est important. L'efficacité. Maintenant, il y a peut-être une consolidation, car vous disposez des produits et services qui nécessitent les ressources et cette capacité est disponible. Mais vous devez mesurer l'efficacité du programme TPRM, non seulement dans l'état actuel, mais aussi dans l'état futur. Je pense qu'il s'agit d'évolution et de maturité. Donc, si vous participez à un programme TPRN ou si vous gérez un programme TPR, votre organisation doit déterminer si l'efficacité de votre programme TPRN n'est pas seulement affectée pour aujourd'hui, mais si elle sera affectée pour demain, pour l'état futur. C'est important. Je réponds à cette question sans savoir si le programme sera consolidé ou divisé. Mais une décision devra être prise, car vous ne pouvez pas avoir deux programmes TPR dans une même organisation. Soit vous consoliderez les deux programmes, soit l'un des deux programmes TPR devra être le programme Wayne, je dirais.

Ashley: Merci, Rodney. Je vous renvoie la balle, Scott. Quelqu'un a demandé : « Vous avez mentionné que Prevalent surveille les risques cybernétiques et les risques de conformité. Est-ce en temps réel, c'est-à-dire lorsque des violations de données ou des incidents cybernétiques se produisent chez un tiers ? Le service de surveillance de Prevalent nous en informe-t-il ? »

Scott: Oui, la réponse courte est oui. Euh, c'est aussi instantané que lorsque les annonces ou les violations sont rendues publiques. Vous savez donc que la plupart des SLA ou des outils de cyber-surveillance vous accordent un délai de 20 à 4 heures entre le moment où un incident est découvert ou, par exemple, où le CVE est publié ou où une violation de données est annoncée, et le moment où vous en êtes informé. Nous nous conformons à la norme SLA de l'industrie, qui prévoit que dans les 24 heures, l'information sera transmise à votre instance de la plateforme courante, ce qui vous permettra de prendre certaines décisions en fonction de cela.

Ashley: Merci Scott Rodney. Quelqu'un a demandé si vous pensiez que les documents Sock avaient plus de valeur que les documents SIG non vérifiés.

Rodney: Oh mon Dieu, combien de fois m'a-t-on posé cette question ? Hum, je pense que cela dépend. Je ne pense pas qu'ils aient plus de valeur en soi. Je pense qu'un document SIG non audité contient des informations très utiles qui peuvent être appliquées. Mais je prends cela en considération en fonction de l'importance du fournisseur, du risque, de la notation de risque du fournisseur, hum, de l'engagement général en matière de produits et de services. Je dirais que les rapports Sock sont extrêmement bons. J'aime les rapports Sock, mais je peux aussi vous dire que, comme beaucoup d'autres documents que nous recevons des fournisseurs ou de tiers, ils reflètent une situation ponctuelle. JeJe m'intéresse davantage à la situation actuelle qu'à ce qui a été examiné par un auditeur l'année dernière, car je souhaite m'engager avec ce tiers potentiel aujourd'hui, je souhaite conclure un accord aujourd'hui et j'examine des documents qui ont validé la suffisance des contrôles externes il y a un an. Ma décision actuelle, ma décision fondée sur des faits, est donc basée sur des informations et des documents fournis il y a un an. C'est donc un peu comme tirer à pile ou face. Je pense qu'il est important d'obtenir autant d'informations pertinentes que possible pour déterminer si c'est la SA qui est correcte ou si c'est une signature, obtenir autant de substance, autant de documentation et d'informations que possible pour étayer et soutenir cela, car je pense que des contrôles compensatoires sont nécessaires chaque fois que vous avez affaire à des évaluations ponctuelles, à de la documentation ponctuelle. Et je vais juste en rester là. Je ne vais pas conclure, mais je dirai également à tous les participants à cette conférence téléphonique que je comprends l'importance de l'évaluation des risques résiduels. Nous savons tous ce que ces évaluations signifient, et pas seulement pour les organisations. Nous savons ce qu'elles signifient pour les auditeurs. Nous savons ce qu'elles signifient pour les régulateurs. Mais ne relâchez pas vos efforts et ne perdez pas de vue votre surveillance continue. Je pense que vous accordez beaucoup d'importance aux risques émergents, non pas aux risques actuels ou qui se produisent actuellement, mais aux risques émergents, aux éléments qui pourraient potentiellement nuire ou avoir un impact sur votre organisation. Vous devez en être conscient. Obtenez donc les informations pertinentes pour aujourd'hui et utilisez également les informations qui peuvent être pertinentes pour hier, appliquez-les ensemble et prenez des décisions fondées sur des faits.

Ashley: Merci Rodney. Julia a ensuite demandé : « Si une organisation choisit d'être plus prudente et de ne gérer que les risques inhérents, quel serait selon vous l'avantage d'inclure les risques résiduels ? »

Rodney: D'accord, j'ai également entendu cette question à plusieurs reprises auparavant et je pense que c'est pile ou face. 50/50, cela dépend de l'organisation. Cela dépend du profil de risque. Certaines de ces questions ou les réponses à ces questions que j'ai entendues d'autres personnes sont très holistiques. Je vois les choses ainsi : quel est le niveau de tolérance au risque de votre organisation ? Je pense que vous devez prendre ces éléments en considération lorsque vous déterminez s'il est approprié ou non d'adopter une approche conservatrice et de gérer uniquement le risque inhérent. Je ne m'oppose pas à cela. Nous savons qu'il s'agit d'un risque inhérent. Ce que je suggère, c'est que je pense que le risque inhérent et le profil de risque résiduel sont importants, mais je pense également qu'il est important de réexaminer le risque inhérent. De nombreuses organisations, revenant à ce risque résiduel, l'utiliseront uniquement pour les activités de gestion et de surveillance. Ainsi, une fois votre évaluation du risque résiduel terminée, vous gérerez et surveillerez probablement en fonction du risque résiduel. Je dirais que non. Vous devriez toujours revenir en arrière et réexaminer le risque inhérent. Vous devez revenir en arrière et voir s'il y a eu des changements importants dans la relation, car votre profil de risque peut changer. Les conditions contractuelles peuvent avoir changé. Vous avez peut-être eu des avenants ou des modifications qui nécessitent davantage d'activités de gestion des risques, ou il y a peut-être eu des changements qui réduisent le niveau des activités de gestion des risques. Mais je pense qu'il est tout aussi important de toujours réexaminer le risque inhérent. Je pense que c'est quelque chose que toutes les organisations dans ce domaine TPRM devraient faire et ne pas se concentrer uniquement sur l'évaluation du risque résiduel. Je dois donc dire que la réponse à cette question est incertaine. Cela dépend de l'appétit pour le risque. Cela dépend de la taille de votre TPR et de la capacité de votre programme. Cela dépend également de la taille de votre inventaire d'expansion des tiers.

Ashley: Merci, Romney. Et puis une dernière question pour vous. Quelqu'un a demandé : « Quelle est la taille de votre équipe et combien de fournisseurs gérez-vous ? »

Rodney: Et c'est pour ça que cette personne est-elle cette question anonyme ?

Ashley: Oui.

Rodney: D'accord. Eh bien, je vais vous dire ceci. J'ai une équipe de 7 à 10 personnes et je dispose d'un stock anonyme très important. Je dirais que je garderai certaines choses pour moi. Vous devez me laisser faire.

Ashley: ou dites-le-moi hors ligne. Bien sûr. Bien sûr. Eh bien, merci beaucoup Rodney, Scott et tout le monde pour toutes vos questions. Ils nous ont tous deux donné d'excellentes informations à retenir aujourd'hui et j'espère vous revoir tous dans vos boîtes de réception ou lors d'un prochain webinaire pré-lien. Salut à tous et passez une bonne fin de journée.

Scott: Au revoir tout le monde.

Ashley: Merci Rodney. Au revoir. Au revoir tout le monde.