Description
Audits don’t have to break your third-party risk management (TPRM) program. In fact, collecting evidence and proactively addressing potential issues can strengthen your internal processes and make the actual audit less soul-crushing.
Join compliance experts Alastair Parr and Thomas Humphreys as they diagram ways to prepare for smoother TPRM audits. In this session, they’ll discuss:
- Common drivers for TPRM audits
- How to evaluate and respond to audit findings and proactively communicate to leadership
- What good risk prioritization and remediation looks like
- How to minimize the chance of a regulatory violation
Register for this on-demand webinar for strategies to manage a TPRM audit or to prepare for one in the future.
Speakers
Thomas Humphreys
Compliance Expert
Alastair Parr
Compliance Expert
Transcript
Melissa: kick things off with some intros. My name is Melissa. I work here in business development. And we have a few guests, as you can see. We have Thomas Humphreys, who is our content manager, and Alastair Parr, our senior vice president of global products and services. Welcome back, guys.

Alastair Parr: Thanks for having us.

Melissa: And last but not least, you can see we have Scott Lang. He’s with us. He’s our VP of product marketing. He’ll dive into how we may be able to mature your TPRM program at the end of this session. So, hello Scott.

Scott Lang: Hello there, Melissa.

Melissa: A little bit of housekeeping. This webinar is being recorded. So, you will get a copy of this and the slideshow shortly after in your inbox, and you’re all muted. So, just use that Q&A box, like I said, for any of those burning questions you have during the webinar. You can ask anonymously, too. So, don’t be shy. And without further ado, Alastair and Thomas are going to dive into how you can prepare for smoother TPRM audits. So, go ahead guys.

Alastair Parr: Lovely. Thank you very much, Melissa. And hello, everybody. Good afternoon, good evening, wherever you may be. So, I’m blessed to be joined today by the lovely Thomas Humphreys. Thomas is of course our content manager. Hello Thomas.

Thomas Humphreys: Hello.

Alastair Parr: Great. And I appreciate some of you may have been in these sessions before, but for those who are new, essentially what we’ll do is we’re going to talk through from a high level what the key challenges are and then dive into some of the specifics and how we can address it. I’ll touch on the agenda in a moment, but why are we specifically qualified to be spending some time with you today? Hello all. I’m Alastair Parr. I’m the SVP of products and services over here at Prevalent. And I’ve had the joy in a previous life of auditing for the best part of 10 years and dealing with third party programs at scale.
Now, these tend to be in very highly regulated environments. So whether you’re big, small, in your specific vertical, the chances are myself and Thomas, we’ve been exposed to some of the regs that you’re dealing with day-to-day, and we’ve seen how some of your peers have ultimately addressed and resolved some of the solutions. So we’ll do our best to impart that today to you. But Thomas, would you like to give us a bit more of an update on who you are and why you’re here?

Thomas Humphreys: Absolutely. So yes, good morning, good afternoon, good evening everyone. My name is Thomas Humphreys. As Alastair has mentioned, I’m the content manager at Prevalent. I work to develop assessments and frameworks based on various standards, laws, regulations, and guidelines. Not too dissimilar to yourself, Alastair, I’ve been in auditing for just over 10 years now, principally working with international standards around ISO and local standards in various countries, operating with both multinational and very small organizations, and again similarly through various regulated environments, regulated industries as well.

Alastair Parr: Lovely. Thank you, Thomas. And just to clarify, while we said similar numbers of years auditing, I would say Thomas has probably had a bit more auditing experience than me. So, Thomas is our audit expert today. I’m but a babe with my

Alastair Parr: Thanks, Thomas. So, moving on to the next slide. What are we actually going to address in a bit more detail for you today? Over the course of the next circa 45 to 50 minutes or so, we’ll dive into some of the common drivers for TPRM audits. So, why on earth are we actually getting audited? This is twofold. Whether we’re talking about regulatory obligations here or whether we’re talking about purely internal drivers, there are of course common drivers across both. We’ll also start looking at how do we actually evaluate and respond to those findings.
The reality is we have an auditor come in, or potentially remotely review what we do, check our homework and make some determinations. How do we actually respond to that and manage it proportionately? Then based on that, we’ll touch on good risk prioritization and remediation. So we identify control failures and risks from those audits. How do we actually manage that in an effective way, and what are some of the program metrics we can consider from that? And then finally, we’ll move on to some of the criteria that help minimize the chances of that regulatory violation. Now, while we aren’t going to specifically hone in too much on one particular sector or regulation here, you know, the objective is to highlight the commonalities really. So, what are the trends and a few specifics on what we see across the space itself. Lovely. So, without further ado, on the next slide, Thomas, would you like to give us a bit more insight on some of the common drivers?

Thomas Humphreys: Absolutely. So, yes, hello everyone, and thinking about TPRM in the broadest sense, I guess we have to ask the question why is it becoming such a hot topic and an ever-increasing topic now. As Alastair said, we’re not going to focus on one particular industry, but I’ve given you a few examples on the screen here where we’re finding more and more regulators, in some cases leading industry bodies, taking a more focused approach on third party risk, the wider supply chain risk management process. This is giving rise to an increased oversight in terms of the level of due diligence, the controls that are in place or that should be in place from an industry perspective or from a regulation perspective, that many organizations are now facing.
Obviously, on top of this, we’re finding that there’s more push from various industries to drive for best practice, I guess, as a means of demonstrating to regulators and agencies that the third party supply chain is being managed effectively, whether it’s concerns around resiliency, security, privacy. I guess we’re getting into usual suspects now in terms of key topics here. Again, it seems to be ever increasing, not just looking at one particular industry, but across the board. It’s important to highlight obviously external concerns and pressures outside of both regulators and industry bodies as well. Obviously, not least immediate customers and other key stakeholders, where there’s again wider concern for privacy and protection of information or systems or data, for example, but also where we’re also seeing an increase and uptake in the volume of threats and issues that are being encountered, and where these threats and issues are causing significant disruption. Again, greater communication being received from external bodies, from customers, to say what are you doing about this and how is this being affected with your wider supply chain? And then of course the actual threats and issues themselves, that can range from cyber threats. I keep losing track of the volume of ransomware attacks that we’ve seen over the past two to three years, and other malware attacks, to other non-security related issues: geopolitical issues, for example, areas around governance and good governance practices. And these are all areas that can help to further scrutinize the wider TPRM practice and become focus points for conducting audits and assessments on your wider third party landscape.

Alastair Parr: So, it’s certainly interesting.
I think from my perspective, I’d say that the majority of people I speak to, as much as some of the regulators and industry pressures are the drivers themselves for the audits, they tend to be conducted internally more than anything else. So, as much as we’re talking about whether it’s EBA or NYDFS, whatever it may be, it very often tends to be the fact that we’re having to communicate with an internal team, and that internal team is having to relay that information to vested parties, senior parts of the business and of course the execs. So those drivers themselves, I think you touched on it very well Thomas there, which is as much as some of the regulators and industry pressures are some of the drivers with the external factor, the reality is that that’s translating into internal pressure, which is pushing for more regular, more stringent audits.

Thomas Humphreys: Absolutely, and that’s, yeah, it’s an interesting point to look at. I guess it’s always easier to look at, well, there were external companies asking us to, that’s putting pressure. But that internal, I guess that internal compliance function, level of oversight that they now need, given taking in all these different factors, in are we managing it effectively, and as you said, particularly engaging with multiple different aspects of a business internally and making sure that communication is there and that level of response is also critical. So it’s very much an internal and an external focus, I guess, that we need to apply when looking at audits, thinking about audits. So what does an audit bring to the table, bring to the business? What benefits, if any, can we see? Like any audit, you know, the focus is on due diligence, focuses on having a detailed assessment and principally to have some clear insight into the working practices of a supplier, of a third party, based on the product and service it’s supplying to us.
And looking even further forward around the wider supply chain and its outsourced components that may impact us as a business. So there’s always going to be a need to make sure that the audit is enabling us to validate those contractual obligations that we have, or that third party has with us, or that we’ve enforced with that third party. Are they doing what’s been agreed? We already touched on the compliance, and many companies, and larger companies certainly, may have a GRC or governance, risk and compliance function, and so there’s always their overview and assurance that they want to plug into the audits to make sure that everything is being done by the book, in line with policy and procedure. Obviously, threat identification, we mentioned it at the start, and with the ever-increasing volume of threats, whether it’s ransomware and cyber security or privacy or political or geographical based threats as well, and even environmental based threats. We want to make sure that when audits are conducted, whether it’s by ourselves, whether it’s by an external auditing body, they’re also providing us with some insight into how organizations are responding, whether it’s to a specific threat or threats overall. It’s also worth mentioning that improvement and continued improvement is always a key aspect as well. Although we are obviously making sure that the organizations comply with due diligence, with practices, with standards, there should always be aspects to look at in terms of how can we build continued improvement, whether that’s improvement from a third party relationship perspective, methods of controls, activities to ensure best practices in cyber security or data privacy, for example, are being carried out, or where there’s opportunity to mature controls, whether it’s governance-based controls or some others.
So there’s a few different aspects that I guess we need to consider in terms of what do we want to get out of an audit and the potential areas that they can show us and enlighten us about a third party and a third party’s engagement.

Alastair Parr: Just want to take a moment as well to encourage those of you to ultimately feed some questions into the Q&A. We’ve seen a few of them already pop up. We will do our best to try and weave some of these into the general talk track itself. But one I wanted to call out in particular here is I’ve had a question on the right to audit clause specifically in contracts. So I appreciate when we start talking contracts here, we’re talking about not just necessarily our internal audit obligations here. We’re talking about those imposed on us by our third parties. So it’s a TPRM audit in the sense of we are being audited or we’re using it to audit our respective third parties. So Thomas, do you have any insight yourself on how often they can actually use that realistically in a contract life, and really what that would entail from an audit perspective?

Thomas Humphreys: Sure. So yes, it’s a great question. The right to audit clause is becoming a more common clause that we’re finding. The key aspect when you’re looking at these types of contracts, or generally contracts with other organizations, whether it’s, you know, third parties and suppliers and the wider supply chain, is obviously measuring the performance of that organization. Obviously the right to audit aspect of that is obviously a key part of that, and perhaps the most valuable part of getting that level of insight into those working practices. So it’s becoming a more common clause that we’re finding. Of course it’s important to know, as with anything contractual, it needs to be mutually agreed between both parties.
In terms of frequency of carrying out those audits, from my own experience of auditing across various standards, we typically see at least annually. Occasionally, they can be more frequent than an annual assessment, but in those cases that depends very much on the relationship between the two organizations and perhaps the severity or criticality of the process, operation or product and services being provided as well. So in some cases you can see biannual formal audits, for example, but more often than not, finding at least an annual exercise is sufficient, because it’s then followed up by other clauses and other reporting capabilities as well that back up that audit process.

Alastair Parr: And just to add to that as well, so what I’ve typically seen, and we’ve done roundtables where we’ve got the feedback from the community on this and there’s a cross-section of different verticals, is that the right to audit is gradually weaving itself into the contracts on third party risk management and life cycle management, but it’s not necessarily commonplace at this point. We are still seeing, through the procurement teams and legal teams, people redlining the right to audit, where they are asking for more clarity on the specifics around it. What does right to audit mean? What’s the frequency? What’s the level of detail? And then pushing back to dilute that clause itself. Where people, and this is purely anecdotal here, but what we’re seeing people tend to fall into from a redlining perspective, is the opportunity to be able to see a series of reports, a series of documentation on a set cadence, you know, once a year. The ability to see more than just the table of contents on their policy sets, get copies of the 27001 statements of applicability, the SOC 2 Type reports, etc.
And it tends to be a rarity to be able to get a true on-site audit these days across third parties, unless you are spending a pretty significant sum with them.

Thomas Humphreys: That’s yeah, that’s actually a very good point. And I think if you looked many years ago, the idea of a physical on-site audit would have been perhaps more of the go-to area, but these reviews are, as you’ve indicated, getting less so in terms of that physical on-site, and there’s other capabilities to assess an organization, particularly as you mentioned with the costs involved as well. So that brings with it, I guess, some conundrums as well. So multiple audits, multiple issues potentially. So you’ve already explained that there are different drivers, different aspects coming in. So we’ve got internal concerns to think about. We have perhaps regulatory bodies putting more pressure on us. We have industry or sector leading organizations also giving us queries or challenging in terms of our program and TPRM assessment. And so I guess this gives the danger of potentially an assessment overload, particularly when you’re looking at potentially different reporting and reporting timelines, particularly from regulators, and having that balance of what are we looking at from an internal compliance perspective versus external compliance, external feeds coming in, whether it’s, I say, industry function specific or regulatory. And I guess then let’s ask the question, what’s the best way to deal with this? How do we get to a stage where we’re not overloaded with too many assessments on an annual basis, for example? Can we consolidate to a stage where a TPRM audit or true audit captures all of those key aspects, whether it’s internal and external compliance, whether it’s reporting capabilities, or whether it’s focusing on particular controls or aspects of TPRM?
And so that’s the challenge, I guess, we need to sort of address here and understand: how do we balance all of these different inputs so we can have one clear output and process outcome at the end of it?

Alastair Parr: We’ve had a couple of comments as well coming in at the same time here. So I’d like to touch on a few of these that relate specifically to the issues around the drivers for this as well. David has a good comment, which is highlighting that TPRM now means that we need to have an infosec expert, contract experts and lawyers associated to that. And really that’s consistent, as when you look at a TPRM function beyond the audit piece, you are looking at procurement, privacy, legal, compliance, risk, all merging into one. Now, historically, they had their own distinct lanes and were dealing with the third parties somewhat independently. And that convergence now means that people are essentially seeing their jobs fall into sort of a Venn diagram across the lot. We would specifically recommend when you’re dealing with contract clauses, as much as you will need some support from your legal teams, procurement teams, typically tier it. So, the right to audit that you require in a contract clause should be more stringent for your critical vendors and less so potentially for your tier ones and tier threes. And the best way we usually see people getting that across tends to be ultimately mandating your contract templates and your SLAs and then normalizing them over time. You know, historically we appreciate there’s lots of different contract templates and variations. When you start standardizing it and weaving that into your renewal process, you will have more luck and more support on that.

Alastair Parr: And another question and another comment I wanted to touch on as well is, as much as we might have these contractual clauses, which adds a bit of teeth to these processes.
The fact that we are trying to actually then conduct these assessments, quite often the response we get post contract, post payment, is not the best. It’s a bit lackluster, where they’re not necessarily engaging with us. It’s a common issue in the audit process. But that’s why I feel, and Thomas you might have your own view, I’d love to hear it as well, which is we need to be relatively prescriptive in that initial upfront procurement stage to ascertain what we need from them and make sure it’s clear. If you have a buried clause that’s basically saying we will audit you, very vaguely, you’re not going to get that engagement. You haven’t set expectations up front. It’s much like managing your customers and your clients, which is set the expectations at the outset of a contractual term. Highlight to them what your TPRM process is from an audit perspective and why you’re doing it. Get their buy-in. It’s not a draconian, you know, we say you shall, with the stick, but there are adjacent benefits to it. If we see a gap in their process, if there’s documentation out there that’s inaccurate, you know, we’re helping check that work for them and giving them a peripheral benefit without having to pay consultancy for it. Do you have any thoughts on that?

Thomas Humphreys: Yeah, I completely agree. It’s the concept of auditing, I think, can still in some cases get a bad rap in terms of, you know, the old style perhaps concept of auditing, where companies may be going in almost like inspectors and saying thou shalt do this and this and this, and if you haven’t, there’s, you know, and you can sort of understand why you get a lot of arms crossed and saying, you know, we’re going to be very uncooperative.
So it is important to make it clear, as you said, from the outset, particularly from a contractual perspective, the right to audit and the right to assess, but also, and we’ll hopefully see this in the next few pages as well, in terms of when you’re scoping assessments as well. And the clearer you are on understanding why you’re assessing and exactly what you’re assessing as well, you’re going to get the best possible outcome, because the more vague you are, the more difficult it’s going to be, particularly if you’re trying to extract what’s happening here, how does this process operate, what type of areas are we trying to understand, whether you’re doing this in the right way possible. So the clearer that scope is, the clearer that assessment approach is, is only going to help you in the long run. Again, particularly also with the relationship, because I guess it’s also key to note that, you know, this is not always going to be a one time only thing. More often than not, these relationships are long-running, and so you want it to be in the best possible shape at the outset.

Alastair Parr: Now, please do keep the questions coming. I have seen one as well asking if we have any resources on fundamentals for TPRM audits, ISO audits, etc. So, I defer to yourself, Scott, if I may, on that one.

Scott Lang: Yeah, absolutely, Alastair. Hi everybody. We do have a library of what we call compliance checklists available on our website. What I will do later on in the presentation is I’ll be sharing a little bit more about Prevalent, and I’ll include a link for you to access some of those checklists. We have 35 different checklists to choose from across cyber security frameworks like ISO, NIST and other industry frameworks, data privacy regulations and even regulations as well.
So we’ve invested pretty heavily in creating content to help you understand the meaning behind the regulatory and framework based requirements, best practices to look for, and then we’ve mapped some capabilities of the Prevalent platform in there as well to help kind of close the loop on how to help simplify that process. So again, we’ll address that a little bit later in the presentation, but I wanted to make sure we answer that question now. Thanks, Alastair.

Alastair Parr: Great. Thank you, Scott. We forge ahead onto our next slide. I appreciate we’ve actually had a lot of questions coming in on the right to audit. So, apologies if we don’t get to all of them at the moment. We’ll try and weave some in at the tail end if we can do. But one last one I’ll just cherry pick at this point in time. Pot luck for all of you who’ve commented. But essentially, yes, the right to audit does not mean you actually get any response to the questions or access to the right information or people. Fully agree. And that’s where it’s key to actually specify specifically their obligations. And that’s why we feel it’s appropriate to have that structured from a tiering model: tier one, tier two, tier three, whatever it may be, critical vendors piece. And you only really have the opportunity to do that at renewal or initial engagement. So that’s why it’s important, if you’re risk focused, to make sure that you’ve got your legal and procurement teams in line with you there to help cement that when you have the teeth, when you’re paying them money. And the cost of exercising the right to audit can vary of course based on those tiers, but that should be embedded directly into, you know, your TPRM program. You should understand the associated cost of analysis, remediation of their criteria. And that’s of course where the myriad of technologies and capabilities such as Prevalent out there are able to help on that.
How can we do this effectively, efficiently, at scale, at a reasonable cost?

Alastair Parr: So we’ll try and come back to more of these if we can a bit further on, but please continue to keep giving your feedback everybody. We do value it. And to you, Thomas.

Thomas Humphreys: Yeah. No, absolutely. Yeah, there’s been some fantastic commentary and some good questions. So yeah, absolutely keep them coming. So now we move on to, I guess, the next part of the webinar, around how to evaluate and respond to audit findings, to audit reports. You’ve gone through the process of being able to conduct an assessment. Let’s say, assumption, it’s gone very well. They’ve been engaging. We’ve been able to ascertain and identify controls and findings and issues and nonconformities all in one. And it may be that we’ve engaged an external party to conduct an assessment on our behalf, an external auditing body, for example. So I mentioned at the previous slide this idea of being very clear in terms of the scope and being able to scope out what the purpose of the audit is from the outset and the control areas being assessed. So what do we need to consider, in terms of, again, from a contractual or terms of reference perspective, are there technical controls and areas that we need to do a deeper dive into? So if we’re engaging with a third party, perhaps who has access to sensitive information, sensitive data or systems, for example, they’re producing critical components that are going to go into a larger document or larger assessment, then we need to make sure that we’re clear in how that scope operates. Secondly, it’s back to that regulatory and compliance requirements piece. So, have we reviewed upcoming and current regulatory expectations? We’ll have a look at two examples of these requirements in a short while.
Have external pressures for TPRM oversight been factored into that supplier due diligence and supplier contracts as well? So, I guess the key thing to ask, to identify here, is particularly in thinking about new regulatory and compliance requirements. Some of these can range from the expectation to have clear reporting lines and clear communication lines, for example in the event of an information or data breach, through to specifics around technical capabilities. And so we need to make sure that that audit that’s been conducted in that TPRM has gone into that level of detail to be able to identify, certainly from a regulatory perspective, whether that organization meets or exceeds those requirements, and if they don’t, obviously why not, and where there are specifics from an external perspective. How have we incorporated it into our due diligence? One of the difficulties can be if you already have a very clear contract in place within the organization and there are new regulatory or legal frameworks coming into play, and it’s making sure that they’re appropriately weaved in to contracts, to agreements, to assessments, so that you’re meeting your due diligence with those key interested parties. So there’s a few key areas to think about in terms of the first steps in perhaps responding to or scoping out an audit and an audit plan.

Alastair Parr: We’ve had a couple of comments actually about even, I suppose, step zero on this, which is if we’re on the receiving end of a request to be audited.
So before we actually have the evaluation piece and deciding what we’re going to do on the back of an audit, which is people finding it frustrating essentially where they themselves, as a provider of services, are paying for SOC 1, SOC 2, Type 1, Type 2 audits or detailed ISO certs, of course, or statements of applicability or detailed reports, and they feel that they’re still getting requests for an audit above and beyond the documentation itself. So from an audit perspective, why are we doing that? For some cases it is sometimes themselves looking at things like SOC 2, Type 2, or Type 1 even, and then looking at things like ISO, appreciate scope is key. So even if the audit is as foundational as understanding what the scope of that actually is, whether all the appropriate controls have been covered tied to that or not, that might in itself be a component of the audit and we might stop there. So we quite often see the process where you have phases of due diligence. You know that a lot of the regulations themselves are mandating that we have an appropriate understanding or belief that we’ve done the necessary due diligence to get the information that we need. That can quite often be: check the documentation available, validate the scope itself, and confirm some of the controls are aligned to it. That may be enough. Of course, there’s some organizations that have the power and impetus to be able to push back on that and say you must play by our rules, which is you use our standards, our processes, etc. But for those who’ve commented on it, the SOC 1, SOC 2, ISO certs, whatever it may be, certainly should be cutting back on the volume of third party audits that you’re exposed to.

Thomas Humphreys: Yeah, absolutely.

Alastair Parr: Thanks, Thomas.

Thomas Humphreys: So, we’ve gone through the stage where an audit has been conducted.
The company’s been assessed and there are a series of issues, findings, nonconformities. Obviously, these can range from small to quite large volumes of risk, and there’s always a danger that without having a bigger picture, it can be quite difficult to understand what do we do with all of these risks. If you don’t have a clear plan and process in place, managing those risks can be quite difficult. And that’s why it’s so critical to understand, first off, what are the critical controls that we need to pay attention to, what are the critical areas that we set out as part of the scope and the assessment that we need to focus on. At the same time, we need to be thinking about what those minimum business requirements are. What I mean by that is where we may have critical controls and technical controls that allow us to provide that focus based on this set of risks that we’ve now received. What do we do with them? How do we respond to them? Let’s focus on critical control points, but also minimum business compliance requirements, regulatory compliance requirements, and anything else that’s feeding into the assessment. And obviously, the more of this type of data, the more understanding and clarity we have, is going to make responding to and managing these audit findings, these audit risks, a lot easier, or certainly a lot easier to navigate around. And of course, the tail end of all risk management process, or one of the tail ends, is that whole treatment piece and around the remediation of risks, of risk tasks and critical control areas.
So obviously, without this structured process, when we receive audit violations or clear risks and concerns from the assessor, often what we’ve viewed from engaging with the third party, it can make it a lot more difficult to work out what we start with first and how we see that bigger picture of the success or failure of that third party, or areas where we need to be concerned from a legal perspective, for example, that we need to be responding to in a timely manner. So, the earlier that we can get a clear risk process in place, the easier it’s going to be to help deal with and respond to those risks, whether it’s very few or quite large volumes of risk, which I guess, Alastair, also comes back to some of the tiering as well, and the severity and criticality of some of those third parties and those engagements, that allow us to have some level of focus in terms of how we respond and how we treat audit findings.

Alastair Parr: We’ve also had a couple of commentary points around, specifically when we’re evaluating audit findings, how can we rest assured that we’re getting access to the right information. Appreciate from the vendor side that we don’t necessarily, you know, we might have shared services, there might be criteria where, just from a confidentiality perspective, we can’t expose the information we may be requested for from an audit perspective. So, it’s worth noting that I’d say from an audit standpoint, we aren’t necessarily concerned about the detail of the information itself. We don’t need to see the rows of data from that perspective. It’s about the process. It’s about the controls. Now, they should be relatively anonymized from a review perspective. We should be able to see the fact that you have data loss prevention rules in place that are there to control egress, for example, egress of information.
We don’t necessarily need to see rules that refer to specific client names and references. You know, most auditors understand that and consider that in their evaluation process and their response process. And as long as it’s articulated clearly up front that this is what we can provide you, which is the process and the criteria around it and the scope, that is usually sufficient without having to, you know, look at another client’s data. Of course, that’s understood. Would you agree, Thomas?

Thomas Humphreys: No, agree completely. And yes, I think it only gets more complex, particularly putting the auditor’s hat on, where you can’t see that full process, you can’t see the full end to end, there’s a clear blocker there, rather than, as you said, we can’t show you this commercially sensitive data or information. I’ve been involved in assessments where, again, due to the confidentiality of what’s being shown, there’s only a limited amount of information on offer, but then there’s a clear approach to say, but this is how the process operates and this is how we deal with these issues or concerns. So, you can still see the end-to-end process, and there’s validation that, you know, they’re performing it as expected. That’s critical. It’s where you can sometimes see those blockers where it becomes more complex and more concerning, which you do find from time to time.

So, understanding issues and audit violations. It’s important when receiving audits and audit reports, or writing an audit report if you are internally focused and looking at a third party, to make sure there’s a very clear understanding of where a nonconformity or a violation has occurred. What’s the area? What’s the cause of that nonconformity?
Why it’s occurred as well, because this is the type of data that, particularly if you’re going back in terms of a reporting standpoint, you’re reporting up to senior management or the wider business, you need to obviously be able to explain where and why nonconformities or violations have occurred. That’s only then going to make it easier when you set those treatment plans, those remediation activities or communications in place. There should always be sufficient detail that enables you to form that clear opinion on how severe these issues are. What’s the level of impact it is causing to the business as a result of this violation? So as much detail as possible within the audit reports is only going to make it easier to form those clear opinions, but also to write those clear statements in terms of where we need to get to to address these violations. And again, hopefully this all then wraps around having enough detail to then report back to top management, to the wider business, other stakeholders if necessary, to say this is what’s happened and this is how we’re going to deal with it. It’s really critical to make sure you have a clear understanding of why something’s happened and what’s the result of it, or what’s the root cause of it as well.

And that brings us on to the actual reporting piece as well. So, communicating findings to internal stakeholders and how you respond up the chain. If you’re on the receiving end of a report, or if you’ve written a series of reports yourself across a series of third parties, how do we communicate this across the business? It comes from two angles. One of them will always be looking up the top to senior management, executive management, ExCo, leadership. And there’s, I guess, a few key questions that leadership would always be interested in. Number one, should we be worried? Is there anything here that’s going to keep us awake at night?
Are there critical risks and issues that could cause us pain down the road? Whether it’s brand or reputational damage, legal or regulatory concerns. So, as much insight as possible into where those risks and nonconformities have occurred and that level of business impact is really critical, and obviously the clearer we can explain that to top management, to senior management, with that clear direction of where the business should be taking action and what actions should be being conducted as well. Obviously, it’s not just senior management as well. Given nowadays, again, I think someone mentioned in the comments, you know, TPRM isn’t just an isolated area of an organization; it involves many areas of a business, many different wheels, from compliance to procurement to technical business functions and other operational areas as well. So there should be clear engagement across the business in terms of what violations are, where they’ve come from and how they impact those respective functions. So the more buy-in and more understanding that we can get, again, the easier it’s going to make it in terms of how we respond and, again, should we be worried or not.

Alastair Parr: We’ve had a few interesting questions come in as well, and commentary specifically on improving buy-in. In fact, I’ll actually take a quote shared in one of these comments that I quite like, which is Thomas Aquinas: if the highest aim of a captain was the preservation of his ship, he would keep it in port forever. And I think it’s quite telling from a business perspective that of course there is an expectation that the business is going to have to accept a degree of risk as part of these processes. But the important thing is that we’re all on the good ship Enterprise forever dealing with it.
We need to get the internal sponsors of the program, the VPs, the business execs, whoever’s owning risk for their respective area, to truly understand the associated risk for their vendors and their sphere itself. You know, if they’re sitting there with the portholes wide open, smiling away while it sinks, we need to make them very clear of the associated challenge to that. So, one of the big drivers that we see from getting a buy-in perspective is regular communication, highlighting from a KRI and KPI perspective data points to them that have meaning, not just a case of we have to do this because we’re regulated to do so. We need to spell it out to them what the associated risk is and ultimately get them to a point where they have to start accepting the risk themselves rather than defer it to infosec, legal, privacy and so on. We need to see the business feel responsible and accountable for it. And that of course really goes up to a board level. But the only way we can make them feel accountable is presenting the risk and the audit findings in plain and simple English so they can understand what it is they’re actually dealing with and what the impacts are. So good comments and questions, all of you. Of course, I cherry-picked one of yours there from the audience, but certainly a good point. Would you agree?

Thomas Humphreys: No, agree completely. Yeah. And it’s so important to have that buy-in, but have that ownership as well, because the worst thing you want to see is handing it off. We’ll just hand it off to X. They’ll deal with it. We don’t have to worry. The burying the head in the sand scenario.

So then we move on to: we’ve established the risks. We’ve engaged with the organization.
We’ve explained to top management, we’ve explained to the business, we do have, thankfully, some buy-in across the board in terms of what activities, what actions we need to conduct, and so we can then focus on our formal business risk management process. And it’s whether you subscribe to any of the known recognized frameworks, whether it’s NIST RMF, ISO 31000 or something else; there are a lot of risk management processes out there. Obviously, the earlier we can identify that method of risk calculation, aligning with any control deficiencies, internal risk appetite, and any regulatory expectation, we can then start to put into the necessary buckets the severity of each risk and how we’re going to approach it and deal with it. Risk remediation, and we’ll cover remediation in a short while, that’s a critical aspect of course, and making it clear what needs to happen and, more importantly, who needs to take an action, what action they need to take and when, and that timeliness factor. So developing that very clear playbook on how we’re going to approach audit violations, nonconformities, control deficiencies and how we’re going to address them should form part of the wider risk management framework that the organization subscribes to. Obviously, context from a third party, from a TPRM perspective, is very important context, and perhaps this is where the tiering can also come into play here, and profiling of organizations. Context in terms of product and service provision, severity of criticality of that product and service provision, goes a long way to identifying how we prioritize and navigate various risks that have been received or that have been identified. And like any good risk management process, that continual monitoring and engagement process to make sure we’re not just saying this action needs to be done now, we can leave it, we can go away and come back a year later.
No, it’s that continual process to say what’s being done, the actions and activities that we’ve identified that we need to help mitigate and lower this risk, or deal with this risk, are being continually assessed until hopefully we can get to a point where we can say there hasn’t been a violation. We’ve dealt with it. These are the activities we’ve taken, and we’re now at a stage when we can say to the auditing firms, for example, to the regulators, whoever it may be, that we’ve addressed these concerns and we’re now in a much healthier position as an organization, or the third parties we’re engaging with are in a much healthier position in terms of the protection of systems, information, data, whatever it may be that they’re providing.

Alastair Parr: Got a few comments as well coming in, specifically from a risk prioritization, remediation perspective. And I think you’re going to touch on this again as well, Thomas, in a moment, but the fact that people are doing these annual audits, questionnaire processes, that quite often there’s repetition and, based on the cadence of contract terms, you might be trying to ultimately redo the same exercise six, nine, 12 months later when minimal has changed. It could be a futile effort because the vendor might just roll their eyes and not want to interact with you, or you get back the same effort, same information, but you’ve invested double the effort in order to get there. So, pragmatism is relatively key from this. From our perspective, a good program when it comes to risk management, risk remediation is you don’t necessarily need to go and assess them fully all over again, but you want to understand the delta, what’s changed, what’s the same, and get them to self-attest that things haven’t changed, but then still occasionally do a full assessment. It doesn’t need to be every single 6, 12 months, for example.
You know, the reality is a vendor is going to be more likely to interact with you if you’ve distilled the issues that you’ve identified down into the things that you want worked on, and if you’re identifying key controls that really do affect your compliance and regulatory obligations as much as your own internal business risk appetite. So, if you’re sending out, say, a full 300-question assessment every 12 months and you’re asking them to complete it with the same level of effort and rigor each time, you’re going to get bad data back. You know, drip feeding, drip engagement is certainly more effective, but does require a degree of automation to make it actually effective from a time allocation perspective.

Thomas Humphreys: Very much so. And I guess it’s important to have that pause every year as well, isn’t it? To say, based on what we viewed last time and what we know about the organization, and taking into consideration particularly if there are operational changes in the business, if there are legal or regulatory changes, you know, again going back to scope, what should our focus be for each assessment, as I said, rather than just sending out another 300-page assessment where there’s going to be a lot of eye rolling or sending it back uncompleted. So it’s important to have that view to say what are we trying to achieve this year, or within this six-month cycle, ultimately, obviously, to get the best out of the engagement and to get the most true representation of the risk as well.

So, analyzing risks and determining when they should be addressed is key to ensuring time and resources are being sufficiently utilized. We need to make sure that, you know, risks received, are they critical in nature? How do they fit from a prioritization perspective within the business and related to external factors? Are there any time constraints?
You know, will risks need to be resolved as soon as possible or practical? Are there time pressures from external parties? A good example of this, going back to a regulatory perspective, is where we’re finding more regulators asking questions around the response times, for example, with continuity efforts and the timeliness of responding and communicating should a continuity event occur, or should an event occur that would impact activating a BC or disaster recovery scenario. And sometimes there can be some constraints in terms of getting issues resolved, and have issues occurred as a result of failure to respond in that timely manner? Do risks carry potential penalties? Again, this is more focused from a regulatory perspective: failure to do something, or failure for a third party or within the supply chain to do something. Could there be any issues or penalties faced from the regulatory bodies or supervisory authorities if something has not been achieved, or if there’s been, for example, a significant data breach or data protection issue? Who’s going to carry the cost? Who’s going to carry the fallout from that? Again, are these risks related to any areas where there could be more severe issues and incidents? Do we need to prioritize those based on the level of scrutiny that they’re going to face from, again, external parties or organizations?

Risk prioritization, remediation. So, remediation management should consider what is critical for treating risks based on prioritization and any mandatory control areas. And once we’ve understood what the risks are, we can start to articulate what we need to address those risks. Do we need to see additional evidence? Is there documentation that needs to be provided? Are there more notes and explanations that we need to assure ourselves that a process actually is in place, or, if it’s starting to be put in place, when will it be finished?
And we need to make that decision to say, based on those remediation efforts and treatment options, by doing this, will it allow us to hopefully remove or lower that risk to an acceptable level based on our own risk appetite and based on those other pressures and levels of scrutiny as well. So, we need to make sure that when we’re writing recommendations and remediations, in a similar vein to the reports and the contracts, they’re as clear as possible in terms of what’s expected and what needs to occur before we can say we’re happy to close this risk, or accept it, or that we could lower the risk levels down. So again, it always goes back to that formalization of the risk management framework and having a clear plan of attack when it comes to risk treatment.

And finally, we’re looking obviously to develop that clear TPRM program, and the overall aim is to help minimize that level of audit failure. Do we have regular touch points to enable us to continually review how our TPRM program is performing? What are the overall success rates and failures across the program? What’s the level of health that our program is achieving? Can we have some level of comparison against different peers and different KPIs or different objectives? What level of maturity are we at now? And where do we want to get to in the next six, 12 or 18 months? Obviously, if we have a very clearly defined program with a very clearly defined process to manage risk, it gives us that opportunity for further acknowledgement, understanding of where program weaknesses may be, and also the ongoing remediating and remedial actions that we need to be considering.

Alastair Parr: One thing I would note, and there’s been a couple of comments about this specifically. So, when it comes to a good program, there’s obviously the KPIs and KRIs that roll up from that.
One of the most common ones we see, and I think, Thomas, you’re touching on it well, is the maturity component: understanding across distinct pillars, you know, coverage, content, policies and processes associated to that, remediation, governance, etc. Those are all criteria that you can benchmark yourselves clearly against peers. We’ve had a few questions around, well, who are we reporting this to, because you might have multiple boards, etc. Now, the reality is it does vary, of course, by organization. Usually you’re going to see from an audit perspective an audit board or audit equivalent, but the reality is, regardless of how many tiers of boards, execs, working groups that you have, you are gradually going to distill the information more and more as you work up that pyramid towards, you know, the executive teams and the overarching board itself. So less is more at the very top tier, because they need to understand the associated risk from an audit compliance perspective from the TPRM program, and then you work down, ultimately increasing the volume of detail and data depending on the focus group in question. Certainly distilling it as you go up is key, and the maturity assessment, the maturity criteria there, is a good top-level metric for baselining and comparing across peers itself. So good commentary itself.

Thomas Humphreys: Thank you. So then we’ll just briefly touch on specifically regulation and minimizing that chance of getting a regulatory violation. Requirements are changing all the time, and it doesn’t help sometimes when it’s from the regulators. You know, some of them can be very explicit and it’s very black and white. Others can be very vague and open to interpretation, but a few key areas that are always worth highlighting: first, new reporting requirements. So how and when third parties should be reporting on incidents, data breaches, continuity events is one key area to consider.
Secondly, where there are specific technical requirements, and again we’ll have a couple of examples of this in the next slide. So identify where third parties, for example, are accessing sensitive information and data. For example, are there cloud-specific requirements, or requirements around data being held or being transferred across systems or across organizations? Sometimes regulations can get down to those weeds. And so of course it’s important for us to understand how we approach this when we’re engaging, when we’re conducting audits, for example, or on the receiving end of audits, and what we can use to demonstrate these regulatory concerns or stipulations that, again, in some industries are becoming ever more commonplace. So to ensure the business does not fall foul of regulatory penalties, it’s important to identify at the earliest opportunity what those requirements are, to update third party agreements and contracts appropriately and where practical. Make sure, particularly if we know that there are regulations that are not formalized yet but will be formalized in the coming months, and perhaps they’re going live at the beginning of the next calendar year or financial year, the earlier we can get on top of those regulatory requirements and expectations, the easier it’s going to be for us to then demonstrate how we addressed this.

So, a couple of examples. One is from the Bank of England’s prudential regulator, their SS2/21 outsourcing and third party risk management framework that went live in the first quarter of 2021: firms should implement and require service providers in material outsourcing arrangements to implement appropriate business continuity plans to anticipate, withstand, respond to, and recover from severe but plausible operational disruption. I guess the big question is what does SS2/21 mean when they say plausible operational disruption?
But nevertheless, what we can see here is there’s a greater expectation from SS2/21 to say, from our perspective, if we’re going out to engage with a third party, what is their continuity planning and communication process? Are we comfortable with what they will do, particularly if they’re handling our sensitive information and systems, for example, can they meet this control, this 10.3, from the potential supervisory requirements? In a similar vein, a Canadian regulator came out with some new third party risk management guidelines at the beginning of this year, and they state internal incident management processes are established: the financial institution should have clearly defined processes for managing and escalating third party incidents and subsequent tracking and remediation. And one of the drivers here is the level of reporting, to say if there is an incident, if there is a significant issue that’s happened, we’ve established a process based on how we monitor, how we engage with the third parties, so that we all know at the earliest opportunity where there’s been an incident that maybe has affected some sensitive information, and there’s a clear process in place in terms of how that’s being dealt with.

Alastair Parr: So, I appreciate we’re running slightly short on time now. It’s been a great conversation, so we haven’t had a chance to answer everybody’s responses. We’re just going to have a minute of Scott giving us a bit of insight specifically on how Prevalent can help address some of these challenges. And we have actually launched a poll at the same time. So, as we hear from lovely Scott, please feel free to respond away. So, over to you, Scott.

Scott Lang: That’s great, Alastair. Thank you. I’d like to share my screen, if possible, please. So, if you would... Oops. Stop doing that. I’m going to click the... There we go. All right, everybody.
Just to kind of close it down, as you’re thinking about any final questions you have and answering the poll question, I just want to remind you of a couple of compliance assets we have available for you, a few artifacts that can help you as you’re deciphering some of the complexities of managing audit processes. We’ve gone through that exercise already for 35 different regulatory guidelines and frameworks and have encapsulated those in four separate compliance checklist publications. One is around industry guidelines, with a very significant focus on financial services. One is on cybersecurity frameworks like ISO, NIST, SOC 2 and others. One is around ESG requirements, particularly with a focus on Europe. And then third, data privacy requirements such as the GDPR, HIPAA and others. I’ve got a link there. I realize you can’t click on that link. We will include this presentation in our follow-up email to you tomorrow, with a recording of this presentation. You can click on the link, you can download the guides, and then you’ve got that regulatory guidance and how best practices in third-party risk can help, kind of at your fingertips there. So anyway, in the interest of time, that’s all I really want to share today. I’ll kind of pitch it back over to you, Alastair and Melissa, if you want to open it up to questions.

Melissa: I think since we are at the top of the hour, if you guys have any outstanding questions, I will put my email in the chat. It’s pretty easy. Here we go. There it is, if you need it. But really, we do appreciate all the questions. Thank you, of course, Thomas and Alastair and Scott, for your time. And thank you, everyone, if you’re still with us. Great. Maybe we will see you in your inboxes and at next week’s webinar. Thanks, guys. Take care. Bye.
©2025 Mitratech, Inc. All rights reserved.