Description
Risks are inevitable at every stage of the vendor lifecycle, from before a contract is signed to long after a business relationship ends. Unfortunately, many organizations overlook the importance of structured and holistic onboarding and offboarding processes, which limits risk visibility.
Join Tom Garrubba, Director of Third Party Risk Management Services at Echelon Risk + Cyber, as he explores the best practices for taking a holistic approach to vendor onboarding and offboarding.
In this webinar, Tom explores:
- Which risks to assess during vendor onboarding and offboarding
- How to navigate around common challenges
- Due diligence you need for onboarding
- The types of risks to consider when offboarding
- Recommended processes for a comprehensive approach to the vendor lifecycle
It’s crucial to begin – and end – vendor relationships the right way to effectively minimize and manage risks posed to your organization. Register now!
Speakers
Tom Garrubba
Director of Third Party Risk Management Services at Echelon Risk + Cyber
Transcript
Melissa: Let’s kick things off with some intros. My name is Melissa. I work here at Prevalent in Business Development. And today we have a returning guest, Tom Garrubba, Director of Third Party Risk Management Services at Echelon Risk + Cyber. Welcome back, Tom.
Tom Garrubba: Thank you so very much, Melissa. It’s great to be back. Hello everybody. Good morning, good afternoon, or good evening depending on where you are in the world. I’m very honored that Prevalent asked me to come back and talk about some of the common challenges that I’m seeing in the third-party risk profession. One of the big headaches that a lot of third-party risk professionals have to deal with is this whole onboarding and offboarding thing and having an understanding of what their respective roles are in that process. So we’re going to take this holistic approach to vendor onboarding and offboarding, and I’m really excited to be able to share those with you. Just a little bit of background on me, but Melissa already shared that with you. Here’s what we’re going to cover today. First off, we’re going to talk about what kind of risks there are to assess during the vendor onboarding and offboarding process. What risks do we need to focus on? What do we have to be front and center on when we start to look at both the onboarding and the risks with respect to vendors that we’re going to be offboarding, and what are those challenges? We’re going to talk about navigating around common challenges that you may be dealing with in this process within your organization. We’ll talk about the due diligence that’s actually needed for onboarding. We’ll also get into risks to consider when you’re offboarding. There are risks to consider. You’re not just going to cut the cord and move away. There are things you need to consider prior to saying goodbye to a vendor. And lastly, I’ll talk about some recommended processes to ensure your program convergence. If you’re wondering what program convergence is, I will be getting to that as well. But let’s start here: risks to assess during onboarding and offboarding.
Anytime you’re getting ready to do an onboarding of a vendor, you want to make sure that these risks have been looked at by somebody within your organization. Market risk: what are we talking about with market risk? Are there new solutions? Are there technology investments in the market? Is the vendor that you’re going with maybe going through a restructuring? Perhaps there’s an expansion or a merger and acquisition that they’re going through as well. What’s going on in the industry? Is this something you are taking into consideration? When you’re talking about financial risk, you’re looking at things like cash flow, credit risk; do you see anything with respect to insider selling? What about buyback of shares? Are any of these things jumping out at you that might have you sitting there going, you know what, they might be a credit risk, or hopefully we’re not one of those particular vendors that’s going to help them meet certain quotas, whether it’s in the industry or whether it’s to try to help make sure that they continue to be financially sound? Is there anything with respect to regulatory risk? Is there anything going on with the regulatory body that’s been forcing them, such as through fines? What about ESG? Is this something that you have to be paying a lot of mind to? And you’re going to see this very geographically. What I mean by that is in the European Union, you’re going to see a lot of emphasis on the environmental aspect of ESG. Here in the US and other parts of the globe, you may be seeing much more of the social aspect, when we’re talking about things like health and safety, diversity, pay equity and things of that nature. And lastly, focusing on the governance aspects: do you have information that you’re able to get to help your organization make governance decisions based on things such as the makeup of their board, ethics, anti-corruption policies, things of that nature? Then compliance risk. There’s a lot of emphasis on compliance with respect to: is your vendor perhaps banned from doing business in certain countries, or perhaps banned in certain industries?
Are there any things that you’re worried about from a lawsuit perspective? Is there anything with respect to settlements that were out of court, or settlements based on something that they have done? Are they allowed to do business with the federal government? This is something that when I was running programs, we used to make sure that if you couldn’t do business with the federal government, then why should we be doing business with you? So looking at it from that compliance aspect. Location: where is the processing being done? Where is the data being stored? We’re looking at things such as, is it in flood zones? Are there other environmental zones that we need to worry about? Getting into the geopolitical arena, you’re looking at things that could be here at home with respect to right-to-work states, or right-to-work countries. You could also be focusing on certain regional tension. You’re seeing that obviously in Eastern Europe. We’re seeing that in the South China Sea and Asia Pacific. So you have to think of these things as well: is this something that I need to, am I willing to, accept that risk? And lastly, cyber, of course. Are you able to do anything from a cyber perspective during the onboarding? So when you actually go to do your assessment, it helps to streamline and make things a little bit more fluid, makes things a little bit better in terms of what you need to do from a due diligence perspective. Now, offboarding: very similar circumstances. If you’re going to be offboarding to a new vendor, you’re going to be eliminating a vendor. Are you worried about the location? Are you able to get your materials back? Is there anything you need to do from a compliance risk perspective? When I mention compliance risk, I’m talking particularly about, if you’re for instance a financial organization in the European Union, you have to reach out to your regulator and let them know that you’re no longer using a particular vendor, at which time you may have to bring it back inside your own organization, or you already have to have another vendor lined up that you’re going to be able to switch that data over to. So now you’re talking about things with respect to your vendor repository.
Okay, you’re able to show them what you’re doing with respect to moving that data and that processing around. Redundancy risk: are you placing processing in multiple cities, in multiple locations, or with multiple vendors? You’re taking it away and now you’re going to give it to another vendor, and now you start getting into this thing called concentration risk. Are you putting all your proverbial eggs in one basket or in one location where, if a tornado or a typhoon or a hurricane or some other type of earthly event was to affect this geographical location, it’s going to cause disruption to your vendor, and ultimately to you as an organization? Anything from an ESG risk that you have to worry about now that you’ve onboarded, you’re going to be taking that risk on to you. Are there certain things that you have a responsibility to your investors or to others with respect to the vendors that you’ve been using? Now you’re taking that risk on. Are you able to move that over to a new vendor for your new onboarding? But are they able to transfer that risk over? So these are things you need to consider. I apologize for the compliance risk redundancy there. All of this ties into your social perception risk. Social perception drives the other risks. It drives financial risk. It drives even your ESG risk. It drives other risks such as your operational risk. So if your clients, your customers have a feeling that you’re doing something that’s not akin to what their core beliefs are as an organization and as an entity, this could come back to haunt you in that social perception. Okay, so I think these are the critical ones to consider. Now, let’s talk about navigating around these common challenges. First off, and I still see this to this day: third-party risk management. I had a wonderful conversation with a colleague of mine last week talking about how third-party risk is still very much in its infancy. Even though many of us have been doing this for close to a dozen years, it’s still in its infancy with respect to all of these additional components that just seem to be operating in silos, and we need to start bringing these together.
This is where I’m going to get a little bit later when I talk about convergence. But ownership of the vendor repository: who owns the master vendor list? Many organizations will say procurement, sourcing. The problem with that is, and I know all of you in some way, shape or form have been exposed to this or experienced it, there are ways you can bypass sourcing and procurement. Okay? It might be that you only go to sourcing and procurement based on a particular spend, 40,000, 50,000, whatever. It could be if you’re only going to capitalize the vendor’s expense in a project. So you might have business units that are going to be doing something from a data transfer and data handling perspective, but it’s coming in around 25,000 or 30,000; however, it’s involving a lot of records, a lot of data. So sourcing and procurement might not be aware of it, but the vendor is, and now you’re also talking about, well, what about legal? What about information security? So you really have to have an understanding of who owns the vendor repository. In many cases it’s turning out to be the third-party risk management program. And now you need to be able to gel what you have on your list with the sourcing and procurement folks. Who are the stakeholders in the onboarding process? First off, it’s the business unit, the first line of defense. The business unit is responsible. They’re the primary stakeholder. They’re the ones writing the checks. But other stakeholders that are very integral to the third-party risk management process are sourcing and procurement. Legal: they come up with the legal language, right? IT security: are you working with information security and other organizations such as privacy to make sure your data privacy and security addendums, which are affixed to the contract, are in alignment with your organization? It could be whether it’s working from home, whether it’s making sure that you’re using VPNs, or whatever the case may be. However you have that structured out, are you working with your other stakeholders, and are they in alignment, and do they understand what the expectation is for the vendor? What about facilities management?
A lot of times your vendors are coming on site to see you, particularly in the IT space. Okay. Do they have card keys or things like that that are assigned to them to allow access into certain facilities? Business continuity and disaster recovery: they’re the ones that in many cases help to prioritize your vendors from a strategic perspective in the event there’s an issue with availability and recovery. And of course compliance. Any changes you’re making, are you in alignment with compliance, not just with guidance or standards or regulatory obligations, but are you in compliance with your company’s own policies and standards? What’s our inherent risk and our exposure risk? Another common problem that’s been going on for ages: how do we calculate inherent risk? I’m very proud to say that an organization that you’re probably familiar with, the Shared Assessments program, is actually addressing this and coming out with a component to help you calculate inherent risk. I was a part of that group and very proud of what we’ve done on there, and that’s something that you’re going to be seeing coming soon, and I’m sure Prevalent is going to be made aware of those additional tools as well. But the thing about inherent risk and exposure risk is there’s really no set of guidance out there as to how you calculate inherent risk or exposure risk. When you think about what exactly inherent risk or exposure risk is, it’s: what are the unknowns before you actually do business with that vendor? Okay? Think of it as almost going on a date. You only know so much about the person you’re about to go on a date with, through maybe their social media, maybe from what their friends have told you, maybe from what you know about them at work. But until you start to engage with them and have a relationship with them, do you really start to know what’s going on? So you can’t necessarily calculate those unknowns, but you have to be able to come up with something that’s going to give you a general idea of, yeah, I’m looking forward to this date. I’m looking forward to meeting this person. Okay. Same thing with your vendors: calculation of that risk.
Do you have sufficient contractual language? This is something that I’m still seeing to this day. Whether they’re mature organizations or small and mid-size businesses, you must, must, must make sure you have the appropriate language in the contractual agreements. Everybody knows about the right-to-audit clause, but here’s a dirty little secret about the right-to-audit clause. In most cases, in your right-to-audit clause, you can only execute a right to audit once in the life of that contract. So you might have a three-year relationship, a contract that says we’re going to do business for the next three years. But if you play that right to audit, or it’s interpreted that an assessment is part of that audit, you can only do it one time. Then if something happens at that vendor and you say, “I need to come and audit you,” whether it’s over a breach or mishandling of information or data, they will reserve the right to come back to you and go, “Whoa, whoa, whoa, time out here. You did an assessment on me. That ties into the right-to-audit clause. So you can’t come back to me.” And in a right-to-audit clause, there are a lot of additional stipulations: I need prior notification, I need time to prepare, I need to do this, etc., etc. So you want to make sure you have something besides the right-to-audit clause. Something that I’ve been pushing, and I’m starting to see a lot of organizations doing, is called the right to assess. The right-to-assess clause is something that basically says we’re going to assess you and reassess you based on risk tolerance, based on the risk scoring that we do on you. What else can tie into that risk reassessment? That’s the continuous monitoring aspect. You want to be upfront and share with them that we will, or we may, be doing continuous monitoring on you, whether it’s at the cyber level or a combination thereof: cyber, financial, operational, etc. Okay. Now when you start getting to expectations, can you still move forward? If you’re going to do that, you have to have an understanding of who ultimately authorizes the approval or disapproval of using said vendor. Is it the third-party risk management program? Is there a group?
We actually had a thing called the vendor assessment committee. The running gag back then was that we called them the vacuum, because we’d give them things and say, “Hey, I need you to sign off on it,” and we wouldn’t see it back. So VAC became vacuum. They got wind of it, so we changed it a little bit. So there’s a little bit of your Thursday humor. But who’s got to sign off on it? If you’re not going to use a vendor, who goes back and tells the business unit you can’t use this vendor based on the risks in my organization? That was me. And there were times we actually had an exception process where the business unit was able to state their case. Not just me, but we’d pull in the chief privacy officer. We’d pull in the chief information security officer or anybody else that needed to be part of that conversation. Who has sign-off authority for exceptions? Now, when we’re talking about exceptions, it’s: okay, you may have a conversation with a particular business unit and say, “We’re not overly comfortable with this vendor’s current security and privacy posture. However, we understand that they may be a sole source provider or a single source provider. Therefore, we’re going to accept, and we will put this into our vendor registry along with our risk registry, that we’ve tracked this and we’ve identified this.” Okay. So that’s where it’s useful to have defined who is authorized to sign off on those exceptions. From a cyber perspective, nine times out of 10 it’s going to come from the CISO’s office, but in other organizations it might come from the chief risk officer or some other person at a high C level. Lastly, when do we perform due diligence? Is it before or after the contract? Many financial regulators will tell you this due diligence must be done prior to the actual transaction of data. Usually you don’t start transacting data until the contract is signed. I have seen organizations that will start to transact data and the contract’s not signed. Beware.
The reason why I say that is because if you are actually sharing data amongst each other and something happens at your vendor and that contract hasn’t been signed yet, you really have no legal recourse to go after that vendor, because the contract hasn’t been consummated. Now, everything that I’m telling you here with respect to contracts, please talk to your legal counsel if you need more information on this, okay? Every organization is different. So I wanted to throw that little caveat out there.
But again, these are common ways to help navigate around these common challenges. What about due diligence for onboarding? You might be asking yourself, what tools do we use to do our assessments? It really depends on what risk you need to know upfront. There are many tools out there from a cyber perspective. You know the big names; I don’t have to share those with you here. There are also some smaller names that are very, very good at what they do. Some of them you may think are just one-trick ponies. However, if it’s something that brings value to your organization, consider using them. Now, you in the third-party risk management program, particularly if you reside within the cyber arm of the organization, are probably not using these other tools such as credit and financial analysis, maybe things from an ESG perspective. But you can use tools, even if it’s just, you know, Google news feeds, or maybe you should check with your organization: do you have subscriptions to, say, Bloomberg or Standard & Poor’s or LexisNexis, something that you can put in and do strategic searches on, for at least your critical vendors? Is there anything out there with respect to a lawsuit here? I’m starting to hear chatter that, from an acquisition perspective, this particular vendor might be a takeover target. What is that going to mean to me? Could one of my competitors take over this product, or take over this vendor? So these are the things you have to think about. Is there anything with respect to a vendor that might put you at ease due to a legal obligation they’re now faced with? Maybe it’s a class action lawsuit. Maybe they’re doing business in Europe and a European data protection authority slapped them with a multi-million dollar fine and it’s starting to hit the press. Okay. What is the data being processed? I like to put a lot of emphasis on the data, and I’ll tell you why.
We live in a sue-happy society, and if you’re dealing with client and/or employee information and vendors are doing that for you, it’s really a good idea to have an understanding of what data is being processed. What is the value of that data being processed? First name, last name, street address has far less value than first name, last name, street address with social security numbers, EBT numbers, bank account numbers, on and on and on, or health information. And in the event of a breach with your vendor, this is where the data protection authorities, this is where the law firms are going to migrate to. What was the data? How many records are affected? Big difference between 10,000 and 10 million records. Okay, not only are you looking at the cost of a record, which can be anywhere from $5 to $50 depending on the data, but now you’ve got to multiply that times 10,000 records, times 10 million records. So you really have to have an understanding of what data is being processed and the records. Now, what kind of questionnaire should you be using? I understand there’s this thing called vendor fatigue. The big thing that we try to push as well, me being a legacy with Shared Assessments, is that we’re really about standardization, using something that’s out there. I think one of the best things that I’ve ever heard was when I happened to be in London a few years ago and a representative from the Financial Conduct Authority was asked a question: can we use standardized questionnaires? And this regulator looked at this individual and said, why wouldn’t you? Why are you trying to recreate the wheel when there are already great tools out there? So look for something that’s standardized. Okay, there’s a reason why they’re industry standards. Prevalent, for instance, uses the SIG questionnaire. It’s up to you whether you want to use SIG Lite or SIG Core. Maybe if you’re doing something in the cloud environment, maybe you need something like the CAIQ. Whatever it is, make sure the questionnaire that you’re using has been scoped and is in alignment with the data and the processing being done.
Something that you should also consider, that I was able to execute at the organization I was at prior when I was running their program, is we actually came up with a thing called the vendor intelligence checklist, or a VIC for short. The purpose of the VIC was, and I’m sure you’ve seen this, where you’re being inundated by a business unit going, “Hey, I’m looking at these five vendors here and I can’t decide which one to choose. Can you help me make that decision?” No, I’m only going to look at the one that you want to select. Tell you what, I’ll do a buy one, get one, because I’m a nice person. Give me two of them. Okay? And whether you do a chargeback or however it is, you’re at least providing that value to the business unit by helping them. A good way to get around this is to work with procurement and sourcing and come up with a vendor intelligence checklist. It might even be the SIG Lite. It can be whatever you want, but it’s a way for you to vet the vendor that’s coming on board to make sure they’re tall enough to ride the ride. It’s an example I’ve used many times: treating a vendor as if they’re a little kid that wants to go on a roller coaster. That roller coaster can be a small coaster, meaning you might just be giving them company confidential information; they might be helping you with something like marketing schematics or growth opportunities. Or it can be that triple-loop, 90-mile-per-hour coaster, and you’re giving them 10 million records of protected health information or other types of data. Okay, so you want to make sure that their controls are tall enough to put them on the ride. Lastly, don’t discount your own professional network. We’re in an age now where we can pick up the phone and call people. We can communicate with people outside our organization and say, “Hey, do you use this particular vendor? Any thoughts on them?” You might get, “Oh, we love them. They’re great here.” And there are other ones that go, “Oh my gosh, man. I ain’t gonna touch them with a 10-foot pole. They’ve had two data breaches in 18 months.” Whoa. I never heard of this.
So it’s being able to tap into your professional network that helps you to do that due diligence prior to onboarding. And lastly, do you have a superpower? Okay, shameless plug for an article that I just published two weeks ago about what a superpower is. Do you know your third-party risk management superpower? When you start going through your career, when you start utilizing the tools that you have available, you’ll start to actually craft the superpower that people are going to tap into you for, and it might not be the people within your own group. It might be somebody from procurement, somebody from security, somebody from IT that’s going to tap you and ask you, “Hey, can you help me on this?” So these are the things to consider as you’re going to be doing your due diligence for your onboarding. Risks to consider when you’re offboarding. A lot of organizations still struggle with developing an exit strategy. And I’ll tell you why. It’s really just because people don’t like to say goodbye. Okay, it’s human nature. We like relationships. We like to say, I know you guys let me down a couple of times, but you know, compared to other organizations, you’re relatively cheap. You’re relatively easy to work with. Okay, your accuracy rate could be better, but I know we’ve talked about this 10 times, but let’s see if we can make it better. There comes a time where you have to put your pencils down and hand in your test, and you have to grade them appropriately. So coming up with an exit strategy, this is on the business unit, and this is where third-party risk management can help provide value to the business unit by being that liaison, that intermediary with the legal department, with sourcing and procurement and with other organizations, to say we’re going to have to come up with and develop an exit strategy here. And you want to actually make this part of the agreement. Look, in the event that we have to separate, here’s how we’re going to do it. Here’s what we’re going to do. Even if they’re only going to be used for a small engagement, maybe it’s just this one-off project, you still should have an engagement strategy in the event you turn around and you start going, “Okay, this just isn’t working.” So, something to consider.
Failure to provide proper notice of termination or nonrenewal. There are times where you’re going to run into a situation where you’re going to separate from a vendor and you don’t tell them about it within a given period of time. So you want to make sure that you’re able to share that information upfront with the vendor. It’s a best practice to actually be able to do it, but some people will turn around and go, “Look, we’re just going to separate and move on.” Doing that can cause an issue with the next bullet, which is lack of parallel or transition services. If you’re going to make this transition... Excuse me, my cat decided to crash here. If you are going to have a situation where you’re going to be migrating to a new vendor, it’s a good opportunity for you, about three to six months in advance, to start planning for parallel or transition services. If you already have the other vendor lined up, start working with them and provide them feeds of the actual data that’s going to be going to them. So when it’s time to flick that switch and get off your primary vendor onto your new vendor, you have that ability. It’s already broken in and your team can work with them. This will help eliminate service disruptions during the winding-down period, when there is news that the business unit tells said vendor, look, we’re going to be going our separate ways. We’re not satisfied. It’s September. I’m letting you know we’re going to be rolling off at the end of December. Okay? This is the time where you start working with them, and they’re most likely going to want to leave a good taste in your mouth and be able to say, “Okay, well, I hope you reach out to us in the future.” Okay? So they’re going to want to work with you during that winding-down period. It’s very important. What about getting your data back, particularly from fourth parties? You have to consider the risk of the vendor, your third party, not sharing with your fourth party as to what’s going on. So with respect to that, you want to confirm that the data is going to be coming back to the third party.
If it’s going to be housed at the fourth party, you need to be able to share with them your data retention schedule, your data retention periods. And you can’t just block them off and sign off. I have seen some people, some people I should say, come up to me and say, “Can I still assess a vendor that I no longer have a relationship with?” And the answer to that is really no. If you do not have a contractual relationship with the third- or even the fourth-party vendor and you’re asking them, “Well, look, you’re storing my data, so I’d like to assess you on this,” they’re going to tell you no; they’re storing that data due to a legal obligation. So they still have to live up to the expectations as defined by those contracts, and with respect to the security and privacy handling that they originally put in. Okay. Lastly, ensuring the continuance of ongoing data protection. Just give me one second, folks. My apologies. This is where you have to make sure that the data protection continues to be there, and I just alluded to this earlier with respect to their adhering to their data retention guidelines, and you’re assuming that they’re still going to have solid controls around that data. What you can do is ask to receive a periodic SOC 2 report, if they have one, so you’re at least able to say we’re still tracking this, and you can share that with your legal department, and you can even share that with the data retention folks within your organization. Lastly, let me take a sip here real quick. Thank you. Recommended processes to ensure program convergence. So I’ve been talking about this thing called program convergence. I’m going to be publishing a blog on this very, very soon on generational program maturity within third-party risk. This is something I published before at another conference. I just want to get it out there more for public consumption. Program convergence puts your organization in what I term the fourth generation of program maturity.
And what that is is the third party risk management program intersects and has that dialogue with sourcing and procurement with legal financial and other second line groups. You actually have established defined roles, responsibilities, and processes. And these are defined within your third-party risk management policy.
You’re able to show those linkages from the third party risk management policy down to the other organizations that are providing the other types of operational guidance and support to your program. Also, in this program convergence you’re going to see certification for professionals along with certifications with respect to processes. It could be the ITIL certifications, it could be an ISO certification, it could be a black belt certification, and then you start getting into individuals within those respective roles having certifications as well, whether they’re PMPs or CTPRPs. I happen to teach the CTPRP and CTP certifications. It could be other third party risk certifications, other security certifications, other sourcing and procurement certifications, certified procurement professionals, CPPs, things along those lines. That’s where you’re going to start seeing this convergence here of third party risk management with other organizations, and you’re really going to be able to have that documented from the process perspective. And this gets back into processes, process flows, and other maps that are actually defined and reviewed, because it’s critical to your third party risk management generations. You’re looking at things from your processes, having an understanding of the hows, the whens, who is responsible for maintaining and documenting these critical processes in your chain. Okay, so this is going to be integral when you have either an outside auditor, a regulator or an internal review looking and seeing, okay, sourcing and procurement is responsible for this. We tap legal for this. We notify information security, facilities management, on and on and on. You have to make sure you have those processes documented and those process flows. Do you share that with other people? Do they get back to you and say, “Well, wait a minute. Here in sourcing and procurement, this has changed.
These roles have changed.” That’s going to help you be able to document what’s going on within your program, and it’s really going to streamline the operations during the onboarding and the offboarding process.
So, some final thoughts here as we start heading into the holiday season. I know it’s hard to believe, right? We’re already in October, but as November and December come up and you start seeing a little bit more quiet time, if I can use that term relatively here with respect to third party risk assessments, it’s a great time for you and your organization to sit back, revisit, and take a look at your onboarding and offboarding processes and standards. Make those adjustments to your policy where they are really needed. And again, I’m talking about those linkages with other organizations that you rely on. And it could be other things with respect to the way we do due diligence. Navigating your common challenges really brings accountability, auditability, and most importantly, credibility to your program. This is going to be the feather in your cap that upper echelons of management are going to be able to see. This is a great opportunity to recalibrate your due diligence. Is there anything we need to change? Is there something regarding PCI coming up that we should start considering in our due diligence? Maybe we’re going to recalibrate the way we use continuous monitoring tools. Maybe we’re going to recalibrate the way we do things for a critical vendor and a high-risk vendor. Maybe we’re going to recalibrate and say, you know what? We don’t need to look at all of these barrels of controls for our low-risk vendors. So, this is a wonderful opportunity for you to take that, because that’s also going to help you with your onboarding process. You want to continue to offer insights to bring efficiencies to the sourcing and procurement process. And again, by having this period, these kinds of dialogues and these relationships are really going to be able to drive that. And lastly, schedule stakeholder meetings with these organizations, with your second lines. Become that analysis center.
Look at yourself like an internal ISAC, an information sharing and analysis center, where you’re able to sit down and say, “Hey, sourcing and procurement, here’s what I’m seeing. Hey, security, here’s what I’m seeing,” etc. And ask them to bring some metrics to you.
Are we in alignment with our service level agreements on onboarding vendors? You might have business units sitting there going, you know what? This has taken 45 to 50 days and it’s really slowing us down here. Well, what’s your service level agreement? If your service level agreement says 30 days and you’re unable to achieve that, this is a great way to get your hands around it, by working with your stakeholders and saying, “Is it us, or is the 30-day expectation a little too aggressive? Maybe it should be 45 days. Maybe, you know, we need to go back and alert the project management office and other organizations. This is the expectation. We have to recalibrate it due to staffing concerns, due to technology concerns, etc.” So, I’ve provided a lot of information. I know we have some questions. I’m seeing this lighting up here. So, I’m glad we have the opportunity to do this real quick, and then I’m going to turn this over to Scott at Prevalent to be able to provide some additional insight into Prevalent. So, Melissa, anything that, or, you know, we could talk about?
Melissa: I will go ahead and encourage you all to put some questions in that Q&A box. I know we’ve been talking in the chat, but throw them in there. Don’t be shy. You can always ask him anonymously. And then Scott is our VP of product marketing here. He’s going to just say a few words and, you know, I will pass it to you, Scott. So, I’ll stop sharing real quick. Scott can just share his screen and we’ll keep it moving.
Okay. So, let me stop here.
Melissa, do we want to do the Q&A now or do we want to wait till after Scott’s done?
Melissa: I’ll wait for people to kind of drum up some more questions. Fair enough. Thank you.
Scott: Awesome. Quick check. You guys can see my slide. Okay, Tom?
Tom Garrubba: Yep.
Scott: Awesome. Very good. Cool. Guys, everybody, thanks so much for giving your time to participate in today’s webinar. I think Tom always does a superb job of really distilling some of the most important things that we’ve got to think about at some of the most important stages of the third party life cycle. These considerations, these risk types, these tasks, you know, whatever, that are oftentimes overlooked because, you know, we’re in a hurry. We’ve got a high volume of stuff we’ve got to get through, and, you know, we know that there are always some consequences on the other end of it. I want to real briefly walk through what our approach is to kind of help resolve some of these challenges. You know, first and foremost, our perspective on third party risk and the goals that we’re trying to help you achieve are really three-fold. You know, number one is helping you get data that you need to make better decisions, and speaking very specifically to the context here of onboarding and offboarding. You know, we see a lot of companies who are looking at, you know, a cyber monitoring tool to get a score of cyber health before you, you know, make a sourcing or selection decision or onboarding decision. We see somebody looking at a D&B report for financials or doing a LexisNexis search on recent news articles or sanctions problems or something like that. You know, that kind of siloed approach kind of slows things down a bit. Our take on the matter is to try and consolidate a lot of that intelligence in one place so that you can extend that visibility across all the different types of risk domains to different, you know, stakeholders throughout the enterprise. So you’re all kind of singing from the same hymnal, if you like, or looking at the same level of data: get better data more consistently to make better decisions.
Second, and this kind of feeds right into my previous point, is that, you know, efficiency tends to be, you know, the biggest roadblock to the long-term success of a third-party risk program. And whether that’s because of the volume of vendors you’ve got to assess, a lack of resources to help you do the work, or maybe you’re kind of stuck in manual processes, you know, everybody has a little bit they want from a third party risk effort. The security team needs to know security controls. Procurement needs to know if they’re a viable and ongoing concern. You know, compliance needs to know if they’ve got a sanction or violation against them, whatever. And if you’re trying to do that in a set of disjointed tools or processes or a manual approach or in silos, I mean, it’s not good. I understand it’s the reality of a lot of organizations, and I understand that, but, you know, it’s self-defeating. And third, and this really feeds off of the first two points: you know, if you get good data to make good decisions, if you are able to do more with the resources you have through automation and intelligence, ultimately you’re going to be better positioned foundationally to evolve and scale your program over time. And that’s really what we’re trying to help you achieve, you know, with your program. Good data, much more efficiently executed, to help you grow and scale and evolve your program over time. And really, we look at third party risk management from a life cycle perspective. And, you know, everything that Tom talked about today very squarely rests on the left hand side of this rising sun diagram, if you will, and the right hand side, right? And what we see organizations struggle with on the onboarding perspective is not really having a single source of the truth for all that data that I mentioned on the previous slide.
Looking at, you know, data, risks, processes in silos and not unifying it together in one particular place. Everything from RFX to contracting to, you know, vendor onboarding, whatever, all that stuff, if it happens in different locations, then, you know, you run the risk of kind of not achieving your objectives. My headset is telling me I’m about ready to run out of battery. So, it’s been one of those days. It’s only, what, 12:30 here. So I am going to speed through the next couple of slides here. You know, we address these different types of risks across the life cycle in these buckets and can help you by consolidating this information
©2026 Mitratech, Inc. All rights reserved.