More than a Checkbox: Getting Value Out of Your TPRM Program
Description
Many third-party risk management (TPRM) programs are handled with spreadsheets and emails and serve as a check-the-box exercise. But this approach is costly, can lead to errors, and perpetuates unnecessary risk. Transforming your TPRM program from a once-a-year manual assessment to an automated program that continually monitors and mitigates risks is crucial for your organization in the face of growing cyber threats and compliance requirements.
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, as he explains how to optimize your TPRM program to mitigate third-party vendor risks and ensure operational resilience beyond the checkbox.
In this webinar, Bob discusses how to:
- Profile and tier your third parties, gaining inherent risk scores that enable you to right-size ongoing due diligence activities
- Automate third-party risk assessment, risk scoring, and remediation processes to expedite risk mitigation
- Continuously monitor third parties for risks and correlate them against assessment results to validate findings
- Automate incident response processes to speed reporting and time to resolution
- Continually benchmark your program against accepted best practices
With more than 30 years of real-world experience architecting and implementing risk management programs at Fortune 100 companies, Bob is the ideal guide for transforming your TPRM program!
Speakers

Bob Wilkinson
CEO of Cyber Marathon Solutions and former CISO at Citigroup
Transcript
Ashley: My name is Ashley. I work in business development over here at Prevalent. And we are joined by some very special guests: CEO of Cyber Marathon Solutions, Bob Wilkinson. How’s it going, Bob?
Bob Wilkinson: It’s going great. Hi, everyone.
Ashley: And our very own VP of product marketing, Scott Lang. How’s it going, Scott?
Scott Lang: Hey, good, Ashley. Thanks for having me.
Ashley: Of course. Just a quick reminder, this webinar is being recorded and we will send out a copy of it along with the presentation slides. You’re all currently muted, but we love participation. So, please drop any questions in our Q&A box so we can go over them at the end of the webinar. Today Bob’s going to be discussing how to get the most value out of your TPRM program. So, Bob, I’ll go ahead and pitch things over to you.
Bob Wilkinson: Thanks so much, Ashley. Hello, everyone. Today’s webinar is called Beyond the Checkbox: Transforming Third-Party Risk from Assessment to Risk Mitigation. And for me, it’s a key component of the whole third-party risk management program. Third-party risk shouldn’t be about compliance. It should be about managing risks. And too many times the focus becomes ticking a box, getting an assessment done, and moving on to the next assessment. That doesn’t help mitigate risk that arises from third-party relationships. So, I’m going to talk today about some of the key themes and things that we need to focus on as we go through building and executing our third-party risk management program, things to think about, and particularly to keep in mind where automation can help you be successful in that process. So I’m going to start with why we have a TPRM program, cover the TPRM framework and life cycle, talk about the maturity model, and you’ll see how all of the subsequent slides fit into that conversation. Go from there into profiling third parties and onboarding due diligence. The use of periodic risk assessments. The key role of automation, and talk about an automation checklist for people to think about. The role of continuous monitoring in successfully mitigating risk in a third-party program. The role of key performance indicators and key risk indicators in measuring the success and progress of your program. Issues management, because that’s where the rubber meets the road and you actually mitigate third-party risk. Programs and program dashboards and reporting to share with your management. Incident management and its critical role with third-party risk. And finally, talking about benchmarking. So, jumping right in: why do we have a third-party risk management program? Well, the reason is, at the end of the day, really simple. To identify, manage, and mitigate risk that arises from the use of these third parties. By doing that, we prevent financial loss. We mitigate adverse publicity and reputational impact. And where relevant, we ensure regulatory compliance.
Bob Wilkinson: Now, the real challenge here is if you work in a regulated industry such as banking and you’re not effectively managing your third-party risk, not only are the regulators going to cite you for issues, but it can result in pretty significant fines and sanctions. So that is a significant business concern. And then finally, we want to efficiently manage our TPRM program, and we’re going to talk about ways to do that. So when we talk about the framework and life cycle for third-party risk, we start with planning and discovery, and there we want to identify our supply chain inventory, which includes third parties, fourth, fifth, sixth, or what we sometimes call nth parties, and also the use of third-party software. Third-party software, I believe, isn’t talked about enough, and the risks that arise from that have been very prevalent over the last few years. All we have to do is look at things like SolarWinds, Log4j, etc. And along in the planning and discovery phase, ensuring that contracts exist for all of our third parties and that key risks have been addressed. From there, we move into risk assessment, and we’ll talk about due diligence and onboarding and the need for a consistent program within an organization to onboard all third parties, which for many organizations is a challenge. From there, we move into what I’ll call BAU and continuous monitoring of the operational risks that arise with third parties. Next, how do we remediate the issues that we’ve identified, and what forms can that take? Can we remediate them? Can we accept the risk, and under what circumstances? Or can we transfer the risk? And when we talk about risk transfer, we’re really talking about things like cyber insurance. And then finally, being aware of considerations for termination. So, do we get all of our data back? Are all accesses that were granted to third and fourth parties terminated at the end of a relationship? The next piece is the third-party risk management maturity model. And when we think about a maturity model, we have to start with where we’re at. We have to be objective in terms of the maturity level we’re at, but also very clearly have a target maturity that we’re working towards.
Bob Wilkinson: I will say right away that level five is very difficult and expensive to achieve and that most third-party programs do not target that level of maturity. In my experience, people consistently think that they’re at a higher level of maturity than they actually are. So, it’s important that people are objective when they assess their maturity model. When a program starts out, everything is very ad hoc. There’s no dedicated management reporting. You don’t know your inventory. From there, you move into level two, where you start getting dedicated resources. You don’t have documented processes, and you generally respond to issues with third parties in a reactionary mode. Level three is where things really start to come together. You’ve got a documented road map and plan. You’re executing those plans, and you have an organizational structure and processes in place that allow you to continue to build momentum. I’m going to talk a little bit later about the importance of management reporting and how that allows you to keep your program visible as you go forward. One of the biggest challenges that TPRM programs have is they get started with a lot of hoopla. Everybody’s very engaged. We’re going to get this done. We’re going to implement a great process. But then you start running into roadblocks, and they could be in terms of resources, management support, whatever the case might be. For me, one of the key elements there is how you keep the program visible with all the stakeholders at all the various levels of management as well as the board. When we talk about onboarding of third parties, one of the things that’s really important is to understand how your organization works. Some organizations are very centralized in how they manage things. Other organizations are very decentralized, where people have a lot of autonomy to go out and hire third parties because they need it for a very specific business purpose. Most organizations fall somewhere in the middle, so that they operate along a federated model where individual business units have a great deal of autonomy in deciding which third parties they use.
Bob Wilkinson: In how they engage with them, they would follow a standard corporate policy and standards but have some leeway there. Now, when you move away from the centralized model, one of the problems that you run into very quickly is people seeking exceptions to the third-party risk management program criteria for onboarding. And when business units are allowed to have exceptions to the standard onboarding process, we start to run into a lot of problems, because then we don’t really have a full inventory. We don’t have full visibility. We don’t know all of the software that’s being used, and when problems arise, they become very hard to address, and that impedes our ability to respond to incidents. It creates a whole range of issues for the business. So, once you’ve established that there is a common process, or noted where the gaps are, then you have to go about focusing on your inventory, and as part of your inventory process the definition of which vendors, which third parties, you want to focus on most, or what is often called criticality, comes into play. So organizations sometimes struggle with the definition of who their critical third parties are. So, I use a fairly simple and straightforward definition for critical third parties. Do they have access to your confidential and restricted information? Do they have access to your infrastructure? Are they performing a key control function for your organization, like user adds, deletes, and controls? Have they been identified by your IT resources and businesses as being critical for disaster recovery or continuity of business? And then finally, if any of those third parties provide any of the first four items on this slide, do they use subcontractors to perform those services? One of the things that isn’t talked about enough is where incidents originate from. And most incidents originate with a third party that a company uses. When you dig deeper into that, you discover that a lot of those incidents really didn’t start with the third party. They started with the fourth party. Because just like we build controls for third parties, we often don’t have the resources or time to focus on the fourth and fifth parties.
Bob Wilkinson: And the threat actors who would take advantage and try to exploit us understand that point very well. So from my perspective, I always try to understand, wherever someone has access to my infrastructure or confidential information, are they using any fourth or fifth parties, and what type of information might be shared or what access might be shared with them. That’s an important part of having an effective control environment for your third parties. And when you know that and when you’ve done that level of due diligence, then you can tier your third parties and properly focus your resources against assessing those, and save third parties that have less criticality for your organization for another time. Now, the act of assessing a third party and deciding whether you’re going to do an initial risk assessment. The first thing that you should do, before you say, “Okay, let’s get the risk assessment started,” is ask the third party, and this is increasingly true, whether they have an independent risk assessment that has been done of their organization in the last 12 months. Because if someone else already did an independent risk assessment and the third party is willing to provide that to you, you don’t need to do another risk assessment just to say you did a risk assessment. You can review the work that’s been done and make a judgment on whether you think it’s sufficient to meet your needs. And if it is sufficient to meet your needs, then you’ve saved yourself all of the overhead from doing that periodic or that initial risk assessment. So, always ask the third party if someone’s done an independent risk assessment that they can share with you. My personal view is that when you’re looking to hire a third party and you put out a request to various companies to see if they want to do certain work for you, just like they provide their financials as part of the RFP process, I believe they should be providing an independent risk assessment as well. If they do that, then you don’t need to be in the business of doing risk assessments, the purpose of which is to identify where risks are.
Bob Wilkinson: You can spend your valuable time and resources mitigating those risks as they pertain to your organization. So again, understanding whether your organization forces all business units to follow the same process, using some of the criteria here to help you decide who are the critical ones that you need to focus on, and not forgetting your fourth and fifth parties, and then asking them for that risk assessment first. If you decide you need to do a periodic risk assessment, you have to make several decisions, and this is at your program level. What process and which questionnaire are you going to use to perform your risk assessments? So there are some industry-standard questionnaires out there that are aligned with different standards. Which one is right for your business? Are you going to use that? And then, are you going to use your organization’s resources? Do you have sufficient staffing that you can use people to perform those risk assessments for you? Or are you better served by using staff augmentation and hiring consulting resources to perform those risk assessments for you? And then, depending on your line of business, would you consider using offshore resources? Because offshore resources may be more financially efficient for you. Another option is, will you use risk assessment services companies that will perform the risk assessment for you, and then place reliance on the periodic risk assessments that they perform as your due diligence on third parties? That’s an option. Another topic is, when you identify issues in a risk assessment, how are you going to manage tracking those issues, remediating them, and ensuring that they don’t have a negative impact on your business? And then, will your organization perform periodic risk assessments going forward (many people do annual ones)? And based on what criteria would you perform those risk assessments? I am personally not a fan of risk assessments outside of the initial risk assessment, because after the first one, you’ve got your baseline. The baseline doesn’t change much from year to year. At that point, you can begin using continuous monitoring.
Bob Wilkinson: And I’ll talk more about continuous monitoring and how that plays into this as we go forward. But the key point to remember here is that an effective TPRM program mitigates risk aligned with your business’s risk appetite. And risk assessment is only the first step that allows you to identify the risks that you have to mitigate. So when we get to issues management, which for me is probably the most important slide of the whole presentation, we’ll talk in more detail about that. The other point that follows on that, which I’m going to get to in a few minutes, is the need for automation. So when we think about performing risk assessments, we now have available to us, because of a number of providers in the marketplace, the ability to automate our risk assessment process. When we look at the scope of doing a risk assessment, it’s not just as it was 15 or 20 years ago when I started doing this, where we focused on security and maybe business continuity. It’s now making sure that we cover the financial, operational, geographic, cyber fraud, and ESG risks that exist. And if we’re not doing that comprehensively, it’s going to result in problems. For example, if we don’t monitor the financial health of our third parties, then one of those critical third parties is having problems and potentially headed for bankruptcy. It’s very difficult on short notice to swap out one third party for another. These things, particularly if they’re critical to your organization, can take a year or longer of planning to do. So that’s just one example of why it’s important to ensure that your risk assessment process covers the financials. And with all of this, there is a need, whether you do periodic risk assessments or you move to a continuous monitoring model, to check with your business units on an annual basis to see if any critical aspects of the relationship with the third party have changed. For example, we started a pilot a year ago. We gave access to 100 of our accounts to this third party. Well, a year later, you go back to the business, and it was a successful pilot, and all of a sudden they have access to a million accounts.
Bob Wilkinson: And there may have been some issues that were identified that, because it was a pilot, it was allowed to proceed. But now you’ve exposed the whole company’s database to what was originally supposed to be a pilot, and the issues that were uncovered were never remediated. So you need to be aware of those kinds of things. So automated tools allow you to centralize your supplier risk posture. It gives you the ability to understand, track, and ensure the mitigation of issues that do come up. And automation also allows you to do trending to help understand how your organization is doing, and ultimately to understand how your organization is doing vis-à-vis your peers. One of the questions that I often get asked by boards is, when we talk about third parties, how is our third-party program doing compared to our competitors? So, as I said earlier, people are reluctant to spend money to be, or to have, the best third-party risk management program. But any responsible board doesn’t want to have the worst third-party risk program. So being able to communicate how you’re doing vis-à-vis your peers, and we’ll talk about benchmarking a little later, is an important aspect of your program. So if you have many third parties being used by your organization and you’re not automating the process and you’re still in the world of spreadsheets, you’re going to find it very difficult to scale your program effectively, and it’s going to be very expensive, and it’s going to be prone to risk and errors as a result. So leveraging automation allows you to ensure operational resilience, which is really what we’re after with our third parties. We want to make sure, particularly for our critical processes, that they are available when we need them. It also allows us to have a centralized way to track issues and plans for remediation. It allows us to pull the information we need in a consistent, automated fashion to report to management and the board to show them the status. And as organizations increasingly use data science, it allows us the ability to quantify evolving third-party portfolio risk as the relationships with our third parties change and as new ones come on and as other ones leave.
Bob Wilkinson: So what I’ve done here is I’ve provided an automation checklist for you to use to think about your third-party risk program and make sure that you understand where you should be applying automation, and to help you through that process. So the area that I start with first is, do I have a centralized third-party inventory, or do I have to deal with multiple federated inventories to manage? And equally important, is everybody collecting the same information, and is that information complete? So having an automated database which has predefined information that’s mandatory for every third party that is in use ensures that you have an accurate base from which to start your program. Many times I’ve seen inconsistencies in the data collected, and that is problematic at a number of levels. As I mentioned before, do you have a single process workflow that all third parties are onboarded through? Because if you don’t, you’ve got some really bad blind spots, and those are the ones that will come back and hurt you in the long term. Another aspect of that is, as you onboard your third parties, can you categorize them into domains of risk? And what do I mean by that? For example, all third parties that have access to confidential information, all third parties that have access to your infrastructure, all third parties who provide you specific business functions like call center or payment services. When you can categorize them into domains of risk, what that does for you is it allows you to see what for me is another one of the core issues in third-party risk, which is: why does your company keep hiring vendors that do all the same thing? Why do you need five vendors to do a certain function when two or three might be sufficient? Clearly, we have a need for redundancy on certain critical functions, but do we really need five or six third parties all doing the same thing across the whole company? If we were efficient about how we do that process, we wouldn’t need to go out and hire so many additional third parties, which drive up expenses, which increase risk with every new third party that data is shared with, and we could operate our programs in a much more efficient and risk-based environment.
Bob Wilkinson: So for me, the whole idea of categorizing vendors into risk domains is important to avoid unnecessarily bringing on third parties that we don’t need. Do we have a centralized third-party contracts management database? I’ve yet to work with a company where they had contracts for all of their vendors that they could easily place their hands on. And because the process of hiring third parties evolves over time, and because many organizations engage in mergers and acquisitions, it’s very difficult to account for all the contracts, and it’s certainly difficult to have common language across all of them. And when we think about contract management, it’s important that they have certain key clauses in there, like the right to audit, the commitment to mitigate issues that are identified, and timely informing of any incidents that they become aware of. So generally there’s no consistency. In having a centralized contracts database, at least you have everything there, and you could work over time to standardize contracts. Do you have an automated process, and we’ve talked about this already, to perform due diligence? And how important that is, because you’re applying a consistent standard to all of your third parties that you onboard. Do you have an existing issue tracking process and a database to track those issues so that you can manage outstanding third-party issues across your organization? And we’re going to talk a little bit more about that in a few minutes. Is there a process used by business units to track third-party performance? In the financial services industry, regulation requires that on a quarterly basis, third parties are evaluated by the business units that use them on their performance and ability to deliver what they committed to, and to document the results. So, that’s why that’s important. Continuous monitoring. A lot of people talk about continuous monitoring, and for me it’s absolutely essential. But whenever you bring any tool on, whether it’s continuous monitoring or any other software to do risk assessments, if you don’t figure out in advance how you’re going to implement that solution with the way your organization works today and the process flows that it has to interface with,
Bob Wilkinson: then before you start, you’re doomed. So the software that you acquire to do this is going to be what we refer to as shelfware. You have to understand how any tool you bring in is going to be incorporated into your operating environment. And then finally, have you considered, with your given management reporting structure, what those reporting requirements are and how frequently you need to do them, so that every time you have to develop a report on third-party risk, either for management or the board, you don’t have to scramble through a manually intensive exercise? Continuous monitoring. We do periodic risk assessments, and at the point that we do those, for the day they were done, they’re accurate. The other 364 days a year, we don’t know. We lose visibility, and things change very quickly. So if you’re really trying to mitigate risk in a third-party program, you need to have a way, on an ongoing basis, to manage the risk that arises from third-party use. As I said, deciding how you implement that third-party continuous monitoring solution into your operations process workflows is key to its success. Continuous monitoring platforms use publicly available data sources to identify risk that may exist within your environment, and also you can extend the continuous monitoring out to those fourth, fifth, and sixth parties, particularly where they affect your critical business processes. So they don’t rely on any proprietary information that your organization has. They’re looking at data that’s publicly available. But when you think about all the websites that businesses use, and with those websites, all the software changes that happen, all the infrastructure upgrades that happen, every time a change occurs, it offers the potential for something to go wrong. And hackers continuously scan your publicly facing internet presence looking for a vulnerability, and if there’s one there, they’ll find it, often within hours, and then we get into a whole different conversation. Now, with continuous monitoring, it’s important, as I said, to understand what it does and doesn’t do.
Bob Wilkinson: It’s also important to understand that the skills you need to perform risk assessments are different, in some respects, from the skill set that’s required to perform continuous monitoring. So when thinking about implementing continuous monitoring, you have to make sure you understand that you have the right skill sets in the people who will be doing the continuous monitoring. You also have to think about where that continuous monitoring program will interface with other parts of your organization. So continuous monitoring could be very useful, for example, to help the cyber threat intelligence program you have by informing them of the vendors that you’re using, which they may not have thought to have visibility into, and issues that are arising there, and then they can tie it back into threat intelligence they’re seeing. Or maybe you tie it into your security operations center, the SOC, where they’re responding to incidents that have occurred. I can’t tell you how many times I’ve seen people in the SOC, when an incident occurs, calling up the third-party team and saying, “Well, we don’t know anything about this vendor we’re using. Can you tell us? What are they actually doing for us?” If you work to incorporate the flow of knowledge upfront, you can be proactive instead of reactive. Moving on to key performance indicators and key risk indicators. And this ties directly into reporting and visibility into the program. Key performance indicators are measures of progress for a program component that you’re working on towards a specific goal. Lots of people talk about key performance indicators, but data is not an indicator per se. Whenever you think you have a KPI that you want to use, you should ask yourself one question. And that question is: so what? Why am I collecting this? What does this tell me? Does it involve any actionable information that I can use? Is it actually showing me a trend? An example is, you know, are we getting better in how this vendor delivers the service to us? Are we getting better in our programs about how we personally execute our risk assessments?
Bob Wilkinson: Those are just a few examples of where key performance indicators come into play. A key risk indicator is a measure of how risky a business activity is. So when we talk about it in a third-party context, do we have more issues with our third parties today than we had last month, 6 months ago, or a year ago? And are those issues getting closed out, or are they continuing to be retargeted? And that tells us that as the number of issues goes up, the risk of our third-party program is going up. So each program has to decide what are the right indicators for you, but they need to help you tell your story about your third-party risk program at the end of the day. That is the critical piece of information that you need. Now, issues management. For me, this is really where everything comes together. If you want to have a resilient third-party risk management program, you need to vigorously track the issues that have been identified and how they’re getting remediated. And this is perhaps one of the most challenging areas of third-party risk. Third parties will make commitments to address issues which may take time, you know, just because that doesn’t fit in their road map. But for those issues that are identified, there are a few key things that you need to do. You need to make sure first that you’re capturing them in a centralized database. These are all the issues that apply to all the third parties that we’re using. You need to ensure that there’s a committed date that someone has agreed to, to implement a corrective action plan, and you need to know who that person is. And then finally, you need to have a way to track and report on progress. So the typical way people address issues management in an organization, the way that business units and the way that vendors do it, is they pick a date at the end of the quarter, at the midpoint of the year, or at the end of the year. So if you were to look through your issues management database, odds are you’d see 3/31, 6/30, 9/30, and 12/31 as the target dates for remediation. If you wait until those dates to check the status, you’ve failed before you started. When someone tells me today that they’re going to remediate something by September 30th,
Bob Wilkinson: I’m going to make sure that on March 31st I ask where the plan is. On June 30th, I say what progress has been made. And then as it gets closer, I would use the old red, amber, green way of tracking the status of issues. And I would report those issues back to the business unit heads to let everybody know where they stand with issue remediation for third parties. Now, that’s a very politically charged issue. People don’t like to be called out and held accountable. But if you want issues resolved, that’s what you need to do at the end of the day before you publish any reports. The way to deal with that is to share them individually with the business units where issues have not been getting addressed and to let them know that in two weeks, for example, this report is going to be shared with senior management and there’s going to be a meeting about it. That’s how you get traction to get issues resolved by holding people accountable and that’s why issues management is so important to me because in the end remediation does equal operational resilience. So from my perspective this is the single most important aspect of third party risk management. If you don’t fix the problems you identify from my perspective don’t bother doing risk assessments because all you’ve done is made it worse. Because before you were blind and didn’t know, now you know and you chose to do nothing about it. Program dashboards and reporting. I had mentioned earlier about keeping visibility into your third-party risk management program. So how can you do that and how can you do it right from the beginning of your third party riskmanagement program? You can start producing reports right away and reports occur at different levels. So let’s talk about your immediate management maybe one level up from there. You can start reporting right from the beginning and I would start with four aspects. You don’t need more than four slides to do this. 
So you can talk about, for whatever your reporting period is, a week, two weeks, a month, what progress did you make in your program? Then you can talk about topics that your management needs to be aware of so everybody’s on the same page. The third thing you can talk about is roadblocks to your success. Who’s not getting something done that you need in order to advance your program? And that’s a way of getting your management engaged in helping you to resolve problems. And then finally, how all the activities that you’re doing contribute to that path to sustainability for your third-party risk management program.

Some of the trend reporting topics you can cover, which I think really help tell the story, is the growth in overall use of third parties. In my experience, it’s not unusual to see third parties increase 10% a year. So, if you have 10% more third parties to deal with this year than you had last year, did somebody give you a 10% increase in your budget? I don’t think so. So you have to become efficient in how you make awareness of the growth in the use of third parties, particularly when many of these third parties are inherited through acquisition or hired and are providing duplicative services to your organization. You can talk about your increase or decrease in the overall performance and risk of your third-party program based on the KPIs and the KRIs that you’re measuring. You can report on the completeness of your third-party inventory. Say you break it down by business units. Say that you’ve identified however many third parties you have, but you’ve only been able to account for half of them. Is that number getting better over time? And by the way, if you’re looking to build a third-party inventory in the first place and you want to ensure its completeness, the easiest way to do that is go back to your accounts payable department and ask them for everybody that they paid in the last two years, because that’s who your vendors really are. You can talk about the increase or decrease in the number of issues. I’ve talked about this point enough already.
Then, if you’re in a regulated business, you can also talk about issues that the regulators report back, because the regulators actually have a program, for example in banking, where they go out and they perform risk assessments, what they call exams, of third parties who provide critical services to financial services companies. And when they do their exams, if they find issues, they document them and they forward them on to all the users of that third party, and they expect that you will take those issues back, develop corrective action plans, and report to your board of directors on the fact that you have done that. I’ve had to do that in the past. That’s how I know.

Switching to incident management. So again, this is something where the benefits of automation are substantial in helping you manage that. As I said before, more than half of the incidents that arise can be tied back directly to third parties. So having a process in place that is documented, has been tested, and is constantly reviewed is critical to mitigating the impact of the incident. So when we talk about incident management, there are a number of topics that need to be covered. First, incident management preparation. What do we need to do? Who do we need to call? Do we have all the right phone numbers? Do we know who our vendor contacts are? Are we sure their cell phones and emails remain accurate and that they haven’t all quit? How do we know what our processes are internally? The only way to do that is to do a tabletop exercise and simulate an incident with your management and with the third party. Incident detection and communication. What are the reporting procedures? How do escalations occur? When an incident does occur, how do you triage it and decide what the next steps are? Once you’ve done that, how do you contain the incident and actually recover from it? And then, most importantly, what did you learn from the incident, and have you taken that knowledge you’ve acquired and incorporated it back into your control processes?
So rapid response is absolutely key, and minutes do matter here, and regulators are very focused and expect to be notified promptly when incidents do occur, and they’ll ask questions about how did it happen, what were your processes around how you will prevent it from happening again, and what failed initially. So having a documented, automated, periodically tested process to manage incidents is absolutely critical to success.

I talked a little bit about program benchmarking. Third-party risk management for me is a journey. It’s not a destination. It’s constantly changing. New risks occur. New remediation techniques and processes evolve and allow us to help address those risks. As you implement automated processes such as the ones we’ve talked about here, you’ll improve your program’s maturity. You’ll have clear criteria which you can use to benchmark your program and see how you’re performing against similar organizations in your industry. As you look at the opportunity to leverage data analytics, you can do some very interesting modeling, and I’ve done some of this before, where you can actually score your individual third party. What is the risk of them based on the controls that they have in place from your assessment? You can score the risk of your individual risk domain. So, how risky are my call centers? How risky are the third parties who have access to my confidential information? You can do that also for your entire third-party portfolio. So on a scale of 1 to 5, you could score the risk today in your third-party portfolio and then do that quarterly and see if your risk is increasing or decreasing. So there are techniques to do that, and dynamic portfolio scoring helps you understand your evolving risk and whether you’re getting better or worse.

So these are the topics. I know I gave you a lot of information. As I always say at the end of my part of the webinar, this is my contact information. I’m happy to talk to anybody anytime about any of these issues. I do this because I truly enjoy it, and I welcome the opportunity to have any conversations. So at this point I’m going to pass it over to Scott Lang. Scott, you ready?
Scott Lang: I am. Bob Wilkinson: It’s all yours. Thanks, buddy. Scott Lang: I’m gonna share my screen here. Just a quick confirmation that you can see my screen, Bob. Bob Wilkinson: Yes, sir. Scott Lang: Awesome. All right, everybody. Thank you so much for hanging in here through Bob’s presentation. You know, the thing with Bob’s webinars is that they are rich in content and experience. So, I know he gave you a lot today to kind of consume and digest. Just as another reminder, as Ashley said in the chat, we will send out the deck and the recording tomorrow so you can kind of go through the materials again and really apply them as best practices, you know, in your organizations.

What I thought I would do is just take a few minutes to explain what Prevalent can do to help you go beyond the checkbox and automate your third-party risk management program. We understand there to be some pretty distinct realities that, you know, you’re probably facing in your program today. Number one, it’s highly manual. We do a survey every year where we ask respondents how many of you are using spreadsheets solely as your, you know, TPRM and assessment process, and almost half of you do that. Stop doing that. 20% of you say that, you know, you’re not really looking at risks at every stage across a third-party or supplier life cycle. And then third, there’s, you know, maybe some questions about ownership of the process and ownership of the third-party vendor supplier relationship in organizations. 71% say the infosec team owns third-party risk, but 63% say procurement owns the relationship. I don’t think that’s that uncommon, but it will drive certain behaviors, like needing to work together, building a good solid governance foundation, setting your processes in place, engaging different teams before you start down the path of, you know, buying a tool and kind of incorporating that into your environment.
Look, the process of transforming, you know, from a checkbox to, you know, a much more dynamic and real-time and process-driven approach, it takes a lot, and, you know, in our view this is kind of how it happens. You start out with headaches, pain, and stress, and you’re worried about juggling email, spreadsheets, and SharePoint. Step one tends to be managing all your vendors in one place, just getting a single inventory or database of all your vendors and the vendor information that goes behind it: their information, their risks, a picture of, you know, their criticality, as Bob talked about. And then as you have that information centralized, you can then start to evolve out of spreadsheet jail and begin to design, you know, centralized vendor risk assessments that are housed in a platform, are backed by workflow, and then enable communication with vendors, you know, in the platform, and then sending those assessments out via links in emails instead of, you know, switching spreadsheets back and forth. Next step in the process, once you kind of get out of, you know, centrally managing vendors, dropping spreadsheets forever and all time, is validating the findings from those third-party risk assessments with external data that you might find via a cyber intel score, business operational updates, financial or, you know, operational updates, reputational intelligence, like things that happen in between your regular assessment that help to add color and context to that relationship and might trigger, you know, a reassessment in between your annual planned assessments. Next step in the process: you’ve got it centralized, you’ve got a process in place, you got your stakeholders all lined up, you’re validating answers that are coming back. Now you finally have the automation in place to kind of define what a risk is, measure it, scale it, identify what doesn’t line up with your organization’s risk appetite, and then begin to prescribe some remediations to ultimately reduce risk instead of kind of doing it via, you know, a more ad hoc spreadsheet-based approach. And that kind of gets you to the apex here. The apex is a more continuous, intelligent, and automated approach where you’re being much more proactive with it.

So, you know, looks great on paper. How do you get there? You know, every path is unique. Every journey is unique in third-party risk. But this, from our perspective, is a summarization of the steps that orgs finally take on that path to the ultimate outcome. You know, our approach is very prescriptive. As I mentioned, we look at risk across every stage of the third-party vendor and supplier life cycle, from the point where you source and select the vendor to the point where you offboard and terminate that vendor and that relationship. Each one of those steps presents unique risks, and then we look at those risks. We consume them, we score them, we categorize them, we give you insight and intelligence to help you remediate those risks, whether it be from a cyber failure or vulnerability to an operational disruption or financial problem at a vendor to a reputational concern or compliance or sanctions violation. We incorporate that all together for three outcomes. Number one is to help you speed up and simplify your onboarding process with a single version of the truth. Second is to streamline the process and close gaps in risk coverage. And then third is to unify all of your teams across the third-party life cycle. If you recall back to that first slide I had, it talks about different teams owning the relationship and owning the process. What we actually deliver to help is a combination of our people, our data, and our platform.
If you choose to have us do it for you in managed services, we’ve got the experts to do everything from onboarding vendors and managing them to analyzing results and prescribing remediations. We incorporate hundreds of thousands of individual data sources into the platform to help you make good, pinpoint-specific decisions on risk, and then we house it all in the platform that has all the workflow, the reporting, the analytics, and more to get everybody on the same page. Look, at the end of the day we want you to achieve three things from your TPRM program. The number one is to get the data you need to make better decisions, you know, through automation, by helping you knock out manual processes. Second, to increase your team’s efficiency and to break down silos, to get everybody singing from the same hymnal with regard to, you know, making risk-based decisions, looking at risk, looking at processes. And then finally, giving you a foundation that you can then evolve and scale your program over time. All right, again, that’s what Prevalent can do to help you. Our platform is tuned to helping you apply automation so that you can be much more efficient and effective in executing your program. So, with that, Ashley, I’ll flip it back over to you.
Ashley: Thanks, Scott. Actually, pitching things back to you, we already got a question in the chat for you from Dan, who said, “How do we get existing vendors to get on board with this when they already have a contract, and now they want to require metrics, monitoring, and whatnot?” Scott Lang: Yeah. If you have a contract in place and they don’t want to, like, cooperate and be part of the assessment process, I found a successful way to do that is to run a cyber scan on them and show them their score, and then that will usually force their hand to say, “Oh yeah, you know what? That’s not accurate. You know, this is wrong. You need better data.” Okay, great. The best way for me to get that data from you is via an assessment. That’s one mechanism you can use to get to it.
Ashley: Thanks, Scott. Going back over to you, Bob. Kelly asked, “Where do Nth parties fit into the maturity model?” Bob Wilkinson: Nth parties, depending on their use, I tie directly to criticality. If you’re using Nth parties that tie to critical business processes, and those Nth parties have access to all your customers, they’re right at the top, right from the beginning. I’m more interested in the criteria for defining criticality and focusing down that chain to understand all the fourth, fifth, and sixth parties that are involved than I am about talking about third parties that are performing or tied to less critical functions within my organization. So I put them right at the top if they’re part of a critical function.
Ashley: Thanks, Bob. One more question for you here. David asked, how does an organization define risk appetite? Bob Wilkinson: Ah, well, risk appetite is how much risk you are willing to take for a specified reward, and organizations define that at the board of directors level. So the board should clearly define and communicate to the senior management of the organization how much risk is appropriate to take in order to achieve a certain reward. And then senior management should ensure that that information is communicated down through the entire business so everybody’s working on the same playbook and everybody understands what risk is acceptable. A classic example of that is during the financial meltdown, when AIG had a small team that was doing insurance on derivative contracts, and the whole thing went south when the financial markets melted down and AIG ended up with a $60 billion bailout from the federal government. That was a small chunk of a very large organization that caused that problem, and it was because their risk appetite was greater than the firm’s.
Ashley: Thanks, Bob and Scott. If you’re still here, we got one more question for you before we wrap things up here. Someone asked, regarding the data points of financial, cyber, ESG, and reputation, if you could just elaborate on whether those are included in the platform or you have to purchase additional licenses to collect those data points. Scott Lang: Yeah, there are two pieces to the equation. There are assessments that you can issue to your vendors that will ask very specific questions about that type of information. And then the second piece of it is the continuous monitoring intelligence that kind of comes in. So it’s all part of the platform.
Ashley: Excellent. Thanks, Scott. And one last question here. It’s for you, Bob. Someone asked, for unremediated vendor issues, how do you determine who’s signing off on the risk acceptance? Bob Wilkinson: Ah, risk acceptance is a whole separate conversation. Who’s the business owner whose name’s on the contract? They’re the ones who are accountable. So businesses have this fallacious view that they can sign contracts and outsource things to third parties and somehow, after the contract is signed, it’s no longer their responsibility, but they own it, and if it goes bad, it’s on them.
Ashley: Excellent. Well, thank you, Bob and Scott, and everyone for all of your questions. They both gave us some great information to take in today, and I hope to see you all either in your inbox or at a future Prevalent webinar. Cheers, everyone. Enjoy the rest of your week. Scott Lang: Thanks. Bob Wilkinson: Bye. Scott Lang: Bye.

©2025 Mitratech, Inc. All rights reserved.
