Description
With a sense of urgency to protect their organizations against ever-growing third-party attacks and supply chain disruptions, many security and risk management teams boldly start a third-party risk management (TPRM) program without being aware of the potential pitfalls that can jeopardize its success.
Join Alastair Parr, ISO 27001 lead auditor and implementer, as he distills his advice from more than 150 completed onsite third-party audits down to the 10 most common TPRM program mistakes, including:
- Ineffective third-party scoping and prioritization
- Unrealistic TPRM program KPIs and KRIs
- Incomplete assessment design and distribution
- Limited governance, reporting, and business involvement
- …and more
Register for this webinar and benefit from hindsight as you start or mature your third-party risk management program.
Speakers
Alastair Parr
ISO 27001 lead auditor and implementer
Transcript
Amy Tweed: All right, welcome everyone. I see some people are slowly starting to trickle in. As you are settling in and getting comfortable, I’m going to throw a quick poll question up because we are very curious as to what brought you here today to our uh webinar, the 10 most common third-party risk program or, excuse me, third-party management program mistakes. Uh my name is Amy Tweed. I am here as um a person to help relay questions and keep everything going smoothly. Um, you see the poll questions here as you are settling in. We have, you know, what prompted you to join? Is it educational? You might learn a lot today. This is a really hot topic and I know I’m excited to learn a lot. Uh, maybe you have an upcoming third-party risk management project and you’re curious about what to avoid. This is a really good webinar to be at. Maybe you have no idea why you’re here. Um, but maybe stay. You might learn something. Um, and then maybe you’re a Prevalent customer, which is great as well. So, you’re learning how to use our platform and services um to its full extent. All right, so a few housekeeping things as we get started before I shine the spotlight on our uh webinar host today. Uh this is being recorded, so if you do need to pop off whatsoever, this will be sent to your inbox first thing tomorrow morning, so you can check it out at your own time. Um also, we want to keep this super interactive. So we have the Q&A function at the bottom of the screen. We also have the chat function, so if any questions pop up whatsoever as Alastair and Joe um are going on with this webinar, please send them our way. We really do want to help. So, um, please make it interactive. And without further ado, you’re not here to listen to me. So, I’m going to pass it on to Alastair Parr and Joe Tolley. So, Alastair Parr is Prevalent’s own senior vice president of global products and risk.
And we’re also joined today by Joe Tolley, another member of the Prevalent team who has worked with hundreds of third-party risk management clients to help set up their programs. Um, so I’ll hand it over to you. Hope you guys are both doing well today. Thank you very much. And hello. And hello Joe. Can you hear me? Okay,
Joe Tolley: can indeed. Hello everyone.
Alastair Parr: Lovely. So, uh, between myself and Joe today, we’re going to give you a bit of insight into the key challenges and issues that we’ve seen from really assessing and managing hundreds of third party programs over the years, and invariably we tend to see the same mistakes and issues and fundamentally the same challenges whenever we start engaging with uh respective customers and clients around the third party program. So, between the pair of us, uh beyond our general experience of having the oversight of third party programs, we’ve also got backgrounds in data loss prevention respectively, uh firewall and incident management, uh as well as operations and delivery, both for information security programs as well as of course third party risk specifically. That’s enough about us. Without further ado, uh just to set the scene slightly, we’re just going to give you a little bit of insight into really fundamentally what’s involved in a third party program. And as I’m sure many of you already know, but for those who don’t, just to reinforce, and this is really where all of the key issues that we find stem from, uh there’s a series of activities and actions that formulate a third party program. And starting at the top, what we typically see is that people start off with understanding, well, what are we actually trying to achieve? What’s the maturity of a third party program? Uh based on what we want to achieve, how are we going to track and react to that? So, what are the KPIs and KRIs that we react to? Then they define the scope. So, well, we know what we want to do. What do we do it against? And they outline the third parties and then they define what they want to assess them against. So how deep do we go? How broad do we go? Are we using assessments? Are we using monitoring, etc.? From there they tend to start doing assessments, capturing data, whatever it needs to be, and then standardize and review that data set.
Uh they obviously have to involve the business, third parties, in that process etc. before finally actually doing something with the data and then fundamentally repeating that process time and time again. Now, we’ll touch on some of the key issues and challenges that we see across the gamut of everything you see in front of you now, but something we’ve learned over time is it’s very very similar to how we deal with data loss prevention programs, which is there is a sea of information that you need to trawl through and get through and assess. And once you’ve got that data, people get paralyzed with what on earth do I do with it? How can I make it actionable and interactive as a human being? And we’ll touch on some of that shortly. So, firstly, as the primary starting point when we look at a third party program, people start with governance, reporting and business involvement. So they’re understanding from that prior slide, what are we looking at? What are our definitions of maturity going to be, defining our KRIs, etc.? It’s really that initial starting point which is capturing requirements and understanding uh the contributing factors and metrics that drive our program. And when you think about that, the very first challenge that we often see and the top issue is really down to the communications and responsibilities process that you see from the outset. So we’ve always and consistently seen that a third party program, as you expect, is a team effort. It’s a team not just in the sense of the third party risk team but uh it’s a team effort between legal, procurement, infosec, compliance, audit, etc. All working together, and the business all working together, to prop up this concept of a third party risk program. And too often we’re seeing people working in isolation. Vested teams have established processes, the business users are disinterested, etc., and they’re not working in collaboration. Tied to that is, well, how do we actually get people to work together?
They’re not defining the roles and responsibilities on interactions. People are intrepid about engaging the business in any sort of meaningful way. Uh and they don’t want to disrupt existing patterns and processes that might be in place. That could be in a specific business area, that could be related to how the business operates themselves, but fundamentally they’re scared of change in that situation. Now hopefully, for those of you on the call that have a program, that is you there at the front spearheading this uh functional and collaborative third party program. But more often than not, we uh do tend to see people um unfortunately with a slightly less polished approach, should we say, to third party risk management. So what can we actually do to prepare? How do we address these issues? First and foremost, what we normally recommend is start looking at the life cycle of third party risk management. So we want to understand, where does it start from? Well, we have sourcing, RFP, RFX processes up front that define who a third party is. That goes through various systems through contracts and procurement. Uh, and then goes through an intake process to be onboarded. Uh, that of course then follows through to the third party program eventually, who can then prioritize, tier, classify, and then drive risk remediation downstream. And the big issue we tend to see here is that far too often people are focusing on this tail end of this endeavor and they’re working in that isolated pocket. So, we’re always strongly recommending now to address this. Make sure you engage with everybody who’s involved in these upfront processes and make sure they’re capturing the right data from the outset. Next, what else do we recommend and what do we typically see? Well, we recommend you understand the criteria.
So, tied to roles and responsibilities, we would really strongly recommend that you know in your program what are the business functions that are supporting it. Uh what visibility you need in order to drive that program. How will we get engaged with audit for improvements, and also ownership, most importantly, at the bottom left there? How do we get ownership from the business and the various vested parties to drive that third party piece? And that lends itself to thinking about who are the various participants in this program, and I’ve alluded to it already, but the fact is there are multiple parties involved: procurement, legal, risk, operations and audit, and they all play a meaningful part in that process. The best third party programs we’ve seen have got all of those parties involved, interested, and collaborative and communicative in how they want to engage this. As much as they might have their own piece and objective, if they’re able to work together and see the fact that each relevant party has some contributing factor and need, uh then it works out best. And we see that function quite well with things like uh operations and governance committees that can meet on a monthly basis, steering committees uh that would drive that third party program with representatives from all of these so that people can support one another. So the information collection mechanisms used can support obviously the risk assessment components, help operations with looking at supply chain downstream, looking at SLA and performance management, and so on. So everybody can get some value out of the program and should be working together. So moving on to uh specifically roles and responsibilities, Joe, are there any particular uh challenges or issues or good practice you want to share?
Joe Tolley: Yes. Sure, Alastair. Thank you very much. Um, one of the most common things, which you would think is quite a um foundation for building a program, is a failure to have or create an up-to-date operations manual to support the program. So, this would be your manual of the key processes, the key roles and responsibilities and duties to actually carry the program forward. So, what we typically find is either an operations manual isn’t in place or it’s something that was designed day one um and isn’t actually maintained over time. So it’s a real recommendation to have a conscious decision or a checkpoint on a regular basis to create an operations manual. Make sure that there are owners of each of those elements that create or make up an operations manual so that we can ensure it’s up to date over time. It serves as not just a reference guide for um developing the program maturity going forwards, but for any new starters within the program itself, it would of course serve as their instruction manual or process guide to develop this over time.
Alastair Parr: Lovely. Thank you Joe.
Joe Tolley: No problems.
Alastair Parr: So uh just to reiterate the points on that. So we are fundamentally looking to work collaboratively. We don’t want people working in isolation, and those vested teams and collaborative efforts are really key to addressing some of those common challenges that we’re seeing there. Next on our journey through the third party life cycle is program KPIs and KRIs. So the indicators and performance indicators that we expect to see in the measurements of a successful program, whatever that may be. And this is an unfortunate one. It’s actually, despite it being such a prominent area, quite often overlooked when we’re looking at third party programs. People are so fixated and transfixed on can we do assessments, can we enable monitoring? And considering sort of the scale of what they’re looking at, they fail to consider some of the depth and context around the information they’re capturing. And that’s pretty natural as a human being when you start looking at, you know, numbers in the thousands, tens of thousands, and so on, because it’s very hard to start processing that sort of volume of data. So what we’re seeing there is that people are using volumes and raising a flag and saying, “Oh, I’ve conducted 5,000 assessments this year. I’ve enabled monitoring on 40,000 vendors, etc.” And that sounds brilliant in isolation, but when you realize you’ve got 150,000 vendors in your estate, it’s actually not so great. So they’re using the coverage value as a factor in success. It plays a part, but there’s lots of contributing factors beyond that. Uh we’re seeing lots of people failing to associate results and targets to available resources. Uh so this is about actually making the program achievable.
So if it was just poor Joe and I sitting there driving a third party program for 150,000, I’m probably not going to be too successful and I need to temper my expectations of, you know, my peers, the community, the business to reflect that. So people quite often are biting off more than they can chew. Uh next, too many are failing to plan risk tolerance upfront. So to manage some of that, they’re not considering, well, what is a proportionate risk appetite that we’re able to accept based on our capacity in order to drive risk? I can’t simply say that every single issue I find needs to be fixed because it’s just untenable. And then finally, and this is very prolific unfortunately, but far too many overestimate the third party’s willingness to contribute. Now, if you’re turning on passive monitoring, for example, then that’s great. It’s an indicator. It’s good information. But, uh, to get deep under the covers of the third party, you need to engage them, conduct assessments and so on. And invariably, well, generally invariably, they are not particularly receptive in giving you information once they’ve got your money. So looking at these misleading and unrealistic targets, it’s very simple just to look at that picture at face value and just assume things are chaos and uncoordinated and unmanaged. But that’s generally controlled by the confines of the program that you’ve created. So if you have a 45-degree gradient hill and you’re rolling cheese and running down, then you’re going to expect a bit of chaos. If you’ve established a nice set of parameters for yourself, you’re going to fare far better. So, what are the factors we want to consider to demonstrate good progress? Firstly, is uh maturity assessments specifically. So, Joe, I was hoping you’d be able to give me a bit of insight into what you expect to see in a good maturity assessment.
Joe Tolley: Sure. We are a big fan of maturity assessments. Uh we find that organizations aren’t conducting these enough. Uh we recommend performing these quarterly, and it serves as a formal opportunity to take a step back from your program, actually look at the key components that make up a program and help it develop, uh and actually assess how well each of these areas is doing. The approach we use leverages the capability maturity model, uh and what we would really do is identify what the key aspects are uh and then assess each of those components, you know, very granularly with the teams that actually run or manage each of those components. So as some examples, the things you’d expect to see here is looking at the coverage or the scope of your third party program. How many third parties are actually being assessed? What do the gaps look like? Uh then moving on to things like the content that’s being leveraged. You know, is it something that’s based on an industry standard? Is it sufficient quality? Is it capturing the data you need? Then delving more into the operational aspect. So looking at the roles and responsibilities, looking at that operations manual piece that I touched on a second ago, uh looking at remediation, and then of course the metrics that support the program as well. So, if you plan to do this exercise quarterly, it’s going to uh ensure that you’re maintaining a record of where these weaknesses are as well as the things you’re doing well. Uh and then of course, you’re going to associate some responsibility to actually developing those key areas. The really valuable thing as well from doing these types of exercise, if you do have some form of metrics as an output from a maturity assessment, like you can see there with the five-pillar approach, uh it can help identify where the weaknesses are.
See, of course, where the most important deficiencies are that you’ve uh gained from that exercise, but also it can demonstrate some of the successes you’re having quarter on quarter as well. If you do implement or have a conscious effort and a project to improve certain areas, it’s often good to be able to demonstrate back to the business that, you know, the resource you’ve associated to improving content, you know, is having a positive impact on the program. And you can demonstrate that by seeing, you know, the maturity scoring increasing over time.
Alastair Parr: Thank you, Joe. We have had a question come in as well. I wonder if you’d possibly be able to answer it, which is, uh, who would be in the best position to perform the maturity assessment within the business?
Joe Tolley: Yeah, very good question. Um, normally what we like to see is a program lead, so someone who is actually responsible for managing the overall um accountability of the program. But more often than not, they won’t actually have insight into all of these areas individually, which is why it’s important to associate the right representatives to the right types of aspects that you’re assessing within the assessment. So if you have someone that’s been responsible for content and it is their responsibility to look at the question sets you’re sending out quarterly, um then obviously they’re best placed to look at that in more detail. So although you have someone that’s overall uh accountable for the program, we do believe in there being a particular committee that would be responsible for answering this, you know, in its most accurate way.
Alastair Parr: Okay, thank you Joe, and just to second that point, if you don’t have the relevant resource, by all means let us know; we do offer free maturity assessments as well for you. So beyond the maturity assessment, on the basis you’ve done that maturity assessment, so you understand well what you’re actually trying to achieve across these various pillars (coverage, content, roles and responsibilities, remediation and governance), you can then start looking at the actual key KPIs and KRIs of the program itself. So for example, common mechanisms that we tend to consider, and they can’t be looked at in isolation, if we’re looking at assessment workflows for example, is starting from the right: the percentage coverage of the third party estate. So I mentioned at the start, if I’ve done 5,000 out of 150,000, 5,000 sounds great, but as a percentage I can see that’s actually not as uh palatable as I may have hoped. The assessment response rates: so if I’m doing assessments or if I’m enabling monitoring, what sort of success am I actually getting? So x% have been uh achieved, I’ve got responses for, etc. And that’s an important metric because it helps drive insights into what’s working and what’s not. One of the common issues we’re seeing is that people are blindly assuming that the process they built on day one is effective, when the reality is they need to tune and tweak their methodology in order to get the businesses to respond, the third parties to respond and so on. Uh and then we move on to actually risk management. So the risk reduction targets per month. So what do we actually want to reduce risk values by? What does good look like for us, and then what’s actually been managed to an acceptable level? So I talk about risk tolerances, risk thresholds. A common thing we don’t see is people putting a really definitive line in the sand and saying we accept risk below this value.
For those of you on the call who are risk management professionals, you do know that risk is absolute. There is always going to be a risk out there of some description and you can’t mitigate absolutely everything. So with that in mind, there should be a definitive statement from the business to say what is a tolerable amount of risk, and equally so you can define things like key controls and things that are absolutely not acceptable. So the things you actually would want to focus on as risk domains. So these metrics of course should support your low-level KPIs. And they also set the management expectation on what good should look like. Those are good measurements and tracking points for your programs.
Alastair Parr: But Joe, I wonder if you could illuminate for me. How does this actually get mapped into a process, a good third party process?
Joe Tolley: Yeah, no problem. Um so we have this life cycle diagram that you can see on the right hand side there. Um the main benefit of presenting information like that is that we see third party programs being something that needs to be reviewed often. Um things need to be enhanced and optimized over time. Uh and as I said earlier, this is something that’s a common downfall for a lot of organizations. They have something in place day one. Uh they don’t then set these review sessions in, or ways of actually enhancing and reviewing um what they’re doing to support the program. So this is all about looking at that life cycle and making sure that there are conscious decisions to improve things over time. Um as Alastair said there around scope, you know, if you’re assessing 5% of your third party estate day one, uh the processes to support that might be quite basic. You have enough resource to manage those. As you start to expand that scope over time, that’s when you need to start looking at uh reviewing some of these processes and seeing how you can enhance them to make sure you can um cater for additional scope or changes in scope over time.
Alastair Parr: Thank you, Joe. And for those of you more keen-eyed, you may have noticed that Joe is a program director, not a project director, for the very reason that it needs to be an iterative, repeatable cycle. Uh it’s not a point-in-time exercise when you start looking at a third party program. So you’ll notice we consistently talk about third party programs, as people generally do in the space, for that very reason. It is a life cycle that does need to be pruned, tweaked, modified over time to become something that uh is enhanced. So next on our journey, we’ve defined our KPIs and KRIs, we’ve established the program baselines and metrics, and now we’re going to look at actually looking at our third party estate and scoping and prioritizing it. And when we start looking at that, really it becomes a scale issue that we’re trying to address, and we see the common issue here with scale, which is that too many people don’t have enough meaningful data. Now this isn’t necessarily their fault, but it’s tied to, well, technically bad business processes over time. So they may not have the information from the onboarding process to let them know what data is available. So do we simply have spend of the third parties? Do we know what they’re doing? Do we know who the business owner is? Etc. And the data is there to be able to make those meaningful decisions. Now you can try and retroactively fix that, but that’s a pretty enormous endeavor itself when you start looking at large scale third party programs, and then people tend to fail to actually get the business context in it. So they’ll make decisions based on things such as, well, what is total spend and what is the base service they provide. They don’t really consider, well, what are they actually doing for us as a third party? What line of business or service are they actually supporting? And then finally, too many are biting off more than they can chew.
And what we mean by that is that they will optimistically go into that prioritization and profiling process and say, typically, let’s say we take a tier one to three model, tier one being the most critical, tier three being the least critical, they’ll apportion things accordingly. They might try and go for say an 80/20 rule, for the tier ones being the 20%. But the proportionality there is not considered. If it’s just Joe and I running the program, that’s probably going to be unrealistic for the volumes. The fact is we either need to temper the prioritization to reflect the resources of the business, or alternatively we need to shout and scream about getting additional resource, whatever that may be, in order for us to be able to meet the business aims and objectives. So something we do and see quite a lot is that up front people will be spending time on doing a resource calculation so they understand, based on the resource they have, and that’s people and technologies and so on, what can they realistically actually process and achieve, and have that feed into their prioritization and tiering methodologies. So dealing with this scale problem, there’s obviously a point of, well, how do we actually effectively manage it as a human being? It’s quite problematic. We’re not designed to really process scale. Uh but there’s a couple of ways that we see helping and addressing this. And one of the first points that we normally would consider is, well, what is actually in scope? What is a third party? And it’s a fundamental question that you’d like to think people have asked themselves up front, but in reality, we often see people going with a preconceived notion on what a third party is when they enter their programs. But when you actually look at what a third party is, a third party is a broader term than vendor. It’s a broader term than supplier, and intentionally so, because a third party is really anything that could be supporting the business.
It could be contractors, service providers, systems and assets that are helping it. Uh and then equally so, people who have access to your site that might be indirectly linked to a third party, like a fourth party for example. So when you actually understand what you have in scope, uh then that’s where it becomes a situation of how on earth do I prioritize that. So Joe, how are you seeing people considering these different factors in prioritization?
Joe Tolley: Yeah, sure. I think the first thing that really needs to be put in place and improved upon for most organizations is that onboarding process. So not a lot of organizations actually have the right information collected up front about a service that’s being provided so they can identify the impact that third party might have on the business. So looking at things like the service being provided, obviously going to be great to be able to categorize and even report on that information. Um but also assessing what type of impact there would be if that third party were to fail in performance or delivery of the service. You know, would a business unit not be able to function anymore? Would systems go down? So, asking those types of questions around what the true impact is of a third party to the business is going to be really helpful in prioritizing who should get assessments first, what types of assessments, and what type of content should be included in that as well. So, um that’s obviously brilliant, making sure that that uh upfront onboarding process is improved. So, that’s definitely a common deficiency there. Um, also making sure that uh the systems you have in place that already have information collected are actually looked at to identify what you can leverage now to support the program. So if you haven’t had all of the historic benefit of having a fit-for-purpose onboarding process, there may be ways that you can leverage information that already exists to be able to identify and form some form of uh prioritization of your third parties for assessment. So this is something that commonly uh isn’t considered an exercise that’s um worth doing because there’s some sheer volume in doing that type of activity. But there could be information leveraged from teams like the procurement system, from the procurement team. There could be information from previous GDPR engagements or known third parties that um require PCI compliance, for example.
And all of these can readily highlight information that’s available to help identify a method of prioritizing vendors or third parties as you feed them into the program.
Alastair Parr: Thank you very much, Joe. Now, we actually had a question come in which uh ties into uh our next point, which is how should organizations consider beyond tier one of the supply chain for TPRM? Uh and it’s a very good question, and quite often we tend to see success being in, as you expect, a sort of pyramid-esque model here. Um what we typically see and what we are recommending people do is that they start um apportioning the right quantity of effort that they can against uh the right third parties. So you can see here is a generic example. We’ve got, say, 15,000 vendors in our estate that we want to try and manage, of which say 4,000 are going to be subject to continuous monitoring because they’re prioritized. Two and a half thousand would therefore get some form of risk remediation or assessments based on that. Uh 1,500 assessments are distributed. 300 contextual assessments are done, which is an in-depth review of the assessment results; uh 100 of those might be subject to additional validation exercises, and then of those 20 might require on-site audits. So when you actually look at that in the entirety of it, you’ve created multiple tiering. So yes, you do have a tier one, tier two, tier three model where you might say assess the tier 3s on an every two- to three-year basis. You might just use continuous monitoring against them, etc. But the reality is you really need to start breaking down the tier ones as well to consider the level of effort you want to invest against each of those tier ones. So, some of those might need an on-site or remote audit. Some of them might need some contextual information shared with the business, for example. Uh, and that may extend beyond the tier ones as well. Now, tied to that question. So, if we’re actually looking at the tier 2s and the tier 3s, we appreciate that we might not do very much with them. We may just repeat this process on a slightly less frequent cadence.
It’s all going to be tied again to the business resource. If you’ve only got a small number of people to actually manage your third party estate, you may really never be able to do more or anything than tick a box, or try and do some very lightweight assessments against those third parties, or be quite reactive in how you’re engaging with them. But the best chance you’ve got is enforcing, as part of the renewal process, capturing information on that third party so you can make an effective decision about which tier they’re in and therefore what amount of effort you’re going to associate to those. So it can be an iterative process to start feeding them into this broader life cycle and workflow. So onwards to assessment design and distribution. So we’ve tiered, we’ve profiled, we know who we want to engage with, etc. And obviously a core foundational component of a third party program is assessments and continuous monitoring associated to that. And when we look at the noise that we see associated to a third party estate and managing them, we see some very common themes and issues. So firstly, we’re seeing that too many lack regular, consistent assessment formats. Now this is simply a case that it may be, while not a one-size-fits-all approach for assessments, you at least want to be consistent in the fragmented question sets that you’re asking them. So, you should always be asking about certain key controls. Uh certain domains might be only relevant for certain services, but you want to be consistent in how you structure those domains and capture the information. And those domains are beyond assessments. We’re talking about cyber monitoring, business monitoring, financial monitoring, ESG, etc. Uh too many of them are actually failing to consider the communication mechanisms, which is, well, how do we actually engage with these third parties in a way that’s effective and at scale?
Quite often they’re relying on an initial interaction and then realizing that 50% of the estate isn’t actually responding back. So they don’t know how to actually talk to the business, their own business, as much as the third parties. And then too many fail to ask contextual questions across a full profile. And what we mean by that is people are sending out, say, SIGs, H-ISAC assessments, PCs, their own proprietary assessments, whatever it may be. But what they’re not doing is actually asking the questions you’d expect up front. So, we’d want to understand who they are, what are they doing, what do they need to do that, how are they doing it, etc. The information that helps feed and drive our decision-making process. And also too many of them are simply failing to engage the business. Now, this is probably the most prolific issue we see when it comes to the assessment methodology, which is we are driving a third-party program because these third parties are providing a service to the business. It’s not just Joe and I who are getting value out of these third parties. We’re not doing it for fun. We’re doing it because the business has a need to do so, and they’re essentially functioning as our customers in a third-party program. So we need to engage with them, communicate with them and share the information around what a third party is doing and, where necessary, get their involvement and buy-in. So these are the stakeholders, the project sponsors, these are the relationship managers, the third party, etc. They should be as much a part of that assessment process as possible. So we look at that sort of consistency and engagement. There also needs to be some form of structure. It can’t be some lovely free-for-all for that sort of third-party process, or third-party party. We need to make sure that we have consistency in that approach.
So Joe, I was hoping you could give me a bit of insight into what you’re seeing as good practice and what some of the pitfalls and traps are related to the assessment methodology of a third-party program.
Joe Tolley: Yeah, sure. I mean, over recent years we’ve seen lots of weird and wonderful ways of assessing third parties with different questionnaire content. I would say that’s probably the most common downfall: an inefficient way of capturing data to be able to identify risk and work with risk efficiently. Having a question set that is free-form text responses, for example. It just means there’s more time spent on interpreting data that comes back. As soon as you leave yourselves open to free-form questionnaires, as well as making it difficult to identify risk, things like scoring risk also become inconsistent. You have different representatives looking at responses in different ways. It makes it very, very hard to produce an accurate, standardized, consistent risk register that the business can use. And of course that then makes reporting inconsistent as well. So tidying up questionnaire content to a point where it’s something repeatable, something as binary as possible to be able to capture standardized fields, for example, which you can then associate risk weightings and scorings to, is probably the one that is most common but gets the best value back to the business. Once you have those risks defined and you have your risk weightings defined, you know that becomes a standardized exercise that you can carry forward in the business as well. You know, looking at risks, looking at scores and identifying what’s acceptable within the business from a remediation standpoint, and what happens next if someone actually does generate a risk of a certain scoring. So certainly making sure that content approach is as efficient as possible.
It’s going to be an investment of time upfront to make this as detailed as it needs to be and as binary as it needs to be, but obviously you’re paving the way for an efficient future with managing that content and the responses you get back as well.
Alastair Parr: Thank you, Joe, and completely agree: that upfront work, that preparation, that party planning makes all the difference in what happens subsequently. So to give a few examples of what we’re seeing on that, so what sort of types of content we actually want to start seeing, that we are seeing more regularly now: typically a third-party program, as I mentioned, involves multiple parties, and we’re seeing considerations around information security, so of course key controls, key domains, etc.; business continuity, disaster recovery, resilience, particularly in the last 18 months, funnily enough; the regulatory obligations, bringing in compliance and audit and legal and understanding, well, how do we actually start factoring in things like, you know, California regs, GDPR, our own local regs, vertical-based regulations; considering threat data. So we’re seeing more and more people now considering things such as, well, passive vulnerability scans, of course results of pentests, and getting exposure to executive summaries of pentests. That’s become a lot more prominent now, rather than just relying on, you know, a SOC 2 report or an ISO 27001 statement of applicability; people want to get some validation against that. And then suitability, so components such as ESG, financial stability, ethics controls, quality, sustainability. That seems to be becoming more and more dominant, actually, in some of the third-party programs we see. So historically we’d see very strong focus on the far left, really, and what we’re seeing is, as time goes on, people are evolving to start factoring in additional threat criteria and then suitability into their programs. So thankfully we can say that, while it’s a common problem, we are seeing that problem gradually getting addressed by people, which is reassuring. Now, once we consider some of the criteria that we want to look at, we then need to consider what a vendor profile looks like.
So looking at, for example, the third-party program’s tier one, tier two, tier 3s, there might be a subset of this that we want to cover off for each of those. And again, quite often some of the common pitfalls we see is that people are focused on either just certifications or just assessments, and that’s dangerous.
Alastair Parr: We do recommend considering the entirety of these, and a common trap that people fall into is they’re not considering things like the financial profile, bar looking at it in isolation. So things like credit ratings. They’re not looking at the ESG feeds. They’re not looking at proactive events and business context that feeds information. So, I’m consuming a service from someone, and then I can see they’re now being acquired in 3 months’ time. So, I can expect some changes to how they function and operate. It’s all good contextual data that helps me understand, well, what is this third party doing, and contributes to their profile and how I’m ultimately going to drive their risk. And at the top left, we see more and more people dealing with this, but it is fundamentally one of the biggest issues in third-party risk, which is nth party. So we don’t have the resource to manage the third parties. So how on earth are we going to get down to the fourth, fifth, sixth parties and so on? And there isn’t a quick and simple solve for that, bar, well, we need resource and we need to look at intelligent ways of capturing that. So we do at the very least recommend people are asking questions: who are the nth parties you’re dealing with? Why are you using them? And just getting context; at the very least you could start making some decisions, if not reaching out to those nth parties yourselves. So now looking at actually some of that prior preparation we’d want to see for some of those workflows. We want to make sure that we’ve defined what good looks like, what the risk ratings need to be, what the assessment question sets need to be, what type of monitoring we are going to enable, and then what the remediation requirements are on the business and also the third parties. A good program addresses three of the key areas at the bottom there.
So, single points of failure, still a common issue unless you’re starting to document your past remediation and what you’re trying to do. So you’ll have, say, a few auditors or a few consultants who are subject matter experts, and you rely on them to deal with everything in this risk domain. That’s great.
Alastair Parr: But when they leave one day and someone else takes their place and has a completely different perspective and risk tolerance, that’s going to be reflected in the results that you get, and your program, whether you expect it to or not, will start deviating and patterns will emerge. So we recommend documenting and being consistent in how you’re actually tracking these risks, assessments and requirements, and then try and mitigate some of those points of failure. Responses: we don’t really recommend yes/no responses. We do recommend that you have clear, prescriptive choices around your assessments. We’ve seen that to be more effective because you’re indicating what we need to see, as opposed to letting them interpret the question set directly. It also can reduce the question set quite heavily. And then defining the recommendations that I mentioned up front. And this third-party communications piece is a massive issue that we’re seeing in third-party risk, which is people are sending out assessments, engaging with the business, but they’re not really considering some of the marketing aspects of this, which is: we’re talking to the business internally, we’re interfacing, we’re talking externally to vendors, third parties, suppliers, but quite often the timing, tone and source of those communications aren’t really considered up front as part of the program. So one of the quickest fixes we see to the issue of insufficient assessment results, so people not responding to assessments, people not engaging, or the business themselves directly not engaging, is considering these factors. So this is quite often one of the simpler wins that we tend to see when we’re dealing with a program. So we need to understand, well, how do we engage with the business? Not just when but also cadence. We need to understand the tone. So how do we communicate in a way that’s going to get some results back from the business?
And then also who does that voice need to come from? Is it the CISO? Is it the CIO? Is it the information security manager? Is it the business rep’s manager themselves?
Alastair Parr: You know, there’s different aspects of the business that can weigh in on this and get their buy-in in order to make people react. That can even be to the point of getting procurement and legal involved in the cons of the third parties. So one of the key takeaways we’d say from the session is: do consider your third-party communications. We can actually learn a lot from some of the marketing teams in our respective companies to understand what’s effective and what is not. Now onwards. We’ve got this raft of data. We’re doing fantastic. I’ve got a hundred risks for every single one of my 10,000 vendors that I’ve assessed and monitored, and now I’m staring at that ocean unsure about what to do. So one of the big issues we see when it comes to actually remediation and tracking of that, so one of the biggest issues up front, is poorly defined requirements and drivers. So too many are failing to advise the third parties upfront on what good looks like. What are we actually expecting from them? They’re looking for guidance on the least amount of effort they can invest in order to make you happy, and we need to give them some guidelines and milestones for that. So, we recommend that people give remediation guidance up front to streamline that process. Good even looks like giving them some content that they can reuse and repurpose, as long as they’re using it effectively. And also, equally so, too many people are failing to actually pass that problem downstream to the third parties themselves. They take the responsibility of driving the issue, acting like an auditor, when really we want to arm the third parties to manage the risk remediation process directly themselves. Otherwise, we’re stuck with hundreds of thousands or millions of risks and issues that we’re able to track, and we just get paralyzed in not being able to actually do anything about it.
So, if you look at the core problems around this, quite often it is a scale issue.
Alastair Parr: It’s a case of we’ve got lots of parties and participants who are wanting to do the bare minimum because they want to continue getting the revenue streams they’re getting from you to provide a service, and they don’t want to invest any unnecessary effort in doing so. And beyond that, we need to get them to do it in a way that’s effective and can demonstrate we’re hitting our KPIs and KRIs. And when you look at it that way, you realize you are basically just herding, well, many, many cats, the third-party estate, which is problematic. And for any of you who have tried to herd cats, you do realize that it takes an element of skill and luck. But there’s a few things that we look at and we consider when we start looking at what that process could look like. So, first and foremost, this is an overwhelming slide, which is why I prefaced it with a nice shiny image. The reason why it’s overwhelming is because this is an example workflow of what a good program could look like. You see, there’s multiple checkpoints, there’s multiple criteria involved in it, and multiple stages and steps. But when you break it down and distill it to its most basic levels, it’s a case of going through those milestones, understanding how much effort we need to place, and then whenever we’ve hit the appropriate milestone, stop. Don’t do more than we need to. We’ve got the data back. Do we need to engage further? Do we need to invest more resources, etc.? This remediation, tracking, and management process is all about investing the minimum amount of resource possible to derive the most effective amount of outcome. We see people getting paralyzed by perfectionism, trying to make sure they get everything and every single vendor managed to the nth degree. And in the vast majority that’s not necessary. The point is there’s going to be milestones and checkpoints through that remediation process where you can stop and move on and get on to the next.
That also extends, of course, to the third-party program generally, which is: perfection should not be the end game. So looking actually at the remediation process itself, Joe, is there any sort of guidance or thoughts that you’ve got around how we can drive risk remediation effectively?
Joe Tolley: Yes, lots of thoughts here. Mainly around defining logic up front to support these types of processes. As you said, Alastair, there could be tens of thousands of risks to go through. So, identifying a way of prioritizing those is going to be key. One of the best investments of time that I can think of is looking through the actual survey content and actually stemming this process from there. So, looking at the questionnaires, the questions we’re asking and the responses available, we could actually predetermine what should happen next if a third party answers in a certain way. So, if we’re asking whether a third party has an infosec policy and they say no, we already know what the outcome could be. So maybe we could invest some time in actually deciding internally what we should do if someone answers it in that way. Obviously an infosec policy should be fairly important. So we should then set up some basic guidelines up front about how our remediation team should be engaging with the third party, what they should say, what the expectations from them are. You know, maybe it’s that an infosec policy is needed within 3 months and we want it to contain X, Y, and Z. So using the questionnaire content and some of the key controls within there, we can already identify what the next steps could be and define a bit of a playbook for how we approach reviewing responses and actually managing the risks that come from it as well. A real benefit to doing that is that we don’t have to leverage risk remediation experts if we have this information defined up front. So if there’s a resource shortage and we’re not able to get through enough risks month on month.
If we perform this type of exercise to define our if-this-then-that type logic here, we could actually have someone else from our analyst team, perhaps, reviewing those risks and actually being that first-line person engaging with the third party to help resolve some of these risks. So we can make the process a lot more efficient again by investing time in looking at the questions, the responses and how we should act if someone responds in a certain way. Looking at the prioritization here, what we really need to do, again stemming back from the questionnaire stuff, is looking at what the real key controls are that we need to be met from our remediation process. You know, are there a specific set of risks or questions that have to be in place if they’re a tier one third party, for example, or vendor? And actually identifying what good looks like to us, what our sort of foundation layer is to actually move forward with a vendor. If we invest time in defining what those parameters are, then of course we are much more equipped with the right tools to be able to engage with a third party, have a very efficient conversation with them, set some clear targets on when things need to be delivered by to actually, you know, progress with a vendor and move forward with them. And because we have the experience as well with looking at these risks and defining what expectations are, we can also manage the level of effort we expect from third parties to support us as we move forward through these risks.
Alastair Parr: Thank you, Joe. And I see we’ve got several questions coming in. We’ll try to answer some more of these in the Q&A section, but one I’ll just call out because it’s particularly relevant to this point is: how do you provide remediation guidance while avoiding liability if your guidance fails? Are you speaking to high-level guidance without getting into specific action plans? And it’s a very, very good question, because there’s a fine balance between advising them on what they implement and then of course having a degree of liability associated to that, but you are acting as an adviser. You’re not removing that obligation and commitment of theirs to good practice and having their own internal audit and compliance mechanisms here. What we’re talking about is giving them some outlines and insight into what good practice looks like. So we would recommend telling them this is what we expect to see, and then they come back to you with some outline about how they apply that within their business. It isn’t going to be cookie cutter. It isn’t going to be one-size-fits-all in that respect. It is going to be a situation where, you know, they need to come back to you with a plan of attack, and then, unfortunately, as a risk and compliance specialist, you need to make an informed decision as to whether that’s within your risk tolerance or not. You’d assume and outline up front that you’re not accepting, of course, any liability associated to that. Good question. So before we just move over to some of the other questions, if we just loop back then to the very, very start: when we’re actually looking at the third-party workflows in themselves and the third-party life cycle and what we actually dived into today, there are of course multiple elements within that journey, within the third-party program. And a lot of it, as you can see, starts with upfront exercises.
Now, if you are adopting a third-party program or inheriting one, then there might be some bad practices outlined up front. Don’t feel you need to adopt those, and we would very, very strongly recommend that you spend time to dig into that, engage with the business, see if they’re necessary, and if possible adapt and adjust. Quite often when we’re seeing these programs fail, it’s because they’re built on foundations that are somewhat shaky from predecessors. So there’s a lot of planning up front, and it is a case of optimization and tweaking and pruning over time to make it effective. Now, on the left-hand side here, that standardization and benchmarking, when we’re actually going through volumes of data. Now, of course, you can use machine learning, AI, etc. to help support that. But there is invariably a human factor. There is going to be context in how we interact with third parties. There’s going to be context in what our requirements and decision-making processes are that would drive how we drive that remediation process and how we actually engage and measure success. So, if we’re going to summarize and distill what is good practice on this and what to avoid: don’t work on bad foundations. Make it a program; make it repeatable. Make sure that you’ve got the mechanisms in place to succeed. So make sure that your efforts and targets are proportionate to the amount of resource that you’ve got available, and spend the time to plan up front so that you can make it repeatable, consistent, capture context, and engage with the business. Before we open up to Q&A, Joe, is there anything else you would like to add to that?
Joe Tolley: Just on that point there, Alastair, I think it’s, you know, a really good point of where to start if you are thinking about where to start in progressing and optimizing a program, especially if you’ve, you know, inherited something. And I would certainly recommend that whole phase we talked about regarding the maturity assessment piece, just that checkpoint review of each of the components that make up a healthy program, so you can identify where the potential weaknesses are. You know, it may uncover some real foundation-level stuff that could be really easily and quickly fixed but obviously improves the efficiency of the program as a whole. So I’d certainly recommend taking a look at that type of engagement or exercise first, because I think it should identify some clear items that could be reviewed and, as I said, some quick wins.
Alastair Parr: Thank you, Joe. I can see some questions coming in thick and fast. So we’ll move over to the Q&A session for the next few minutes.
Amy Tweed: Okay, I’m popping back on here. So just before we get to those questions, I’m going to give Alastair and Joe a break so they can have a sip of water and take a breath. But that was a really great presentation. Especially love the picture of the herding of cats. That was awesome. Great imagery. I’m throwing in a quick poll question just in case some of you have to hop off early. So, like we mentioned, we are here to help. So if you are looking to augment or establish a third-party risk program this year, maybe looking into early next, you know, let us know: yes, no, I’m not sure. We’re here to help. You can always email us at info@prevalent.net as well if you’re looking for someone to chat with. So we’ll open it up for some Q&A. I see we do have a few questions. I’ll leave up the poll question for just a moment here. And if you do have any other questions as we are finishing up here, please take a moment to bring them in. This is a really good chance to get all of your questions answered. So, Alastair, Joe, I will read them off for you if that’s fine, and we’ll go from there. All right, we’re ready to go. Okay. One of the first questions I see here is: do you see situations where third-party risk management results are such that an organization elects to bring activities in-house?
Alastair Parr: Yeah. Well, that’s a very interesting question, because quite often if you speak to the business, they’re going to say, “No, I need this. There’s no alternative. We need to proceed and accept all the risk and liability associated with this third party.” So, it’s a challenge because you’re trying to convince the business, who’s obviously got a vested interest in onboarding that third party, that there might be associated challenges. And really, yes, we see situations. It’s really going to be dependent on the appetite of the organization. A lot of businesses, of course, prefer to insource rather than outsource. But we do see situations where, where possible, you can bring in resources to accommodate the same ask. The challenge, of course, and the reason why a lot of people go for the third parties, is that they are specialists, or should be specialists, in their field, and you’d like to think they’re going to be more efficient and arguably better at what they’re doing because they are living and breathing that day in, day out. But we find it difficult to find a situation where you say no to the business, and that’s the biggest driver into whether they’re going to bring it in-house or not. So, it’s going to be very dependent on your business tolerance and the relationships you’ve got with your wider business.
Amy Tweed: Got it. Thank you for that question. All right, moving on. What is the difference between contextual assessment and assessment via PCF domains?
Alastair Parr: Ah, it’s a very keen-eyed person there. So, a contextual assessment is fundamentally looking at the who, the what, the where, the why, the how around that third party. Who are they? What are they doing? How are they supporting you? It’s not actually risk-domain-based questions or, you know, associated domains. It’s very much about, and there’s no right or wrong answer, it’s just giving us enough information to paint a picture of who they are, what they do and how we should approach them. So that’s why we focus on the contextual assessment, and we can use that data to correlate against the various risk domains that we look at. So PCF, depending on your interpretation, quite often will be the policy and control frameworks that you’re looking at. So looking at the various controls of the business, the processes, the policies, and then you correlate the two: what context, what are they doing for us? Does that mean I actually need to worry about something? So, you know, if they’re cleaning fish tanks for you in your reception, but never actually go inside the business, you’re probably not that fussed about things like their physical security posture in their offices. So, it’s all about context being key there.
Amy Tweed: Awesome. Thanks for that question. So, yeah, we have a couple more here. So, I know we’re getting close to the top of the hour, about six more minutes. So, if you have questions, throw them in now. You’ll get some experts to answer them, which is really nice. So, the next one here: if a company is in maturity level two, how long does it take to get to a 4?
Alastair Parr: That is a very good question. So Joe, you are our resident expert on maturity assessments.
Joe Tolley: Yeah, sure. No problem. Yeah, a good question. It’s difficult to say. From conducting these maturity assessments, you know, to date, it could be that you are at a healthy level two and, you know, the strive to get to a four is some real, you know, optimal stuff. Or it could be that an organization already has a mature program but they’re missing some of the foundational-level stuff, which is why the maturity level has dropped down quite a lot. I would say that it’s difficult to put a time on it, but I would say within 12 months you should be able to, you know, mature at least sort of one level. But this is all going to be about the number of items that contribute towards that increase and obviously the resource you have to support those types of exercises as well. The maturity assessment that we conduct, the output is a nice binary list of items with some estimated levels of effort against them. So, this might be a great idea to get involved in that type of maturity assessment just so you can see the types of things that we look for that contribute towards maturity level increases. And of course, then we could give you some quite accurate detail on how long we would expect, you know, quite a mature organization to be able to get there.
Amy Tweed: Great. Thank you, Joe. All right, a couple more questions have come in. So, the next: you mentioned communicating with the business. This person agrees, but what level of detail do you provide to your business stakeholders so they can make an informed decision?
Alastair Parr: Yeah. So, it’s a challenging point because they’re relying on you as the subject matter expert in some respects. And quite often the process we see is the third-party risk management team would provide some insights and some informed guidance to the business owner and then ask them to accept or reject and pass the onus on to them, which is a bit unfair because they’re not the subject matter expert. The third-party program team should be giving some more definitive guidance to the business owner on what the associated issue is and what they’d expect. So we don’t normally recommend giving them every nuance, every risk, every issue. What we’re generally saying to them is, you know, let them into the third-party party to some extent but not all the way. Let them see the overall summaries, give them some guidance and recommendations, and hand-hold them through that journey of making that decision. By all means, the buck can stop with them and they can make that final decision, but they don’t need to know the nuance of every single risk and issue.
Amy Tweed: Got it. Thanks, Alastair. All right, this last question from the audience I really like. So, they’re looking for elaboration on additional third-party risk management KPI improvement metrics that one can use and how best to track them.
Alastair Parr: So, if we’re looking at program KPIs, we differentiate here between a KPI and a KRI. So if you’re looking purely at the performance of the program, there’s levels of expectation that you can attribute based on the resource. And what we normally do to drive our KPI criteria is we’re using a resource calculator up front. So firstly we map out the high-level service workflow. So we need to understand what are the checkpoints and milestones. Against that we feed in the volume of the estate that we’ve got, and then based on that we can define what an effective KPI is. So we know we’ve got tier ones, tier twos, tier threes, for example; they need to go through these checkpoints and milestones. We don’t know up front how far through that each of them is going to get, but what we can understand is what our team is able to get through with the automations available to them and what they’re able to do. So good KPI improvement metrics: what we want to see is how can we find ways to increase the volumes of third parties getting through the respective checkpoints, because you’re very rarely going to have a situation where you’ve got more resource, more capability, than you have third-party estate. It’s usually the other way around. So some of the best KPI improvement metrics that we expect to see are: we see X number of third parties get through the assessment process in this number of days; how can we make that shorter? We see Y number of risks; how can we reduce that based on our risk tolerance? How do we reduce the number that we’re having to accept on a regular basis? And that’s not by removing risks. That’s just by changing the goalposts on what we deem to be acceptable and tolerable. So any good KPI improvement metric needs to be driven from the resources available and the automations that you have in order to drag third parties through those milestones and gates of your high-level service workflow.
Amy Tweed: Awesome. Thanks, Alastair. I think that’s it for any audience questions. Alastair or Joe, would you like to add on anything before we close our session today?
Alastair Parr: No, but thank you all for listening.
Joe Tolley: Yeah, enough of me. Thanks. Thank you.
Amy Tweed: Yeah, we really appreciate your expertise, and as a reminder, this is recorded, so it’ll be sent to your inbox first thing tomorrow morning. Again, if you have any questions or you want to know where to start or anything regarding third-party risk management, you can email us at info@prevalent.net. Follow us on LinkedIn, follow us on Twitter. We are here to help and we have a ton of great webinars and blogs to share with you as well. So, thank you everyone for joining. Hope you have a great rest of your day wherever you’re at. Thank you, Alastair, and thank you, Joe.
Joe Tolley: Thank you everybody. Have a great day.
©2025 Mitratech, Inc. All rights reserved.