Description
Once your third-party risk management program (TPRM) is running, you’ll need to expand your scope beyond basic risk monitoring. Maintaining a strong program means understanding key metrics, clear management reporting at all levels, building sustained trust in your organization and vendor landscape, and adherence to regulatory authorities.
In Part 4 of our TPRM 101 webinar series, Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, will explore the next steps to take for continued success in your TPRM program.
In this session, Bob will discuss:
- KPIs, KRIs, and other essential metrics for reporting
- Management reporting and dashboards
- The importance of transparency for building trust in your extended supply chain
- Why you need to consider regulatory and industry guidance
- Applying lessons learned to your program
With over 30 years of real-world experience architecting and implementing risk management programs at Fortune 100 companies, Bob is the ideal guide for assessing and addressing risks in your TPRM program.
Speakers
Bob Wilkinson
CEO of Cyber Marathon Solutions and former CISO at Citigroup
Transcript
Melissa: And without further ado, I will let Bob get started. Go ahead.
Bob: Thanks, Melissa. Welcome, everyone. This is number four in a series of four modules for building a sustainable third-party risk management program. Next slide, Melissa.
Melissa: Melissa, can you see it? Okay, I have that.
Bob: No, it's not scrolling.
Melissa: Let's see. You can't see that management reporting, issue one?
Bob: Nope.
Melissa: Oh, boy.
Scott: I can see it, Bob. Probably might be on your end.
Unknown: Bob's got 100. was open perhaps.
Bob: No, no, I got all my windows closed. Actually, don't exit out of the Zoom. That's all right. Let's see. Can you see? It says part four, and then I'm going to that next one: the management reporting, issue remediation, and TPRM community and the ROC. Okay, I will improvise as long as everyone can still see.
Melissa: Okay, I think they can. And I got a little message in the chat saying they can.
Bob: Continuing along and...
Melissa: Right. And you can still see me, right?
Bob: Yep. Okay. So, continuing along, and apologies for that little hiccup. We're going to cover topics including management reporting, issue remediation, TPRM community, and what I call the ROC, or resilience operations center. So, we're going to drill down a little bit around some of the measurements and reporting that are essential in a TPRM program. We're going to talk about dashboards and reporting to help tell your story to your management at all levels. We're going to talk a little bit about what I call TPRM community, which is building trust in the relationships with all of the third parties, subcontractors, and other stakeholders that you have in your organization. Then we're going to turn to what I consider one of the most important topics in third-party risk management, which is issue management. The reason that we perform assessments is to understand, identify, and remediate risk.
If we are not remediating risk, then we are not improving the risk management of our third parties and, consequently, improving the resilience of our businesses. So for me, issue management is absolutely critical. Next, we'll go into risk exceptions and the conversations that are appropriate to have with management when sometimes people don't want to remediate risks that are identified. And then we'll go into the importance of lessons learned. If we do not apply the lessons learned, it puts us in a position where we're going to repeat the issues that we had just been through, and we'll never really improve our program. Next, I'm going to go into a discussion of regulatory topics, talk about the three lines of defense and the very recently issued new banking regulations, and from there talk about the future a little bit: what we can expect and how we need to evolve our programs to become proactive rather than reactive when addressing third-party risk. Next slide, Melissa.

So, key performance indicators and key risk indicators. Now, lots of people talk about KPIs and KRIs, but what they are is a quantifiable way to measure progress that is made towards a goal within a specific period of time. Now, if key performance indicators are collected, they should always answer one simple question: so what? And when I say so what, I'm talking about what does it tell me about the trend within my organization? So just collecting numbers and saying I have 100 third parties in my third-party risk management program doesn't tell me anything about how the program is performing or its direction. So when you contemplate collecting key performance indicators and key risk indicators, think about what they're actually telling your audience about the status and the trending and direction, both of the performance of your program and the risks that your program is seeing. Key risk indicators will measure how risky a certain business activity is.
In this case, risk indicators help you understand whether the risk in your third-party risk management program is going up or down. And that's important, and you need to be able to communicate the trends of your program to your management in order to have credibility with them. Next slide.

Having said that, one of the things that allows you to communicate the level of risk and the progress that you're making in your program is your program dashboards and reporting. So as you collect your KPIs and KRIs, you need to decide how to communicate that information at the appropriate levels of management within your organization. Excuse me. What you need to tell your immediate supervisor is different than what you need to tell your board of directors. So you need to make sure that in your reporting you're focusing on the right level of messaging to be given to the stakeholder you're reporting to. Now, there are a few trend reporting topics that you can cover in your program status and updates. You can talk about the growth in the overall use of third parties and of their suppliers, your subcontractors. Because one of the important aspects of a TPRM program is how many new third parties you are adding to your inventory who provide services and products to your organization. One of the important aspects of third-party risk is how many third parties you are sharing both your data and your access to your infrastructure with. The more rapidly your program is growing, the greater the risk that program is going to have. Conversely, leveraging existing third parties to deliver functionality that businesses may be looking for allows you to mitigate that risk and at the same time better control the costs associated with your third-party risk management program. So over time, growth in third-party risk management programs sometimes, many times, approaches 10% a year. So if you start with 100 vendors, suddenly in the next year you have to manage and assess 110 of them.
That's a significant increase in the burden on your organization, and you're not getting any additional funding, in all likelihood, to take into account the growth in the number of third parties that you have to address. So reporting on that is a very useful measurement. Increase and decrease in the overall risk of your third-party program based on various data analytics measurements. And some of this gets more into the quantitative side, but you can measure based on how many third parties have access to your data, how that data is being shared with them, who has access to your infrastructure and in which ways. Those types of information demonstrate whether the risk in your program is increasing or decreasing. So when you combine that with the growth in the number of third parties, and then the types and the volume of data that they're accessing, that can drive an increase or decrease in your overall risk, and that's something that management needs to be very aware of so that if they need to address it, they can do so proactively because you've kept them informed. Another aspect is the completeness of your third-party inventory. Many medium and larger-sized organizations have often been through mergers and acquired businesses. In the process of acquiring businesses, one of the areas that tends to get neglected is all of the third-party relationships that are coming along with the acquisition. So, you may be inheriting, when your organization does an acquisition, a large number of third parties that may fall through the cracks. It is also not uncommon to see certain areas within businesses receive an exemption from complying with third-party risk management programs. When that is the case, for whatever reason, that needs to be highlighted to make sure senior management is aware that there may be parts of the organization that are not following the third-party risk management requirements and therefore increasing risk in your program.
Another, and for me again one of the biggest topics, is an increase or decrease in the number of issues which are open. So if you see the number of issues affecting third parties increasing over time as opposed to decreasing, that is perhaps one of the most important measurements that you can make in assessing whether you're making progress in managing the risk for your program. So how you track open issues, how you hold people accountable, and we'll talk more about that in a few minutes, is a very important aspect of your program. Another one is issues reported by regulators, where you have regulators. They have a program, particularly in financial services, where they go out and do risk assessments of critical service providers to the financial services industry. When they write those reports, if they identify issues, they will share that with financial institutions that they know are using those third parties. And financial institutions have to take that information and share it with their board of directors, along with any corrective action plans they may have. So these are things that demonstrate trends and show progress, or in some cases slippage, with how the third-party risk management program is being managed. Next slide.

So when you think about reporting, one thing that I found effective is covering four different areas in your periodic update. The first is what progress you have made since the last reporting period, and that's always a good and positive message and helps people see that you're moving things forward. The second area is topics and themes that your management needs to be aware of. You want to make sure that they're not going to get any surprises or potentially get blindsided. So keeping them informed of topics that are relevant, that they might be hearing about from other sources, is a very useful thing to do. The third component of effective reporting is sharing with your management the roadblocks to your success.
So once you highlight that, you're asking your management to help you break those roadblocks so that you can continue to make progress in your third-party program. If you just try to work it yourself and you're not getting any progress, you're just making your job a lot harder. So, by sharing the roadblocks and sharing the status of those roadblocks on an ongoing basis, you're letting your management know where they need to help you. The fourth is always putting your third-party risk management program into context. And when I say context, I call it the path to sustainability. So how are you making your program sustainable in the long term and helpful to the organization, in first limiting risks that they are exposed to, but second and more importantly, being aligned with your business goals and helping your business partners to get there. So with all of this, as I said earlier, it's important to know who your audience is and to adjust your presentations accordingly. The final point I'll make on this is dashboards provide the important backup data that you need as you tell your TPRM story to your management. Now, when we started this course in the first session, one of the things I talked about was telling your story. So every third-party risk management program has a little bit different story on what was the impetus for its creation and what are the goals that senior management asked you to achieve with the program. So always keep in mind that you're telling a story, and that what you're getting here with your KPIs, your KRIs, and your management reporting is the backup and supporting data for the story that you're telling. Next slide.

TPRM community. So, one of the challenges and opportunities that anyone has in the third-party risk management program is building relationships with third parties and ensuring that there is a certain level of trust in the relationship with the third parties, with the subcontractors,
and with any of the stakeholders that we deal with, to make sure that people are comfortable, that they believe in and share in the goal that you're trying to achieve, and that you're acting with them in good faith as a partner. That will enable the opportunity for them to become more comfortable and share with you what they see, and help you to be successful in reaching your is having an adversarial relation. The best thing working with you towards the same goals that you're trying to achieve, and what I call that is building community within your third parties. For example, when a major security incident happens, and I'll use examples like Log4j, SolarWinds, what's going on with MOVEit right now. Those types of vulnerabilities, you have to first understand how they affect your organization, but you also want to understand how they affect your third parties and what exposure your organization may suffer as a result of those security vulnerabilities and the incidents that may be ongoing. When you have open communications with your third parties and you're able to work with them, you find that you can get answers quicker and you can resolve matters that need to be addressed faster than you can possibly do on your own. So when you think about your third parties, think about how to build trust. And trust comes one third party at a time. And to the extent that you reach out to your third parties and share with them what you're doing, how you're building your business, and working towards your goal, that inspires trust and confidence in them. So, that's an important thing that often doesn't get talked about, but can really help you in terms of your third-party risk program. Next slide.

Issue management. I cannot stress enough the importance of managing issues, particularly in certain regulated businesses where people's high-level understanding of what the regulators are after is to complete a risk assessment.
Completing a risk assessment doesn't do anything. All it does is identify potential risks that exist. When those risks are identified, until they are remediated, the risk profile of that particular relationship and your overall third party has increased. Your ability to remediate identified issues is directly correlated to the operational resilience that your third-party risk management program has and that those suppliers have as they work with your business. So when you think about issue management, there are several important themes to think about. First of all, by tracking issues and by managing those issues, you have important quantitative data to back up whatever you say the risk level in your program is and how you're remediating it. So, getting at this problem, there are a few ways that you can increase the effectiveness of issue management. The first thing you need to do is capture all of the operational risk issues that are identified, both from risk assessments you may perform and any continuous monitoring that you may be doing. You need to create visibility of the issues that exist within your organization, and having a risk register, a database of what those issues are, is a very helpful way to do that. Now, when you do that, it's important that you have that discussion with the third party to determine who the owner of the issue is and by which date you can expect that issue to be remediated. And then once a third party reports back that they have remediated an open issue, then you have to go back in and validate that in fact the remediation that they implemented is effective in mitigating that particular risk. Now, some of the things that happen here is businesses may not follow up, and remember that this isn't necessarily your job to do. You have a relationship with a business that owns the relationship with that third party.
You should be having the business be part of the conversation with the third party, where the third party needs to understand that their failure to remediate the issue is potentially jeopardizing the relationship that they have with your company. Another thing to be aware of is what I call the end-of-quarter and end-of-year dates that are a common practice for people to put in for remediation of an issue. When you look at all the issues that you may have that are open and you see all the dates are March 31st, June 30th, or December 31st, that is a way that people get around the question of providing a date but actually have no intention of doing the work that needs to be done to remediate the issue. So, getting a name and getting a date are important, but following up periodically in between, in the interim before the date that you've been given, to ensure that progress is being made on addressing the issue becomes very important. Otherwise, you get to the end of the quarter, the end of the month, the end of the year, and you find out there's been no progress. And then we have a situation where businesses say we need to retarget it, and you've done nothing to decrease their risk. So when you're trying to get businesses to address the issues, one of the things that you can do is, on a periodic basis, and you need to decide what's right for your organization, let your businesses where issues have not been addressed, and where they're falling behind schedule and missing target dates, know that you're going to be sharing with senior management an update on the status of issue remediation, and offer them the opportunity to take care of, let's say, the red items in the report that may pertain to their specific business. If there's one thing businesses don't like to be called out on, it's items that are past due, especially by their management.
So having a lever by which you can share the open issues that are not getting remediated, and letting the business know before you report those items, that is an important thing that you can do to help more effectively manage your open issues. Next slide.

Risk exceptions. So when we talk about risk exceptions, we're talking about situations where there's no identified solution to a problem, or in some cases where the business doesn't want to make the effort to remediate the risk and instead just accepts that risk. Well, if they want to accept that risk, then one of the things that they should be doing is signing off and formally acknowledging that they accept the risk that's associated with an issue they choose not to remediate. And if they do that, they should also be required to provide compensating controls to mitigate the extent of the risk that exists. The important point here is holding the business unit owner of the third-party relationship accountable. So when you say, well, I don't know who that is. Well, whose name is on the contract with the business, with the third party? That's the person that ultimately has decided to accept a certain level of risk which may put his business or her business, or the organization, at risk. So they have an obligation to formally accept that risk, to provide compensating controls, and then as they move forward, to ensure that they periodically revisit the issue and see if there are technology or process solutions that may be available to help address and close out that risk. And this is an important conversation that often gets neglected, but holding the business unit owner accountable is an important part of creating a TPRM program where risk can truly be mitigated. Next slide.

The importance of lessons learned.
So whenever we have a security incident at a third party, and for people to have a full appreciation of this, the majority of incidents that occur at an organization can be traced back to a third party. What's less talked about is that when you look further into the details of the incident, you often find it started with a subcontractor, a fourth or a fifth party. And realizing that, and realizing the severity of some of these incidents, taking steps to ensure that the incident cannot be repeated, in other words, closing out issues and ensuring that third parties and their subcontractors are doing the right thing, is a critical part of a healthy TPRM program. So while you may have solved the immediate problem that you're having when you have a security incident, if you fail to follow up on that and to ensure that the appropriate controls are put in place on the side of the third party, and potentially in your business processes, then you're leaving a big hole. And one of the truths about security vulnerabilities and incidents is that they never go away. They just wait for the next bad actor to come along and try again. And I know of multiple organizations that have had security incidents on the same topic months or even years later because they failed to address the issues that were identified and to remediate them effectively. In any incident, there are many learnings that come out of that. Sometimes the learnings are positive, and those need to be celebrated and also ensured that they're put into the processes of the organization. So don't forget the importance of the lessons that you learn, documenting those and making sure they make it into your operational business processes to help you lower the level of risk that you have within your organization. Next slide.

It's always important in third-party risk to talk about some of the frameworks and guidance that drive important aspects of third-party risk management.
So there are a number of references here that I've included that I think would be helpful to people who are starting out. Hopefully you've heard of many of these already. But the first thing I'd like to talk about is what's called the three lines of defense model. This actually arose out of work that was done in Europe. And the three lines of defense, when we talk about them, we talk about the first line, which are the people who are part of organizations who are actually executing work, are customer-facing, maybe key technology roles including the CISO function. So the CISO function is responsible for information security of the organization. Sometimes they like to think of themselves as the second line of defense, and there may be some context where they have to review programs and ensure their effectiveness, but the importance is to understand where you fit and where your organization fits as part of the three lines of defense. So the second line of defense, those are oversight organizations which are charged with overseeing the effectiveness of the first-line organization. And examples might be your operational risk or your enterprise risk management team. It can be your CFO function that's responsible for understanding all the financial aspects of the various business lines within your company, but also understanding the health of critical third-party suppliers that provide services to you. It may be your HR organization. But those are examples of the second line of defense. The third line of defense, excuse me, is your independent audit function. So the audit team answers both to senior management but independently to the board of directors, and as such has a responsibility to ensure that both the first and the second line are performing their jobs sufficiently. This is a model that originated in financial services, but we see it across many different industry verticals.
Now, banking regulations relating to third-party risk management form the foundation of a lot of the activities that we execute in our third-party risk management programs. Last week, the banking regulators released a new version of their third-party risk management guidance. And what they've done is, previously in the US banking industry, you had the Office of the Comptroller of the Currency, the Federal Reserve Bank, and the Federal Deposit Insurance Corporation, each with their own separate third-party risk management guidance. And while there was a very high degree of overlap, there was a difference. With the release of this new guidance, they've unified it across all three of those regulatory agencies and as a result simplified and clarified various aspects of third-party risk management. So in my conversations with regulators, I've asked: So what's the difference? What are you trying to get at here? What are you doing? And part of the conversation was about understanding how the regulators are interpreting the new regulations and how you need to understand roles and responsibilities and risk management concepts in the conversation. So specifically, they've taken a more risk-based approach. Previously they had very specific guidance, for example as it related to the board and bringing contracts with critical suppliers to the attention of the board before they were signed, as one example. Now they're allowing that approach to be more risk-based. So, organizations need to decide which are those most important relationships that need to be brought to the attention of the board before the contracts are signed. So, they're giving a little bit more flexibility and taking a more risk-based approach to how things get done. So, they're allowing for clarification of the risks that companies see as being most important to them, and they're looking at it, you know, from the view of the third-party risk management life cycle.
What are the roles of the various organizations, and how do they address risk in terms of the criticality that's represented by various third-party providers? So really, it's just a clarification. They've incorporated their FAQ from 2020 that the OCC developed into the regulations. They've gotten rid of the appendices and they've overall streamlined the document. So, they're not adding really anything new here. They're just clarifying, cleaning up, and aligning the guidance that all the regulatory agencies rely upon. So, that's just important to know: that you keep up with what your regulators are doing, how their thinking is evolving, and how they've incorporated the FAQs that the OCC developed previously into the banking regulations, and in effect gotten rid of the FAQ and the appendices. The next document that's important for understanding third-party risk is the NIST 800-53 release 5 document. In that document, there was a new risk family added in specifically for third parties. It's very useful in helping evaluate your controls and deciding whether you've addressed all the key risks that you really need to address. And then finally, the Cybersecurity Framework from NIST is very useful in helping to assess overall risk with any of your third parties. And those are just a few of the documents that are available, but I think those are the most important ones you need to be aware of. Next slide.

So I'd like to spend a few minutes looking at the future and what I call the resilience operations center. So one of the key activities in a third-party risk management program is thinking about how that TPRM program fits into the operational process workflows of your company.
The more that your program connects in with the other pieces of your organization and into your workflow, the greater the value, the quicker you can respond when you need to, and the better the intelligence information that's generated to help you understand proactively where risk may exist. So when you think about, and I'll use the example of continuous monitoring, when you're thinking about implementing continuous monitoring, say for example a security continuous monitoring solution like SecurityScorecard or RiskRecon, when you're doing those things it's going to generate a lot of information. The skill sets that you need to effectively evaluate that are different than the skill sets that people who perform risk assessments may use. And that information that you're able to access as a result of continuous monitoring has value outside of your direct TPRM program. For example, if your continuous monitoring program is identifying problems that may exist with some third parties who are critical to you, sharing that information with your threat intelligence organization allows them to proactively look to see if, for example, hackers on the dark web are developing attacks to exploit the kind of vulnerabilities that your third parties may be subject to. The other side of this is when you do have a security incident. Being able to share information about vulnerabilities that exist at your third parties with your security operations center, who's in the process of responding to a security incident, can allow them to move much faster and to be more effective as they go forward. So, a big piece of this is shifting your mindset from being reactive to things that occur to being proactive and looking for risks that may exist before they hit you.
And by embracing your role in the context of all of the operational process workflows you have in your organization, you can potentially be much more effective in your third-party risk job. Next slide.

So what are the benefits of taking this approach and moving forward? You're shifting your organization's behavior from response to prevention. And that's often the difference between being successful and just waiting for things to happen to you and fail. By doing this, you've expanded TPRM's role and you're making it an organization-wide responsibility. You're engaging with your business. You're engaging with your other partners. You're engaging with the software development organizations. And that will create stakeholders who have a visible interest in the success of your program and help you to be more effective in the goals you're trying to realize for your TPRM program. It also helps you more proactively manage risk beyond your organization's boundaries. By leveraging intelligence, by having outreach to your third parties, by keeping them informed of things that you're doing, it also enables much more rapid response in the event that you do have either a threat that's imminent or a security incident that's just occurred. And it also acts as a central point to help with mitigating risk, closing issues that have been identified, and leveraging lessons learned across both your organization and your businesses. So, there are important reasons to think about the resilience operations center as a model for the future that can shift your behavior to being more about prevention, having a stronger base of support for your third-party risk management program, and being able to respond more rapidly when you need to. Next slide.

So, one thing I'd like to leave you with, one last thought as we wrap up this course, is your organization is in all likelihood a third party to your customers.
And in that third-party role, you have an opportunity, when you think about it through that lens, of practicing what you expect your own third parties to do. So by doing a baseline risk assessment, by potentially using your continuous monitoring tools to run against your own organization, you're going to get insight into items that you may not have been aware of that may represent significant risk to your organization. What you're also doing by that is you're helping your business to be proactive as you go out as a third party looking to service your clients, because now you can say, yes, I've proactively assessed my risks, I monitor it on a regular basis, and I'm very aware of what is going on in the environment and how to protect myself, because any client you're going to go to these days is going to ask you when you did your last risk assessment and how do they know that you're secure? So, by doing this for yourself, you position yourself well for the conversations when your clients come to you. And in fact, by doing that, you can offer them up the risk assessment you've done on yourself. And that's a competitive advantage, because not a lot of companies do that even now. But you can go in there, when your business is trying to win new business from a client, and by showing that you've taken a proactive view of security for yourself, you have a competitive advantage in the conversation. So, it's an important thing to think about. And if you're just starting out in your program and you're not sure where to start, do a risk assessment on yourself. You'll be amazed at what you learn and the things that you see. Next slide.

So, that's questions. And if you have any questions, you can reach out to me at bobcyms.net. There's my mobile number. Anything you want to talk about, I'm game for it. Feel free to reach out to me. Melissa, back over to you.
Melissa: Awesome. Thank you so much.
Um I’m going to go ahead and stop sharing real quick and throw it over to Scott so he can go ahead and uh share his screen. So Scott, let me know if... Yep, I can see your screen. Uh and in the meantime, while Scott’s doing that, if you have any questions, put them in the Q&A and we’ll see if we have a few minutes to chip away at a few. So, go ahead, Scott. Scott: Dear thanks. Awesome. Thanks, Melissa. Um, hi everybody. Uh, just wanted to close off a little bit on a few things that Bob shared in the webinar today and some of his best practice guidance from the beginning of this series of four webinars. Um, and just kind of talk about how Prevalent can, you know, kind of help you get across the finish line in building and maturing your third-party risk management program. Very quickly, like inevitably when I talk to customers, they tell me they want to achieve any one of these three things. Number one is get the data they need to make better decisions. Whether that be uh getting good KPRI, K uh I just combined the two, didn’t I? KPRI. That’s good. I’m going to copyright that real quick. KPI or KRI uh metrics or data to support the reporting on that. There, I got it. Uh good, good. Good data, get good uh risk intelligence data from the outside to incorporate it with your assessments for an overall third-party risk score. Getting good data to make better business decisions, huge challenge. Number two, increasing team efficiency and breaking down silos. I mean, if you’re calling in right now from the security team or the risk management team or the enterprise team or the procurement team or the supply chain team, that in and of itself tells us that third-party risk has its hands in multiple different departments throughout the organization. And chances are each of those teams has a little bit of uh unique information that they want uh out of that relationship or want out of that risk assessment.
So customers tell us they want to knock down those silos that exist between teams. Get everybody singing from the same hymnal uh in the same solution uh so we’re all looking at the same data. And then third, being prepared for the future, evolving and scaling your program. Going back to what Bob said a few moments ago on the resilience operations center, uh definitely a trend and a way that the market is going uh that solutions are going to um focus on resilience first and be able to kind of scale to, you know, different challenges and problems that uh arise throughout your vendor base. You know, our approach to addressing third-party risk isn’t just one that addresses uh risk at the time you onboard a vendor or when you need to do your annual reassessment of that vendor if it’s required. Uh we address very specific risks at every stage of the third-party risk management life cycle. And you can see a presentation of that on the screen in front of you. Everything from helping you, you know, add automation and intelligence to your sourcing and selection decisions, automating the RFx process or getting you intelligence into whether or not this potential vendor is a good one for you that matches your company’s risk profile. Uh, next to intake and onboarding, getting you a single source of the truth for supplier risk profiles, for intake processes, for contracting and onboarding workflows that you can then share throughout the rest of the enterprise and invite people to contribute to uh without taking them out of the platform. Third, scoring inherent risks, scoring and categorizing suppliers based on data-driven insight so that you know how to construct your assessment strategy going forward. And then moving into assess and remediate there at the top of the uh half moon shape there, or the sunrise shape as we like to say it.
Streamlining ongoing assessments against multiple different reporting requirements, whether they be IT security, privacy, compliance, ESG, financial and others, and then validating the results of those assessments as well uh with continuous monitoring of cyber security, business reputation and financial insights. Um and then finally, measuring service level agreements and performance. You know, we all know that risks aren’t necessarily 100% of the time security related; some could be performance related. Uh vendors and suppliers can introduce risks to the enterprise if they’re not meeting their KPIs or uh service level agreements, or, very cool, it’s a KPRI. Um, you know, we can help you automate that process by extracting and helping you calculate those measures from contracts, getting them into the platform, assigning owners, tasks and reporting uh automatically. And then finally, as every relationship uh ends up doing, uh, you know, when it comes down to offboarding and terminating a vendor or supplier relationship, uh, you know, what we do is we help companies verify adherence to contract terms, make sure all those tasks are complete before you, uh, end the contract, and perform some level of sign-off. You know, at its very heart, our solution addresses not just IT security concerns when it comes time to assess somebody on a cyber security or business resilience challenge, but also making sure the procurement, vendor and supplier management teams are happy with the, you know, vendor selection decision that’s being made, and the data privacy, legal and compliance teams are also benefiting from the solution and its reporting uh as well. Three things we want uh for you from the solution. Number one is to simplify and speed up your onboarding with a single source of the truth in a single process. Streamline the process of assessing your vendors and closing gaps in risk coverage, and finally unifying those teams across the life cycle.
You know, we address, you know, tons of different uh risk areas in the Prevalent platform. We’ve bucketed them into these six categories here. Cyber, operational, financial, ESG, reputational, and compliance-based risks. Each one of these bullet points underneath these uh six buckets has either an assessment and/or continuous monitoring data to validate that assessment in the platform. It all comes out of the box. Uh and then finally, what we actually deliver to you is um a combination of our people, our data, and our platform. Uh in any equation, it’s the people that really differentiate you. And you know, we’ve got third-party risk management experts that are ready to do the hard work for you, from onboarding, assessing, remediating, and managing vendors. Uh probably the biggest uh set of data, the greatest amount of data that’s being pumped into the platform um of any of the other vendors in the marketplace uh across multiple different domain areas to help you add context to your uh vendor decisions. And then finally, a platform that ties it all together with good reporting, workflow uh and more. Again, three things we want from you here, or we want for you, not from you. Number one is to help your organization be smarter in terms of how it tackles third-party risk: be more comprehensive, data-driven and role-based. Uh second, to help you unify your processes, your teams, knock down silos, look at risk from onboarding to offboarding, and then be much more prescriptive about uh the workflow, the response, and um the remediation recommendations uh to ultimately get you down to a level of risk that’s acceptable to your business. So anyway, that’s what I had to offer here in terms of how Prevalent can help. I’m going to flip it back over to Melissa. Melissa: Perfect. Thank you, Scott. Um I’m going to launch our second poll real quick. I know we have some really good questions, so I want to get to those while we have the minutes.
Um, so Bob, first question for you. Um, oh, sorry. Go ahead and answer the poll question. It’ll take you probably four whole seconds. And the first question we do have is asking how can we manage issues with third parties when there are contract constraints or limitations in place, like related to policies, technical controls, etc. Bob: Manage with contract restraints. Um that’s, you know, that’s very situational depending on what type of restraints uh may exist. That’s why it’s absolutely critical that in your contracts you include the appropriate clauses. Um for example uh the right to audit. If you don’t have a right to audit, then they can say we don’t have to do an assessment. Secondly, breach notification. They have to let you know timely when there’s been a breach. And third, their commitment to remediate issues that are identified in a timely way. And by using your own standard contract template, you can get at some of those issues. I realize many times, particularly for smaller organizations, you have to work with someone else’s contract. But having those clauses in gives you the flexibility to do a lot of the things you need to. Melissa: All right, great. And uh keep seeing a few questions pop in as we go. This one’s a long one, so hold on. How do you recommend shifting to that proactive approach from the reactive approach when we still have so many challenges with vendors that take a long time or even don’t want to cooperate with answering our risk assessments? Bob: Well, you know, it depends on your organization, the relationships you have with your vendors. When you’re a very small component of that vendor’s revenue stream, for example, it’s often difficult to get their attention and you may need them more than they need you. So that adds a level of difficulty to the equation. But one thing that I found useful is what I call stopping the bleeding. So you have an installed base of vendors, third parties that you work with.
As you bring new ones on, make sure you use contracts. Make sure that you build that relationship in a way that you have the leverage and flexibility to gain those commitments from those vendors. And then as your existing population of third parties, your inventory, comes up for renewal, you address contract deficiencies and other deficiencies in the relationships. And if you work, for example, in financial services, regulation says that you have to perform orderly performance assessments of how your third parties are performing, and if they’re not performing according to the level that you expect, that’s a conversation you need to have with your business partners. So those are some of the things you might do, but it can be a long and tedious effort to do it. So start where you have the highest level of success, which is your onboarding process for all your new third parties. Melissa: Perfect. Um, I think we have time for one more. Um, and we always get this question, but I think it’s a good one. Can you credibly force a third party to comply with your risk appetite strategy where they are the large organization, like an Amazon Web Services, and you are the small organization and normally they have all the power? Bob: Well, that is a popular question, and you know, having that power is part of the reality of the relationships and it’s often very hard to extract information from them. One of the big problems with an Amazon, for example, is that they’ll provide you with their overall SOC 2 Type II or their risk assessment documentation. But the risk that you have is, well, you know, Amazon never goes down. Well, guess what, it certainly does go down, and what you have to understand is where is the zone where the service that they’re providing to you is being provided from, and where you need to have redundancy in your business. How can they ensure that your redundant site is in a different grid than the one where Amazon is providing that service to you?
It’s a difficult topic when you’re the small person dealing with, you know, David dealing with Goliath, but um if the relationship isn’t working for you, then it’s time to consider another partner as well. Melissa: Got it. Um well, I think that puts us at the top of the hour. So, I did put Bob’s email in the uh chat, so if you need it, there it is. Um I’m sure he’d love to talk. Good questions. I know we didn’t get to answer all of them, so I appreciate the ones that we could answer. Um again, thank you Bob and Scott and of course, thanks everyone for all those questions. Um you know, lastly, I hope to see a handful of you in your inboxes and at a future webinar. Take care everybody. Thank you. Bob: Thanks. Melissa: Bye.
©2026 Mitratech, Inc. All rights reserved.