Description
Driven by current trends, third-party risk management is evolving beyond traditional cybersecurity topics to include assessing non-cyber categories such as anti-bribery and corruption (ABAC); environmental, social and governance (ESG); ethics; and diversity. As more business teams demand insight into their third parties’ policies in these areas, how can the IT security team – long the owner of third-party risk management programs – adapt?
This webinar, presented by Nasser Fattah, former Managing Director for Information Security at Mitsubishi UFJ Financial Group, discusses how IT security teams can build bridges to business owners to deliver more holistic third-party risk management insights, including:
- Considering additional non-cybersecurity criteria while making vendor tiering, categorization, and prioritization decisions
- Conducting specific non-cybersecurity assessments and correlating the findings alongside cybersecurity results
- Layering in vendor business and reputational monitoring to add context to existing cybersecurity risk assessments
- Unifying internal teams under a single dataset to simplify reporting
- Eliminating cumbersome spreadsheets that add complexity to assessing third parties
IT security and third-party risk management practitioners will gain a simple 5-step roadmap for efficiently expanding the scale and scope of their TPRM programs.
Speakers

Nasser Fattah
former Managing Director for Information Security at Mitsubishi UFJ Financial Group
Transcript
Amanda: Okay, I see the numbers rising. Hi. Hello everybody. Happy Wednesday. I see a lot of people trickling in. Thanks so much for joining us. While you guys are getting settled, I’m going to launch a poll and then I’ll do some intros. I’m Amanda. I’m your host for today. Here’s the poll, just out of curiosity while we’re waiting: what prompted you guys to join? We’re excited to find out why. Are you here for education? Are you here for project research? Are you a massive fan of Nasser, or potentially of Mike Gaffy? But we’ll get to know everyone.
Mike: Don’t bet against that. Don’t bet against that.
Amanda: Are you a Prevalent customer? Are you lost? It’s fine, you’ll learn something. Anyhow, a couple of housekeeping items before I do my spiel here. Everyone’s muted, you guys. So while we want you to participate, we won’t be able to hear you. So use the Q&A, use the chat, raise your hand, whatever it is you want to do, just to keep us engaged. We want to keep you on your toes. We’ll be asking a lot of questions. It’ll be an interview-type webinar, so we’re excited about that. And if you do have any questions, we’ll try to get to them at the end of the session. So stay tuned. As you can see here, we are talking about five implications for your third-party program. We have a couple of acronyms on here. We’ll get to those in a second, but ABAC and ESG are our priority conversation. Our guest speaker today is Nasser Fattah. He’s a cybersecurity and third-party risk leader. You can read here, you know, he’s passionate about all things cybersecurity, third-party risk management, all those fun things. And we’re really excited to have him on. He’s a firecracker, in my opinion. We
Mike: Just for the record, I don’t even get a slide.
Amanda: Literally, can you let me, can you
Mike: I don’t even want the line on Nasser’s slide. Just for the record.
Amanda: We’re really excited to have this one on. This is Mike Gaffy, for those of you who don’t know.
He is the CMO here at Prevalent. We’re just so excited to have him on here because he’s just quite
Mike: Way to pander to the audience.
Amanda: Yeah.
Mike: I’m sure that’s all the reason why everyone’s here right now.
Amanda: Anyhow, so we are going to talk acronyms on here. So we’re going to give you a little cheat sheet here. Obviously TPRM, we hope you know what that means. It’s third-party risk management. ABAC is anti-bribery and anti-corruption. ESG is environmental, social, and governance. And CSO is chief security officer. I’d be really concerned if you didn’t know what any of these mean. The middle two I’d be okay with, but the top and bottom, you’re probably clicking, what am I doing here? In this poll, I’m going to end it right now. Well, that is it for me, you guys. We’re going to record this session. If you end up not paying attention to it, it’s going to be in your inbox tomorrow morning. And I’m going to let Gaffy and Nasser take it away. Godspeed to all of you. Good luck.
Mike: Don’t spoil it. I mean, my god. Yes. I’ve already seen a couple of chats. We will make the slides available; they’re just question-and-answer slides. We’ll also make the recording available, because that’s where I think the real value is going to come from, Nasser talking about, let’s see if I can just scroll to the next slide, talking about and kind of giving his answers. So, Nasser, how many did we end up with, like 13, 14 slides in some area?
Nasser: About, yeah.
Mike: Okay. And Nasser, look, between the two of us, we can get off. We could do this in one slide for 48 minutes. So we’re not going to try to get there, but we’ll try to keep it on pace. If you have a question and it’s relevant, feel free to shoot it in the chat function. We’ll do our best to answer. If not, we’ll answer them at the end, and we’ll try to keep this, look, fun and punchy. I’ve been in infosec for 20 years. Had the opportunity to meet a lot of great folks like Nasser.
So why don’t we dive right in? So, Nasser, first question. Right, third-party risk is challenging in and of itself. I’d say a lot of people are still trying to figure it out. How do I do it? What do I do? I’m doing a spreadsheet. And you know, one of the things that has always driven me crazy is you hear people talking about fourth parties and they do all this other stuff. A lot of people haven’t even started, or started solving, the basic tenets of third-party risk. And now you’re hearing about ESG and ABAC. Why should they give a you-know-what about this now? What is it? Why is it important, and what are kind of the implications?
Nasser: Oh, hey, thanks for that and thanks for having me on. You know, just a quick disclaimer. The opinions and views that you hear from me are from Nasser, not from those who I provide services to. So I just wanted to quickly say that. But to kind of jump into what you said, Mike, you know, I think we all in the third-party risk management space have been very accustomed to certain types of risk, where we’re talking about privacy, cyber, business continuity, and compliance. And now gaining a lot of momentum is ESG, environmental, social, and governance, as well as ABAC, anti-bribery and anti-corruption. And just a little bit of insight as to what ESG is, and then we’ll talk about ABAC. You know, when you look at ESG, the environmental looks at, you know, what is the business doing as a steward, or is the business violating environmental risk, may that be air, water pollution, deforestation, gas emission; you know, are they impacting climate change. So that’s the environmental responsibility of businesses, right? And in particular, public businesses get a lot of scrutiny in that particular space.
And then there’s the social aspect of ESG that looks at, you know, diversity and inclusion, and are you doing fair labor management, and what about privacy and security, because that also plays a part in social, because you’re protecting your customers’ information. And then the last piece is the governance, where, you know, as a public company, what are you doing about your executive pay, your board; do they have a governance program? Do they look at ethics? Do they understand shareholder rights and things of that nature? So those three things, when they come together, are really, really important. And I’ll give you an example of what would happen if something went south. So just imagine that we’re doing business with a vendor, and unbeknownst to us, because we’re not doing ESG due diligence on a particular vendor, this vendor is polluting local water supplies, using forced child labor, or has terrible work conditions like sweatshops for its employees in order to deliver goods and services to our organization. You know, these conditions are not only unethical, they’re unlawful. And to make a long story short, they’re just bad business. And because of this, when this becomes known, it can easily impact an organization’s reputation, because they’re dealing with a vendor that is unethical, might be breaking tons of laws. As well as, you know, you have not only a reputational impact, but you’ll have investors that are all paying very close attention to ESG, as well as your partners and customers. So this is why this can really snowball into a significant challenge for an organization if they’re not paying attention to ESG when it comes to their vendor portfolio.
And then the other thing I would say here is, you know, regulators have really started to zone in on ESG, starting with the EU, where they are requiring public companies to provide ESG disclosure statements, and as well expecting companies that are reaching out to these vendors to do business with that they’re doing ESG due diligence, as well as ABAC, which we’ll talk about in a second. And these regulations that are being pushed out, starting in the EU; in the United States there’s a tremendous amount of conversation taking place, and if you’ve been following President Biden’s conversations around climate change, that has to do with ESG. Even US regulators are paying really close attention here. And again, these violations do come with very, very, very stiff penalties when it comes to fines, as well as giving the victims, the stakeholders that might be on the opposite end of an ESG violation, the right to take these public companies to court. So again, organizations that have a vendor portfolio really need to pay attention to ESG, in particular when you’re looking at places in the world that unfortunately are known for bad working conditions and all types of forced child labor and things of that nature. So that’s where ESG plays a significant part, and again, getting a lot of scrutiny from the regulators, including fines and enabling stakeholders to take them to court, and that can easily come back and bite you as an organization. Let me quickly answer a quick question. So it
Mike: It’s taking assessments, if you will, and it’s not just security. It’s not like you’re asking for internal security controls. You’re asking for, please explain to me how you’re an ethical business, and I’m not familiar with the questions, right? I don’t write the questionnaires, but it’s getting them to answer a different set of questions.
Do you find that ABAC or ESG are run by the same third-party folks? Is it run in concert, like procurement, enterprise risk? Is there a completely different group spun up? And maybe it’s even too early to say this is kind of the default, who’s owning this and who’s running this, but just curious.
Nasser: Yeah, in the current state that I’ve seen when I work with my peers, it has been typically compliance, because ABAC is definitely a compliance matter, and organizations, public companies in the United States, have become very acclimated with ABAC. What’s happening with ABAC now, which is anti-bribery and anti-corruption, is that they are extending what they do internally to their vendors now from an ABAC perspective. So ABAC has been, I would say, around longer than ESG. Although ESG has been in the space for some time, organizations in the compliance space have been paying attention to ABAC, and right now, currently, I see ESG also falling into the compliance space. And typically, if you’re going to be doing ESG with your vendors, often you have an internal program where you as an organization are already establishing ESG policies; how you handle ESG matters in your organization, in your community, things of that nature, is already in place so that you can extend that to vendors. I have not seen where organizations are looking at ESG with vendors and they themselves don’t have an ESG program for themselves. So that’s what I’ve seen, Mike. You know, compliance and ABAC has been there historically, ESG picking up a lot of momentum, but both of these really start internally with an organization, and then they start to extend that capability out to their vendor community.
Mike: So it’s almost like the company themselves, and I’m just paring it back, but you’re saying the company themselves would have a program, and then it would become an important enough thing to kind of proliferate and say, look, I want my ecosystem or my supply chain to share the same values. So then we’re going to proliferate and kind of double-check that out as we go.
Nasser: That’s absolutely true. You know, the way I see it is, your vendors, your partners, to a large extent, are really an extension of your business. They’re doing something on behalf of your business as if they were your business. So you’re absolutely right. It starts at the core internally, and then it proliferates to the vendor portfolio accordingly.
Mike: Have you seen anybody do this in terms of starting with ABAC or ESG and then kind of getting to the security? Or is it everybody kind of has some third-party process, and then maybe it works with compliance, or you work with compliance, but you’re kind of getting some leverage on the policies, procedures, workflows that you already have in place. What’s the sequence of events, I guess, is what I’m asking.
Nasser: Yeah. I think that if you look at third-party programs historically, it usually starts with what I like to call the big three, which is cyber, privacy, and business continuity. And that’s because there’s been a lot of focus on cyber, privacy, and business continuity. And rightfully so, right? I mean, if you look at what’s happening with ransomware, that has a tremendous amount of cyber implication. If you look at the new cyber laws that have come out, from GDPR to CCPA in California and other ones coming out, that becomes really relevant. And business continuity does not go away. Business continuity is making sure that you have operational resiliency, to make a long story short.
So those things are really, really important, but they are not the only things for an organization. So this is why, when you start looking at the third-party risk, it becomes what I like to call a 360 view from a risk perspective, right? What is it that this vendor, this engagement, is providing me? And then what are those risks associated with it? And there should be risk, and not because risk is a bad thing. Whenever you do business, you’re always going to take on some risk, right? That’s no different than investing in the stock market, right?
Mike: Well, yeah, it’s operational risk. You either choose to accept or deny that risk based on whatever conditions or parameters you set in place. So,
Nasser: Yeah. So, understanding that, when you’re looking at vendors as your partners to provide you a business service, a business good, that vendor, because it’s doing business like any other business, there are going to be some risks associated with it. So if you understand how I look at this vendor from a risk perspective, 360 degrees, some vendors may introduce potential cyber risk, privacy risk, and now we’re talking about ESG, ABAC. The more relevancy when it comes to risk that a vendor can provide, the more due diligence you can do in a very risk-based manner; not just basically by default, I need to do ABAC on you because I’m going to do ABAC. There should be some justifiable vendor characteristics, engagement characteristics, that would trigger why you’re doing an ABAC. So there’s
Mike: Yeah, it’s a downstream thing, right? It’s if A then B then C. Right. If you fail this, don’t do this or don’t do that. Then you’re downstream, and it triggers something else. Right.
Nasser: Right. Right. That’s absolutely the case.
And I just want to connect the dots, just to make sure that we’re still on the same slide, just in case we’re moving around. So, just
Mike: No, we’re still on slide one. That’s what I was talking about. But I told you we were going to do the slides and then I was going to ask you 10 questions anyway about what you’re talking about.
Nasser: No. And you definitely can, and we should. I mean, this is pretty productive.
Mike: But that’s the thing. Look, I’m just putting myself in the place of a customer, right? Or somebody who’s trying to figure this out. So, okay, I think we get what it is. And folks, correct me if I’m wrong, or Amanda, correct me if I’m wrong, if you don’t get it. And look, I think this is probably a short answer, but obviously global conditions have changed since Biden came into office. I think people are definitely focused more on corporate sustainability and responsibility. Is that why we’re hearing about it now? Is that why people are trying to, or is there something else?
Nasser: I think there’s a few things. What you said is absolutely true. Our government, our president, is paying very close attention to ESG, and because of that, rightfully so, there’s a lot of attention. I also think that, as I mentioned earlier, regulators have been paying very close attention. I know in the EU, if they haven’t already pushed out regulations, they’re soon to, but I think they have. In the United States, our regulators are talking about how to do the same thing as in the EU. So we may see ESG regulations actively coming out, although right now regulators are pushing public companies into providing ESG disclosures so that their stakeholders are aware of it. So you already see that momentum, and I also think it has been part of board agendas.
So boards are now looking at an organization; the board members are asking, hey, when we talk about third party, what is it that we’re doing with ESG? So that’s come to the agenda of the board. And there’s also vendors in the market that have now provided these types of services, because ESG and ABAC is challenging within your own organization, by the way. And then when you ask right there, so
Mike: And I don’t even know if we have a slide on it, but so what is the biggest challenge relative, sorry, my Zoom thing went off there. You know what, Amanda? When you said you should put your phones on silent, I totally wasn’t listening to you. Apologies.
Amanda: I’m shocked. That’s fine.
Mike: So, Nasser, what would you say are the biggest challenges around, let’s say you do have a third-party process, right? You’re using some, whether Prevalent or something else, doesn’t matter. You’ve got some process that’s something more than a spreadsheet. You’re able to get results. So you’re at, say, an intermediate level with third party when it comes to implementing ESG and ABAC. Top one, two, three things people should consider, challenges, like do this or definitely don’t do this, and it could be either one.
Nasser: Yeah. So, I kind of go back to, for starters, if you’re doing ESG and ABAC with third-party vendors, I’m going to presume you already have these programs in your organization, from policies to standards to all types of evidence collection that you’re already doing internally. So now that you’re extending this to a third party, I think it’s really important to understand what the appropriate triggers are. When am I going to do ESG? Is it because this is a critical vendor? Is it because this vendor operates in a country that’s unfortunately known for ESG violations? No different than with ABAC, right?
So there are certain profiles that you would like to establish when you look at your vendors, because this is not applicable for every single vendor. As a matter of fact, that would not be conducive or efficient. But you definitely want to have the appropriate trigger points, and I gave you some examples such as countries and locations and things of that nature. So that would be one. And then the second thing is, I think sometimes it’s very easy, I shouldn’t say easy, but it probably lends itself for us to quickly formulate questions: hey, I need to ask the vendors, do they have an ESG policy, do they have an ABAC policy, do they support the following local laws and regulations related to ESG and ABAC, and so forth. Those questions are pretty good, and you can definitely further tailor them. I think some of the challenge is the evidence. When you get something back, what does it really mean, and how do you really measure that, right? And I think there is no SOC 2 equivalent today, as an example. So when we talk about privacy and security, we can rely on our vendor to go hire an independent party to come in and do a SOC 2, and you get to understand what controls are in place, what’s effective for my privacy, cyber, etc. With ESG and ABAC, that’s not in place yet, at least not from my understanding, from a SOC 2 as an example. So you kind of have to do that as an entity. I do know that there are services out there, companies that would provide you ESG ratings, and it’s important to understand how they formulate the ratings, where that information is coming from, what data they’re getting. The same thing for ABAC, by the way. So sometimes, if you feel that, hey, even if I were to ask these questions, can I get an independent source so I can use it as a sounding board, or even do continuous monitoring; those services are now spinning up.
They have been available in the market, and I know people are beginning to subscribe to them because they want to know about the vendor’s ESG disposition as well as the ABAC.
Mike: Okay. So you had mentioned the big three before; we have a big two on this slide. We didn’t put business continuity on it. But taking a step back and helping people understand, and this is obviously a big question now, relative: so if ESG and ABAC are step five, and we’re on a 10 scale, and then there’s advanced things, how do you architect a program, and then how do you architect a program to get there, right, so that it flows correctly into ESG and ABAC?
Nasser: Yeah. So I think you definitely need to build a framework, right? You need to build a TPRM framework where you can then interconnect those risk disciplines, and you can decide, based on your vendor portfolio, which risk disciplines you’d like to onboard first. And I’m assuming that we’re starting this from scratch. You have the opportunity to take a whiteboard and start putting all this together from the very beginning. And I would also add that I’ll kind of take a step back and say, hey, if I’m building this TPRM from scratch, what are the objectives? What are the key objectives that I want to accomplish from this TPRM program? It’s just not about onboarding vendors, by the way, although that’s really important, because you need to be able to onboard vendors in a very safe and sound manner, and as quickly as possible. That’s what the business demands. But I think you have to look at objectives such as, do I want to be able to identify, report, and manage risk associated with my vendors? Do I want to introduce cost savings, because we may have so
Mike: How do you introduce cost savings? Because look, everybody, you know, we have ROI documents, and I just don’t think, and explain it to me, right? But security risk is a cost center. You spend more money; it’s insurance, right?
At the end of the day, I’m doing this to mitigate my risk, or define and accept a level of risk in case something bad happens. So how do you see this as a cost savings?
Nasser: I’ll give you a couple of examples, but it’s not meant to be an exhaustive list. So to me, one of the cost savings, if you were building a program, is what redundancy do you have there? Sometimes when a TPRM program is being formulated, they may have five contracts with the same vendor, and that’s because you have a very large organization that is very decentralized when it comes to contracts. So you may be doing business with the same vendor under five different contracts; you’re not taking advantage of one contract, massive discounts, and ways of introducing cost savings just from a contractual perspective. Because people never realize that right across the floor there are two other business units that are using the same vendor, right? So that’s one. I also think that if, in your portfolio, as you do your due diligence, you establish approved vendors, these are the vendors that are approved to provide these services, these goods, and they’ve been pre-approved already. They have a master service agreement in place. They have a rate card in place. You’ve already negotiated the best prices for those rate cards, and anybody who now comes along and wants to use a service or product, it’s nice to have a vendor list that tells them, hey, these are the people that we can go to and be able to take advantage of cost savings in that fashion. Again, that’s just an example of that, right? And then if we talk about automation, if you just talk about, hey, I’d like to leverage technology, I’d like to automate a lot of these manual processes, then you can look at your labor force. Hey, how long does it take us to manually, because that’s what we do today.
How long does it take us to manually process this, and how much can I save on the labor hours, the administrative hours, if I were to automate this in technology? And they’ve shown that technology does lend itself to that. And not only that, usually what happens in that particular scenario with technology is not only do you get cost savings, but you get scalability. Holy mackerel, I can do more of these, more consistently, with higher quality, faster, but still very sound and safe, because technology has lent itself to it. So there’s definitely ways of concretely showing cost savings. It’s just a matter of how you’re collecting that data and then how you’re presenting it from a cost perspective. But again, that can be an objective of your TPRM program, right?
Mike: Well, and look, I think that’s the most important thing that you said too. Look, we’ve been doing this for a long time, and to see people build these programs, you kind of have to do it with the goal in mind and work backwards, right? You start at the very end, the Nirvana state, and then look, if it’s a three-year plan, it’s a three-year plan, but you have to work backwards from, okay, I want to be here. But I will tell you, and this isn’t a Prevalent thing, this is, look, everything that you said is what we’ve seen: start small, start with a fixed number of tier-one vendors, right? It could be a hundred or 200 at the beginning, and I know you might have 1,500, I know you might have 2,000 tier ones, but figure out how to work it, grow it, scale it, automate it, lessons learned, and then build it. The folks that we see, and I’m just saying this right from the hundreds of folks, is, look, we had a lot of customers three or four years ago that start, they’re like, I’m going to do 5,000, and they were unhappy, because nobody’s going to do 5,000 vendors in their first six months. You’re lucky if you get through 50, quite frankly.
It’s build a program in a logical way and set realistic goals with a realistic number of vendors, and scale it as you build competency. Right? To me, that’s the great thing, right? You know, it’s the, how do you eat an elephant? One bite at a time. It’s that analogy, and I’ve been using that one for years at this point. So,
Nasser: And you’re absolutely right. You know, build a program with the right framework, knowing very well what you need to do now and how it needs to grow and scale in the future. And often you have a lot of indicators to understand that, because right off the bat,
Mike: What are those indicators? How do you know how much your program needs to, because look, we run into people, and there have been a few people that are like, I have 50 vendors, I just want to do 50 vendors, I never want to do more than 50 vendors, that’s it. And then you have people who start, they’re like, I’ve got to do 5,000, and you’re like, no, you don’t, like not in your first year you don’t, because you’re going to jump off a cliff. So what are the indicators to you for scalability, the need for scale and growth and flexibility of a program?
Nasser: Yeah, you know, I’m going to keep it very fundamental, because I think fundamentals are important. So, one is, make sure you have an inventory, right? You need to know what’s in front of you, and without an accurate inventory, there might be things that you think are important, and things that are simply not in your inventory that might be more important. So one thing is, do you have a central inventory of your vendors? That’s a great start. That will at least tell you not only what your workbook might look like, but it will also tell you potential pipeline. And let me mention what I mean by pipeline. Pipeline is, think of pipeline as being a workbook.
So if you do an inventory and you also define risk criteria for your inventory, hey, now that I have this inventory, what is risky to me? And let’s assume that those two things are working as you expect. Now you would know, to your point, Mike, hey, if I want to focus on my top tier, because those are the riskiest ones. You would know that because you have an inventory, you have risk criteria. And not only that, let me kind of go back to pipeline now. You would know, now that I’ve done the top and the riskiest ones, do we have the scalability, do we have the bandwidth now to do more than that? And that’s where your pipeline becomes an area that you want to focus on. How many of these can I do? Because that comes back to people, process, and technology; PPT never goes away. That becomes instrumental when you look at a TPRM program. Do you have the right people? Do you have the right process? Do you have the right technology? But let’s assume that you built this framework, you have the inventory, you have the risk criteria. You start to understand not only what the volume looks like, you can start to forecast. Hey, now that I’ve done 50, how many more do I have in my pipeline? And bear in mind, this is what you have currently in existence. Here are the ones that I’ve identified that are currently in my inventory. You also have to anticipate, as part of your forecast, as part of your pipeline, what new vendors are going to be onboarded this year. And hopefully, when you start looking at your inventory, it should be able to tell you that, right? Your inventory should be able to tell you how many we added last year, how about the prior year, how about the year before that, what trends am I seeing when it comes to new vendors, and if you’re looking at digital transformation and things of that nature, you should anticipate more.
Mike: Nasser, on that one.
So I find, and this leads into this question that I’m going to get to asking in a second, but the vendor identification is probably the biggest challenge I’ve heard for third party. Like, you can’t evaluate your third parties if you don’t know who they are, and people are generally able to get some, but it’s always a subset of the whole, and that’s always the biggest struggle. Do you have a rule of thumb, like if you think you have 50 vendors, it’s actually 100 vendors, or it’s a, you know, do you know what I mean? Like, where’s the hidden skeleton there?
Nasser: Yeah. What I usually say is that if you want to get a good litmus test of whether your inventory is accurate or not, there’ll be two things. One is understand who’s paying the bills, because if you follow the payments, you kind of quickly start to enumerate
Mike: All the money, baby. Follow the money.
Nasser: Exactly. You start to enumerate who’s getting paid, and hey, they might be vendors that should be in my portfolio. So that’s one. The second thing is make sure you have a vendor definition, because I’ve seen portfolios where they throw everything in a portfolio, and because everything is thrown into the portfolio, it’s really hard sometimes to distinguish, out of the 10,000, which are my top 50, right? Because they just didn’t have a vendor definition, and anybody who they shook hands with became a vendor and they threw it into their inventory. So I would say those two things. Follow the money: hey, who’s getting paid? And that’s where your accounts payable, your procurement department, are great partners, right, because they start to give you that kind of insight, to give you the sounding board of, hey, how accurate is your inventory. And then secondly, make sure there’s a definition, because you can have a very large organization and people might perceive vendors very differently from one business to another.
Mike: Yep. So let’s say we’ve identified the vendors, like we’ve been discussing for a few minutes. You’re already theoretically close to capacity. So how do you effectively work in these new types of assessments? Nasser: Yeah. So to me, I’m going to go back to ABAC and ESG. These are risk disciplines that we need to further include as part of our due diligence, right? So again, we are very familiar with privacy, cyber, business continuity and so forth. Those are the things that we have historically been doing. Again, if you have that framework in place, and I keep going back to people, process, technology. If you have that framework in place, to me it is almost like you need to build a new wing in your home, or you want to extend or build a new room in your home, but you already have the foundation in place, right? You just can’t build a new room in your home if you don’t have the home. So it’s that foundation. Do you have that framework in place so that, like a Lego block, I can pop in this new Lego without bringing down what I built with my Lego structure? So that is one: do you have the framework in place? Also, since I’m talking about the framework, I keep going back to fundamentals. Do you have a central intake process, and does that central intake process define, or try to extrapolate, the characteristics of that vendor, that engagement, so that you know what types of risks you need to go ahead and perhaps do due diligence on, right? Because if you’re now going to introduce ABAC and ESG, you don’t want to do this for every single vendor. It just simply doesn’t make sense. There should be appropriate risk criteria. Mike: Yeah. You have to throttle it a little bit, right? Everybody should not be getting one of these. Nasser: Exactly.
So as part of your intake process, you should be able to get that type of metadata from your engagements and vendors to say, “Okay, this one is not qualified for ABAC and ESG.” And it could be for good reasons, by the way. It could be that this is a vendor that’s providing janitorial work, and I’m just exaggerating to make a point, or providing the cafeteria, if there happens to be a cafeteria in your building, as an example. But nonetheless, if you have the right data points being captured in the intake process and then being funneled downward to the appropriate stakeholders to do their due diligence, that becomes a tremendous plus, because all you’re doing is taking advantage of an existing framework that you have proven works. And now when you add this, as long as the downstream stakeholders, and let’s assume that this will continue to be compliant in handling ABAC and ESG, they would know that it’s coming, because you’re helping them with their pipeline, you’re helping them with their forecast. And if they are subscribing to third-party services for ABAC and ESG, that would just further enrich their due diligence, where they may not need to rely so much on the questionnaire and evidence collection, because they’re getting really trustworthy sources coming in. But that’s what I would propose, right? Yes, I totally agree that you could be drowning if you don’t have a framework, if you don’t have a cohesive system that’s working synergistically and holistically across your organization. Because if these things are still done in silos, I think the person who suffers the most, believe it or not, is the business, who basically wants to onboard a vendor because there is either revenue to be generated, cost savings to take place, or something to improve customer experience, and that just gets further dragged out because these things are not interconnected.
And now we’re going to introduce two more steps in the process, which can be very frustrating. Mike: So, got a live question from Brian. I’m going to, what’s the word? My brain has just seriously been home too much. I’m not going to read it verbatim. But the question is, so you had mentioned procurement and compliance. Do they play a bigger role, more of a partnership role? Like, you’re kind of in your security role, right? But talk about procurement and compliance relative to TPRM, that’s one, and then does the role expand for ESG and ABAC, and what you should do about it, like, should you be walking out with all the branches now, later, regardless of where you are in the process? So I think that’s where we’re trying to... Nasser: Yeah. So what I will tell you, and I go back to that 360 view of risk. So when we look at a vendor, a vendor can have multiple types of risk, right? From privacy to ESG. And I’m a strong believer that, you know, there’s a saying, it takes a village to raise a child. It’s very comparable. It takes a lot of risk domains working in synergy to safely onboard a vendor, and ideally in a timely manner. So, procurement, let me put a pause there and just focus on procurement. So procurement, to me, is a key stakeholder. I’ve seen organizations where procurement is running TPRM. So it is not the CISO anymore running the TPRM. It’s not privacy or compliance. Mike: Is that an ideal setup, in your opinion? Nasser: I like it for many reasons. One is, I’m going to compare it to an octopus. You need a head that makes sure that all the legs are interconnected in one form or another. So procurement can definitely be that head of the octopus and then push down the work,
may it be compliance, privacy, business continuity, to all the legs, from an analogy perspective, while the head knows exactly what’s happening, what’s the status of that work, what’s bubbling up, and ultimately providing an overall risk posture of that vendor, right? Because when I do it from a cyber perspective, I’m going to do cyber risk. When I do it from a privacy perspective, I’m going to do privacy risk. But somebody needs to aggregate that and say, “Hey, what do all these risks really constitute when it comes to an overall risk posture of this vendor?” And I think that an entity like procurement can really play a key part in that. But like I said, I’ve seen procurement overseeing TPRM, but there are other organizations that structure that differently. If you work in a three lines of defense model in the financial industry, I’ve also seen where the second line sometimes would like to oversee TPRM, although to me it is all about a first-line function when it comes to third-party risk. And I’m sure second lines would agree. But anyway, what I would say is, going back to procurement, they are a key stakeholder. I’ve used procurement also to help me. So when I am doing due diligence, as an example, and I’m helping my business in the vendor selection process, usually procurement is in the front doing the RFIs, RFPs. So I usually take advantage of that, and I work very closely with procurement to say, hey, you know what, if we’re talking about a vendor that is going to be handling regulated data, may that be HIPAA, GLBA, PCI, you name it, GDPR, I would like you to have these factors in your RFIs and RFPs. Why? Because when they come back, I can quickly start helping as part of the vendor selection process, because why do I need to add something to my pipeline if I can start to eliminate it way up front, right? What we call shifting left.
What can I do way up front, on the left side, so that I don’t necessarily have to, because I have evaluated it and provided an opinion very early on? Or if it does come to my pipeline and I was involved in this RFP, I should now have some expectations, because the RFP would say, you know, Mr. Vendor, Mrs. Vendor, you will do the following things with my data. They say, “Yep, we will do that. Yep, we will do that.” When it comes to me for due diligence, that’s an easy conversation with the vendor, right? Hey, when we did the RFP, you said you would do this, and we’re expecting you to do this. Now, show me the evidence, right? So that starts to really grease the skids, so to speak, and help with the overall process. So I think that becomes really important. And then the last thing I will say about procurement, and we might have touched upon it earlier, is that often procurement and legal work very closely, and I want to be involved in that relationship, because I want to make sure that contracts have appropriate terms and conditions, may that be ESG terms and conditions, the privacy side. Mike: Preaching to the choir, man. You’ve got to get your stuff in there so you can actually effect change, and that’s where the rubber meets the road, baby. Exactly. Nasser: So you’re right. So the contract plays a really big part, because what people sometimes don’t realize is that when you do your due diligence, and I do emphasize the word when, because you may only be able to do it once a year for your critical vendors, or you’re in a position where you only do it once because you just don’t have the capability, the bandwidth, to even revisit a vendor. So it may just be once, but that contract lives in that relationship for the duration of that contract. So you want to make sure that you have appropriate terms and conditions,
including controls in those terms, in those contracts, so that when you’re not able to go and verify and do your assessment, the contract is still enforced, right? So procurement plays a really big part. Compliance plays a big part. We talked about, in places that I’ve seen, ESG and ABAC, if they’re not completely their own divisions in that organization, sometimes they fall under compliance, and compliance is a key partner. They know more about regulations having to do with ABAC than anyone else. They are the subject matter experts. They’ve been doing this in their organization for the longest time. They know when something smells good, smells bad. So you take advantage of those skill sets. Mike: So, question on the screen. So look, everybody, the nut or the net result of this is everybody’s always looking to, you have to report something, right? I have x amount of vendors. We’ve done this. I have x good, x bad, or there has to be some metric that validates the effort. Does ESG change the reporting in any way, shape or form, or should it roll into standard? Nasser: That’s a good question. I would tell you that, first, it should be incorporated into your metrics, and where necessary called out uniquely in your metrics, because, like I mentioned, ESG again has a lot of board visibility.
So the boards may want to know particularly, hey, when we talk about our critical vendors, are any of these putting our company in harm’s way when it comes to their ESG practices? And that’s something that I would anticipate, if not already happening, with board members, just because of the attention on ESG. But I would also add that you may already have metrics in place that talk about performance, that talk about risk, what we like to call KPIs and KRIs. And also important, when we talk about metrics, who are you presenting these metrics to? Mike: And by the way, do you have two or three KPIs that are like, these are my go-tos, just for the program, whether they apply to ESG? Nasser: Yeah. Yeah. So the ones that I like, it’s kind of high level. So typically this is what execs and boards want to know: hey, tell me which critical or high-risk vendors are not financially stable, because a vendor that’s not financially stable can impact an organization in a multitude of ways. Right?
If you don’t have the money, if you don’t have the revenue, if you don’t have the cash stream that you need to operationally and effectively run a business, everything gets downgraded. Your cyber security is not going to be well funded. Your privacy is not going to be well funded. Business continuity may be in jeopardy, and so forth. So financial stability is really an underpinning risk. So I would always look at, hey, which of my high-risk vendors are not financially stable? I don’t anticipate that, but it’s a big red flag. The other one would be which of my high and critical vendors, and again I’m taking a risk-based approach, right, which of my critical and high-risk vendors have experienced a material data breach or security incident in the past six months, in the past year? And that’s because we know that ransomware is everywhere, but we do know that security incidents have not stopped. They continue. It’s the gift that keeps on giving. So as board members and executives, they want to know: what is it about a material, and I do mean a material, data breach? I don’t mean, hey, we had one customer record that got leaked. I’m talking about a significant number of customer records, where now your company is interacting with the media. There might be class action lawsuits. These are the things that the boards really want to be in tune with. And then the other one that I would just throw in there: if you are paying for a vendor to provide you services, products, you want to make sure that SLAs are not being violated. So usually when it comes to critical, high-risk vendors, are my vendors performing as we expect? Because they are an extension of our business. If any of our businesses are failing to meet our customer demands, if any of our businesses are failing to meet our expectations, that’s a concern. So that’s no different with vendors.
So I always throw in there failing to meet SLAs month after month, or any material outage. They couldn’t produce this outcome in the month of March and the month of April. What are the impacts? The call center that was outsourced went down. They couldn’t handle a customer call for the past two hours. Those things are really concerning, something that board members and executives need to know. And then if you want to throw in other metrics, operationally speaking, about your own program, you should. You should say, “Hey, you know what? Now that we have this program in place and we’re trying to identify all high-risk vendors, we have seen five vendors that have gone through the system and never done due diligence. They have a contract in place and they just kind of bypassed the system.” Not that you’re trying to get anyone in trouble, but these are risk indicators, operationally speaking, internally, that your board needs to know, because you may not have everybody who wants to, quote unquote, cooperate the way you’d like, right? So those are the things that I think board members are interested in, as well as execs. And again, pay attention to the metrics that they already collect. If you have the opportunity to take a look at the metrics that your execs and board collect, you can take advantage of that and understand some of the themes that they get concerned with. Mike: Yeah. Don’t recreate the wheel, right? Nasser: Exactly. Absolutely. They might be concerned with reputation, or regulatory, or compliance, or lawsuits and things of that nature. Lend your metrics to those so that you’re speaking a common language, because they understand the risk at a very business and corporate level. And if we can tie our metrics with that, you hit a home run. Mike: So, can you track this stuff in spreadsheets?
Can you do... That’s funny. You laugh. Nasser: Well, here’s what I’d say. Let me start with some assumptions, and I laugh in no way to trivialize those of us, including myself, that have been and may still be doing spreadsheets. So in no shape or form am I trivializing that, because it’s still a valiant effort for you to do what you need to do on behalf of your company to identify risk associated... Mike: Yeah, I’m not blaming the people. Everybody’s doing the best with what they can. There’s nothing against the people that have been asked to do it in this way. That being said... Nasser: Right, absolutely. Yeah, so let me give you some assumptions, and then from those assumptions I think we can talk about what the material risks are, right? So one, spreadsheets rely on emails, and we know how effective emails are, right? Not only that, you are assuming that when you send an email, the recipient party who needs to complete that spreadsheet received it. God knows if the email controls just killed it before it went in, or it went to a junk box. And you’re also assuming that you received that spreadsheet via email in a timely manner. And then, presuming that all this is done through email, because that’s what happens with spreadsheets, as an example, that someone is vigilantly looking at your email system to make sure that when they get the questionnaire back in the spreadsheet format, they can quickly process it, right? And that sounds doable, but what happens when people go on vacation? What happens when people get ill and they’re not looking at their emails, for argument’s sake? So it can become a struggle just on those assumptions, right? And I just want to stop there on the assumption piece. Now let’s go into the material impact. So to me, one of the challenges with spreadsheets is that it’s really, really hard to stick to a specified SLA.
So if you, as the due diligence stakeholders in your organization, say, “Hey, you know what? We will do the due diligence within x number of days,” whatever you want to call that SLA, it’s really hard when you’re relying on emails and spreadsheets to begin with. And because you are going to impact the turnaround time, or not be able to meet your SLAs because the capability now doesn’t lend itself to that, you’re going to impact go to market, right? So when a business wants to come in and sign that contract for very, very good reasons, and they want what we like to call go to market, it’s going to be hard to be an enabler of that, just because of the nature of spreadsheets, right? I think the other challenge with spreadsheets is they’re always suspect to audit, right? There hasn’t been a place that I haven’t worked at, or peers that I’ve spoken to, that are using spreadsheets that don’t have an audit issue at one time or another because of the manual process. How do you know that the spreadsheet from the email was captured and placed in the right file directory? How do you know that somebody did not overlook a spreadsheet that is still in his or her email, right? So it just becomes very prone to audit issues. It does introduce a lot of operational deficiencies, and again, just because of email and spreadsheets, right? You send out an email; where’s the tickler? How do you know when you’re supposed to get it back? And then what happens when you don’t get it back? Is there a checker that tells you, hey, remind this person by another email, please send that back, and so forth? So it does introduce a lot of administrative overhead that to me has no value in the effectiveness of the process, right, in how you do your due diligence.
And then the last challenge, and there are more, right, but the last challenge I would say is, if someone were to ask you, can you tell me what are the most common risks that you have seen in the vendor portfolio, you probably have to go to x number of spreadsheets and open them up and extrapolate what you think are the most common risks. And even if you extrapolate risks from your spreadsheets and put them into a central issue management system, the question one would ask is, hey, did you extrapolate every single risk that you identified in the spreadsheet into the issue management system, or might you have overlooked one, two or more of those risks? And I’ve seen that happen personally in my organization, with me, as a matter of fact, where you think that, hey, I’ve taken a spreadsheet, I reviewed it, these are the gaps, these are the concerns, I’m going to identify these as three risks. A month goes by, two months go by, audit knocks on my door: hey, Nasser, we are really concerned about this vendor, we want to take a look at this vendor, show us what we did. Ah, wait a minute. I notice that in the spreadsheet you identified three risks, but you only moved two of them into the issue management system. Hence you overlooked one risk. Here’s an audit issue. Right? So it’s just a challenge overall, the challenge that comes with spreadsheets. Mike: So you had mentioned this before about the financial and reputational monitoring, and, well, it... I don’t know, that kind of sits in between.
It’s not exactly third-party security controls, but it’s not a... Mike: So I mean, the question is how important is it? And you had mentioned during our prep call about offboarding too, so let’s tackle those two. Nasser: Yeah, so let’s talk about, remember I talked about financial risk, to me it is... Mike: Yeah, that’s number one. That was number one. That was a top-tier, top issue. So... Nasser: Yeah, I think that’s an underpinning risk, right? If a company’s not financially stable, everything that company does goes into question, including their security posture, how good they are with privacy. And I’m not knocking companies in any which way that are in financial trouble. All I’m trying to tell you is that that’s a key indicator. If you are not financially sound, there’s a key indicator that other things that are important, such as cyber, ESG, and so forth, may not be where they need to be. So that’s one. Reputational monitoring, I think it’s very important, because there are a lot of things that happen between your first assessment and your next assessment that sometimes you just don’t have visibility into. But if you know that, hey, there is something out there that’s happening, and I’m getting that heartbeat alert, for lack of a better word, I’m getting that updated information regarding a critical vendor of mine, I want to be abreast of what’s happening between the time I do the first due diligence and then the ensuing due diligence, which may happen six months, a year from now, whatever that cadence might be. You definitely want to have... Excuse me. Mike: Hold on. Get a drink. You get a drink, and I’m going to just let everybody know. We’re going to do these two questions.
Then, if we have any more questions, but I promise to get everybody out of here like five or three of the top of the hour, so everybody can stay on schedule, go to the bathroom, get another drink, and then get to your next Zoom meeting. So we’ll try to keep everybody on track here and ask any questions that folks might have. Nasser: Thank you, Mike, and thanks for the drink. Yeah. No. But so we were talking about financial; now the reputation. Like I said, you definitely want to be kept apprised of what’s happening reputationally with your vendors, which can impact your reputation, by the way. And if you subscribe, and you feel that that’s worthy, and often that’s the case, you have to make sense of what you’re subscribing to, right? Because it’s all about how relevant is this to me, and is this meaningful, and can I take decisive actions based on what I’m seeing? So that’s part of understanding who you’re subscribing to when it comes to reputational monitoring. But I think it is relevant, and I also think that often, and I’m giving you a worst-case scenario to make a point, when, if we can talk today, one of your top-tier vendors, one of your critical vendors, winds up in the news in a very, very negative way, very often the minute that your executives, your management, your board members know of it, it trickles down pretty quick. So if you can be ahead of that, if you can somehow understand, hey, I see from what I’m subscribing to, from a reputation monitoring perspective, that this vendor is just degrading, let me go and have these conversations with this vendor, and those conversations are solidifying the data points that you’re collecting, the data points you’re subscribing to. You can start to now talk to the businesses, to your execs. Mike: While we’re on the subject, I got a question from Jeff F.
What tools are you using to evaluate financial risk? Nasser: I’m going to keep it vendor agnostic, because I don’t want to come across as if I’m supporting any particular vendor out there. But if you wanted to, you can actually Google; there are companies out there. There’s an easy dozen out there that would provide you financial information, and let me help you with some qualifications here. Usually when we seek financial information, public information, I mean public companies have to provide their financial statements. That’s because they’re public companies and they have requirements. So those are usually very accessible. And yes, you can still use a vendor to help you aggregate that data and present it to you in a very meaningful way, because one of the challenges with financial reporting is that somebody has to understand what that reporting is saying, right? Because I’m very familiar with cyber, privacy, compliance, business continuity, but I’m not really a proficient expert when it comes to reviewing financial reports. There has to be somebody who knows that. And that’s one of the reasons sometimes you will subscribe to a financial entity, a financial vendor, that gives you that information so that you don’t have to do all that footwork. But going back to public companies, usually that data is readily available. I think where it becomes a challenge is with private companies. Private companies are not obligated to provide financial statements, and usually what I’ve seen with private companies is that when you first are looking to sign a contract with them, they’ll provide you what you’re asking for, because that’s just good business. But the minute the contract is signed, you may not get another financial report, by the way. So it’s important to think about that from a contractual perspective, right?
What is it in the contract that I should be including so that I get these financial reports on an ongoing basis, or upon request, from my vendors? However, going back to some of these vendors that provide financial information on public companies, they also do it on private ones, so they have the capability to also do this, because either they’re already collecting it from the private entities, or on your behalf they would work with those private vendors to get that information. So I’ll leave it there, if you don’t mind, because I just don’t want to advocate any vendors, but there are a handful out there that would literally provide you the financial status of a company that you’re looking to do business with. Mike: Yep. And look, I’ll tell you, that’s a feed that we have in the product, too. But if you’re interested, great. If not, no problem. But just put it out there. So, Nasser, let’s come all the way back around to... Oh, Amanda has one more poll question. Thank god you texted me. I was going to just wrap this thing up. You should have just cut me off, too. Amanda has another poll question. Go, Amanda. Amanda: Thank you. Just been waiting this whole time here. Yeah, I hate to break it up, but just wanted to throw in one more poll question. Since you got a lot of information from everybody here today, was there an incentive that brought you here? Do you guys have something going on from a third-party risk standpoint for 2021 that we can potentially help you with? So... Mike: And I would say ESG and ABAC too. Amanda: Yeah, that... Mike: I probably should have thought of that. That’s my fault, but probably should have. Amanda: We’ll blame it on you. Mike: That would be a yes. Unheard of. Amanda: Perfect. Yeah, that as well. If you’re looking to talk about, yeah, those two acronyms. Those are hot topics.
Mike: We’ve got to figure out the ES-and-G, right, because Nasser had the ampersand and we weren’t using that. So maybe we should get the ampersand. Nasser: No, let me tell you, man. I might be bad about that one, because I know people say ESG. I happen to just, by default, throw in the N in there because it just sounds better to my ears. Mike: Yeah, it sounds good phonetically. I think I would agree with that. Mike: So, Nasser, while the poll question’s up there, ESG, ABAC, like, real important, where is it, like, key takeaway for folks, if they have one or two key things from this? Nasser: Yeah. So ESG, definitely important, getting a tremendous amount of attention from the White House, regulators. If you have a geographical footprint all over the EU, ESG is significant. They already have regulations, if not soon to come out. So one, very important, and I also mentioned this is definitely a board agenda. So boards are zoning in on this. No different than ABAC. ABAC is also very important. The second thing is, if you’re going to continue and further bolster the types of risk you’re going to be looking at in your organization, and you’re going to look at ESG and ABAC, I think it’s also important to understand how your organization does these two things, and then how do they want to extend those capabilities, from people, process and technology, right? They may have the people with the skill sets; they really know how to ask the questions and review the right content here.
So it would be, do you have these programs in place? And I’m positive that with ABAC it’s in place, ESG is in place in one form or another; it’s just what maturity level you happen to be in. If they’re in place, how do you work with those parts of your organization to start to extend it to your third-party portfolio? Because if you just extend it without having any catchers, and you’re just pitching out there, the minute your vendors turn around and give you what you’re looking for, you still need somebody to say, okay, can I make sense of this? Is this good? Is this bad? And this is why it’s an internal thing that starts to propagate externally to your vendors. Mike: Fair enough. Nasser: I have a question, Amanda. Back to you. Amanda: Yeah, just really quick, because I had someone come and approach me regarding FERC and NERC, and I was curious as to, yeah, NERC and FERC. Is there one that’s better than the other? This is kind of new for me personally, too. So... Mike: What’s the difference between the two? Is one better than the other? And do you need both? Like, what? I don’t really know much about that. Nasser: Yeah. What I would say is they both are relevant. I think what’s really important is to understand, from an organization perspective, which of those are the ones an organization needs to align with. Sometimes it’s both, sometimes it’s one. But I think it’s an organization decision. To me, this is very comparable to when you look at cyber security frameworks, like NIST and ISO. Mike: I was going to say NIST 800-53. Nasser: And often companies subscribe to a hybrid, right? US companies like NIST. But the minute you go geographically and you operate on different continents, you see that ISO is just as big. Mike: It’s ISO or GDPR or something. Nasser: Yeah. And there are a million of those.
So I guess the more this grows, it’ll probably... Mike: I will tell you, look, Nasser and I, and look, I really do want to wrap up, but I will tell you guys, focus on the outcomes that Nasser talked about, not necessarily on which, like, all the frameworks are good if your goals are set correctly, right? Their flavors are the same. I call it the pizza conversation. There’s no bad pizza. There are all good, different kinds of pizza. So focus on the security and the outcomes and all the things that Nasser spoke about today. I don’t think you can go wrong if you followed any one of 20 of these, but it’s how you implement and how your organization approaches the problem to begin with, would be my advice in 20 years. Nasser: I agree with that as well. Amanda: Yeah. Well, thank you so much for your time, Nasser. This was super insightful. I took probably two pages of notes in Word while you guys were both talking. So thank you again, Mike. Always a pleasure to see you. Mike: Always a pleasure. Amanda: And this will be in your inbox tomorrow if you’re sticking with us. Thank you so much. And if you have any questions, feel free to reach out to us. Thank you so much again. Have a good one, guys. Thanks, guys. Thanks.

©2025 Mitratech, Inc. All rights reserved.