On-Demand Webinar: Pfizer Case Study - How to Get Third-Party Risk Management Right
Learn how Pfizer implemented an automated and scalable TPRM program
Description
Join Pfizer’s Keith Lichtenwalner to learn how he evolved Third-Party Risk Management (TPRM) from a tactical, spreadsheet-centric process to a strategic, highly automated and scalable program.
This on-demand webinar covers the entire TPRM workflow, from identifying your vendors to effectively remediating exposures. Whether you are just starting to build your program, or already have a mature program in place, you will discover new techniques for reducing risk, reaching compliance, and implementing a program that works for you and your vendors.
Speakers

Keith Lichtenwalner
Pfizer
Transcript
Peter Schumacher: Welcome, and thank you for joining our webinar today, "How to Get Third-Party Risk Management Right," a case study featuring Pfizer’s Keith Lichtenwalner. You’re also joined by Prevalent’s chief third-party evangelist and senior director of networks, Brenda Ferraro. My name is Peter Schumacher, your webinar host for today. I’ve got just a couple of housekeeping items to cover before we can get started. First of all, a reminder that all lines are muted, but in an effort to keep this session interactive we invite you to submit your questions using the Zoom console; time permitting, at the end of the hour we’ll host a live Q&A. Today’s webinar is being recorded, and in the next business day or so you’ll receive a follow-up email with a link to that recording. I know you didn’t join to hear my voice, so at this point I’d like to turn things over to Keith and Brenda. Thanks so much for joining us today, and please take it away.
Brenda Ferraro: Thank you, Peter. Keith, welcome. I’m really excited to let everybody know all the great work that you’ve been doing over the past year on maturing your third-party risk program. Are you ready to get started?

Keith Lichtenwalner: I certainly am.

Brenda Ferraro: So we will need to change slides. Here are the presenters for today, just so that you can see what we look like. We were trying to get a non-fuzzy picture of Keith, but to no avail; we’re gonna keep it as it is. As you heard, I’m the chief third-party evangelist and senior director of networks for Prevalent. I’ve been at Prevalent for about two years, but my history in third-party risk has spanned six years, and I have an IT background of 20-plus years. How about you, Keith? When did you get into third party?

Keith Lichtenwalner: I spent 27 years in the chemical sector and spent about 15 of that actually doing third-party risk management and other risk management, and have since moved the last three years to Pfizer, where I’ve been more focused on risk management and plant cybersecurity. So this has been a passion area for me for at least about 17, 18 years now.

Brenda Ferraro: And the two of us have worked together maybe over four years with the eighth ice pack, is that correct?

Keith Lichtenwalner: Yeah, it’s three-plus, yeah.

Brenda Ferraro: Sliding it on four. All right, well, let’s get started. I’m sure everybody doesn’t want to know the history of how we’ve met, but we’ll talk about why we’re here today. Third-party risk has evolved from a position of collecting content to become aware, maybe using attestations, to better understanding where your entities, third parties, vendors or suppliers are with securing their controls, and if those actually match what your customer requirements are for compliance and regulatory needs. What Prevalent has done is we have the ability to assess, monitor and share with a 360 approach. We are able to collect once and share with many when it comes to questionnaires. We’re able to share with you an outside and an inside look of your vendors and entities and what they have in place for their third-party risk, and the networks that we have available within the industry are helping us to tell the communities exactly what the vulnerabilities are as we move forward and understand better what the threat landscape is changing to. So we’re going to dip into a poll question at the beginning of this session to ask all of you how many questions are in your primary assessment questionnaire. So Peter, if you’ll start that poll, we’ll watch and see what we get from the audience. So really we want to talk more about what’s just in the questionnaire, because questionnaires only tell you what your entities inform you about their controls, right, Keith? So we look at that and we say, oh my goodness, we’ve got all these controls and here’s what they’re telling us, and we have to trust what they’re telling us is the truth, right?

Keith Lichtenwalner: Mm-hmm. Yeah, I’m a big proponent of the monitoring piece. It helps you get the full vision into: are you getting a quality questionnaire response? Do the indicators from the monitoring piece support the questionnaire responses, so everything looks to be in sync, indicating good quality direction? To me, they complement each other very well.

Brenda Ferraro: All right, so it looks like we’ve got about 50, what, 60% of the people voted, so we’ll go ahead and end that poll and share it out. Peter, would you like to do that? There’s about 50% of us on the call, out of the majority that voted, that said they have between a hundred and five hundred questions in their primary assessment questionnaire. All right, well, that’s interesting to know, and sometimes on the vendor side of the house it ends up being a situation where there’s a lot of questionnaires, and sometimes they’re not meaningful or relevant. So we want to start focusing on relevant, meaningful content and efforts to identify risk and mitigate what’s important to those engagements. Keith, let’s talk about the unified risk-based approach that you put into place recently.

Keith Lichtenwalner: Yes, so the main points of this slide that I really want to stress home are really what that leading question was talking about. Our primary questionnaire that we’ve used the last year and a half or two years, it is really revolving around sector reuse, and it’s 228 questions. But what we’ve learned over that time, by really looking at it, is if we collect the right metadata up front about the vendor and some basic things, if they’re available, like the SOC 2, etc., we’re able to really focus that down: about 15% of those questions are really the ones that change our mind
whether we would or would not enter into a contract, or whether we will continue a contract with an existing party. So we call these the key controls. We call these the controls that, when we look at assessing a risk, if we were building the service ourselves, these are the controls that we would absolutely want to develop into the requirements list. So we started with that control list and then went back to the questionnaire that we had, and used the concept of basically saying, what questions in here are leading indicators to me that this vendor is actually meeting that control in an appropriate fashion?

So we’ll take a good hard look at that, pick one or two questions that really make sure that that control is likely present, and that gives us a really good indication, with the ability to really look at things quickly, focus in on the highest risks and really drive the investment of our assessors, our business, etc. on the most important controls, the lack of which would hurt them the most. And that means I can really share and disposition and track to closure; I can manage the most critical risks to Pfizer and thus drive those to closure. Rather than trying to be a purist and solve it all, I can solve the most important items. So that’s what I would take away from this slide.

Brenda Ferraro: So I remember when we started working together on Prevalent and Pfizer maturing the program. Can you remind me, is it true that you were using Excel spreadsheets at the beginning?

Keith Lichtenwalner: Yeah, certainly. The process started out with Excel spreadsheets, which doesn’t lend itself to a true risk-based driven approach with automated workflows and things like that. It’s cumbersome trying to enforce good quality data, and answering is difficult in an Excel spreadsheet, and it’s just a lot of passing back and forth, time delays, sitting in email, getting lost in email. All those things really didn’t enable us to really hold the vendor accountable for the collection phase, hold the assessor accountable with an SLA to perform the assessment, and also, in the sharing, distribution and tracking, really hold, based on the risk, either our Pfizer business owner accountable, and for the most critical risks we’re still holding them accountable but we’re also giving that governance oversight, in order to make our Board of Directors and our site satisfied and confident that I have driven this risk in the direction that they are requesting.

Brenda Ferraro: I’m really happy that you’ve elevated your maturity from a spreadsheet into a workflow and automated capability, so that you can now start to make decisions based on more intel at your fingertips. So that’s awesome. So the next polling question is: have you automated your third-party assessment program to collect risk information beyond using Excel workbooks? So Peter, if you don’t mind starting that polling question, we’ll give them a chance to respond. I’d love to get closer to a hundred percent votes. So for those of you at home, at work, in the cars (don’t do it in the car, please don’t crash), we’d like to find out where we are with everyone on this. It’s very interesting, Keith; I talk to a lot of industry companies, and there are many companies that are still using Excel.

Keith Lichtenwalner: Yeah, and certainly if you’re a small entity, that’s possibly the best place to lie, if you really don’t need it. But as soon as you want to get into volume and you want to really drive a risk-based look and approach,
there’s just capabilities that became important to us, that you’ll hear about as we continue talking, that I really think you need a tool to step that game up. And the beauty of it is, we have found a clear efficiency to increase our number of assessments per FTE by a very considerable amount, and in the end that’s a return on investment, and that’s really what we’ve measured ourselves against, to make sure that we are making the right investments and looking at the right vendors. So we not only measure the tool’s efficiency on personnel, to return on volume or capacity, but we also measure, and we’re going to talk a little bit about some of the banding and measurements we do, on how many of our fleet that we’ve measured actually have no problems, versus how many we’re really turning up significant core must-have controls, key control failures, that we’re driving change with with that vendor.

Brenda Ferraro: Yeah, well, it looks like we got 61% of the vote, so if we want to end that and share it out, that would be great and pleasing to the eye. There are 45% of those that voted that said no, they are not using Excel spreadsheets or workbooks anymore; 27 percent said yes, they are; 18 percent said they’re in the process; and 10 percent said not applicable. Thank you for those results. So let’s start talking about how the risk-based approach comes into play. So we wanted to help you at Pfizer to build a process using very simplistic one, two, three, four steps: the first one is prepare, the second one is collect, the third one is assess and evaluate, and the fourth is track and remediate. We also wanted to give you the ability to have flexible automated workflow. So would you like to talk about what Prevalent did with their program and efforts to use this four-step approach in phase four, risk-based assessment?
Keith Lichtenwalner: Yeah, thanks, Brenda. This really fit well with my internal vision of how I look at really meeting the business’s needs for timely, efficient enablement of them knowing the risk that they’re either about to take on entering into a new contract, or the risk currently operating with an existing vendor. So in the prepare phase, the part I’ll highlight there is this is really having the right metadata about the vendor engagement when you fire it off. So really having custom field capabilities, where you can capture those couple of extra fields, just really enables automation and response in those difficult cases, those oddball situations, where you’ve got some of that metadata right at your fingertips, enabling the resources to really execute efficiently. The collect phase: very important here to really have automated emails, automated tasks, to really do the handoffs from ourselves to Prevalent, to do the collection activities, to the vendor being driven and reminded, and then right back to us, so that we can actually coordinate the return of the validated questionnaire, turn around that, and have that turn into an assessor’s action delivered to their inbox without a whole lot of extra work. Really, I’ll have the questionnaire post and automatically generate the email that has here’s the key control deficiencies sorted to the top, ready for the assessor to validate in a few seconds. If it doesn’t look out of place, that assessor is going to take it right to the business, and then, based on risk, either deliver to the business and the business tracks themselves, or if the risk is high enough, obviously, then we’re oversight governance tracking that and driving for remediation and consulting with the business through those steps. So having a workflow, SLAs from start to finish, and accountability clear with escalation paths is critical to our success in really getting those efficiencies per FTE that we want to have.

Brenda Ferraro: And I think what’s great is the fact that we went through the process of defining the vendor universe that you had, or the supplier universe as you call it, and then having the ability to scale an effort to quickly identify risk by asking questions with the questionnaires, and even using some of your other solutions to embed the cross-reference of if that information was appropriate or not. And then when we worked on the whiteboards (we call it whiteboard magic; Keith and I love markers and whiteboards), we were able to identify the doubling of FTE productivity by moving away from an Excel spreadsheet to a program that now has the capability of giving you the information right at your fingertips, with a workflow that’s automated, the chasers are automated, and so on and so forth. Do you have anything to add to that?

Keith Lichtenwalner: No, I think the workflow is just the ability to create tasks and the ability to just drive clean handoffs in a common tool that isn’t getting buried in the emails and everything else, and giving you email reminders of your tasks that are coming due and things. It’s all part of just enabling each of those key components, those key people, at being able to balance a very busy workload, because that’s just the world we all operate in.

Brenda Ferraro: I agree. So let’s dig into the phased approach. I believe that you are going to speak to this slide about all the components, on what you need in order to prepare for success.

Keith Lichtenwalner: Yeah, what I really want to walk people through here is to really think about, when you’re preparing, it’s like anything else: the better you prepare, the easier, I’m gonna say, the request will go, and your service will succeed. In this slide I’ll bring highlight to a couple of parts here. The first one is the supplier profile. Really take the time to plan out what is that critical information that you need to make all the rest of the steps go successfully, collecting that metadata about the supplier, and just a sentence description of what are we trying to do with this supplier; making the business write that down really helps the assessors understand what’s important and what’s not. Really knowing those kinds of things: the control standards, knowing your own standards internally that you expect somebody to meet, and then really taking your questionnaire rules, as I call it, is really looking at the questionnaire you’re using and saying which questions really are leading indicators that the controls I expect are present. We certainly help in the supplier profile by collecting facts like how much, you know, SPI data is exposed to this vendor, or is this vendor operationally critical to the cash flow and activities of Pfizer, etc. Those things collected in the supplier profile allow us to really build a classification model of the data exposed and the importance of the vendor to us. We certainly leverage contract addendums and standardization; we’ll talk about that in a few minutes. And most importantly, the workflow status: really taking the time to think a little bit about, do you have enough workflow status states to really know where, and who, is holding up stuff running through your engine here that you’re trying to get satisfied as far as requests, and do you have enough states that really support your metrics and KPIs, so you know where you need improvements in your process, where you’re really falling short, and also why we are falling short, so that can be focused on, and continue to drive to the efficiencies and the turnaround that enables your business to hit their deadlines. Because in a lot of these cases, contract renewals, contract negotiations, every day the business is losing the ability to reach those benefits they’re after.

Brenda Ferraro: And I really like the part about the stakeholder commitment, because if you have a steering committee that’s available for dispositioning items, making sure that if you’re going to accept a third party or a supplier to move forward, knowing that they have risk, that stakeholder commitment and having a steering committee is really key.

Keith Lichtenwalner: Absolutely.

Brenda Ferraro: So let’s talk about the supplier profiles. What’s the one thing that you learned, or maybe the two things that you learned, from going through your program redesign that helped you to better know who your suppliers were and what things were important to know about each one for workflow consistency?

Keith Lichtenwalner: Yeah, probably the number one challenge that I just continued to learn over all the years is having accurate and motivated contacts, both inside of your company as the business owner, as well as with the vendor. It’s probably the biggest number one challenge in data quality coming in, especially if you’re launching. We like to do retrofits of existing vendor reviews, and we like to do them in what we call waves or bundles, and when you’re doing a couple hundred of those at a shot, you pretty much have to expect that you’ve got a ten percent data quality issue, in that we’re seeing, you know, at least one contact or entity, or multiple, whether that be internal contact or external, will actually change per year in your fleet. So if you launch a hundred, that means you’ve got ten that are going to stumble, and making sure that, from the last slide where I talked about having a workflow status, is right: being able to flag up when an email bounces non-deliverable, being able to know when something didn’t get through in the first expected SLA point by the vendor. Did the vendor register? Have they even answered? Just if they answered 15 questions, at least we know we have the right person; they registered and started answering questions. Having that visibility is critical to knowing quickly and early when you probably have a bad contact. So managing contacts, watching for those contacts being in error and how that will manifest itself in KPI problems, etc., is critical to success, and that’s probably really the part that I would take away from this slide.

Brenda Ferraro: I think about the custom fields that you’re creating that help you to understand if there is pertinent content information to know for reporting purposes, such as what is the information that is about, are they onshore, are they offshore, who’s the assessor, things that are very easy for you to put your fingertip on. And then can you talk a little tiny bit about where did you start? You have so many third parties and suppliers; how did you know where to begin?

Keith Lichtenwalner: Yeah, selecting where to begin. I think as a risk manager, my attitude is very much pick a way to identify where you think your largest risks are and start with the first part of your program. I think the biggest mistake is that somebody thinks they gotta do the whole ocean in the first set of waves. Getting started, perfecting your process, perfecting the data that you need to support your process: I’m certainly convinced that in one year we were able to do a lot more by having that attitude than if we tried to perfect it, because I think we would have got most of the way through the year and would have struggled with the step change, and probably not got a whole lot done in the last quarter, versus getting some done and just scaling it up as we go. So making concerted step changes, and planning for those, I think is important.
Certainly selecting the first one: look at your criteria and put your business hat on, sit with the business, understand what could be some of the best triggers. I think you’ll find a lot of your procurement departments that I’ve worked with throughout my career have the concept of strategic partners, or the most important vendor list, because it’s just pivotal to the company; they know it is. Finding that list and talking to them about why. Also sitting with the business and asking the question, if you provide multiple services, which are the ones that really provide the most revenue, and then ask the question, well, what vendors are critical to the production of that revenue, and really understanding that as critical. Looking at your compliance laws. And then another area we found a lot of value in is we look at our, we call it basically a partner connection, where we are connecting our network with other key partners, through firewalls obviously, but really that’s something that, as part of the IT digital services departments, we have the data on that, so it’s something you can mine, data that we can easily get at, and really find the ones where we’re exposing the most risk because we’re opening ports and things between key partners. There’s certainly different levels of that, and understanding that, using your firewall data to help drive you from the data, we found extremely successful at finding what are really the top partners with those criteria that could help us focus our time, money and energy.

Brenda Ferraro: Another thing that I believe you did, and correct me if I’m wrong, is you went forward with a regulatory, methodical approach, so you picked a bucket or a tranche of your particular supplier profile and you started with them based on the needs of compliance and regulation, correct?

Keith Lichtenwalner: Certainly with the key questions that we want to have, the key controls. Certainly privacy: we identified 26 key questions that really are leading indicators of those controls being in a responsible status, and that really helps us to focus that in. Obviously, when you go beyond that strict regulatory, there’s operational controls that are critical to the service provided and the maturity and availability of a service, and that’s where we clearly added another 9 to 10, that really puts us into really our 35 indicating questions that drive our key control lists.

Brenda Ferraro: Excellent. So let’s go into our next polling question: do you hold yourself and your third parties to the same security
control standard requirements? Peter, do you want to pop that up? This one’s kind of a favorite for me, because I always look at the fact that we need to make sure that we are identifying that our controls that we are using within our castle and four walls are actually being held true and enforced at the third parties, fourth parties, fifth parties and nth parties. So this is a critical one that I feel is very important. How about you, Keith?

Keith Lichtenwalner: Absolutely, and it goes the opposite direction as well: don’t hold them to a standard that you’re not prepared to meet either. And I’ve seen some compliance-oriented programs where it’s like, I want to pass on every one of the questions that I ask, and realistically there’s good business reasons why not everybody does everything the same way, and that can cause some no’s. So really focusing on the key controls, the key risks, understanding when the others are, potentially when you’re failing a key control, well, what are the related questions that I want to understand, which may help me put a full picture around it? That’s where the assessor gets value from potentially a few extra questions that are answered, and there are, based on risk, absolutely places where you want to ask a lot more questions and have that knowledge.

Brenda Ferraro: All right, so let’s go ahead and end the poll, and it looks like we have 69% say yes, they do, and then 18% say no, and then 14% say not sure. It looks like that question has a little bit of a typo in it, but it was basically asking you if you were expecting the same control standards of your third parties as you do yourself. That was my fault.
Peter Schumacher: That’s okay. I have mistakes too; it makes us human, so I’m glad you’re not a robot.

Brenda Ferraro: Thank you for that, Peter. All right, so we’ll stop sharing those results and we will move on to the next slide. On the next slide, the one thing that I want to bring to all of your attention is, during my discussions with companies, and Pfizer is included, is that we take an approach with our vendors not to hand-slap them because they don’t have the control in place, but to really make it so that we’re evolving the ecosystem and the community to help those other companies that may not be large, they’re more small to medium sized, and they need assistance in becoming more mature with those security items and control standards. So let’s talk about control standards and what you learned about what happens when you create key controls, and what that really means to you in efforts to evolve.

Keith Lichtenwalner: Sure. So first of all, key controls, defined by me, is really what are the controls that we would say are absolutely, we like the words must-haves, when we’re designing, if we were implementing the actual solution ourselves. And then we went back to the questionnaire and said which questions, if answered correctly, in a majority of the use cases or experience we have (it’s a room full of control experts, both compliance individuals, risk-based individuals, security professionals, etc.), what is their experience, and what we really looked at is we found that 15 percent of the questions we had really gave us that visibility. And then we did about a hundred vendors where we did both a full look at all the questions as well as just focused on the core controls, and when we did that, we really found that from those, you know, 15% of the questions we could get at least 80% of the security clarity that we really wanted, and we could do it much faster and really focus in on the biggest risks. And as a unit, there’s a place and time to look at everything, certainly when you have a compliance thing and it’s the absolute most important, you know, top vendor of your company for your company’s success; you know you’re gonna look at more of the questions. But in a lot of the cases, what we found is we could quickly determine this vendor, you know, is just really in good standing, and what we found is when we were seeing a lot of that, we really didn’t have a big deal, and we couldn’t find anything of any significance even when we looked harder at the rest of the questions. But then when we did find these key controls failing, especially when they had a significant number of them failing, it really was a company with a poor cybersecurity program, and then we really knew this was a place we want to focus in, based on the risk of that entity to our business, to really help the business put their energy where they would get the most return on reducing their risks to their operations and their compliance requirements. So surely on this slide I’m really stressing: focus on the key controls, driven by your engagement, which you should be collecting (what is the engagement I’m doing) as part of the metadata when the vendor is being initiated. And the controls may be different for a privacy engagement, where your privacy data exchange is really the goal, versus someone who’s providing more of an operationally critical service to the business; you may have more controls in the latter, that makes sense. But if you look at a lot of the privacy-based controls, they’re just good, pure best practices, and we really pushed those all the time. And like I said, that first hundred we did, we really proved to ourselves that, you know, more than 95% of the time we could look a lot harder, but it was really on those few that we already had the indication that there was a serious problem, or there was no problem at all, just looking at the core must-have critical key control questions.

Brenda Ferraro: Yeah, I think that what I really appreciate from the thought leadership that you put forth in your program is that you defined the key controls by engagement, and sometimes the number is not the same. You would make sure that it was relevant for your department to know what items needed to be risk mitigated, versus the same risk mitigation and prioritization of those risks across every single vendor or supplier you had. And the other thing that you did was you created a risk library, so if a risk was not met, you had what was expected already programmed into the solution, so that your assessors could speak the same language with the third party or supplier vendor to let them know: you haven’t met this; there’s a compensating control maybe we will agree to take on; however, this is the timeline, this is what we’re looking for. So you’re really improving the ecosystem by providing that help, based on the maturity that you have with your own controls.
Keith Walter: yeah thanks Brenda this is certainly taking for those I’m gonna say key control questions that we are flagging up and really writing out a repeatable response and taking the time to write that in business language not only are we finding a much more responsive vendor situation but more importantly we’ve really been able to write it in a way that our Pfizer business owners really find a value of once they start understanding that they can understand why we’re pushing it they then can really run with the report that comes out of the system and act accordingly and in a lot of cases we’re finding more and more percentage-wise where the internal Pfizer business I got this I’m going to the vendor I’m not happy with these issues out the I’ll deal with them and they’re really driving off and saying this one’s a little different on a small percentage and really wanting the assessor’s assistance um the first time a given Pfizer business owner
they still want some hand-holding and guidance but the more we can self enable them the more volume we can handle the more we can be there to look at that next part of our ecosystem and fleet of vendors to make sure that we’re looking at more versus focusing our energy on the few the more wide look I get the more I feel like an assured that I have balanced the total risks of Pfizer I think so honest and questionaires rules and risk evaluation this is a topic that seems to be cropping up across all industries and it’s something that maybe you can help the people on the call learn about what exactly did you find when you went through making these rules and defining those risk evaluation criteria items Brenda Ferraro: yeah when you define it I think we kind of said how I did it I think the man that’s each I wanted to just bring out in this slide is when you’re budgeting for your response at the end you can really lower your costs based on the last comment I just made of you know writing your standard responses up in an advance but in the center there I did find about third of my vendors really had no core risk key control issues so I just left those role passed and moved on and you know but that means that there is another larger percentage where I’m really saying we need to work on and budgeting resources and making a plan to write up those canned responses really help manage the time and energy being put at the right place
So budget for those resources. Several other peers I've talked to, it seems like that one third being in good standing, no real action needed to be taken, is kind of a norm that I've seen in a couple of people that I've talked with; it just seems to be kind of statistically where things are falling.
Brenda Ferraro: What is great about the solution is that each individual customer has the ability to place in their own risk tolerance and risk rankings. So for example, with the healthcare space and the network, you will have a repository of completed questionnaires and content and evidence that's been collected from the third party or the supplier, and then when it gets ported into the Pfizer instance or view, you have configured the solution to be appropriate to your risk tolerance, appetite and attitude, so that you could really determine what those risk-based decisions are, in the event that you have someone that's maybe a cloud provider versus someone who's doing manufacturing for you. And that's what I kind of enjoy watching evolve with your program, the way that you're able to slice and dice and risk-rank based on those tolerance levels.
Keith Lichtenwalner: Absolutely.
Brenda Ferraro: Classification models is a big thing with a lot of the companies. Once they start looking at their portfolio and they notice they have tens to hundreds to thousands to multi-thousands of vendors and suppliers, knowing what type of assessment is applicable to each type of classification is something that some of the companies are struggling with. How did you define what was going to get what type of due diligence?
Keith Lichtenwalner: Yeah, I think it's important to think upfront in the prepare phase, and that's really what I want to stress with this slide. In our case and our sector, really in the prepare phase, understanding for each vendor engagement, giving a vendor's risk level as well as potentially an engagement-level risk level; those things can be drastically different. And the example I'll use is especially vendors that provide many different services. A good example is IBM, because they provide everything from PC solutions to consulting services to Watson, etc., and they're just one of a great many examples where their services just run the gamut, and the risk can be totally different. So be careful to understand what you're doing.
Leverage the data. And I think on the screen you see some of the things that we make sure that we collect some knowledge about. We try to keep the questionnaire to determine the risk level down to about 15 check-the-box type questions, so that the business can really pick those by banding. Like, I'm gonna say "tell me the exposed level of SPI data you expose, or the number of research compounds that are exposed." I'll ask them to say, do you expose any of this, and if they say yes, select the band. And the bands are pretty broad, but the bands give me an understanding of that critical, high, medium, low vendor engagement that I want to be focused on. So I think: keep it simple for the business, keep it in their language, but look at your own company classification model and some of these factors as you design it out.
Brenda Ferraro: Yeah, the last item we have in the prepare phase is about contracts, and the one thing that I noticed here was a lot of companies go through the stress of redlining, and then in some cases those contracts may say they only have the right to audit once per year. But let it be known that an audit is different than an assessment. So yes, you can have someone come in and audit you once per year, but an assessment is ongoing; it's a continuing evaluation. It's based off of if incidents occur, or if a remediation is not remediated in time, or if there's a risk that needs to be checked on. But what are the things that you noticed from a contracting perspective when you evolved your program?
Keith Lichtenwalner: Yeah, it's difficult to keep the amount of contracts going, etc., and then really helping to influence your procurement and your legal department to really make addendums based on the controls required, so that there's an addendum if this is a privacy-related contract versus not, an addendum for cybersecurity operations, etc. And keeping them in addendums, so that what you can do is say, let's put the right addendums on the contract, and not have legal time on both our side and their side redlining documents that really are not applicable. Obviously if the service is going to change, you want to make sure that you add those in, and that's certainly part of the risk that you need to manage, but sometimes you spend a lot more money trying to get pieces and parts when you put everything mixed together. So keeping it simple and straightforward, trying to get that work together, and partnering with procurement and legal is probably critical to the success of really making sure you're assessing the cybersecurity balance points. And at Pfizer, obviously the privacy office is one of our key partners as well.
Brenda Ferraro: Well, now it's phase two, collection. So we're getting close; we only have about 15 minutes, so we'll try to make sure we hit the next couple of slides in detail. But what are some of the lessons learned that you had to plan for, that you want to let others know to make sure that they plan for with regards to collection?
Keith Lichtenwalner: Yeah, and I made this list on the right, and I think I've hit a lot of these as we've been walking through. Make sure that you collect the right supplier there and apply it. Make sure that you're prepared to handle the bumps in the road. The M&A impact is one that has always frustrated us, in that there's always that question: we were finding about 10% of our vendors through a year basically could be literally part of an M&A situation, and then you've got to really ask the question which company, the one you were working with or the one that acquired them, is actually driving the control set, because that's who you really want to assess. So making sure you understand, have a process for that; that's definitely a lesson. Don't underestimate getting the right milestones tracked. Again, keep capturing that right data; think about the data you need throughout your life cycle and get it up front. Collect it before you launch it, because that really is a time that you have the business focused on wanting to get the questionnaire launched and moving. And one of the other ones is, this is data that you need to plan for: make sure you have a primary key to use the data later and share it back. And vendor names is a dangerous area to be your primary key. Looking at what else works for you in addition to that, or as a concatenated key, is critical, because the vendor names change, and then you're changing primary key, and that all gets very difficult and can get confusing to link things together, especially as you're trying to match your data with procurement data or privacy office data, where they're not even aware of the vendor name change but you are. So developing internal keys, developing an internal primary key and getting your key partners using the same key is another area that we are definitely investing focused time to continue to resolve in the future.
Brenda Ferraro: And I've been noticing that a lot of companies will say, "I've requested for assessments to be completed and it goes into a black hole, and I don't know when I'm going to get the content back." And so "where is my request" is really important. And with the Prevalent platform we've been seeing an uptick and an improvement: it used to take about 45 days to turn around a request and get the content available for risk identification, and that's our key item that we're trying to focus on. Now it's coming back in an average of nine days, which is phenomenal, and it's reusable and it can be shared. So I'm glad that you're participating in helping us with that.
Brenda Ferraro: Oh, here's the banding. You've been talking about banding all throughout this webinar, so let's talk to them about exactly what that means for assessment and evaluate.
Keith Lichtenwalner: Yeah, in the assessment phase, given the volume we've done and everything else, I think it's really interesting that statistically we're definitely finding that, if you look at a risk-based banding approach, we're finding about a third of the responses are not failing any of our key controls. And we've really taken the attitude of let's focus our energy where you see that bottom one: we still have about 25% of the hundred we've done where we're finding the key controls with that particular vendor are actually failing seven or more of the risk posture questions, the key "must have" control-indicating questions. That's definitely a vendor with a control package problem, and we want to focus in there and really drive with the business to say, when you have a vendor that's been assessed at a critical level as a vendor, by the questions of what they've indicated to us as the metadata about that vendor, and they're also failing seven or more questions of those key controls, that's a high-risk, really truly high-risk situation that we want to make sure is where we're putting our energy. So again it's a little bit giving up on some of those low ones; we'll just tell the business, "hey, I did find something here, please have your discussion with the vendor appropriately," and with the documented risk responses they're enabled to do that more efficiently and effectively. But this is definitely that balance that's there on the left: do I want to do perfection on each and every one of these, and I'm only going to get through so many in a year, or do I want a good evaluation and I want to get most of the vendors in my fleet? I'm erring towards that second part. How can I drive myself to get a more encompassing look at my fleet, know where my worst of my worst is, focus on driving that risk down, and then at that point we may turn focus and change the criteria a bit and find some more. But the answer is, I still think I'm driving out the biggest part of the risk on the investment level that I'm making, and that's really what I'm being asked to drive: a return on that investment, and a return on reducing the risk we operate with every day.
Brenda Ferraro: Right, and with regulatory requirements now mandating that we ID the risk, we make mitigation plans for those that we are accepting and/or have compensating controls, and then we track those to closure. With this position, I really like the way that you put that together.
Brenda Ferraro: We usually use this slide at our presentations within Prevalent to show the holistic approach to everything that's required within third-party risk for a mature governance program. So can you put a little bit, or a couple of seconds, on each of the four components, on how Pfizer has addressed that?
Keith Lichtenwalner: Sure. My philosophy on some of this aligns, and some uniqueness to it. First of all, on scores: I think a score is a good way of looking at things; it's helpful in low-risk situations, but it really doesn't bring in that whole holistic look. So I'm more apt to focus on the controls rather than just a pure score look. However, on low risk it's a quick way of doing it, but everybody's scoring model is different, and if the particular vendor doing the score has not done a good job of thinking about large scale, medium scale and all, it really can get a little touchy. But it's a good indicator and should be considered. Networks: I think it's critical, like we're doing here today, learn from our peers, learn from what people are doing around you, participate in events like this. Hopefully everybody's going to take away a couple of ideas to look back at their program from what we've said and what I've shared, and I'm sure as I continue to travel around and talk with others... I've always said I never have a meeting where I don't walk away, even reflecting on myself, where I could do something better, or hearing a comment from the person or company that I'm talking with and gaining from that a reflection of a place I didn't think through. And the last one that I really wanted to talk about was kind of the events, for a second. We've had an aha moment here that I really have found value in. Obviously with breach notification and the amount of vendors we have, we get those periodically, and we have really enabled ourselves with these tools and vendor risk management to really hook ourselves in to when we get notified of a breach and we want to take action on: what do we do? Do we cut our ties, which is pretty much standard operating procedure, to cut a partner connection until we're sure that it's safe to be operating together? When we do those kinds of things, really using your tools and your assessments as being part of that process to reinstate business as usual, making sure that that's part of your activities. And we've got ourselves hooked in there now and we're seeing a lot of really good benefits to incident response being tied with a vendor third-party risk management toolbox as far as standard response procedure. We even had a case where we were pretty much able to share and predict how we believe they were breached, and it was amazing how accurate we were, and to the CISO that I was speaking with. So it's a really good thing to have your type of toolbox and look at your business use cases for it that you might not directly think are appropriate, not just contract signing; there are events that can trigger times that you should use this toolbox and the platforms that you develop to really make sure that the vendors that your business is using are safe and secure.
Brenda Ferraro: And I think with everything that's on here, it's very cumbersome; there's so much that has to be tracked and mitigated and reviewed, and feed-ins that participate in our governance program. And then what I'd like for everyone to be able to take away is, can you talk about what key takeaways you have experienced in your journey that are important to tell the community?
Keith Lichtenwalner: Sure. So we built this slide internally, and in conversations, these are the things that we think are making us successful and we're really using to drive ourselves, that we've learned through the journey of the years. Certainly a risk-based program we believe is the way to make sure our investments are returning. Making sure we're using all the data that we can find and using it creatively, like I said, using firewall rules to really set the risk level. Make sure that the questions are leading indicators of a problem, rather than trying to say I'm going to review every question: mapping your expected key controls, your risky controls, to the key indicating questions. Be prepared for the challenges and escalations; the more you can prepare in advance, and again I'll go back to thinking about what data do I need upfront, collecting that upfront so that I can respond and escalate appropriately, it is very important. As simple as just knowing which business unit is, quote unquote, the primary consumer of this vendor service makes it easy to say, okay, this is the vice president I must escalate to. Workflow automation has really improved our ability to assess more with the same FTEs; we're looking at a doubling of our capacity per FTE, and that's really important to us in order to scale to the volumes that we want. I do planning for your disposition tracking, making sure you know really which critical vendors you want to track and have governance over, and where you're going to trust the business is going to take the right action, but making sure that you're educating them in a business terminology that they can act responsibly with what you've identified. And then obviously making sure your data throughout your process, your SaaS and everything, really drives to a set of metrics and KPIs that support your escalation, driving your maturity. Find out where things are hanging up in your process, know what they are, and then act accordingly to drive those out of happening again and again.
Brenda Ferraro: I really thank you for all of your input today, Keith, and then I'll hand it back over to Peter so that we can hear if there are any questions, and he has a final poll. But again, thank you so much, Keith.
Keith Lichtenwalner: Thank you, Brenda.
Peter Schumacher: I'm just launching this final poll. So basically we're asking you if you'd like a follow-up from Prevalent; please answer honestly. If you'd like to schedule a follow-up phone call with one of our sales representatives, please say yes; if the answer's no, my feelings will not be hurt, so please answer honestly. We've got a few questions here in the queue and about five minutes left to answer them, so let me get to the first one. First is, what have you found to be the key performance metrics you can pull from your tools? And the second part to that is, what has been the most effective when communicating to business and other risk stakeholders?
Keith Lichtenwalner: Sure, if you'd like. No, I think I'll make a comment first and then I'll try to answer it. The first comment is, I think anybody that thinks they have their dashboards and metrics right, ready to go and perfect... I've never found a leading risk manager or a CISO or anything like that that's ever really felt confident in that statement. So it's a learning evolution, but certainly right now some of the things that I have found invaluable is watching, I'm in an SLA, and watching to that timeline, and also especially being able to see the progression of the collection. I personally love calling a vendor out that says "yeah, we're almost done with the questionnaire." I said, well, when you only show 20% of the questions answered, how can you almost be done, and it hasn't moved in the last week? Being able to really call the bluff when you really need them to step up and make it a priority, that can only be done with proper KPIs and metrics visible to you. And those are some of the things that I'm seeing a lot more benefit from and I'm focused on doing. Obviously that banding concept that I shared a little bit earlier, that's the third thing I'll highlight: being able to really let senior leaders know we assessed so many, this is where they fit in the banding of risk by their risk level and how many issues we found, so they really see where the worst of the worst is. And by bubbling that up and showing them those names and saying these are the ones I want to go after and I'm going to track the closure, it helps them really understand that we are focused and not being a purist trying to solve world hunger, but really using the data to drive their valuable resources in their own organization as well as mine, to make sure that we're getting the best return on that valuable investment as we can to reduce overall risk.
Peter Schumacher: Very good, thanks Keith. Looks like a couple more questions and we'll get to those, but I think our polling is coming along nicely: 56% voted. I understand if you've joined via the web browser you may not be able to participate in polling, so that may be the reason for our low participation, just as an FYI. So next question, this one looks like it may be more geared towards Brenda: what is the trend on scoring and risk ranking, and how does the CISO's approach help to identify risk tolerance posture?
Brenda Ferraro: Yeah, we talked
about this a little bit earlier, but the scoring, you have to be very particular on when you're looking at engagement by engagement. And in the Prevalent platform we have the ability to help Pfizer configure what type of engagement requires what type of due diligence, which then maps to their risk tolerance on their key controls that they've selected for those engagements. And then we're able to help them to determine, from regulatory requirements and perspectives, how that maps to NIST or how that maps to ISO or how that maps to their key controls, with a push of a filter button. So it's really exciting to see how they've preset and prepared all of their content for their appropriate configuration to look at scoring and ranking, and then continuously evaluate based on the risk scores that they're able to realize within the solution. So that's how the Prevalent solution is helping Pfizer today.
Keith Lichtenwalner: Yeah, and I'll add one more thing. It was one of our core requirements to say the scoring model has to have some configurability to it, in order for what solution we select, and that was because we see it as critical to be able to make sure we're tuning the system to really benefit our business and our activities. And certainly the platform that Prevalent has allows me to adjust the scoring methodology with relative ease and really pull my key control indicating questions up; they're the top scorers above everything else, and that's been very valuable to really make the reports coming out of the system focused where I want them to be focused, to help my business.
Peter Schumacher: Great, thanks. I think we have time for one final question. Now, I've been fielding most of... using my marketing expertise, I've been fielding most of the technical questions for you, Keith, but I've left one. So it says: do you have recommendations on how to handle CUECs as listed in the SOC 2 report? Now, you're welcome to take that offline as well.
Keith Lichtenwalner: Yeah, I mean it's not... that's pretty detailed, but the answer I will say is this: a SOC 2 report is an alternative assessment method that in some cases can really make it unnecessary to do, depending on risk, a full questionnaire. The gotcha that I would have with any part of the SOC 2 is being very careful that you understand, again, the metadata upfront, and are prepared to understand the engagement going in, and making sure that the scope of the actual SOC 2 matches what you were planning to do. So keeping that in mind as you make those kinds of decisions that's being asked, I think, is absolutely critical to success if you're going to use an alternative method like those specific sections, etc., and end services of the SOC 2.
Brenda Ferraro: Exactly what I was gonna say. Thank you, Keith.
Peter Schumacher: All right, thanks everybody, thanks for joining us today. Keith, a special thank you to you; really appreciate you presenting today. And Brenda, I hope everyone has a good remainder of their week, and we'll see you on the next webinar. Thank you, thank you.

©2025 Mitratech, Inc. All rights reserved.
