Description
Onboarding a new third-party vendor or supplier requires understanding the risks it inherently brings to the relationship. Yet many companies consider only a few surface-level risks in their pre-contract due diligence assessments, limiting visibility and leaving risky gaps exposed after onboarding.
Join Rodney Campbell, Senior Vice President and Head of Third-Party Risk Management at Valley National Bank, as he leverages his years of experience in building and managing TPRM programs to clarify the role of inherent risk assessments in determining ongoing due diligence.
During this webinar, Rodney will:
- Identify the most important criteria for assessing vendors in order to calculate a comprehensive inherent risk score
- Describe the steps involved in tiering and categorizing suppliers based on their inherent risk
- Define different risk appetites, which can inform whether risks are accepted or remediated with compensating controls
- Explain the most essential controls for vendors to implement to improve residual risk scores over time
Watch this on-demand webinar to get your vendor tiering and categorization off on the right foot with solid inherent risk scoring.
Speaker

Rodney Campbell
Senior Vice President and Head of Third-Party Risk Management at Valley National Bank
Transcript
Ashley: Hello and welcome, everyone. We’re stoked to have you all. I will give you a minute while we wait for everyone to get situated and dialed in. But in the meantime, I’m going to go ahead and launch our first poll, because we are curious to see what’s bringing you to today’s webinar. Is it educational? Are you in the beginning stages of a TPRM program? Are you a current Prevalent customer? Are you just bored and you love hearing the sound of Scott and Rodney’s voices? If so, I can’t blame you. But either way, let me know. And I can’t forget about some introductions. My name is Ashley. I work here at Prevalent in Business Development. And we are joined by a very special guest, Senior Vice President and Head of Third-Party Risk Management at Valley National Bank, Rodney Campbell. Hi, Rodney.
Rodney: Hello.
Ashley: And I can’t forget about Scott Lang, our very own VP of product marketing. Hey, Scott.
Scott: Hey, Ashley.
Ashley: And just a quick reminder: this webinar is being recorded, and we will be sending out the recording along with the presentation slides shortly after the webinar. You are all currently muted, but we do encourage participation, so please put any questions in our Q&A box so we can go over them at the end of our webinar. Today Rodney will be discussing the relationship between inherent and residual risk. So, Rodney, I’ll go ahead and hand the reins over to you.
Rodney: Thank you, Ashley, and thanks to everyone for joining us. So today we’re going to talk about the true stories of a third-party risk management professional, with a different twist on inherent risk and residual risk. Really, I want to focus on the disconnect between people, process, and technology and how that impacts the relationship between inherent and residual risk. Next slide.

So, I want to make sure that everyone’s aware. I know that we’ve spoken a lot about inherent risk and residual risk from the technical perspective, and also using technical terms, but I want to make sure that this particular message speaks to everyone: the individuals who work within TPRM, but also the individuals who are not within TPRM, the individuals who are uplifting a program for the first time. You’re trying to wrap your head around what should I do and what can I do. I want to make sure that we understand the relationship between inherent and residual risk. And as you see on screen, TPRM is an ecosystem of interconnected processes, tasks, and activities that together work to identify, assess, and mitigate risk posed by third-party relationships. So the overall success of your program, third-party risk management and the individuals that are stakeholders and contributors to the TPRM process, requires business collaboration and organizational alignment. So again, going back to what I mentioned originally, I want to discuss organizational factors that can prevent appropriate identification and mitigation of third-party risk. Next slide.

Now, this is really interesting, because I can tell you that many of us here today who are on this call, as I stated, you’re probably building a program and you’re trying to figure out where do I start? How do I look at this? So, I will say consider this. This is a learning opportunity for all of us. I think we’re all learners in the making or subject matter experts in the making. So, consider this.
If you were purchasing a home or a vehicle, you would verify all claims made by the seller before signing the agreement and issuing a payment. You would? Because I know that I would. So, why should you handle any other business transaction that you enter differently? So, imagine signing a contract for a new home or a new car. You’re going to make sure that you do your due diligence to make sure that that new home or new car is exactly as the seller stated it. So, why would you handle any other business transaction that you’re entering into differently? You would want to raise and position the same level of due diligence as you would if you were purchasing your own home or vehicle. Next slide, please.

Your organizational role and responsibility in third-party risk management. Now, this is really important, because again, you are more than likely a part of this process in your organization. Now, whether or not you’ve been included in that process is another story, but I want to make sure that we understand, for all of you here on the call, you’re probably a stakeholder, and a stakeholder can be many things within your business units. A stakeholder may be someone from your control function, a person who has a part or a role to play in your process. Are you engaged? Are you involved? Are you aware of what’s going on within the TPRM process within your organization? You may be a vendor relationship manager. Now, I know many people are probably on this call cringing a bit, because we know that the relationship management term has been deemed an administrative process in the past. We want to make sure that if you are the owner of a relationship, are you responsible for the relationship that you’re managing? Are you aware? Do you know what your supplier risk is? Do you know the impacts of your supplier risk? Are you utilizing your supplier engagement the way that it should be utilized?
Are you engaged with the supplier so that, in the event of an issue or a risk event, I would say, can you contact them? Do you know who to contact? So I think the vendor relationship manager role is very important, is extremely important. You’re part of the first line of defense, and I think if you have no awareness as to what your role and responsibility is, if you’re part of the first line of defense, that’s probably something that you should discuss with your TPRM team, assuming that it’s centralized. Now, internal audit. Internal audit, again, you’re probably cringing again, but they are friends. They help us get better. So internal audit has a role and responsibility in your TPRM program. They act as an effective challenge. They are the third line of defense. It’s important that you partner with internal audit, because the goal is maturity. It’s evolution. You want to make sure that what you’re doing as an organization, you’re moving in the right direction, but you can’t do that alone. So no matter how smart you think you are, no matter how great and talented your team may be, you need to partner with that line of defense. It’s incredibly and crucially important. And then you think about senior leadership. This is really important, because I want to say, if you are part of senior leadership, you want to make sure that you understand what are the products and services that you’re utilizing to make your day-to-day business operations run as they should, or run as expected. If something occurs within your business line, within your business function, are you aware? Are you aware of the number of products and services that you do utilize to operate as a business? And are you aware of the impacts and the risk? If you’re not aware, you should be. And I think engaging with your TPRM team is critically important. I believe your TPRM team should also engage with you. Remember, collaboration is key. I also want to mention the board of directors.
Often times we do not mention the board of directors in TPRM. I think at a high level, at the policy level, we do; we talk about it in other calls. I see that other presentations and webinars mention the same thing. But I do believe board engagement and board awareness is important. It’s important because you are responsible for providing governance and oversight, or management oversight, for products and services that are supplying and supporting your organization. Many of these are critical, core. Now, you want to make sure that if there are any risks, anything that you identify that could potentially impact your organization, you want to make your board aware. Now, again, this is at a high level, but I do think that situational awareness, their engagement, is critically important. Sourcing and procurement: you may or may not have a sourcing and procurement department. It may be integrated within your TPRM program, as many are, but that relationship with TPRM is critically important. You are sourcing suppliers that your organization may potentially use. If you’re disconnected, what you essentially do is overlook or probably bypass some of the processes that are required by TPRM. So, you want to make sure that sourcing and procurement are heavily engaged. They’re actively engaged. And TPRM as a department or as a function can consist of many roles. So, not just the TPRM as a centralized unit, but also the control functions, the individuals that help support your business’s operations to make sure they run sufficiently. Next slide.

Whoa. An organizational issue. I tell you, this is a real organizational issue. And this is why I said I want to talk about inherent risk. I want to talk about the relationship between inherent risk and residual risk from a different perspective. Not just getting into the semantics of risk categories. Not getting into this is what inherent risk assessment means for your organization.
I want to talk about an organizational issue that prevents the complete accuracy of an inherent risk assessment, the identification of risk, and the mitigation of risk that you identify in that inherent risk assessment. Now, look at this screen here. We see there are key organizational issues that prevent the proper identification and mitigation of third-party inherent risk. Now, some of these things and terms may be something that you’re well aware of, and some of these may be terms that you’re unaware of. But think about what these mean. Lack of corporate governance. What does that mean in your organization? You’re onboarding a supplier, a potential third party, critical or not. It’s important you have a process. If you don’t have a process in place, who knows who does what? What are the roles and responsibilities? How are they delineated throughout your process? At what point should this department or this function be involved? Who’s the stakeholder? What is the approval process? Do you all understand what is point A from point Z? When you don’t have corporate governance, processes are run all over the place. I can tell you that it isn’t repeatable. It isn’t reportable. It’s probably done many ways for many different things, or many ways for some of the same things. The next point is organizational silos and fragmentation. That never happens. Of course it does. So organizational silos and fragmentation, that is one of the biggest threats to onboarding any particular supplier. I say that because the silos, the decisioning that is made within business departments, need to be jointed, not disjointed. But often times the ideas, or the ideation, the planning and identification of suppliers, they’re done separately. So the greatest idea that one business function may have, another business function who is an interdependent or interconnected department, or maybe a shared service, is completely unaware of, and that will pose great risk to your organization.
Fragmentation is often important too. You have business units that are probably working day-to-day side by side, in parallel, but they’re not communicating. So again, you’ve got to have that collaboration. You’ve got to communicate. I think whenever there’s a third-party engagement, consider all of the risk, consider all of the shared services and the shared responsibility throughout your organization. So, for example, if I’m a business function and I am looking to onboard a supplier, if that supplier has access to confidential information or confidential data, who should I involve? Exactly. I need to make sure I have the right people involved, because if I don’t involve the right people, the right departments, I’m going to make a decision solely based off of what I think and what I know. Now, keep in mind, I’m not in privacy. I’m not in information security, but I will make a decision that a stakeholder within privacy and information security should be made aware of and should also participate in. The uninformed independent decision makers. That never happens. Of course it does. The uninformed and independent decision makers, these are what I find to be the biggest threat to your organization whenever you’re dealing with third parties and products and services. The uninformed independent decision makers are individuals who are probably bright and brilliant at what they do. But the decisions that they’re making aren’t fact-based. They’re decisions that are being based off of interpretation, their perspective, or perhaps their strategic goal, or what their view of value is from dealing with a potential third-party product or service engagement. I think many times you see in an organization you have a stakeholder, or I would say business champion. Then the business champion wants to get this done. We need to get it done. That’s the individual who is kind of waving the flag of this particular third-party product or service engagement.
They’re telling you the reason why it needs to get done, but they do not know how it’s getting done. They do not know the impacts. They do not understand the risk. They don’t understand the overall value and strategic purpose of the third-party product and service engagement. And this is critically important, because that uninformed independent decision maker more often than not will be responsible for engaging suppliers and probably, I would say, misassessing, but inaccurately assessing, the inherent risk, and also misidentifying the mitigation for the inherent risk as well. Internal misalignment. Does that ever happen to you? It does. I’m going to tell you why it happens. Internal misalignment is when you get a bunch of individuals, not in the room, but a bunch of individuals who are working toward the same common goal. You have the same purpose. Again, the product and service engagement makes sense for your organization. The problem is this. When decisions are made that are disjointed, they’re not made together. We’re not connected. We are not all equally and collaboratively in agreement that this product and service engagement meets the same risk profile, meets the same measurements, the same goals. We are in alignment with the impact. We understand the level of risk. We understand the holistic value. Then I can tell you that often times the actual product or service engagement, as you intended it to be initially, will not play out as originally planned. And another one, which is probably most important. Now, again, take in mind these are not in any particular order. This isn’t a chronological order. This is just informational for all of you. Insufficient vendor vetting practice. Vendor vetting is important. Often times we do not distinguish between vetting and onboarding. During that planning and identification process, are you verifying that the supplier is who they say they are? Are you looking at the infrastructure or corporate entity holistically?
Are you asking for due diligence at the onset? Are you running old checks on your suppliers? What are you doing at the beginning to make sure that, at the baseline level, these suppliers can pass stage one and get to stage two? I can tell you why it’s an organizational issue, because often times you’re probably bypassing vetting, or you’re consolidating vetting with contracting. So you presumably already selected a supplier, but you haven’t. The vetting process is to identify the impacts, identify the risk, and discuss that internally with your group. Next slide, please.

Now, here, this is really important. An organizational recommendation, and I have that in caps, you see: drive business value, quality service, and appropriate third-party risk management practices. Now, everything that I just mentioned on the previous slide, here’s a way to address those things. Now, again, you have to make sure that you apply these techniques to your organization, because it isn’t a one-size-fits-all. Everything is different. So, this is why I didn’t want to approach inherent risk and residual risk from the typical methodological perspective of this is what you do, this is the question that’s asked, and this is what you respond by. I think it’s important that we understand the people risk, the people element of how these processes can go wrong from the onset. So when we talk about an organizational recommendation, I want to make sure that we address the concerns that I initially stated in the previous slide. So establish corporate governance: accountability, transparency, fairness, responsibility, and risk management. Corporate governance is extremely important. How can you continue to source suppliers without a social strategy? Has your strategy been operationalized? Do you have policies? Do you have rules? What is your governance? What is your framework? What is the process guidance? It’s easy to
point a finger at a business function or an individual who isn’t doing the right thing. But if you don’t have process guidance to show them or point them in the right direction, then who’s at fault? I think that’s a shared responsibility. So if you are responsible for any TPRM program, you want to make sure that you provide effective process guidance. You want to make sure that you provide effective governance, so that the individuals who play a role and a responsibility in this process have direction as to what needs to be done. Encourage cross-functional collaboration and stakeholder engagement before engaging prospective third parties. Again, it goes back to the collaboration. You need cross-functional collaboration. You need stakeholder engagement. It would be unwise and unfair of you to position or propose a potential product or service engagement to a stakeholder for sign-off and not make them fully aware. So again, if you are a stakeholder, you want to make sure that before you are approving, before you are giving the two thumbs up to move forward with a product or service engagement, you have full awareness and transparency as to what the engagement entails: not just the value, not just the cost savings, but the risks and the impact. And you want to make sure that your organization, from a shared service perspective, they’re aligned and not unaligned. The understanding should be understood and not misunderstood. The next one: facilitate decision-making based on facts, not interpretation. This goes back to that uninformed and independent decision maker. And sometimes it’s not just one, it can be many. And many can be together or displaced or dispersed throughout the organization. You want to make sure that your decisions are fact-based. We’re moving forward with this supplier for these reasons. Your due diligence should be substantiated with actual work.
Again, your decision making, the decisions that you’re making to onboard a supplier, not just simply because you need a product and service, but you need to make sure that you show true transparency, accountability, and due diligence for why you decided or determined to onboard or engage this vendor. That needs to be fact-based. You cannot select, or I would say you should not select, a supplier based off of what you think. You should select a supplier based off of what you know, and what you know may not be all the way good. I can tell you often times in my previous life, onboarding suppliers has not always been the greatest, but those onboarding activities and processes were done with fact-based decision-making, not interpretation or what I think I knew simply because I have awareness of a supplier from a previous life. And establish internal business alignment on strategic goals, purpose, risks, impacts, and value before engaging. I mentioned this a few times; again, it goes back to that internal alignment. You need to make sure that the individuals who will play a role and responsibility in your process, they’re aligned. If they’re unaligned, then that means you will have the perspective or idea of value with one group or one person, and that can potentially raise or pose risk thereafter. So, how can you identify an inherent risk if individuals who are part of your risk function, or individuals who are stakeholders in this shared collaborative process or shared service, are not a part of the conversation, or there is complete disagreement, or have a complete misunderstanding of the product and service engagement that may be detrimental to your organization? So again, you need to make sure that your business functions are aligned, make fact-based decisions, but you do that with cross-functional collaboration and inclusivity of the groups that are a part of the shared service in the shared collaborative moment. Next slide, please.
The ecosystem of third-party risk management. So everything that we just talked about, we talked about the inherent risk, we talked about criticality, and criticality we really didn’t talk about, but I want to be sure that criticality cannot be distinguished or just simply aligned by one person. It needs to be a collaborative moment. If you do not have all the groups, all the risk functions involved, whose decision is it to be critical or non-critical? Whose decision is it that the inherent risk is high? Why is it high? Is it low? Is it medium? I think this is a collaborative moment. The engagement by your business functions, the engagement by the stakeholders, is critically important to understand what the nature of the engagement is and the risk posed to your organization. So you want to make sure that you establish internal alignment so that you can establish an accurate inherent risk assessment for due diligence. We talk about that all the time. I think most of us on this call, I can tell you, me, I’ve been on so many due diligence webinars. I’ve been a part of due diligence discussions. What should I collect? Can I collect it? If I don’t collect it, what can I or will I do? Those are all important questions. But I can tell you now, you will never know what to collect if you are not engaged at the onset. Remember, your inherent risk dictates your due diligence. Due diligence that’s collected is based off of the inherent risk posed by the product or service engagement and the inherent risk posed to your organization. But if you don’t have the right people involved to help identify that risk, then that would be a problem in itself. So you will miscalculate, and probably, unfortunately, mischaracterize the inherent risk and, unfortunately, not collect the proper due diligence to mitigate that inherent risk, and the residual risk assessment as well. We talk about it, we pair due diligence and residual risk assessments together. We do. But here is the problem.
A residual risk assessment is a point in time. It’s a point-in-time assessment. It’s a moment in time where you collect a document. It can be a SOC report. It can be a SIG, but it is a document that is dated. The document isn’t up to date. Right now, me, you, all of you on the call, we’re looking to move forward with this product and service engagement, but your SOC report and all of the other applicable due diligence materials are not materials that reflect today. They may be materials that reflect last year. They may be materials that reflect longer. So you want to make sure that you make informed, fact-based decisions, because for a SOC report, and again, a SOC report is really good, it is a control audit report, but I do want to make sure that we’re well aware that point-in-time assessments, while they are efficient, I do not find them to be entirely effective. So I do think you need to have other measures. Continuous monitoring, I believe, is where you create strength. But how are you continuously monitoring a supplier if you’ve misidentified the inherent risk and misidentified what should be done in the beginning? So what I’m trying to show you is how these processes, as an ecosystem, are interconnected. If you don’t accurately assess the vendor at the onset, then your due diligence will be incorrect, your residual risk assessment will be incorrect, the residual risk profile will be incorrect, selecting and contracting the supplier will be entirely incorrect, because how can you memorialize the risk, the due diligence, anything that you found during the inherent risk assessment up until that residual risk assessment? It will be incorrect. So you can’t memorialize the right things as far as provisions are concerned, in SLAs, in your contract, because everything was done incorrectly, and your continuous monitoring is risk-based. But how can you continuously monitor a vendor if you inaccurately risk assess and have an inaccurate risk profile of the supplier?
So what you’re seeing here is how all of these processes are connected, but it’s really important that the people who are a part of these shared services are equally and actively involved and engaged in these processes, because if you’re not, then every subsequent step and every subsequent activity will be managed correctly. So again, going back to that collaboration, that internal business alignment, make sure that you get your stakeholders involved. Make sure that you get them actively engaged. Let’s not present just the value of the contract at the cost of the proposition level. Let’s show a holistic view of what the contract is, or the product or service engagement is. That includes the risk. Not including the risk, simply because you may believe it’ll be a bottleneck, or simply because you believe the stakeholders or the powers that be may decide to not move forward with your engagement, again, may be detrimental to your organization. So you need to be as transparent as you possibly can, so that all of the right people who are in the room can make fact-based decisions. Next slide.

Now, before I say thank you, I do want to make sure that we address any questions that may be in the queue. So, I’ll let Ashley or Scott let me know if there are any questions and we can talk through that. So, before handing it off to Scott,
Ashley: Yeah, hi Rodney. I see we have a couple of questions in the queue. We have one from Ed, who asked, “How do you successfully emphasize the importance of calculating the inherent risk of your third-party population to your internal stakeholders?”
Rodney: How do you successfully emphasize? Well, here’s what I’m assuming: are you providing quarterly board reports? Because I do think your senior stakeholders are critically and crucially important. If they are not aware of the risk posed by your product or service engagement, then unfortunately they can’t help you. They can’t do or be what you need them to be. So I do think that quarterly board report is important. That is an opportunity to communicate with the senior-level individuals in your organization: let them know where your organization at a TPRM level is at, let them know the risk, let them know the opportunities for maturity and improvement. If you do that, I believe there’s a good opportunity to not just have your program embraced, but also have your program improved and matured.
Ashley: Excellent. We do have a couple more questions in the chat box, but Scott, I’m going to go ahead and pitch things over to you, and we can get to the rest of them at the end.
Scott: Awesome. Thank you, Ashley. Hi, everybody. My name is Scott Lang, VP of Product Marketing here at Prevalent. I just wanted to share a couple of things about Prevalent here, to draft off of Rodney’s presentation regarding inherent and residual risk, just to touch on a few ways that Prevalent can help you simplify that process of calculating inherent risk, translating findings into action to ultimately reduce your risk profile and get down to an acceptable level of residual risk over time. And really, it all comes down, from our perspective, what our customers tell us is that they want to accomplish any one of three things in their TPRM program. The first thing they want to accomplish is getting the data they need to make better decisions. And from an onboarding or inherent risk perspective, that includes getting the right set of intelligence and the right people involved in the process to understand, you know, the company’s initial risk exposure, and then identifying what types of due diligence are required based on the results of kind of that very baseline assessment. A second is increasing efficiency and breaking down silos, as Rodney mentioned. You know, there are an awful lot of people in organizations involved in third-party risk, and, you know, I grew up on a farm, and the analogy we always used was, if you have a lot of people’s hands on the plow, that plow’s not really going to go in a straight line. So, you know, who’s responsible, who’s accountable for third-party risk, who contributes to it, who needs to be consulted and informed about it, and bring those people together under a single source of truth of data and processes so that you can, you know, accomplish your organizational goals. And then finally, evolving and scaling their third-party risk management programs over time.
Chances are that program is going to change, not necessarily from a scope creep perspective, but you’re going to bring on new vendors and suppliers. New third parties are going to be introduced to deliver goods and services to your enterprise to help you deliver on your expectations to your customers. So how do you adjust and be agile over time and account for any of those types of changes that happen as the organization evolves? You know, our approach to addressing the third-party risk management challenge and, you know, those three objectives that you saw on the previous screen are to look at risk at every stage of the third-party risk management life cycle. You know, so often we take a look at risk on some level during the sourcing and selection phase, or making sure that that company matches, you know, your company’s risk profile, in addition to the good or service that you’re going to be, you know, purchasing from them or utilizing being fit for purpose. And then maybe we do some assessments, or we look at on a contract renewal, but, you know, how often is that level of discipline and rigor carried out throughout the rest of that relationship life cycle? We see that problem happen pretty frequently, and it involves a lot of different teams in the business, whether it be the procurement, vendor, and supplier management teams, IT security teams, legal, compliance, data privacy, and many others. So we see these, you know, unique and distinct challenges at every one of these phases of the relationship, and our approach is to deliver a prescriptive process that helps you to recognize and mitigate those risks at every stage.
So that as that relationship progresses, from the point that you source and select a vendor to the point where you offboard and terminate that vendor when the relationship ends, you have the assurance that you’ve got visibility into the risks, that you’ve got an action plan to mitigate risk down to an acceptable level, and that you have the documentation and memorialization of evidence to prove it to the auditors. And from our perspective, it really comes down to three things. That is simplifying and speeding up onboarding with a single source of truth and a process that the entire enterprise can leverage. Second, streamlining that ongoing assessment process and closing gaps in risk coverage that often happen when different teams are involved in managing third-party risk and maybe using different tools and different sources of intelligence and insights to get a picture of whether that third party brings risk to the business. And then finally, unifying teams across the life cycle, which I addressed. So starting in the lower left, off to the lower right, I guess, in our half-moon shape here, what we can help you accomplish at the sourcing and selection phase is adding automation and intelligence to RFX processes, RFP and RFI processes. So often those things are done in silos, they’re done in spreadsheets, there isn’t a lot of automation involved, and there effectively isn’t a lot of risk visibility involved in a new vendor or supplier that you’re looking to onboard. Second, at the intake and onboarding phase, we can give you that single source of supplier truth: one supplier profile, one set of intake processes, one set of contracting and onboarding processes that is extensible throughout the enterprise. So you’re singing from the same hymnal, so to speak. And third, scoring inherent risks, something very close to our topic today.
We give you the ability to score and categorize suppliers based on data-driven insights. It’s a combination of an eight-question internal survey that you and other members of the team collaborate on answering, as well as incorporating outside intelligence on potential compliance problems, financial risks that this vendor might expose you to, a history of data breaches and cybersecurity problems, governance issues, and more, all to give you a score to help you then prescribe a path to a more complete due diligence once onboarding is completed. Fourth, our specialty is in streamlining and automating the ongoing risk management process, and we deliver specific capabilities in our platform that enable you to do that across multiple different risk types. Now historically, IT vendor management, third-party risk management, was the domain of the security team, and largely still is today, because of the sensitivity of the data and systems and processes that you’re ultimately exposed to as a result of doing business with a third party. But, for example, the Prevalent platform has more than 200 built-in assessment templates that enable you to pose to vendors specific risk-based questions that matter to your business or matter to the board. Next is monitoring and validation, or validating the results of those assessments with continuous cybersecurity, business, reputational, and financial insights. A lot can happen in between the time that you make an onboarding decision, that you finish your due diligence, and that contract renewal happens.
So we help you fill the gaps between those different types of assessments with the intelligence to keep the team abreast of any challenges that that vendor might be facing, and because not all risks are dedicated to cyber, or ESG risks, or compliance risks, or operational risks. Sometimes a risk is a performance-based risk. And we give you the ability to measure and manage your supplier effectiveness with built-in KPIs and KRIs. And then finally, inevitably, like Neil Sedaka said, breaking up is hard to do. So when it comes time for that vendor relationship to end and that contract to terminate, so often we see companies don’t have the rigor and the discipline built into the process to properly offboard the vendor and mitigate the long-tail risk that you can be exposed to. So we give you the checklists and the document management and the compliance reporting to close that process off. We address multiple different types of risks, or risk areas, with our platform, and that helps give you a good view of your inherent risk, measure the progression of that risk over time, and then get you down to a level of residual risk that’s acceptable to the business.
And these are the general six categories that we deliver risk insights into, whether it’s an assessment built in the platform or whether it’s the result of continuous monitoring insights and intelligence that we consume and then correlate against those assessment results on your behalf. And I won’t belabor the point; read the fine print there. How do we deliver it? We deliver it in a way that leverages the three great strengths of Prevalent, and that is, number one, the people, the experts that we have that do the hard work on your behalf if you desire that, and that’s onboarding vendors, managing them, remediating, executing assessments, and then incorporating a tremendous amount of intelligence and data from half a million different sources and putting that into a format that can help you make good decisions, housing it in the platform with all the workflow and the automation and more to help you ultimately get down to that level of residual risk that satisfies your board requirements. Look, at the end of the day we want three things for you, not three things from you, and those three things for you are, number one, to help your organization, your third-party risk management program, be much smarter in its approach, and that’s delivering you the comprehensive insights, data-driven analytics, and role-based reporting for multiple different teams throughout the enterprise. The second, to give you a single source of truth, to combine assessments and monitoring together and then look at risk throughout the entire life cycle, from onboarding to offboarding, in a much more unified fashion than you might be doing it with spreadsheets or maybe with some disparate tools that really don’t talk to one another.
And then finally, as I mentioned before, it’s a very prescriptive, intelligence-based approach that gives you built-in recommendations, remediations, and more to extend out to your vendors and third parties and other suppliers that ultimately can help you get down to the level that you’re willing to accept. So from Prevalent’s perspective, that’s what our approach is to addressing the problem of third-party risk management. And I think it ties in very closely to what Rodney talked about today in terms of the big challenges that organizations face in third-party risk and what the overriding issues are to get from an inherent to a proper residual risk score. So, at that point, I’ll stop talking. I’ll open it back up to Ashley. Ashley, if we have any other questions for either Rodney or myself, I’m happy to take those now.
Ashley: Hey, Scott. Thank you so much. I’m going to go ahead and launch our second poll so we can go ahead and follow up with you on any projects that you may have. We’re just curious to see if you’re looking to establish or augment a third-party risk program within the year. And please be honest, because we do follow up with you. But in the meantime, Rodney, let’s go ahead and read through some of these questions. I love to see all the participation, and I know you wanted to touch back on Ed’s question, which was: how do you successfully emphasize the importance of calculating the inherent risk of your third-party population to your internal stakeholders?
Rodney: Yeah, that question I wanted to revisit too, because I’m imagining that Ed could potentially be where I was many years ago. How do you get your stakeholders involved? And I’m not just talking about the board, because I think there have to be gradual steps for you to get to that point. You may or may not already have access or participation or even engagement at that quarterly reporting level. So your stakeholders, as far as senior management and senior leadership, now that is critically important. I do think that for every third-party relationship you should have an inherent risk assessment. I do think distinguishing between inherent and residual risk matters, because more and more I’m finding that organizations will report solely on the residual risk. They will monitor and manage solely on the residual risk and not have any true transparency or insight into the inherent risk posed by their product or service engagements. So for you, I think it’s important to emphasize the innate risk posed by the product or service engagement, not just the risk after controls have been put in place, whether they’re internal or external. You want to make sure that your senior management, your senior leadership, and I think that’s the collaborative model that I mentioned, you need to make sure that you engage. Oftentimes we focus on relationship management internally; so that means the organization and our external relationships with the supplier. But I think that same model is important internally. So it’s important that you, if you are in the TPRM space, are a part of that TPRM function. This is a process of interconnected processes and activities. So your collaboration and your engagement with all of those individuals may not only be a good thing, it may be a requirement.
And I think having that collaboration and building some fundamental or foundational understanding will help senior management support and even champion what you’re trying to do throughout their organizations as well.
Ashley: Excellent. And then Scott, we have a question for you coming from Mary, who asked, “How does Prevalent help an organization complete annual SOC report reviews?”
Scott: Great question. Our take on SOC reports is, if you have one done with a third-party audit provider and they’ve delivered you a SOC report, what we do is we help you interpret that report. So we’ve got a service where we trawl through the report with you. We extract the key risks and key controls and then map those into our platform as risks that you can then track over time to a conclusion by applying remediations or more. So we don’t necessarily execute the SOC 2 report or complete it on your behalf, but once it’s done, we can help you translate that into the platform so you can actually manage the risks instead of holding that PDF in your hand going, “Oh, what do I do now?”
Ashley: Thanks, Scott. And then Rodney, we have another question for you. Somebody asked, “What percentage of the vendor population should you be doing active risk mitigation for, understanding that the inventory is broken down into three tiers: high, medium, and low? This is given the understanding that most TPRM programs are small teams.”
Rodney: Okay. So, when we say what percentage of the vendor population should you be doing active risk mitigation for? I think you should actively mitigate risk where risk is identified. Now, again, at what level you will do it will be different. Obviously you won’t manage and monitor a low-risk vendor as you would a critical or high-risk or even moderate one, but it depends on the risk appetite of your organization. It also depends on the risk that you inherently identify. So that’s important, simply because I’ve heard a lot of organizations, or even some TPRM programs or professionals, mention that a low-risk vendor doesn’t require any mitigation at all. So, we’ve inherently identified it as low-risk and there’s nothing that we need to do. Well, I’ll tell you, I disagree, because what may be inherently low today, for any unforeseen reasons, could be inherently high or moderate tomorrow. And that can happen for many reasons. Maybe it’s a material change in the actual product or service engagement. So, today you might engage a vendor for a particular product and service; tomorrow you will engage the same vendor for a different product or service engagement. What I found is that many organizations, not everyone, but when you have one supplier who is supplying multiple products or services, there’s a disconnect there. So if you’ve originally inherently rated it as low, then you measure or rate subsequent products and services the same way. I think that’s incorrect and inaccurate. I don’t think that’s the right approach. You need to make sure that every product and service engagement is risk assessed.
Not just the relationship, but also the product and service, and you want to make sure that whatever that inherent risk assessment is, that’s how you want to manage and monitor it. So I do think you need risk mitigation activities in place. If it’s a low risk, at a minimum you should be managing and monitoring it at that low-risk-based frequency.
Ashley: Excellent. Thank you, Rodney. And then Scott, we have another question coming in for you. Somebody asked: are there external interfaces within the Prevalent platform to efficiently collect required data on a regular basis?
Scott: Yes, there is, actually. Our platform includes an open REST API that allows you to integrate with outside sources of intelligence that add additional context to your supplier scoring or your supplier assessments. Now, we also offer our own continuous monitoring solution that has cyber, financial, business, reputational, ESG, and data breach feeds, whatever, that can be consumed in and add that context for you, or we do have the open API that allows you to integrate with other tools that might be already in place.
Ashley: Thanks, Scott. And then switching back over to you, Rodney. Tony asked: one of the most challenging aspects of risk that I’m starting to notice is building and sustaining an effective stakeholder engagement model. What are some key tips you’d offer to start building that out for a more impactful challenge as third-party risk managers?
Rodney: See, I love that question, because it goes back to the original point and purpose of today’s presentation. All risk is important, but I do think people risk has been a critical factor for many reasons in many different areas, but I do think that that engagement between you and your other functions is important. I want to believe that right now you’re at the beginning stage, maybe at ground one level, of building your program. How do you get second line of defense engaged? Well, have you first identified who comprises second line of defense in your organization? And do you have a policy or some form of governance structure that states which functions or groups within your organization actually comprise the second line of defense? I think that’s important. And not just at the policy level, but outside of what’s written on paper, you need to have active engagement with your second line of defense. I think that’s important. What I’ve seen in some organizations, you may have a TPRM group, you have multiple risk functions because you’re covering multiple risk domains, but none of you actually communicate or connect. That is a fundamental problem, I can tell you now, because together, collaboratively, you are protecting the entity, which is your organization. So the inclusivity and the collaboration are mandatory; it’s required. It’s important that you, as a risk control function, communicate with your neighbor risk control function, and perhaps the risk that you’re reviewing may be unrelated, but still, this is talking about third-party products and service engagements. Remember: interconnected, interdependent processes and activities. So at some level you should at least have situational awareness, even if you’re not at that moment actively engaged in remedying or mitigating some level of risk. So I do think setting up a cadence with your internal risk functions, with second line of defense, is important: reviewing 
which product or service engagements are critical, high risk, or moderate; reviewing where there may be issues, escalations, or probable areas for remediation, is critically important. Make sure that you’re all aligned as to how you’re looking at risk externally and what you’re doing internally to address those risks or the potential impacts of those external risks.
Ashley: Thanks, Rodney. And then we have another question coming in from Christina, also for you, Rodney, who asked, “How do you go about merging two TPRMs when two entities are in the process of merging?”
Rodney: Two TPRM programs. Is that the question? How do you go about merging two TPRMs? I’m assuming.
Ashley: Okay.
Rodney: Yes.
Ashley: I like that. Christina was fast. Yes.
Rodney: Interesting. So, when we’re talking about M&As, it’s important that you have a clear view, and I mean a transparent, clear view, of what those products and services are. I’m assuming that you are part of the acquirer. Are you? Or are you the acquired? If you can answer that question. She’s probably typing. Okay, to be determined. Okay. Thank you. Okay. So now, that decision is going to be multifaceted, because my perspective is going to be that of a TPRM professional. I think that decision is also more of a senior leadership and stakeholder question as well, because you need to measure the TPRM programs and, I’m going to be quite honest, which TPRM program would be most effective for your organization. That’s important. The effectiveness. Now, perhaps there’s a consolidation because you have the products and services that require the resources and that capacity is available. But you do have to measure the effectiveness of the TPRM program, not just at the current state, but also the future state. I think this is about evolution and maturity. So, if you are in a TPRM program or you manage a TPRM program, your organization needs to determine if your TPRM program is not just effective for that of today, but will it be effective for that of tomorrow, that future state? That’s important. Now, I’m answering this question in consideration of not understanding whether or not it will be consolidated or it will be split. But a decision will need to be made, because you won’t have two TPRM programs in one organization. You will either be consolidated or one TPRM program will have to be the main program, I’d say.
Ashley: Thanks, Rodney. And then pitching things back over to you, Scott. Somebody asked: you mentioned Prevalent has monitoring on cyber risk and compliance risk. Is this real time? I mean, when a data breach or cyber incident happens at the third party, does the monitoring side of Prevalent notify us of that?
Scott: Yes, the short answer is yes. It is as real time as the announcements or the breaches are announced. So most SLAs for cyber monitoring tools will give you a 24-hour window between when an incident is discovered, or for example the CVE is published or a data breach is announced, and when you’re notified, and we stick to that industry standard SLA. Within 24 hours that will be pumped through your instance of the Prevalent platform and enable you to make some decisions based on that.
Ashley: Thanks, Scott. Rodney, somebody asked: do you think SOC documents are more valuable than an unaudited SIG document?
Rodney: Oh gosh, how many times I’ve been asked this question. I think it depends. I don’t think that they’re more valuable per se. I do think that an unaudited SIG document has very, very useful information that can be applied. But I’m taking this in consideration of the criticality of the vendor, the risk rating of the vendor, the product and service engagement in general. I will say that SOC reports are extremely good. I like the SOC report, but I can also tell you, because they’re point in time, just like much other documentation that we receive from vendors, or third parties rather, I’m more interested in the now, not what was reviewed by an auditor last year, because I want to engage this prospective third party today. I want to execute an agreement today, and I’m looking at documentation that validated the sufficiency of external controls from a year ago. So my decision of right now, my decisioning, my fact-based decisioning, is based off of information and materials that were provided from a year ago. So that’s a coin toss. I do think getting as much relevant information as you can to support, whether it’s the SOC or whether it’s a SIG, getting as much substance, as much documentation and information to substantiate and support that, because I do think compensating controls are necessary whenever you’re dealing with point-in-time assessments, point-in-time documentation. And I’ll just end it. Not end it, but I’ll also say, for everyone on the call, I understand the importance of the residual risk assessment. We all know what the assessments mean, not just to organizations. We know what it means to auditors. We know what it means to regulators. But please do not let up or lose sight of your continuous monitoring. I do think a lot of your value is for risks that are emerging, not risks that are current or currently occurring, but risks that are emerging, things that could potentially harm or impact your organization. 
You need to be made aware of that. So get information that is relevant to today, and also use that information that may be relevant to yesterday; apply it together and make fact-based decisions.
Ashley: Thanks, Rodney. And then Julia asked, “If an organization chooses to be more conservative and only manage inherent risks, what would you say the benefit is of including residual risks?”
Rodney: Okay, I’ve also heard this question asked many times before, and I think there’s a coin toss there. 50/50, depends on the organization. It depends on the risk profile. Some of the responses to these questions that I’ve heard others provide are very much holistic. I look at it this way. What is the risk appetite of your organization? I do think you need to take these things into consideration whenever you’re determining whether or not taking that conservative approach and managing only the inherent risk is appropriate. I am not opposed to that. We do know that that is the innate risk. What I would suggest is, I do think the inherent risk and having the residual risk profile is important, but I also think it’s important to revisit the inherent risk. Many organizations, again going back to that residual risk, will use that only for management and monitoring activities. So after your residual risk assessment is done, you will probably manage and monitor based off of the residual risk. I’ll say no. You should always go back and revisit the inherent risk. You want to go back and see if there have been any material changes in the relationship, because your risk profile can change. Contractually, it may have changed. You may have had addendums or modifications that would require more risk management activities, or there may have been changes that reduce the level of risk management activities. But I do think always revisiting the inherent risk is equally important. I do think it’s something that all organizations in the TPRM space should do, and not just focus solely on the residual risk assessment. So I have to say, to that question, it’s a coin toss. It depends on the risk appetite. It depends on the size of your TPRM program capacity. It also depends on the size of your third-party inventory.
Ashley: Thanks, Rodney. And then one last question for you. Somebody asked, “How big is your staff and how many vendors do you manage?”
Rodney: And that’s why that person is… is that the anonymous question?
Ashley: Yes.
Rodney: Okay. Well, I’ll tell you this. I have a team of between 7 and 10 individuals, and I have an inventory that is anonymously large. I’ll say that. I’ll keep certain things to myself. You have to give me that.
Ashley: Or contact me offline. Of course. Of course. Well, thank you so much, Rodney and Scott, and everyone for all of your questions. They both gave us some great information to take in today, and I hope to see all of you either in your inboxes or at a future Prevalent webinar. Cheers, everyone, and enjoy the rest of your Wednesday.
Scott: Bye everybody.
Ashley: Thank you Rodney. Bye now. Bye everyone.

©2025 Mitratech, Inc. All rights reserved.