Description
If your company is exposed to third-party data breaches or other supply chain disruptions, periodic vendor assessments are (hopefully) already routine for your team. The question is whether those assessments are a compliance box-ticking exercise, or whether they deliver data that actually reduces risk.
Watch our TPRM 101 webinar, "Getting Value from Vendor Assessments," to learn how to move past manual questionnaires and build a well-engineered assessment "system." Brenda Ferraro, VP of Third-Party Risk at Prevalent, draws on more than twenty years of building successful TPRM programs to share practical guidance and lessons learned, including:
- Streamlining the assessment workflow for faster results
- Tapping existing vendor data sources for instant risk intelligence
- Covering more third parties with fewer resources
- Making sure risks are managed through to remediation
- Meeting multiple compliance goals with a single assessment
You will come away with actionable advice that helps you get the data you need to make clear, informed decisions, while building management's confidence in your third-party risk management program.
Speaker
Brenda Ferraro
VP of Third-Party Risk, Prevalent
Transcript
Amy: All right, we're live. Welcome, everyone. I see a few people joining. While you get settled for today's webinar, I'm launching a poll question; we'd really like to know why you're here today. The poll is up. Okay. Whether it's purely educational research, or an upcoming third-party risk management project. It's also perfectly fine if you're not sure why you're here. Stay with us, you may get something out of it, or you're a Prevalent customer who needs to know what's new. I'm Amy Twitter. I'm on the business development team at Prevalent, and my job today is to make sure your questions get to Brenda Ferraro. That's Brenda on camera. Let me introduce Brenda. She is VP of Third-Party Risk at Prevalent, with more than 20 years of experience successfully building third-party risk management programs. Today we'll be discussing how to get real value out of vendor assessments. While the poll question is showing, a few housekeeping items. You are all off camera and muted. We really do want you to participate. Throughout the webinar we'll keep asking questions, and we welcome yours. Please submit them through the Q&A or chat feature at the bottom of the Zoom interface; either way, they'll get to Brenda. Also, this session is being recorded, so if you have to step away, the recording will be in your inbox tomorrow morning and you can rewatch it any time. That said, Brenda, I've got a lot of questions today; this is such a hot topic and I'm looking forward to learning from you. Over to you. Welcome, Brenda.
Brenda: Thank you. Glad to be part of this session. Amy, I'm thrilled to see you so engaged in the discussion, and I hope the audience asks plenty of questions as we go through these five topics, because they really matter. As you saw in the invitation, today we're focusing on how to streamline the assessment workflow. There are often gaps and breaks in the process; we need faster results, but we may be short on people or duplicating work, and we never get to the core, which is tapping the vendor data sources we already have. We've done a lot of assessment work. Why not reuse it? How do we reuse it? What mechanisms exist to support reuse? We're more interested in building risk intelligence than in collecting content, and that will be a focus of the discussion. Covering more third parties with fewer resources: the first session touched on this a bit. We need to understand our risk distribution, our full vendor ecosystem, and our assessment system, but we may not have the resources to do all of it. We may be starting from zero, or we may have a mature program and need to make sure we're assessing risk across the full threat landscape. At the same time, we have to make sure risks are managed efficiently and remediated. I've been talking with a lot of companies across industries around the world recently, and the work they're doing is admirable; as I've said before, they've become very good at gathering information. There's no question they can get the information, but too often they stop once it's collected: "we have the information, we know the risk," without putting enough effort into mitigation. What really improves security is facing the risk, fixing it, and then moving on to the emerging risks of today or next week, and lately those have been coming thick and fast. We also have to meet multiple compliance goals. We're now at mid-2021 or beyond, heading into the seventh month. What's happening now is that many departments realize we're asking too much of our vendors and partners. Legal, privacy, procurement, and third-party management are all sending them questionnaires, and the poor vendors are worn out. We wanted to address this last year but had other priorities. Now it's reached a critical point: people are coming together to look at the information-gathering requirements from an enterprise-wide compliance perspective, with fresh eyes. We'll dig into that too. At the end we'll summarize key takeaways, but for now, Amy, let's take your questions, along with the audience's, across these five core areas. Amy, what should we start with?
Amy: So, my first question is: what are the three most important things that make an assessment workflow more efficient and faster?
Brenda: Okay, for me the three most important things are: a platform with automation. I'm looking at my notes, because I don't want to miss anything; I tend to ramble about a lot of things and worry I'll miss the point, and I can't afford to today. For me, platform automation is essential; I'm a process management person. While I was at Charles Schwab, the company sent me to Dr. Michael Hammer's process management course at MIT and Harvard. We learned agile methods, lean thinking, and how to break down and analyze workflows based on available resources, eliminate delays and waste, and then consolidate it all into a platform solution or workflow, so that the whole path from point A to point Z flows smoothly, with every step automated and no need for manual intervention. So look for a platform that automatically sends notifications based on status, or that analyzes information with an algorithm and alerts the user in time: "you're about to miss the risk remediation deadline." We need to tell users that an item is coming due or is overdue, and what the consequences are. It's like having a helpful companion inside the platform, whether a best friend, a Tinker Bell, or a lucky charm, that handles things for you so you can focus on the steps that really need a human. Another key capability is profiling and tiering. Many of the companies I've worked with have implemented these, but only to a very limited depth. We're finding that the current way of gathering information is flawed: the data collected often isn't very relevant to the actual business. For example, with a cloud service provider, I only need to focus on the core cloud security questions. Other details may come up, but there's no need to exhaust every possibility. We once used a 1,700-question questionnaire, which was absurd. Trying to cover everything is a fantasy; the point is to focus on what's actually happening now. Ransomware is a typical example. You need to know exactly what measures they're taking for you, and gather security information specifically on that. The same goes for software. The dimensions you need to look at for software security are completely different from cloud security. Whether you use the CAIQ assessment, the VBSIM questionnaire for software, or a questionnaire based on a mainstream control framework, each has its own purpose and use case. The third and final point is platform notification and reporting automation. We've talked about automation and notifications, but reporting is absolutely the most critical piece. When you're continuously taking in huge amounts of data, you have to be able to slice it flexibly so you clearly see assessment progress, due diligence status, and remediation status, whether at the portfolio level, the department level, or across the whole enterprise. If you can't use machine learning and AI to generate the reports you need on the spot, your efficiency takes a big hit. You end up processing extra spreadsheets, building reports from scratch, or spending time consolidating information. Those three things are the core. Amy, have we received any questions during the discussion?
Amy: Not yet, but I have one. I want to come back to tiering and profiling. I've talked with a few people interested in Prevalent who have never done tiering, and whose vendors aren't tiered at all. Is there a good way to get started?
Brenda: So, we'll touch on that a bit more later in the presentation. But a few key points about tiering: first, you have to define your company's tiering strategy, because different companies sometimes take very different views. If you can standardize tiers across the company, you avoid repeated adjustments and greatly simplify the process. For example, if your risk and compliance department uses tiers 1 through 4, find out their criteria and consider whether you can reuse that scheme. If not, you can build a tiering scheme for third-party risk management or supply chain management. You can use A, B, C, D. You can use red, yellow, orange, green. The method doesn't matter, but risk profiling and tiering are essential. All of this happens at the very beginning, when you start evaluating a supplier or vendor. So when procurement kicks off an RFP, they'll say, "these five or so companies are the ones we're considering." You have to capture the key information at that first stage, and that information becomes your evaluation criteria: what services will they provide for us? Where will the services be delivered? Who is the point of contact? Get high-level financial information. And you can run a threat intelligence report on the vendor to establish a baseline from the real-world environment. The point is to know before you engage: what kind of company is this? Exactly what services do they provide? And which potential risk points should we be watching? There are about 11 or 12 such risk points, and Prevalent can help you identify them all. We have an intake process and a baseline assessment process that evaluate inherent risk before you engage. That helps you anticipate the hard work you'll face if you choose that vendor, because we already know there are risk points that need deeper investigation.
Amy: Great. Thank you. No questions from the audience yet, but please remember, if something comes to mind, write it down and we'll have Brenda answer it; that's what we're here for. Okay, next question. So, what existing vendor data can be used for instant risk intelligence?
Brenda: We touched on this a bit earlier. I've always thought that using threat intelligence is a way to get information without needing a point of contact. You only need a domain name, and it tells you what the real outside situation looks like when certain security domains have weaknesses. Through threat intelligence you can assess not just cybersecurity posture but also business intelligence and financial intelligence. So I strongly recommend running a threat intelligence report when prioritizing, and really throughout the entire lifecycle of the third-party relationship. Another measure is redesigning the questionnaire. Back in the day, and I don't want to give away my age, since we're all getting older. Who isn't? I always pretend I'm still 21, or 25, or 29; the exact number doesn't matter.
Amy: Whatever you feel like.
Brenda: But back in the day, we had a situation where every year the questionnaire to gather content would change because the threat landscape changed. But if you think about it, the threat landscape was changing and we were catching up. We have to get ahead of that. So I really proposed a strategy that says we're no longer doing, and I've talked about this before in many webinars, the one and done. It's important to do continuous evaluation, and continuous evaluation means you gather what you need to at the very beginning for inherent risk. You do your assessment and add components that are important and relevant for the residual risk. You track those risks to closure, and then when things happen, when ransomware becomes important, when IoT devices become more important, when smart car stuff starts becoming, I mean, we've got smart cars coming all over the place and it's going to become more and more apparent, pipeline things. Those are wake-up calls, and those wake-up calls should not be ignored until the next questionnaire comes out. Those wake-up calls are really to say: do you know if those suppliers and third parties are impacted by this situation, and if they are, what are you doing about it now, not at the half-year mark or the nine-month mark or when the year comes? So that's what I would say about questionnaires: repurpose their answers, but ask them, remind them, to say, okay, has anything changed? You can't just say what you answered last time is exactly what you're going to be this year, because you may have had an audit that says you're not doing as well as you thought you were doing in incident response or in multifactor authentication or things like that.
Brenda: So they have to at least, and I don't like this word, the word attest, but they have to at least attest or say we're doing the same in our effectiveness for this particular control domain, and by the way, we're answering all the deltas as they're coming. So make relationships with your vendors and suppliers and let them know that we're not just going to talk to you once. We have a relationship now, and relationships have to have time together, and time together for us is going to be whenever I reach out very thoughtfully about what is happening in the environment today. The other thing is key controls. So if you have key controls in your organization, and what those are are really must-haves, these controls are the ones that we require all of our suppliers to have by engagement. Then those will help you to set up and configure platforms for automation on what's important based on their service types. So you can do external and internal quantification and identify exactly what's happening with those vendors, whether you have a point of contact or you don't. Or you can look up points of contact. Prevalent has a point of contact lookup, and that will help you at least find someone within the company. So don't fear that, okay, I have 10,000 vendors or 3,000 vendors or even 25, but I don't know who to go to. You can always use a lookup feature as well. The other thing is preconfiguring those risks. So when you know your key controls, you can rank those at the highest risk, and when you rank them at the highest risk, then it's going to be things that are apparent and bubble to the top for your assessors to review. And sometimes people have managed services helping them with their assessment.
Brenda: So if you've outsourced your assessment due diligence to a risk operations command center, whether it be at Prevalent or somewhere else, then those items will be completely available for them as well as for your organization if you're doing a hybrid approach. So either you're handing it off to someone or you're doing it yourself. But everyone should have the same voice and everyone should know what the risks are, and we'll be talking about that a little bit more. Also use risk association. So what that means is that if you have content gathering in a questionnaire or in threat intelligence, those things should match up together. If a question is asked of the supplier or the vendor and something's seen in the wild, those two things should match: what they said and what we see. And if they don't match, then that should say, okay, we have a risk, or we have something we have to look at, because what they're saying is not what we're seeing, or what we're seeing is not what they're saying, because it could go vice versa. It could say, "Okay, they say they're doing very well," or we're looking at threat intelligence that's providing information that says they're doing a great job in this security domain, but their questionnaire came back saying we're not doing well. You could go back to them and say, "Okay, well, this doesn't look right. It looks good out there on the outside. Why is it not looking good on the inside?" So it helps you to figure out how to balance, and it's like a double check. The other thing is risk association can help you if a question is asked somewhere in your questionnaire and then it's asked again differently in a different security domain, and they answer one way in one place and another way in the other; then you can do some checks and balances with the risk association there as well.
Brenda: We talked about threat intelligence: cyber, business and financial. Make sure you always have those three, because without one you will definitely have a scenario where you're only seeing a part of the picture. And we talked about profiling and tiering. Oh, networks and exchanges. That's the biggest one. I almost forgot it. So networks are there for us to store a library of suppliers' and vendors' already completed information. So it cuts down on the delay of gathering content. And what happens when I, as a supplier, might be in a network or an exchange with my completed content, my evidence, all of the information where I'm already working on risks? What happens is, if a new company wants to look at my content, I have the ability to either give permission to a sector, like I might say for every healthcare sector customer I want them to be able to see my information, or for every legal industry customer I want them to see my information, or I should be able to have the ability to say yes, I'm doing business with this requestor, go ahead and share my information with them. So it stays protected. So don't be afraid of, oh my gosh, my content, my information is up in some cloud being serviced by a third-party vendor. What's going to happen to it? There are protection mechanisms put all over that to make sure that it is secure and not shared with the wrong companies and/or without your permission. So it looks like we have a question, Amy. I'm looking at two.
Amy: Okay, here are a couple of audience questions. The first is about the leading cyber risk rating products. So, do we develop our own product, and how does it compare with BitSight?
Brenda: Okay, I can't go into that in detail in this webinar, but if you contact Amy, who will take inquiries at [email protected], we have a comparison document we can share that explains the differences between the various threat intelligence offerings and how they can be integrated. What most companies generally find is that we use the same information sources as other companies, but present them differently, in combination with the platform's features and your specific goals. So there are several companies that integrate these organizations' capabilities. Our approach may differ from BitSight's, but you'll want to do your due diligence, get the comparison document, and see exactly what's in it.
Amy: Yes. That said, I noticed who asked the question. I'd be happy to reach out to you after this webinar. We can discuss it further. Next audience question. So, does Prevalent provide vendor risk management as a managed service, or does it sell the platform for companies to operate themselves? And if the latter, what share of your overall business does each of the two models represent?
Brenda: So we offer three services. First, we provide the platform for self-service. It's a self-service platform that you configure and build out as you need, backed by our professional services team. We also offer managed services and ROCC services to help with execution. The Risk Operations Command Center can do the data collection. They can also do the analysis for you. They can reconcile the information you need to collect against what the vendor provides, and they can drive risk remediation. That's how comprehensive it is. We also offer rapid response. That falls under incident management: when something shows up in the Wall Street Journal or the New York Times and threat intelligence alerts us, you need to help your vendors and customers immediately. We provide rapid response services for that too. There are also consulting and strategy services. If you're building a security program, we can put someone on site with you, whether you're starting from zero or already mature; we'll review what you have and help you understand the many ways the platform can be used. The split varies by company. Programs are at different stages at different companies. Some start from scratch, some are quite mature. The beauty of what we offer is that everything will fit your needs exactly. We'll sit down with you for an in-depth conversation about where you want to go, and then put together several tailored options.
Amy: Great. Thank you, Brenda.
Brenda: Okay. Good. So, on to the next item. Amy, you thought this would only take half an hour, right?
Amy: I did. Wow. No, this is great. Keep going with the questions. And I really like this one. Obviously, we're all very busy. With so much work and limited time and resources, how do we accomplish more with less? Please share your wisdom.
Brenda: So, a tiny little story. When I started in third-party risk, and I'm sure all of you have heard this if you've listened to me before, I had this fall in my lap. I didn't know anything about third party, and it was a body of one. It was just me, and they came at me with, okay, you have 3,000 or 5,000 or 10,000 vendors that you're going to have to assess. And so when I looked at that, then I became a team of two, brought on another resource, and then it kept expanding and expanding. Now, two questions were asked of me by my chief information security officer at the time, and they said, all right, there are two things that can happen. Either you're going to do this with managed services and get some help from the outside, or you're going to hire people, and they both have pros and cons. Which pro and con do you want to go forward with? And as I look back on that, I don't think that I made what I would call mistakes, but there are some hybrid approaches that I would possibly look at. If I'm wanting to get done maybe a campaign of assessing things very fast, I would have a risk operations command center or managed services help me with that, because it will get things done quickly. They'll be able to look in their networks. They'll be able to find out if the information's already been gathered. They'll be able to give me what I need to know from a risk perspective. And then very quickly, we would be able to identify where we are with what's already been done. That's great. And then again, I call them Tinker Bells and Lucky Charms. If all of those individuals were doing things at a standard level where I would say, "Okay, I want to do 200 a week, or I want to do all 3,000 at one time," they would have the bench strength to watch all of the responses come in.
Brenda: And by configuring a platform with all the risks, the recommendations, the remediation timelines, and doing that prep setup, that's going to make it so that everything would be consistent. It would be the way that my company, whoever I work for, wants to look at their key controls. There are the networks and exchanges that we talked about before. So use those, and for those that aren't in there, you can use a hybrid approach where you're launching things out yourself. So for that question that we had earlier, if you do have a platform that people can use themselves, you can have a hybrid approach where you launch things yourself, but you also have managed services doing something for you. So look at your tiers and really focus on your criticals and your highs, and then let managed services or ROCC services do your mediums and your lows, or campaigns or things of that nature. Expand support out to additional departments. So if you take an approach where you're asking what you need to ask for not only yourself in your risk management or your supplier or vendor management area, and you ask questions that are pertinent to DR, pertinent to business continuity, legal, privacy, procurement, then your vendor and supplier is going to say, "Wow." This is like, I guess, an experience that I had, going to a Honda car shop versus a BMW car shop. They're different. So it's kind of like going to a place that has their ducks in a row, and they give more white-glove service to you. So that's kind of what you want to be for your vendors and suppliers. They need to work on remediation, not content gathering. They need to work on servicing you, not content gathering. So that's one of the items there.
Brenda: Rapid response: making sure that you know very quickly who's been impacted by an incident or a breach or a ransomware attack or malware. And then knowing that you can tell your board, here's who we work with that is having impact. Here's what we've done, and here's how long we've given them to close that disconnect. And we will give you updates on either daily or weekly progress so that you know that the bar of impact is going to slim down or change. And then having a platform that has the ability to visualize all the different connections of your third parties. So I have been a proponent for the last five years of going and making sure you have assessment information, whether it be just identifying for fourth and fifth and sixth parties that an assessment has been done, to what the risks are and how that risk will have impact on the company with which you're directly contracted, and knowing that in a picture format like a spider diagram, and which business units are using them. So for example, when I was at, again, Charles Schwab, they had a two-story building that had a screen up on the wall, and it would show, if an impact happened, the daisy chain of events that was going to trickle from that impact to the business units, to what trades couldn't be made, and all kinds of things. And that was way back in the day. I was at Schwab way before 2007, so I'm sure it's even better now. But I was flabbergasted by, like, oh my gosh, you know how to pivot based on exactly what's going on so that you can quickly make adjustments to your business. That has to happen for resilience for all of our companies globally. And we've felt some of that pressure based on what we experienced in 2020 and even in 2021.
Brenda: So if you have a platform like Prevalent's that has the spider diagram and all of the connections, which business units are using it, what data they're transferring, which direction it's going, then if something impacts, you can highlight it and see all the connections of what's going to occur. So I would highly recommend you get into that to help with accomplishing more with less, because I can tell you it took a lot of manual effort, when you found out someone was impacted, to determine how the business is going to be with this. What do we pivot to? What company can we pivot to? Do we have a backup company, or do we have a concentration risk? So hopefully that's helpful.
Amy: Okay, I have a question here about managed services. So, with Prevalent as a managed services provider serving a typical customer, how often does it happen that a business owner switches vendors because the residual cyber risk is too high?
Brenda: I don't know the exact percentage. But your question really hits the mark: when the managed services provider delivers the executive risk summary report to you, you need an internal process to bring that report to a steering committee or whatever disposition process you have, with defined risk thresholds, so that only items in certain states are allowed. If something is completely missing, consider removing the item, while working with procurement to tell them there's a significant risk issue and getting the business unit involved in mitigation. In the platform, you can do the following: you can track those remediation actions through to completion. You can use the executive risk summary report and the different risk register views to show executives the business risk, and share that with privacy, procurement, risk and compliance, and so on, to say that based on the information from managed services, I recommend proceeding with this customer or vendor, or I recommend remediation, or I do not recommend proceeding. They'll do all the heavy lifting up front. They'll give you the information you need to decide, and then you can run your internal process.
Amy: Okay. Following on from that, an attendee says: "I always worry that the only thing worse than being ignored as an internal vendor risk management analyst flagging a risk is being ignored as an external service provider." So it's not really a question, but I wanted to pass it along.
Brenda: Yes. That's true, because when we do due diligence, whether it's outsourced or done with internal resources, our work matters. I often compare it to a hospital triage center. Without proper triage, the doctors, nurses, and surgical center can't determine the next steps. So whether it's a hybrid model outsourced to a managed services provider, handled in-house, or a hybrid solution, the due diligence team is the most critical link in the process, because they're responsible for hunting for risk. I call it risk hunting. Once a risk is found, controls have to be put in place immediately. The company has to define its risk appetite and decide how to respond. Thank you for your comment; I firmly believe these people play a vital role across the whole security lifecycle.
Amy: Great. Right, keep the questions coming. So, next up... speaking of risk remediation, which is the most critical piece of third-party risk management, how do you actually manage it effectively?
Brenda: So, as I said earlier, remediation is about making sure you keep the assessment process continuous. Run threat intelligence, set thresholds and alerts, so you're warned when a risk changes. Have reports ready that lay out the risks about to trigger, along with their remediation dates and deadlines. And make sure the business unit or the owner responsible for the change can reach the vendor in time and say: "Your remediation deadline is coming up. Is it done? Can you send us the evidence?" Also note that receiving a remediation report doesn't mean the problem is solved. It means you have to validate that the remediation is complete. There's a specific validation process for that. We've discussed virtual validation many times in other webinars. Back when we could travel, we did on-site visits; travel is gradually coming back, but before companies, vendors, and customers resume meeting face to face, we've worked out alternative ways to validate. Validation means testing the risk through a specific protocol to make sure what's actually done matches what was stated. All of that is risk management. But the best way to manage it is to have a system, so you don't have to export content from the platform into a spreadsheet and check things one by one. You need a platform that gives you real-time feedback on where you are in the due diligence lifecycle. Whether you're in remediation or assessment, you can analyze the data flexibly, for example, how many vendors need to be assessed this year. We'll focus on the highs and criticals in each tier and among key vendors. For the medium and low vendors, we won't change their risk rating, but we'll suppress task generation for them. We'll know those vendors exist. We'll acknowledge them, but focus on ransomware, multifactor authentication, encryption in transit, phishing, and so on. Those are the things that make it easier for attackers to get in. So when the program moves to the next phase, the policy will say: once the highs and criticals are done in year two, we'll bring in the mediums and lows. That's another way to manage risk.
Amy: Okay, great. No questions. We'll move on to the next item. So, Brenda, is it possible to meet multiple compliance goals with a single assessment?
Brenda: Yes, and that's the magic of the Prevalent solution. We have a top-notch content management team with deep expertise in NIST, ISO, GDPR, CCPA, and more. I could list plenty more acronyms and regulatory frameworks. The coolest thing, and how snazzy is that word? Like a retro word from the 1950s. What's really great, going back to the '90s, is that we can look at information through a fresh lens. So I call it the "magic button." The risk register and the compliance filter interface are quite clever: as someone in privacy, I need to see how the content collected maps to GDPR compliance. I just press this button in the system, and it shows exactly where we stand based on what has already been collected. So you don't have to keep asking: "Please fill out the GDPR questionnaire again; these questions may already have been asked in the overall third-party assessment, but can you do it once more?" Not at all. It just changes the viewing angle. Like a camera lens. You can focus on GDPR, NIST or ISO and look at the problem from different dimensions. That feature is really well designed. I especially appreciate the multidimensional view they've built, which lets us look at the data from different angles.
Amy: Love that word, snazzy. Great.
Brenda: Oh, I said that too. Oh my.
Amy: I was going to say super cool. That feels very '90s.
Brenda: Super cool. Super cool.
Amy: Great. No questions at the moment. That said, if anyone has questions, I know our hour together is almost up, actually less than an hour now, so next we'll wrap up with a few key takeaways. If you have any questions, please drop them in the Q&A. So Brenda, over to you for the key takeaways.
Brenda: All right. So, I have five of them, because we had five topics, so I kind of interlinked that. But the first one is automation is key. I want to make sure that you're using the ability to push your lifecycle with automation on status and certain criteria that's being met, and being able to use what we call active rules. So, for example, if we have something that comes in at a profile and tier intake process, then it will automatically launch the appropriate content that needs to be sent to the supplier. And then when it comes back, the status will change, as you know; you don't have to go in and manually change the status. And then when it's assigned and the risks are identified and you push it along the process, there are certain things that can happen magically and automatically. Otherwise, there are a couple of things that you may or may not have to do manually because you need to have that personal eye touch on it. Having the notifications go out so that you don't have to do the chaser emails. That was one of the things that I just despise doing, having to chase people, and you can make the information change and/or be stagnant based on what notifications are going out. You can tell them about your program at the beginning and give them expectations so that it's very easy for them to identify what's going to happen next. You can remind them when things are coming. Do you have the ability to slice and dice the data? So automation and having the ability to do that is key for a process to move faster, but always have your program and process somewhat clearly defined in the beginning, with the ability to change and tweak it as you go. So do know that you're not going to come in and say, "Okay, it's going to be fantabulous and no hiccups are going to happen."
Brenda: Hiccups will happen, but that's supposed to happen, because that means you have to improve something, and it just continues to help you to grow in your program. The other thing is risk intelligence comes in many forms. We've talked about cyber risk intelligence. We talked about inherent risk. We talked about profiling and tiering. We talked about business intelligence, financial intelligence. We now have other types of reports that we can give you that are even above and beyond what people have been expecting in the past, that procurement can use. Share your information. Risk intelligence should be shared, and then make sure that you're looking at that risk intelligence through different camera lenses: GDPR, CCPA, whatever that is. The other one is obtain assistance from the experts. So, if you're just starting out, you're probably going to want to say, "Build this and give it to me so that it can be handed off, so that I can just focus on risk remediation or risk management." And that can happen. Or you can have a hybrid approach where you have multiple people on staff and you've got this campaign that you need to do a lot with. So they can help you with that campaign. So think about when there are temporary situations where you have to grow really quickly; they have the ability to help you with that. So don't feel like you have to muddle along really slowly. Managed services can put a program together for you. They consult with you. They can do strategy services with you and a roadmap to say, based on what we have in the platform today, which is a lot, we can help you do what you need to do. But we're also going to keep you apprised of the new things that are coming on an every-month to every-two-month basis.
Brenda: And we'll be talking to you about leveraging those items based on what you've purchased from Prevalent so that you can start using those, because that's the main goal: to make everything easier, faster, better, smarter, scalable. And so you'll want to keep up with the times on all the different components that are available. Run a relevant third-party program or supply chain management program. Don't just have one questionnaire. If you're small, you can have one questionnaire. I can understand, maybe you have 25 assessments to do. So don't think that you have to have different ones for each one. But there are situations where you may have contractors that are using your laptops. So why are you asking them questions about their laptop? They're using yours. You should know how secure it is. Or you may have someone who's doing software coding for you, and you need to find out how they're handling defect management, because that's how the hackers can get through: if there's a code issue, then they come in through that way. Or you might have ransomware that's really important to you in the healthcare space, and ransomware needs to be at the forefront of your questionnaires. It's nice to know all the other key controls, but we're dealing with ransomware right now. So that's something that could be a proponent item for you. And then finally, the fifth thing is the responses need to be mapped to the compliance framework, the regulatory requirements, and having that mapped will help you to use the camera lens to look at different views of the information that's coming in, and the way that you need to see it depending on who you are and what department you're in. So those are my five things. So I think we have one other polling question before we end today.
Brenda: But as you're looking at that polling question, go ahead and put that up, and then I can talk about the trusted partnership after you've put that up. There it is.
Amy: So, what we want to ask is: are you planning to expand or build a third-party risk management program in 2021? I know 2022 is just around the corner. So maybe you should also think about early next year. Yes, no, not sure. Give us an answer. Brenda, go ahead and finish this part.
Brenda: That's a question for Amy. So if you want to talk with Amy in depth, or maybe Amanda can help, they may share relevant information. Not sure. But knowing your specific needs matters to us, because there are support options at every tier. Where you are in your program today may mean exploring other resources that are available. So stay informed about anything that might be useful. As I said, many companies are moving to an enterprise-level approach, and when you take an enterprise approach, the other stakeholders will ask: how do your program's platform and managed services help procurement? How do they support risk and compliance? So there's a lot we can show. Of course, we were a Leader in the 2020 Gartner Magic Quadrant, strongest in strategy. That's essential: without strategy, you can't keep leading the industry through change. We also have the fastest-growing vendor network. In 2020 the network grew by as much as 128%. We'll be participating in the Gartner Magic Quadrant evaluation again this year. The report is expected in the next month or so, two at most. We have trusted partners, we call them "family partners," and we work closely with them to figure out how to achieve their goals through the platform. Of course we have an expert team with a clear direction, but what matters more is listening to customer needs; our people are without doubt the most pleasant partners to work with. So I want to emphasize that every member of the company is a valuable asset we're proud of.
Brenda: So if you have any questions, as we discussed earlier, we'll go into detail. But if you need to contact Amy directly, her email is [email protected]. We're active on LinkedIn and Twitter, so please follow us. We keep publishing white papers so you can stay on top of industry insights, whether it's ESG, the hottest topic right now, or incidents in the ecosystem we've addressed, and all kinds of reports. Amy, any questions? Any other questions from the audience?
Amy: Well, not quite finished, but I'll say a few more things. So if anyone has a last-minute question, please take a moment to use the Q&A feature. Thanks to everyone who took part in the poll questions. If you answered "yes," I or my colleague Amanda Fina will follow up to make sure you get support. We're always here to help; Brenda has described the platform and managed services in detail, but if you have deeper questions or want to learn more, please contact [email protected], as you said. Also, a reminder that if you attended or registered for this webinar, you'll receive a confirmation email from me or Amanda afterwards so you get the materials. No last-minute questions at the moment. Brenda, I learned a lot, and I think that's a good sign; everyone here is thinking about their next steps.
Brenda: Mm. Hopefully something interesting, like management maturity or the like.
Amy: Right? Seriously, you've gotten people thinking, and they're headed in the right direction. So, yes, you know, we're here to help. As I mentioned, that said, I think we should give the time back to you. Thanks again for taking the time to join Brenda and me. If you have questions, please reach out. I hope you're taking away actionable advice to get the data you need as you build your third-party risk management program, so you can make clear, informed decisions and build management confidence. Brenda, anything to add?
Brenda: No, just thank you so much. It's been both an honor and a pleasure, and I'll see you again soon.
Amy: Sounds great. Thank you so much, Brenda. Thank you, everyone. Have a great rest of your day. Bye. Bye. Bye.
© 2026 Mitratech, Inc. All rights reserved.