Description
If there is anything that 2020 has taught us, it’s that we need better plans to address uncertainty. From coronavirus quarantines to mounting cyber-criminal activity, our supply chains have experienced challenges not seen in recent history.
Please join Prevalent experts Brenda Ferraro, VP Third-Party Risk, and Alastair Parr, SVP Global Products and Delivery Operations, to learn how to prepare your third-party risk management (TPRM) program for 2021 and improve your business resilience.
During the webinar, Brenda and Alastair share actionable strategies for:
- Analyzing cyber, business, and financial intelligence to get ahead of vendor risks
- Extending risk monitoring to fourth and Nth parties for deeper supply chain visibility
- Simplifying KPI tracking while achieving more continuous supplier risk monitoring
- Correlating vendor risk data from disparate sources to proactively reveal threats
Ensure that your TPRM program is ready for 2021, and watch this essential webinar today.
Speakers

Brenda Ferraro
VP Third-Party Risk

Alastair Parr
SVP Global Products and Delivery Operations
Transcript
Peter Schumacher: All right, welcome and thank you for joining our webinar today. This is the 2021 Third-Party Risk Management Action Plan, featuring Brenda Ferraro and Alistair Parr. Brenda is our Vice President of Third-Party Risk and Alistair is our SVP of Global Products and Delivery. My name is Peter Schumacher. I’ll be the webinar host for today. I’ve got a couple of housekeeping items to cover before we officially get started. First of all, this is a reminder that all attendee lines are muted; we do that in an effort to cut down on background noise. We don’t want dogs barking, kids coming in the room, neighbors mowing their lawns, things like that. We’d also like to keep this interactive, so we do invite you to submit your questions using the Zoom console. Throughout the session, please enter your questions using the Q&A section in Zoom. Time permitting, at the end of the hour we’ll get to those questions, and hopefully we’ll get some good dialogue going that way. Today’s webinar is being recorded. We deliver that recording by tomorrow morning to the email that you used to register for the webinar. I know you didn’t join to see my face or hear my voice, so at this point I’d like to turn things over to Brenda and Alistair. Alistair, Brenda, if you don’t mind turning your cameras on, we’d like to see your smiling faces. And there you are. I’ll let you take it away. Thank you.
Alistair Parr: Thank you very much, Peter. And hello everybody. Just a brief intro for myself, and of course Brenda can follow up as well. My name is Alistair Parr. I’m the SVP of Products and Delivery here at Prevalent. I’ve come from a consultancy background, and I’ve been conducting audits and managing third-party risk programs for a fair few years now. So pleased to meet you all.
Brenda Ferraro: I think that this is our first formal webinar together after working with each other for almost over a year, so I’m really excited about it. My background, of course: a lot of people know me from healthcare and financial institutions. My background really goes into process mastery. I like to take programs and identify exactly where you are in your maturity and how to help you to scale it, and use the Prevalent platform to do that. So I’m looking forward to this discussion about what we’ve seen this year, which has been quite the trying time, but we have managed through it, and what we’re going to be experiencing next year in 2021, which is quickly approaching. I believe we’re going to turn off our screens and focus on our slides and content, so let’s get started, Alistair.
Alistair Parr: Fantastic. Thank you very much, Brenda. Okay, so what we’re going to do is begin with a 2020 summary in a bit of detail and highlight the key trends and observations that we’ve seen over the course of the year. Once we’ve done that, we’ll move into the broader 2021 projections and what we’re expecting to see based on the trends, challenges, and issues that we’ve seen over 2020. And there have certainly been a few of them. So, the first thing to observe that we’ve generally noticed over 2020 is that, regardless of size, we are seeing prolifically the same challenges across organizations. And that really stems from finding and collecting the right types of information before applying consistency at scale. Every single vendor estate that’s being managed by our customers that we tend to see is significant, whether it’s hundreds, thousands, tens of thousands or hundreds of thousands, proportionately against the resources of the organizations we’re speaking to. They’re ill-equipped to manage the volumes, and that’s why they’ve been looking at technologies, automated processes and workflows to help streamline and make that scalable. But fundamentally, getting enough information to feed those respective machines has been a regular challenge that we’ve seen over the course of the year. So, how has the maturity of third-party programs generally evolved? The way that we’ve looked at this is that we leverage the Carnegie capability maturity model and we look at scores of one to five across organizations. And when we do that, we typically focus on five key areas:
- Coverage
- Content
- Roles and responsibilities
- Remediation
- Governance
And each of those has its own successes and challenges that we see. But touching on the point we highlighted previously, there is a large trend and a large challenge in getting enough meaningful information. That’s by not having consistent content. That’s by not having suitable coverage across the estate. Roles and responsibilities are ill-defined, or personnel are focused on the wrong activities, and then people aren’t driving remediation or reporting back to governance. So we’ll touch on a few of the regular issues and challenges that we tend to see, but we’ll start with a common theme, and Brenda, I was hoping you’d be able to talk through operational resilience. It’s been a pretty key theme this year.
Brenda Ferraro: Yeah, with everything that we’ve been going through with the pandemic, or COVID, whichever way you want to look at it, we’ve been identifying some disconnects and gaps in our programs for resilience. And we’re now noticing that it’s not just the approach of doing a third-party first-perimeter review and due diligence of who you’re working with. Because, as we know, if we’re outsourcing, or doing services, or having a provider or some type of data share with another company, they may be doing that as well. In the past, nth party and fourth party used to be one of those things where we put our hands up and crossed them and said, please don’t make us go there. But we’re now being pretty much forced to go that direction. And when we look at retail and other types of industries, it’s not just from a cyber perspective, but also: how are we getting our products? Are we able to lift and shift our work from one company to another company? Do we have concentration risks where we’re only using one company for a certain service or product or for the data support, or does it need to go to additional ones? Along with that, we may have 25 companies doing the same thing, and some of them may be very strong in their posture for their controls, but others may be weak, and so we want to start using the strong ones, or helping those that are weak become stronger, in efforts to keep our bench strength of security posture the way that we need it. So throughout 2020, I’ve seen many companies across all industries starting to talk about supply chain management and outsourcing chain management, in the UK and in the US. So we’re going to start seeing a lot of companies talk about more controls, more due diligence, things that matter not just from a cyber perspective, but outside of cyber and data.
Alistair Parr: Very interesting. So, associated to that, as we go through some of the next few slides, we’ve conducted analysis against a lot of key customers and individuals over the course of 2020 to see where the common trends and challenges are. As Brenda rightly illustrated, operational resilience has been a recurring theme across 2020. But Brenda, I’m curious to know your thoughts around coverage, and specifically how stopping at third parties has been a potential hiccup in 2020.
Brenda Ferraro: Yeah, as we just talked about in the previous slide, cyber has been the major focus of most companies. And you’ll notice here that we’re now bringing in finance and regulatory and reputational risk, in efforts to know how the risk is going to apply to the vendors that are in our first perimeter and also in our fourth and our fifth and our sixth, calling those the nth parties. And what happens when you do that is you start to get a view and a picture of your risk landscape to the nth degree, or to the outer perimeter of where it stops. We used to say follow the data from A to Z, or follow the product from A to Z, and we were only making it to maybe O or P, but we were never getting to Z. So what we’re now noticing is that we have to start considering who is all working together, not just externally but internally: why are we doing business with these companies? And if something happens in the daisy chain of the support that we’re looking for from these suppliers and outsourcers and vendors, what will that do to us in the event that something goes awry or some dependencies are not met? Can we pivot to make sure that, from a resilience perspective, we can stay up and afloat? Do you have any items to add to this particular topic, Alistair?
Alistair Parr: Yeah. No, I think it’s very much centric, which is that most organizations I spoke to have not had the bandwidth to be able to get past the third-party estate, because that’s been challenging enough for them. But I completely agree. We’ve seen a bit of a trend towards the tail end of the year where people have got a grasp on at least their tier ones and they’ve started to focus on that fourth-party associated risk, and operational resilience has fed into that, as they’ve had no choice over the course of 2020 but to start diving into what’s below the surface, so to speak, and seeing what’s there. So it’s been a very interesting trend and change of trends there.
Brenda Ferraro: Yeah. And I believe also everyone’s having difficulties determining, you know, who are my fourth parties or my nth parties? How do I even know without asking or seeing some type of a screen that will show me all the connections? So we’ll be talking about that for 2021. Thank you.
Brenda Ferraro: So content is something...
Alistair Parr: Oh, sorry. Go ahead, Brenda.
Brenda Ferraro: Sorry, after you, Alistair, please do.
Alistair Parr: No, go ahead, Brenda.
Brenda Ferraro: No, so I was just going to say, from a content perspective, you had mentioned there are a lot of companies that are looking at what are my key controls, how do I correlate my risk recommendations for those key controls, and what type of profiling due diligence will set me up for identifying the risk that matters to me most. I call it meaningful risk. There’s automation that everyone is talking about, but we also have to keep in mind, as we’re looking at these different types of profiling, inherent and residual risks, and what that looks like from a centralized risk register perspective, that we have to look at our program in a way that identifies the talent that you need to support the life cycle, the tools that you need in order to give you the information, and the techniques that you need in efforts to start, stop and continue. And so that’s the same thing as people, process, and technology. But there’s that common phrase that you cannot manage what you do not measure. And measuring is basically key. So here is what we’re showing: likelihood scoring and overall impact, and making sure that we’re taking a cohesive and comprehensive look at centralizing that information is going to help. Those companies that are using just a spreadsheet questionnaire and using that as their due diligence are missing the picture of threat intelligence. They’re missing the picture of validation reporting. And then those that are using just scoring systems are missing what the vendor or the supplier or the outsourcer says that they have in place versus what we’re seeing in the outside-in view. So, sorry, I talked over you, Alistair. What do you have on this topic?
Alistair Parr: No, I think that summarizes it very well. The thing I’d note from what I tend to see is that when we talk about centralized risk registers, very often we’re seeing organizations focus on cyber security or information security specifically, and we’re seeing a trend of consolidating the various types of risk they want to track, whether it’s operational, financial, reputational, broader information security, etc., into consolidated views. That doesn’t necessarily have to mean the same risk register, but we’ve been seeing people looking to standardize the metrics they use to calculate and track that, and that’s certainly been an interesting trend.
Brenda Ferraro: Agreed.
Alistair Parr: Thank you. So, from a roles and responsibilities perspective, I had briefly mentioned before the fact that I’ve yet to see a fully resourced and staffed ITSM team responsible for driving third-party risk and third-party governance. But as you can see from some of the data in front of you now, it’s not just about having the right resource. It’s about having the right resource on the right tasks. So, a trend that we’ve seen gradually begin to move over the course of 2020 is that they’re leveraging automation tactics and techniques, and even outsourcing in some cases, so that they can focus the qualified staff and resources on the right activities. If you have an information security specialist, privacy specialist, etc., they shouldn’t be there reviewing the intricacies of an assessment so much as focusing on the main pain points and challenges that they should be focused on: the remediation, the validation exercises. Does that support what you’ve been seeing, Brenda?
Brenda Ferraro: So I’m noticing the engagement of the departments. Looking at legal, looking at your risk and compliance department, looking at procurement, they’re all starting to recognize that we’ve been hitting the vendors in the supply and outsource universe very heavily with asking them questions about what they’re doing from a cyber perspective, and now into what’s un-cyber. And it’s hard for them, because they have so much to respond to, and some of those things are repetitive. So I am seeing in a standardization review that these questionnaires, from an inside-out view, are helping to inform the legal departments and the risk departments and the procurement departments on what’s happening over time. It’s not just a “hey, we’re going to find out how you are right now, we’re going to put your information on a shelf, and then we’re going to pull it back out in a year, review you again, and then we may or may not share it with other departments.” It’s now becoming one of those situations where the procurement offices and sourcing offices are saying, what are you finding out that’s going to help me and complement me in moving into the awareness of what’s happening with a particular vendor, versus just making sure that we can onboard them? Right. We’re also looking at people talking about: tell me what they’re doing in the interim, and also tell me how they’re doing when we transition them out.
Alistair Parr: Very interesting. Thank you. So, from a remediation standpoint, Brenda, what is it that you’ve been typically seeing across 2020?
Brenda Ferraro: This one is my favorite. This one is really, really big. And you’ll note that there’s 86% inconsistency with the remediation guidelines from the people that we’ve done maturity assessments on. These respondents are really saying, I’m doing a great job of collecting information, I’m doing a great job at identifying risk, but then as soon as it comes time for me to remediate and track those remediations to closure, I start to fall short. And the reason why is because there could be situations where you’re not using standards for your risk remediation. It could be that you haven’t applied risk towards different tiering approaches. And there’s a big need and a challenge for companies to take that remediation to the full effect. CISOs today, excuse me, are saying, “I no longer am a resource that’s responsible for just reducing risk. My main priority now as a CISO is to manage the risk.” These risks are coming in, we’re identifying what needs to be remediated, and I need to control what’s happening from the start to the end of those remediations. So, if there’s someone who’s unresponsive, what do I do with those companies that said they had a plan and didn’t complete the remediation? Or maybe the remediation was finished, and we need to be able to validate that that completion was up to your posture and standard. Also, there’s no risk scoring that’s being applied across the board for those responses that are coming back. We’re finding that 59% of our respondents were talking about the fact that they are monitoring threat intelligence that should help apply to what they’re hearing from the vendors and suppliers, but it’s not marrying very nicely together to show a normalized or harmonized risk score. So, those are the things that I’m very hopeful 2021 will take care of.
Alistair Parr: Interesting. Yeah. To second what Brenda’s been saying, from a standardization standpoint for remediation, the number of organizations that we’ve seen simply treating third-party risk as a checkbox is gradually diminishing as people realize its importance, and as Brenda mentioned, the CISOs are becoming more and more aware of the fact that they’re identifying these challenges and they need to do something with it, beyond just observing the fact that there’s this associated amount of risk across their third-party estate. We are seeing more and more people finding the mechanisms and ways to start addressing those: challenging their supply chain, enforcing it with teeth in the form of contracts, and beginning that validation and effective control process. So if we were going to summarize what 2020 has been like, it has been a bit like herding cats. Purely focusing on third-party risk, it’s about struggling to manage an effective program that’s scalable. There’s a vast amount of collaboration, as you’d expect within this space. It’s not purely a case of dealing with internal resources, and that collaboration requires expert knowledge, subject matter knowledge across respective domains, and, as you’d expect, a fair amount of luck. Yeah, I love this picture, because it really truly is like herding cats.
Brenda Ferraro: It does feel like it.
Alistair Parr: So, that is summarizing our perspective on what we’ve seen so far in 2020, some of the key challenges and themes. Moving forward, we’re going to talk a bit about the key themes that we’re expecting to emerge over the course of 2021. Now, some of these are going to be evolutions of solutions that we’ve seen in 2020, and some are entirely new challenges and approaches to dealing with third-party risk. Okay, moving on to the first slide: expanding third-party horizons internally and externally. What we mean by this is that we’ve started to see this over the course of 2020, partly down to reactions to operational resilience, but there’s been a requirement to start understanding how third parties interact specifically with the business. Far too many programs historically have been purely outward facing from the organization. They get a raw list of third parties that they deal with on a regular basis, and they’re treated without any association against respective business areas or business context mapped to it. Now what we’ve started to see is association of third parties beyond that basic list that may be provided by procurement or legal or finance, whoever it is, and actually starting to speak to the business. Why are you using this third party? What value do they have to you? What are they doing for you, etc.? All that context is extremely important. As much as going down to the nth party in the opposite direction, it’s extremely important to actually understand the true level of risk associated to that third party itself. And the way that we’re seeing people do that is starting to consider things such as relationship owners within the business. If they’re not established, we’re expecting trends of more relationship owners being defined in organizations, so that somebody has a specific responsibility to manage and coordinate with that third party. We’re also expecting multiple vested parties.
And what we mean by that is that quite often you’re going to find different parts of the business that have some form of vested interest in that third party. So when we’re looking at concentration risk of specific third parties, and we’ll touch on that a bit more later on, or purely looking at the fact that we’re going to have challenges in delivering revenue because one third party’s gone down or they’re supporting different parts of the organization, that’s something that is going to require increasing focus and validation against preliminary tiering and profiling. A very common trend we’ve seen, and I think Brenda touched on it a bit earlier on, is that the initial data set of understanding what the third party is and what they do, and applying some initial profiling on it, has historically not been brilliant. The legacy data sets have been lacking, and we’re starting to see, and we expect to see more into 2021, better procurement processes to share upfront the data necessary in order to conduct these programs effectively. That of course leads to the nth-party management piece, and Brenda and I will talk a bit more about that shortly. And then that touches on comprehensive profiles. This is about incorporating and amalgamating the different parts of the business that are dealing with a third party, so finance, legal, procurement, infosec, IT resilience, privacy, whoever it may be, and starting to build up these ultimately 360-degree profile views on what’s happening with that third party. That of course touches on our final point there, which is the broader life cycle of a third party: from onboarding through to offboarding, better management and definition of how that’s being managed. So we will touch on a few of these themes, but Brenda, is there anything you’d like to add on what you’ve been seeing out in the wild and what you expect in 2021?
Brenda Ferraro: Yeah, of course. So the internal and external situation, for a universe to be identified and a point of contact, has always been one of those linchpins that have caused challenges, and I would think that as we go into 2021 there are going to be some new approaches that people will start to use as a technique, being that they may want to go directly to the vendor and ask them those preliminary tiering and profiling questions to remediate that information, or to bump that information up against what you have in your records. It’s kind of like when someone’s asking you to just say, “Here is the service that I’m providing. Here is what I do for you. Here’s where I’m doing business.” And then matching that and mirror-imaging that up with the threat intelligence that you have, so that if you have to get started really quickly, you can. I’m also seeing threat intelligence being used as a prioritization technique. If you’re really needing to find out information quickly, it gives you a picture of a portion of your third-party vendor life cycle, and you can use that at the very beginning and onset. So we’re starting to find new, unconventional ways of determining who we are going to contact at the vendors if we don’t have that information, and who we can go to internally if we need to find out what we need to get started. Because you always have to hit the ball out of the park in order to run all the bases. And if you can’t even hit the ball from the first point, then you start to run into situations where, okay, you’re kind of stuck. So, we’re finding ways to remove those areas where companies and programs are stuck.
Alistair Parr: Thank you. So, there’s a lot of complexity. There are a lot of opportunities, purely based on this one slide, for 2021 and for these programs to evolve. But something we’re brutally aware of is the fact that there’s an opportunity, with all this complexity, for it to be overly ornate and therefore very difficult to implement and manage, and that’s a recurring theme that we try to speak to with the respective CISOs, CIOs, etc. that we engage with: don’t overengineer these third-party programs. The key themes we’re going to touch on over the rest of the session are really focused on streamlining, efficiency, and getting the best proverbial bang for buck for the third-party program as it stands.
Brenda Ferraro: Yeah. And I think that I love that picture. You don’t have to go back to it, but the evolution and roadmap of building your program is key. Don’t try to bite off more than you can chew. Going back to that elephant and bird picture, there is a way to get you to where you need to be, but it’s a journey. It’s not something that you want to create too much havoc on.
Alistair Parr: So, Brenda, I’m very curious. What have you been seeing from an upfront business insights and profiling approach? Is there anything you expect to see be particularly effective into 2021?
Brenda Ferraro: Yeah, I really am looking forward to 2021, where we’re starting to look at profiling, as you had mentioned earlier, Alistair, where we’re taking a look at the very get-go of what type of company we are going to be providing the due diligence on and contextually how that applies to my particular company. That way you’re doing the meaningful risk management, where you’re looking at the information that’s important. But before even getting to that, when you’re working with those particular businesses, know where they are doing service, including threat intelligence that’s telling you about sanctioned areas, having the ability to look at what the support mechanism is for those customers, and then having a defined line diagram or link log or spider diagram that will show the internal considerations that you need to take into account when you’re doing your due diligence. Some of your company departments may say, “I know that I have to go with this particular vendor and they have risks, but my risk appetite is going to allow us to continue working with them as they’re going through their remediation, but we will govern them more strictly and closely.” They may have some resource constraints, so we’ll be looking at how we address those constraints, whether it’s something internal or external. So, I think this increased importance of onboarding at the very front is going to help do the proper due diligence. And then always consider and keep in mind that contracts change, engagements change, and you’ll have to have a process that’s going to take into account when those changes occur, so that you can either uplift the review or make sure that what your review addressed was exactly what you needed for this new engagement or modification.
Alistair Parr: And the only things I’d add to that, from what I’ve been seeing, is that as you can probably see from the graphic in front of you, there are a few common themes we’re seeing in that upfront consideration. Historically we’ve seen people purely base it on, say, contract value and then apply some degree of tiering afterwards. So whether they’re using threat monitoring tools to feed that or not, fundamentally there’s that requirement to look inside within the business. Is there a regulatory obligation associated to this, based on what they do, beyond contract value? What parts of the business are they supporting? Is it multiple? Is there concentration risk associated to it? What are they actually providing? Where are they based geographically? And then of course that’s a fantastic situation. But if you end up with 70% of your business estate profiled and tiered as critical or tier one, while that may be the case, the reality is you may not actually have the internal capacity to ever deal with that. So adjusting and tailoring that based on what you can actually consume and deal with, so you can have an effective program, has certainly become more and more common and is something we expect to see into 2021, which is proportional planning of the vendor estate against those initial profiles and what you can actually try and work through. Now, I’m not saying adjust your tiers to reflect your capacity, because of course that’s going to be business driven and business decided, but at least be aware and have a clearly defined cut-off point on what’s actually achievable as profiling and tiering is applied. Okay. Next, vested parties within the business. Brenda, are there any particular trends you’re anticipating?
Brenda Ferraro: Procurement, procurement, procurement. We are going to see so much happening in procurement, because when we set things up right through procurement, then it’s going to be complementary to the downstream identified items. We are going to use situations that are finding out data and collecting information internally and externally, inside-out and outside-in, from questionnaires and from threat intelligence, that’s going to be applicable to seeing certain risk registers applied to different organizations. We talked about this earlier, where more departments were saying, hey, third-party risk management department, let me know what you’re gathering, because I can use that in efforts to respond to regulatory requirements or to make decisions on risk for the company. So the legal department is going to want to be able to see, in a comprehensive, cohesive tool, what was gathered and, in their lens, exactly what they need to see from their perspective. Then for risk, information security and technical risk, there are requirements for assessing ongoing management. So they’re going to want to be able to have alerts set up for them to identify that these things are not quite copacetic and we need to make sure that we’re keeping a close eye on them. Now for operations, of course, we’re talking about resilience as a whole and making sure that those efficiencies in 2021 are showing the awareness of the supply chain landscape in a pure picture. And then of course audit. If you’re looking at the three lines of defense, you’re going to want to have the ability, if an incident occurs, to take that information, look very quickly within your comprehensive tool at where the disconnect or gap occurred, where the root cause is causing the problem, and the downstream and upstream effects of those. And audit is going to want to be able to see everything that you’re doing without having to learn your entire program. So, make sure that in the 2021 time frame you’re using a comprehensive product that’s able to say, “Okay, auditors, come in and look at how we’re governing and producing the risk management throughout the life cycle of the vendor engagement.” What about you, Alistair? What are you seeing?
Alistair Parr: I would certainly second that uh that preface you put, which is procurement, procurement, procurement. And it was a by by some design that procurement is is there left front and center. I would certainly second that and I expecting to see that quite heavily in 2021 which is there’s a wealth of data in procurement and they’re essentially that first port call when engaging with the third party and they have a a fair amount of of weight and power when it comes to that negotiation process and getting that third party to invest time into the wider program capturing the data necessary uh before it becomes a a BAU contract and the vendor or third party has the money and and then things may become slightly more lax. I’m not saying that’s the case but uh it can be sometimes. So that leveraging that procurement tool is certainly something we expect to see more into 2021. Now all the other aspects of the organization that has some interest in the third party data that we collect be it legal risk operations and audit uh they do of course have have uh different lenses and perceptions on what they want to see. Which leads us on to what we expect to see becoming the norm which is a comprehensive or 360deree profile. And the reason why this is becoming more prominent and should I say prevalent now than ever before is is the fact that the technologies are now there and suitably orchestrated to allow consumption of this in a single pane of glass or in a more consolidated view however it’s being done. So rather than having each of those business areas having a fragmented approach potentially aggregating the same data in slightly different ways uh in silos. We’re seeing the central profile being created and populated by various different feeds and tools. So just to run through some of the things we expect to see becoming near enough the norm into into 2021, there’s fundamentally assessments and within assessments we’ve got different types of assessments:
- Privacy based assessments
- Information security
- Operational resilience
- Compliance driven assessments
- Business profiling assessments
- Anti-bribery and corruption
- Modern slavery assessments
There’s a whole host of different content that we’re seeing becoming regular, as opposed to just a security addendum from a cyber standpoint. Capturing, as Brenda was mentioning earlier, that initial perception, that initial cyber perspective. Now, while it may only be an outside-in viewpoint of the third parties, it nonetheless gives you some understanding of what their risk posture is and how they may be managing their environment. The business data, we see that as being essentially business events, historical business events associated to the organization that may be meaningful. So changes in operations, changes in territories, any releases in relation to if they’re producing products, any new service lines they provide, etc. That’s all relevant information that gives you some understanding of the zeitgeist of the company and what they’re actually doing. The financial data, we’re expecting that to be more and more prominent. Of course, we’re seeing parts of the business using it today, but the financial data should be amalgamated into that vendor profile. So their financial stability, the chances of them becoming bankrupt over the next 12 months, becoming insolvent. Events mean any proactive events beyond this point. So reporting data breaches, service outages, M&A information, anything that’s relevant is proactively communicated back to that profile. Tracking of certifications where relevant, wherever we can get any certifications and demonstrate that rather than regurgitating the same assessments in slightly different manners. And then of course, as Brenda mentioned, the Nth party. So who is that vendor using? What are the associated fourth, fifth, sixth, seventh parties that have meaning to the services that they provide?
So to summarize, what I’m expecting to see over 2021 is this amalgamated view, this single profile incorporating different elements, and each respective vested party from the previous slide will be spending time consuming elements or components of this vendor profile. But rather than having these silos in isolation, we will see a more conjoined effort between the business to capture this up front, making it more streamlined for the vendor, more accessible, and allowing better analytics on that data set. Brenda, I’m curious if that’s something that you’re expecting to see as well over the course of 2021.
Brenda Ferraro: I am excited to see this in 2021. So, there are so many companies that are using different tools that don’t talk to each other. And what you’re reflecting right here is this comprehensive profiling and capability to see everything all in one lens. And that way when you’re looking at it, you can really do an analytic review of what’s next. Without it, there’s bits and parts and pieces and you’re only doing parts of the puzzle. But having the whole puzzle put together and giving you the visibility all on one screen is going to be so powerful for those that have to do this type of work. Because if you look back at the slide where you were showing the ornate building, it is ornate. The entire program does become quite brilliant and spectacular, but you have to have all of these parts and pieces available to you to make it so that it has that shining star approach.
Alistair Parr: Thank you. Very interesting. So, how are you seeing, Brenda, if I may ask, the end-to-end life cycle? So, from procurement through to offboarding, evolving into 2021?
Brenda Ferraro: So, if you’re looking at this slide, you can tell that there’s two different colors. The first two chevrons are of a lighter blue color and then the last three are of a darker blue with gray underneath. And if you focus on the last three, supplier inventory and intake, prioritizing them, and then doing your assessment and monitor perspective on the due diligence, that’s what many companies have been focusing on and that’s what we’ve been seeing as a trend up until 2020. What we’re going to be seeing moving into 2021 is adding on the ability to do the sourcing and the RFPs and the contract portions of the life cycle. So we’re refining the process by bringing complementary information and setting us up for success further in front of the life cycle, and that’s going to accommodate the businesses and make sure that the requirements are addressing the complexities of the third parties at scale. So it’s not like everything is going to completely change. We’re just making sure that we’re putting focus on some areas that weren’t necessarily using the advanced capabilities of third-party risk management upfront in the procurement life cycle. Also, with the monitoring, you’re going to be noticing, of course, that that feeds into each of the life cycle phases. One, you could be using your threat intelligence to select your vendors for your RFPs or your RFXs. And you’re going to be using those monitoring items and your harmonized and normalized risk information to adjust contracts. Maybe someone’s not performing as well as they should be, or of course, as we talked about before, they’ve started doing different business with the company and we have to make sure we’re doing the proper due diligence.
Now, your supplier inventory, and making sure that you’re getting the information when you need to get it. We’ve seen challenges in 2020 where someone might be added but we didn’t know about it and we didn’t do the due diligence because we had no insight. That third-party or Nth-party database is going to be critical so that you can understand not only who is in your inventory but what they’re doing for you and how they interconnect with your internal business units all the way externally to your Nth parties. And then prioritization. I’m sure some of you have felt just like I have in the past when I was building a third-party risk program that these procurement offices were so kind to give me different lists at different times of here’s who our third-party and our fourth-party universe is, and having thousands and thousands of them come at me at one time, I had to make sure that I was taking an evolutionary approach to identifying what was the first importance, the second importance and the third. So tiering those suppliers and doing assessment planning is also critical. So seeing these things all work together and complement each other and be somewhat dependencies on inputs and outputs is giving a more closed-loop approach, and I like how that’s going to be our 2021 view moving into the future. What are you seeing, Alistair, as well?
Alistair Parr: Very interesting. I’m seeing very similar, and the thing I find interesting around this slide as well was in that initial upfront procurement activities in the lighter blue chevron. So the monitor, the manage KPIs element, identifying best sources and monitoring that performance ongoing. Now that’s something that until recently, from what I’ve seen, has been pretty alien when it comes to the third-party management program. It’s not being governed by the same teams that are conducting assessments, driving those relationships with third parties. But it’s becoming more and more common. And what I found interesting, and I expect to continue into 2021, is those performance metrics, those KPI requirements, they’re feeding into the broader life cycle. They’re not just point in time or supporting contract renewals, etc., and we’re starting to see organizations tracking clauses, contractual clauses and expectations, as part of their assessment workflows itself and finding discrepancies. So a prime example will be where there’s a security addendum provided up front as part of the RFP contract phase and then validating that downstream, not just at the point of initial assessment but in 3 months, 6 months, etc. downstream, and using that to (a) address risk and (b) of course renegotiate contracts at the end of the term. So actually getting a return on investment in the form of cost savings through contract negotiations, in the form of security deficiencies or service delivery deficiencies, is definitely valuable because you can show a definitive return on investment for the activities, which is something I feel has been lacking for a number of years in the business, as much as people move to FAIR models to try associating financial risk and a cost to these risks that they’re identifying. It’s still not fixing the problem of what return on investment we are actually getting for this broader third-party management program.
You know, we should be getting at least cash savings in our pockets and we’re starting to see organizations do that.
Brenda Ferraro: Agreed.
Alistair Parr: So, Brenda, I’m curious about your thoughts on Nth-party mapping. It is certainly a hot topic moving into 2021, but what do you see as common? Is there anything that’s going to be more proportional moving into 2021?
Brenda Ferraro: Yeah, everybody is starting to dig deep. They’re not just going to the first perimeter. They’re going to the extra perimeters to identify what is my risk? How am I going to be able to quickly respond to incident response management? And with regards to resiliency management, how exactly will I know what I need to tweak and/or shift when things aren’t going as planned? Or if they’re going really great, how do we include them in using them in more services? So, if you look at what this identify, assess, context, associate, and maintain workflow is, it’s really making sure that you contextually know what third parties, fourth parties, and Nth parties you’re working with. Mapping those internally and externally to show a database, a management database for your suppliers or for your outsourcers and vendors, and then making sure that by maintaining that you’re reviewing anything that might happen from a perspective of either good or bad. Now, if you go into that depth, it does look scary at first. It’s kind of like boiling the ocean, but there are techniques and ways in 2021 that will help you. For example, you can get a threat intelligence report that will show you what companies they have or they’re working with. And then if an incident occurs, you can quickly go and say, “Okay, here’s the third party that the incident is occurring with. Where is that going to impact externally and internally so that I can make adjustments to my workflow, my business processes, or start invoking business continuity plans and disaster recovery plans if need be.” I can tell you a story real quickly.
In the past, I had a situation where we had an incident and it was caused by a third party, and that third party also had a fourth party involved, and without us really understanding what due diligence the third party did for the fourth party, it was basically leaving us at a risk that was an unknown risk. And we want to know what our risks are. We don’t want to have the unknowns unless it’s environmental or something that happens unexpectedly. So managing those risks is important. And so I would definitely tell you that if it’s not one thing that you’re looking at in 2021 right now, it is definitely something that you need to start looking at moving into 2021, because you’re going to want to have that landscape picture at your fingertips when your CISO and/or your executives start to ask how this is going to impact us.
Alistair Parr: I certainly second that, Brenda. Thank you. And something that ties to that, and I’m certainly seeing it in the UK, is there’s guidance and frameworks and regulations that are starting to support looking into the fourth party or the Nth party. So, produced by organizations like the P, support it in the sense of understanding downstream what the impacts are and understanding how that’s going to impact you. So we’re seeing not just regulators starting to visualize and focus on the Nth party, but as you touched on, beyond just the security concerns there’s merits and benefits downstream for the Nth party that we’re starting to see translate. You raised a good example there, which is when you have a data breach, a service outage, etc., understanding the impact associated to that across your broader third-party chain. And I believe this image illustrates it quite well. If we pick any of these respective dots in isolation here in this network, it paints a very different picture from seeing the associations around that as well. That’s why we expect more and more people to start defining where they have the resource of bandwidth into 2021. And what that’s fundamentally meaning is that what’s lurking under the good ship vendor is not so tolerable into 2021. And what we mean by that is that the sea of vendors and entities supporting all your third parties have become prominent in 2020, partly due to operational resilience and a reduced risk tolerance, and we expect that to continue as a trend into 2021. We focused quite heavily so far on evolving programs. So where is a program going to get to based on one that’s already been defined? But there’s something else we wanted to touch on, which is essentially a net new or grassroots program that started from near an upper 2021 perception, and there’s a number of things that we’re seeing as considerations as part of establishing that program which have evolved beyond the 2020 mindset.
There’s a few highlighted in front now, but the few I’d like to call out that I see as becoming more prominent in 2021 is defining the key metrics. So establishing up front what success actually looks like. A failure that we’ve seen time and time again over the last few decades really has been trying to do too much and then ultimately setting themselves up for failure. So we’re seeing third-party programs moving into the tail end of the year and into next year being more intelligent around what the metrics for success are and therefore what and where the program needs to be in order to achieve those over a six to 12 month time frame. But rather than allocating resource based on the scale of the problem, they can make a decision up front and simply say that, well, based on budget, based on capacity, based on the entire scope of our organization from an Nth party, we expect to get to this for our tier ones. We expect this level of validation and remediation against our tier 2s, etc., and understanding what metrics we need to report back on success against that. Another key topic we’re seeing as part of a new program is the human factor. Now, this has been evolving for some time, but the human factor predominantly here means how are we going to build up those comprehensive profiles of third parties and entities post procurement when there’s no legal or contractual obligation, or a very loose one, requiring them to do things, and they’re only going to invest the minimal amount of time viable in order to feed you. And that applies internally to the business as much as it does to the third parties. So what we’ve seen evolving is marketing starting to get involved and supporting some of these activities to help use some of their expertise and guidance of getting engagement and personnel involved to get the response and collect information. That could be using voices of authority when it comes to communications internally to the business.
Even to the point of using very specific time frames for issuing out assessments. So issuing on particular dates, expecting responses in set time frames, etc. There’s human behavior which lends itself to the process of getting information from third parties and vendors, and we’re seeing that becoming more and more effective as a tool to building those profiles. Brenda, is there anything else that you see that you want to comment on from a net new program that you think is going to be beneficial into 2021?
Brenda Ferraro: I think you stated it very well. I really don’t have anything major to add to this one. I like everything that you’ve mentioned and what it’s showing.
Alistair Parr: Thank you. In which case, what are your thoughts on ongoing management? So once these are established, how do you see that evolving into sort of business as usual and continuous improvement?
Brenda Ferraro: Yeah, for me, I have definitely shifted, and when I advise companies, I’m telling them that you’ve got to move away from the one-and-done of the assessments in 2021 and you need to really focus on continuous evaluation. And I say continuous evaluation because we’ve always heard about monitoring and filling out questionnaires, and some companies will have them on a one-year, two-year, three-year cycle based on their tier, but there’s now these longer durations for lows and mediums, and I can understand that. So if you don’t find a risk with a particular vendor and they’re not remediating anything and you’re just doing like a spot check on them, then that’s okay. But for those companies that you’re tracking risks to closure and they’ve got remediation plans in effect, then you’re going to want to verify and validate those risks as they are completed, because it’s basically showing not only their risk posture, but also yours, in a favorable position if they have implemented a remediation that’s applicable. So that’s what I would really start focusing on: making sure that you’re doing what you’re doing today, but making an approach to continuously evaluate your high-risk third parties, and/or if any change comes up in your threat intelligence or if an incident occurs, then of course re-evaluate those. But try to steer away from the one-and-done with platforms that make it very easy for you at scale. You won’t even have to say, okay, I’m only going to look at the highs or the criticals and leave the mediums and lows to the side. Sometimes the automation will make it so that you can look at every level, and you’ll be able to do that with ease based on automation in the configuration that you’ve implemented in your platform.
Are you seeing the same thing, Alistair?
Alistair Parr: I am indeed. Yes. That continuous monitoring and continuous improvement aspect has been slow to feed into third-party risk management, if only for capacity more than anything else, I would have said, and also a desire to maintain continuity and consistency year on year. But I certainly agree that people are finding more intuitive ways of maintaining the legacy standard and the legacy frameworks and requirements they’ve got, but then evolving their program and then of course making sure that they’ve got continuous insights into those third parties. So certainly now, Brenda, I’m very curious to hear your thoughts on networks, as there are a number of different networks out there and they obviously provide a significant amount of value when leveraged correctly. How are you seeing that evolve into next year?
Brenda Ferraro: So I’m starting to notice that we’re not just focusing on one size of company that’s driving the particular network when it comes to standardization. For example, if there’s a healthcare vendor network or a legal vendor network. We are really focusing on every size. And so that comprehensive profile is going to give those that are of a smaller-size company the ability to see what they need to see and receive value from that which other companies are doing within that network. So they’ll start remediating risk. They have the ability to do that as a community, or they have the ability to see information that’s right-sized for their company. There might be some companies who only assess 25 vendors a year. There might be other companies that assess 10,000. So being able to share that information across is going to be extensive and very much familiar for everyone in 2021. The vendor risk is now going to start, if someone has completed a risk or they’ve remediated something, we’re going to start seeing that pushed to the companies so they don’t have to go up and tell every company, “I’ve remediated this particular remediation to completion. Go check it.” It’s going to be, “I’ve completed it. I’ve put it on my vendor portal,” and then the customers are going to magically see that in their system and be able to take the next steps and action to either verify it or accept it. And then the other thing that we see in the networks that’s going to be very helpful is the incident response feeds. So if there are efforts that need to take place across an industry, or a specific one, or even multiple industries, you’ll start to see people being able to use these web diagrams and the information from a higher level where they’re going to be able to share and compare, and that’s going to make it so that we can strengthen our posture across the globe versus just individually for each company and/or vendor.
What about you, Alistair?
Alistair Parr: Yeah, I certainly second everything that you’ve said, and I’m expecting into 2021 networks to become more vendor-centric. So moving that lens to the vendor and providing them easy and scalable ways of actually sharing information across the broader customers that they’ve got. So a one-to-many approach has become increasingly important from what I’ve been hearing from customers and of course vendors as well. In addition to that is service lines, in the amount of network data out there that’s very specific to a service line that is being interpreted as the vendor on a whole. And this applies to the various monitoring networks that exist out there, etc. It doesn’t really paint an effective picture, and the only real way to get that, from what we’ve been seeing, is through assessment. So again, supporting the vendors to be able to provide insight into service-line-based information and assessment collision is going to be particularly important. So to very briefly summarize what we see: we expect in 2021 we’ll be seeing more organizations structuring their chaos, which is of course music to everybody’s... this is sadly not a picture that Brenda and I have recreated too recently, unfortunately, thanks to lockdown, but it’s certainly how we feel sometimes when we see the third-party programs that we’re speaking to start to come to fruition and be able to deliver at scale.
Brenda Ferraro: That’s definitely my hair.
Brenda Ferraro: Is my smile.
Alistair Parr: So we’ve got a few minutes left for a Q&A session now. We’ve been trying to weave in responses to questions as we’ve actually gone along through the session. But if you do have any questions at all, please feel free to put them in the chat window now. While we do so, we have a couple of polls that we’d like to put in front of you now. So, please by all means vote and give us some insight into your state of play. And while we’re doing that, we’ll answer a few of these questions. So, the first question I’m going to cherry-pick here, we have a few. Brenda, if I may ask you, if management does not have a defined risk assessment plan, how can internal audit advise without getting directly involved in setting up the plan?
Brenda Ferraro: Yeah, this is my favorite question of the day. I would actually take an approach from an advisory perspective to do a maturity assessment on how you’re doing your due diligence and what due diligence you’re applying to your program. Some companies are doing attestation questionnaires up in the procurement cycle. So I would first say contact Prevalent if you’d like. We could do a maturity assessment on either your procurement department or help you to identify the disconnects and gaps, and then you can use that as a litmus test for an internal audit from an external party that will be beneficial to show you return on investment and other things that would be applicable to having a program in place.
Alistair Parr: Thank you, Brenda. Another question we have here is in relation to Nth party. And the question stems around, to paraphrase here, what support and focus are you seeing being applied on Nth party from regulators or the broader business, if any?
Brenda Ferraro: Well, as Alistair has mentioned, there are some regulatory requirements that are coming to fruition now that we’ve gone through quite the year. All the regulators are starting to look at how far and how deep and how broad do you need to look. I would basically state that if you’re looking for illustrations, there are some components within NIST and ISO that talk about fourth party in general and Nth party in general, but I believe that through 2021, those regulatory requirements will become more clear.
Alistair Parr: Thank you. I apologize to everybody who’s asked questions that we haven’t been able to get round to, but hopefully most of them have been addressed over the course of the conversation. So, we are now at the top of the hour. First, I’d say Brenda, thank you very much for joining me today. It’s been very insightful and I’ve certainly valued your input and insight.
Brenda Ferraro: Thank you. It’s been an enjoyment for me as well. Anytime, Alistair. I’ll do one every day if you’d like.
Alistair Parr: I think we may well end up doing that. But to all of the attendees, thank you so much for joining us today. If you have any questions, please feel free to reach out to us at any point. We’ll be more than happy to advise and, as Brenda mentioned, support by providing maturity assessment guidance, etc. But we’ll close off there for today. Again, thank you very much, everybody. I hope you have a fantastic rest of your day.

©2025 Mitratech, Inc. All rights reserved.