供应链风险与第三方风险的 4 个主要区别

Amanda Fina: Hello. I see people trickling in. Welcome everybody. All right, while everyone is joining us, I’m going to start with a poll question. You’re probably used to this by now if you are an avid webinar attendee here at Prevalent. So, we’d love to know while we’re waiting, as everyone starts joining us, what prompted you to join today’s webinar? Is it education? Is it project research? You have a current upcoming third party risk management project. You don’t know why you’re here, which would love to know in the chat what how you got here. It’s always Mike Yaffy: I don’t know why I’m here. Amanda Fina: Sometimes I don’t know why I’m here either. Um and then also you’re a prevalent customer which is great. Welcome back. I’m so excited to see you and see that you want to learn more. So that’s great. We’ll leave that up for a hot second here and let’s begin our introductions. Hello everyone. I’m Amanda Fina. I am a senior BDR and renewal rep here at Prevalent and also webinar host. Always happy to see you guys show up and always happy to give a little entertainment in these sessions here. Um today we’re going to be talking about four key differences between supply chain risk and thirdparty risk. And we have a couple of special guests here. We have Alpa Imadar, transformation leader at AIG. Um she’ll be dissecting the differences between tracking IT centric, supplier centric and compliance ccentric risks. Um, all of this is going to be a personal perspective for Alpa. So, it’s nothing affiliated with her current role and her previous companies that she’s worked for. So, this is all her own personal conversations about these topics. And then, lucky for us, we also have Mike Yaffy here, chief marketing officer. Just we’re so blessed to have him here hosting. Mike Yaffy: Oh, that feels like It’s dripping with sarcasm. And sorry, folks. We’ve been working together for a long time, so we take a much more casual approach to this. Amanda Fina: Yeah. Yeah. I mean, he’s wearing a sweatshirt. I at least put on a nice Mike Yaffy: Look, I have a company. Amanda Fina: Oh, good. Okay. He’s He has the logo. That makes it Mike Yaffy: logo. If nothing else, I’m right. I’m on brand. Amanda Fina: You’re on brand. That’s right. Excellent. Well, a couple of housekeepings really quick. You know, this is interactive, you guys. This is going to be a nice conversation, so please use the Q&A. Um, definitely the Q and May everyone you you will get lost in the chat and I don’t want to lose any opportunity to answer any questions that you have. The session’s being recorded so you’ll have it in your inbox either today or tomorrow. And also as far as the poll question that’s up now, I’m going to end it actually and then the upcoming one towards the end of the session. Please be honest and be careful with how you are answering those questions because we do follow up based on what you say. So I don’t want any confusion. It’s fine if there is confusion but we’ll just say hey reaching out to you because you said yes to this or because you said, you know, blah blah blah. Anyway, that’s all from me. I’ll hand it over to Mike Yaffy and take it away. Mike Yaffy: Hey guys. So, uh, nice to meet you. Uh, looking forward to this. Alpa and I did one of these about six months ago and it was it was a ton of fun. Alpa’s got a ton of experience and, uh, I’ve been doing this for 20 years in information security, so at least enough to be dangerous. Um, Alpa, so welcome. Thanks for, uh, coming back. Alpa Imadar: Thank you so much, Michael. And like I said, it was so much fun, Michael, when we did it last time. Um, you and I can go on and on for hours on some of these. Mike Yaffy: That is true. Hey, first thing, Alpa, I’m going to need you to come closer to your microphone. You’re a little quiet, Mike Yaffy: so I want to be sure. Mike Yaffy: Say something again one more time. Alpa Imadar: Can you hear me now? Mike Yaffy: Yeah, good. It if there’s any way to get a little closer, that’d be great. But that should work. So, Mike Yaffy: look, um, I’ll give you set up so you can just try to move a little bit. But so look, let’s talk about supply chain and third-party risk management. Um, Gartner defines them differently. Some people think of the terms or the terminology as interchangeable and then some people would even add in you have third-party IT vendor risk management, then you have supply chain management and then in the third category you can have overall vendor management. So how do you think of these and what are they different where do you see the differences and the similarities coming out and should we think of them differently Alpa Imadar: no and you’re right and I think in last um as I call couple of years um people have used these words interchangeably and I do think there’s a distinctly difference um between what supply risk management is and what third party governance risk management is so if I think about supply risk management I’m thinking from a business perspective right It’s really identifying and assessing mitigating risk from end to end supply chain. Um, are people still having a hard time hearing me because I’m just seeing Mike Yaffy: I think they are Alba. I I think Alpa Imadar: I am so sorry you guys. I am Let me see what else I can do. That’s Give me two seconds again. Apologies you guys. Mike Yaffy: No worries. I I can do the uh the dog and the dog and pony show on this. So, hey guys. Thanks. Uh, look, Alpa’s been doing this for uh um well, was a time when my hair wasn’t so gray, so I think she’s just going to try to sign back in. Um it was fine when we were doing the prep call, but um obviously in case anybody’s wondering, and I get asked this a lot. Um yeah, I get it, guys. Thanks for that. Everybody can I assume everybody can hear me. People generally never have a problem hearing me. Um but I’m not the star of the show, so Alpa Imadar: I am I’m back on. Can you guys hear me now? I just changed the audio settings. Mike Yaffy: Yeah, actually I think that’s going to be much better. Alpa Imadar: Okay, sorry you guys. Um, apologies for starting late, but no. So, let me go back supply risk management, right? Um, so I look at it from an end toend supply chain, right? So, if you’re thinking about from onboarding a vendor, looking at all the different kind of risk, interruption of services, um, cost element to it, what kind of internal controls do we have? Um, you know, impact to either, you know, anti-bribery, anti-slavery, modern slavery act. I meant that’s all I would consider as a part of the supply risk management. If I think about thirdparty risk management, I would really look at specifically third parties such as our vendors, suppliers, contractors, and how are we assessing risk? So, what is our secure how do you identify a security posture and that’s where I think we need to kind of potenti usually look at how the third party governance risk is. Are people still hearing me or are they not? Mike Yaffy: I think it’s better, but it’s still You still sound a little muffled and a little farther away. Alpa Imadar: Do you Okay, we have two options. One is I completely log off mic and try again. Um or the other one is we continue. Mike Yaffy: I’m getting other people saying they can hear me just fine, so I’m not sure. hear you. Turned up my volume. Seems to be okay hearing it’s fairly quiet. Not great, but viable. So, um, so I’m just gonna ask you to speak louder. Alpa Imadar: As close as I can. Mike Yaffy: Yeah, I’m gonna need you. So, I’m just gonna need you to, you know, as voice as a voice coach here would say, um, Mike is always loud and clear. Thank you, Dave. Um, just from the Alpa Imadar: people to say that. I really do. Mike Yaffy: Oh, and we have Tom Day. Tom says, “Mike is perfect.” Thank you, Tom. You’re so nice. Mike Yaffy: You can just mean the audio. Um, so anyways, Alba, yeah, if you could even just slide in, turn up your audio. Um, I think that would be great. And just try to speak a little louder than you normally would, I think would be in good shape. I’ll tell you what, I’ll speak a little more quietly and uh and everybody turn up their mics, okay? I’ll try I’ll try not to be my normal self. I’ll I’ll ratchet it down and And you can turn up the volume. It’s like when you’re I have YouTube TV, so sometimes the commercials are different volumes, which drives me absolutely insane. So I will try to moderate my voice so you can turn everybody up. Um, so Ela, let’s start one more time and give everybody a chance to turn up their volume and I’m speaking trying to speak quietly. Okay, Alpa Imadar: perfect. So yeah, so I think the difference is that supply risk management end to end looking at the overall processes third party really focusing on the risk either it’s an operational risk financial risk compliance risk thinking about how you do your due diligence for the third party right as they come through it um looking at the inherent risk profile because I think that’s going to be extremely critical on third party risk management where within the sourcing or supply risk management you’re looking more from a sourcing perspective if that makes sense. Mike Yaffy: Yep. So help me understand I guess and and Amanda, can you flip to the next slide? Why? Look, we’ve heard a lot of talk and look, we just had a conversation with Gartner about this that they kind of see all of these converging, right? Supply chain, third party risk, even the Gartner analyst just said that um you know, while typically you’re talking about supply chain, right? You’re talking about supplier performance and uh resilience and timelines availability, they’re actually adding a uh a wedgie into their not a wedgie. Uh did who remembers Trivial Pursuit? I’m thinking of like one of the little pie things. Maybe it is a wedgie, but to uh which is security to the overall supply chain, why are they adding when it’s a distinct category? Why is it also getting added into supply chain in your opinion? Alpa Imadar: So I think like what you just said, right, the convergence, right? So if you think about in the past, Mike, right, um we’ve always had a single point of failure. So I can give you a couple examples. If you think about 911 or hurricane Sandy or you know um hurricane in Mandela, right? Those were always certain location certain type of industry that was impacted. If we think about the current situation in the last two and a half years either with covid either what we’re going through currently with Russia and Ukraine right because of these worldwide crisis right it’s critically important that supply chain teach PRM have to work conjunctively. They can’t be in isolation and I think the business as well has to be part of this equation right and the reason I would say that is in the past we did this checkbox exercise right it works from a third party governance you got the right vendor check now given what we’ve seen with cyber security like you just said Mike either you know having your goods being stuck in Suez Canal right and how it impacts your dayto-day services um or even people working from home right we did not have the situation we are currently where more than 50% of the people are in a hybrid environment thus more vulnerability from a system perspective patches um you know people trying to be able to hack into your system so I think now the organizations are converging like you said because we have to look at the risk from a 360 it can’t be in a Mike Yaffy: so what were they doing so Was it more checkbox now when people got the kick in the ass that they needed to kind of do this? Is that And I know it’s a the it’s the layup question that everybody’s talking about, but I mean, is it the Ukraine? Is it geopolitical? Is it COVID? Is it I I feel like this was kind of moving beforehand, but these things made it go a little faster. What’s your read like how do you see it? Alpa Imadar: No, I agree. I think it accelerated, right? Because guess what happened? But COVID, for example, because you know, most people had as I call back plan or strategy is if my function in United States whatever the services or products that I currently do I can have my backup either in India or AMIA right we can kind of hand off back to us well guess what India was affected so was all of the world right so that whole strategy like you just said Mike did not work and guess what the organizations had to do a very quick pivot and thus accelerated the timeline because if you didn’t know where your services are being performs and the impact you’re going to have major issue continuing your BAU business as usual and that’s why like you said you see more and more this surfacing now um look at the issue we had I mean just basic things such as paper towels and toilet paper right I mean think about when we originally started this co situation people had no idea the impact of just some basic goods and how we would be able to get it on shelf so you’re right I think we’ve always had these underlying issues but now it accelerated and the impact to the customers or clients was much more visible than it had. Mike Yaffy: I know we’re going to get to best practices, but that leads the question, so what are people changing in your opinion right now? Right. So, so we basically got hosed, supply chain got hosed, and people weren’t doing it. So, what do you see people treating and I don’t care the people who keep the people who give buy you stuff so you can stay in business, right? Whatever that is. What changes are you seeing people make because of all these geo political and COVID and everything else that’s going on. Alpa Imadar: So I think it’s multiple facets, right? I think the changes happen from you know if you think about our policies and procedures, how we measure risk. So in the past we had these in inherent risk profiles which are the people who are on the Mike Yaffy: can you define an inherent risk profile for me what you mean because not everybody might understand. Alpa Imadar: Right. So when you are looking at a third party um cycle inherent risk profile is how do you measure the risk for that specific lender and you go through multiple facets from techn technology, compliance, legal, how that vendor manages, basic even authentication, right? On the technology front. So we used to do that based on the criticality of vendors. So you would have, for example, anywhere between 500 to 10,000 vendors. You would, you know, categorize them as high, critical, moderate, and low. And if they were critical, this inherent risk profile, you’ll get it updated every year. If it’s high or moderate, it’s every two years. Well, guess what? Lot of these companies were very different in a sense of the timing because some of them are no longer in the position to be able to deliver those grids and they’re no longer in services. So if you waited for a year to do an on-site assessments or enhanced risk profile, they were no longer in business. So people had to pivot and do something called continuous monitoring risk, right? Really assess where those vendors are today and literally do a periodic not a year but more on a daily basis or a weekly basis to Mike Yaffy: so I’ll want to stop you right there. Is that realistic? Like is is continuous monitoring of your third parties viable? Is it realistic? I because what what drives me crazy about security and in general people always talk about this ideal state like you have to do this. I’m like okay but maybe it’s going to take you three years to get there. They always leave that part they leave that part of the conversation out right. So Mike Yaffy: um so So what when you say continuous monitoring like is it continuous monitoring of your tier one vendors which might be 500 of 10,000 is it what is it? Alpa Imadar: No it is and that’s a good question right because if you think about it most Fortune 500 companies they have anywhere between 3,000 to 10,000 vendors. So based on this logic I would need an army of people constantly looking what’s out there and being able to monitor the risk. So I would assume you would want to look at your critical vendors for the continuous monitoring. A lot of them outsource these services there. A lot of you know There are a lot of organization who actually help you uh do this continuous monitoring and they’ll give you a scale and then waiting. Um but the other thing is you also have to really be as I call objectively focused on those critical vendors, right? So the critical vendors six months ago that you have they might not be critical to you today based on the services and your strategy of the overall business. Mike Yaffy: So um I do this a lot. I do this with my kids too and I’m sure you do. So what I’m hearing is Right? You want to be picked up at 4, not 4:30, right, at dance. But what I’m hearing is continuous monitoring from your critical vendors, right, is a key takeaway and regular check-ins to see if there’s still updating of that continuous monitoring list, right? Because six, like what you’re saying. So, it’s it’s regular updates of who’s most important to you and regular and continuous monitoring coverage of those vendors as a key takeaway here. Alpa Imadar: Exactly. Um the second I would say Mike is you know what your contractual agreement. So this is something that’s also changing right Mike. So in the past um we’ve got different kinds of contracts right you have evergreen contracts and I will tell you from my experience in the last 15 years right um a lot of these organization people have like contracts in their drawers that they’re pulling out. They’re like I can’t find this vendor contract that was done 17 years ago. Um so one is really having an updated contract. But the second thing is are you adjusting your contract like you said about you know this convergence and what are we doing differently? Well now in these contracts you can’t use the boilerplate contracts that you had 5 10 years ago right because do you really have what the impact of GDPR right do you have something in your contract that states that do you currently have a contract that says where your fourth and fifth parties are being being serviced because we saw with similar issues between COVID, between solar winds, right? All of these issues, it kind of just as I call percolator, it went up the top saying what is your contract? How do you define these vendors and where they are currently providing that services and most contracts do not have that kind of detail mark? Mike Yaffy: Thus, Amanda go to the next slide. Um, so what would you recommend regarding contracts Mike Yaffy: um relative to supply chain. So what what are the gaps and what do you see people need to include in their contracts to get some confidence in the safety security assuredness of their vendors Alpa Imadar: right and look it’s not a one cookie answer right Mike because depend on your business strategy right but let’s say for example ESG is extremely critical to you do you have in a cont contractual agreement with your vendors that says we are really focusing on ESG and net carbon footprint by 2030 or 2050. What is your strategy aligned and can you put in a contract that states we will only work with vendors who are environmental friendly right if that is important to your decision. But I think couple the key as I call the foundational things that anybody can apply one is making sure that you have really good updates on your contract from if a service is not being performed on a X location, what is the plan to transition that service and have you actually done your due diligence to be able to have a seamless transition, right? I think that from a contractual perspective is extremely critical. Mike Yaffy: I just don’t see vendors, and maybe it’s just where I sit, right, but I don’t see vendors getting fired for ESG or Aback compliance. Are you seeing that more? And I I still don’t see it in contracts enough. I see it as a nice to have continually like does it have enough teeth in your opinion yet? And I I don’t Alpa Imadar: Aback a little bit more just because we’ve had Aback for a while, right? So if you think about compliance or back sanctions and stuff, I think Aback is a little bit ahead of the curve in a sense of just because we’ve known about it, it’s been a part of, as I called the organization’s DNA. I feel like G is fairly um not mature. It’s different stages based on different organizations. I also think there isn’t a specific metrics Mike that regulators have pushed down to the organization saying that you know your CO2 emission should be X right or your biodiversity and habitat should be looking like this. So that becomes somewhat challenging Mike but you’re right I think with you know Aback it’s a little bit different because One, it’s part of compliance. I think a lot of organizations, at least that I have been aware of, they have pretty good trainings. How do you monitor and assess the Aback and the training to help employees mitigate that risk? ESG, I think in AMIA, is much more ahead of the curve compared to where we are at in the United States. But I think more and more as the organizations are liable and as the regulators are now saying how critical that is, you will start seeing much more in the contractual Mike Yaffy: You know the one thing I can say interestingly you mentioned EMIA in these deals. So uh we we primarily operate in North America somewhat in South America but then in in AMIA and that’s the two major markets. Um in the US I would say sorry North America um I would say most of our deals if not all are generally led by security compliance risk uh enterprise risk you know somebody with a third party funk or like a funky title, but it’s it generally falls into one of those groups. In AMIA, you can have procurement, sourcing, supplier management running a deal. In the US, the deals are very focused on security, security of vendors. In AMIA, they’re much the deals seem to be much more wide ranging right now, right? They care about ESG, they care about Aback, and they’re trying to which is good and bad. They seem to kind of want to get their hands around all of it. I think we’ve seen in the past that it’s tough to do, right? If you’re trying to do ESG and Aback and SEC, like you’re gonna fail because you’re there, it’s too much. Yeah, it is too much. Alpa Imadar: But I do think that 360 perspective though, Mike, it does help, right? And depending like you said where you balance that process, but I think one of the biggest challenges in United States that some of the organizations how they operate because they’re so siloed when the incidents do occur, we do have a much more higher harder time from a reactive positioning versus being proactive. Mike Yaffy: So, I know we have a slide on that. What do they what do they always say? Like a good question is is when you have an answer or a great question is when I already you already have a slide for that. Um Amanda, go to the next one. By the way, guys, we have 10 slides on this. So, um you know, it’s just meant to kind of guide the the conversation. Um I’m not going to ask this right now. I want to stick with the uh the incident response you just brought that up. So talk to me about look we’ve seen and it’s unusual that uh the Solar Winds log 4J uh stuff like that the board seems to be asking and and we just did a market study which I’ll get to in a second but they’re like oh crap are we affected negatively and not us but they’re asking about us and then they say what about our tier one vendors do they have this issue and there seems to be a pretty big disconnect on incident response what’s going on relative to just suppliers call them whatever the heck you want Alpa Imadar: no I agree and I think of um between solar winds the lock 4J right what did it do it highlighted vulnerability right with the significant potential consequences right after the log 4j right people kept saying well anything with open source software and especially like you said the board and the seuite leadership right is concerned is how good do we understand the open source software and it’s not just the open source software much because we’re all moving away as we’re going into cloud we can’t prevent that but I think it’s when they’re doing patching right or who is doing the patching and do you understand and you know this is a terminology we all usually use is do you know how the sausage is made do you understand the data you’re giving to whoever that third party tier one vendors how they’re accessing it and the impact when they are doing this patch, right? You can’t use this um notion is I hired somebody and they’re going to take my open source software and make an additional enhancement or a patch and not understanding the dependencies. So I think what’s happened is now organizations are expected much more detailed dive and understanding what their vendors of tier one do but if they don’t do it right what is the impact and thus like you said Solar winds, right? You are only good as your weakest link in supply chain. And the reason why is because most of the people did not know the impact. You know what they did is when solar winds incident occurred and I can tell you from some of my organizations the leadership asked do we do any business with solar winds question came back Mike Yaffy: do I sorry repeat that I didn’t do I what solar winds Alpa Imadar: do we have any currently in our vendors that we do any business with solar winds Mike Yaffy: did you know Alpa Imadar: and we said no because we looked at our critical vendors, but Solar Winds had fourth and fifth parties that we relied on that was not on the list. So, two weeks later when the client started coming back to you saying, “Hey, I’m having disruption. What is your approach?” We’re like, “What do you mean? I thought we don’t have solar rins so-called crypto vendor list.” And thus, like you said, it’s very very important not just understanding who you’re dealing with the businesses, but who they are outsourcing. and what that impact will be. Mike Yaffy: So look and and I and and I would say just thinking out loud depending on your program maturity level right we see everything from people who are super sophisticated they’re doing 1500 vendors they have great programs and and and to people who are like I have a spreadsheet I don’t have people who email me back right and everything in between Mike Yaffy: where look you you have to mature your program over time you can’t get to your third and or your fourth parties of your primary vendors if you haven’t even backed up the process Mike Yaffy: to understand who the heck your vendors are in the first place. And I will tell you Alba that most of the people we deal with that’s one of their biggest it’s I mean I got a spreadsheet. I don’t have a tool and I don’t even know who the hell my vendors are. Like I can’t get if they’re in IT security they find it and I guess this will circle back uh to the persona question but the IT people who are in security or risk struggle to even identify who the vendors are um that they should be evaluating. So can you identify from a supply chain side and the IT who what are the titles of these people what they care about and how to work together? It’s kind of a big question but Alpa Imadar: no it is it’s huge right um and look like you said a lot of organizations um don’t have the manpower right like you said so they have things in Excel spreadsheet and you know everybody’s not going to spend $50 million on a brand new infrastructure that can manage the third party governance. But at the same time, the regulators are coming extremely hard and I can tell you from a financial industry perspective. So if you see on the news between city, HSBC, JP Morgan, right? All of them in the last 10 years have been either cited in MRA, Mia, right, from a regulatory perspective. So it is extremely critical. Now the fact is how do you manage and how do you operate when you don’t have a XYZ million-dollar budget right so I think the first understanding is look technology plays a critical role um in this process but I do think it starts from the beginning and when we talked about those roles right when you talked about what does supply risk management and sourcing where it says TPRM does I would say is when you’re onboarding or when you’re looking at your contracts you have to get a list of who’s performing your services right And if that means taking two steps back and going through each of your businesses and saying who are you relying currently to do your day-today services or what are quarterly services that you need and get that list identified because you’re right if you don’t know which ones are your vendors forget going to the fourth fifth or the employee right because you don’t even know who to go to or even ask the right questions but even within the Excel spreadsheet I would say is it is more and more critical If the organizations want to stay in business, they have to start focusing on vendor management. It is key critical. They need to know what vendors they’re dealing with. Mike Yaffy: So is the is the question. So if you have a security person and then you have a procurement and sourcing person, right? Is the message from security look Mike Yaffy: I want to help you make sure that these are viable then like the win for them is if you get me this I can ensure that these vendors are secure. They’re running best practices. Alpa Imadar: You can do your due diligence, right? I mean, if you can’t tell me what the list is, even security can’t do the due diligence, mind. How are you going to check the IP addresses? How are you going to check what their network connections are, right? What is their profile score overall from you know the internet perspective? So, their presence um you can’t do that if I don’t know which are my renders as a first step to start. Then, yes, you need to go and do the due diligences, you know, What is the ex you in do they have multi-factor authentication? What is their access into their firewalls, right? Where are they storing their data in the data centers? How much upgrades have they been done in data centers? Are they moving to cloud? I can’t tell you any of the risk if I don’t know if I’m talking about Amazon, if I’m talking about Google. I mean, you know, I won’t know where to begin. Mike Yaffy: Do you find that these groups do don’t work together. And Amanda, you can go to the next slide. This will be the last question on this one. Like the procurement and sourcing and supplier management, are they more collaborative with the IT security risk folks? Is it more standoffish or is it case by case? I Alpa Imadar: I think it’s case by case, but I’ve seen more collaboration. And the reason why is because if you like I think what you brought up in the earlier is now it’s not just the organization, but the board is asking, right? Because they’re actually afraid of the reputational challenges um that they’re going to face if some of these incidents occur right so I think now from the top down as well they’re asking to make sure do we have a good posture or can you showcase if an incident occurs how are we going to be able to address that issue right so I think there’s a lot of pressure coming from the top of the house as well as the regulators right because the regulators are now coming in and saying show me you know within your technology of the vendors what due diligence what on-site assessments have you done and what is their inherent scoring of why X versus Y. So I think you’re seeing it from different facets coming in and thus the pressure is more and more for them to work together because they Mike Yaffy: have have you seen a change in the auditors over COVID I guess in the last two years and with all the supply chain disruptions are they still operating as they were before are they more stringent in certain areas Alpa Imadar: there I think they’re operating more um some stringent but I think you’re seeing it because people are now allocating resources right so Mike in the past when you asked about resources for you know information security third party risk management supply chain management the question was you are a support function right or a corporate function you’re not doing business bringing the revenue Alpa Imadar: we have to be extremely extremely lenient or you know we have to be very careful stringent is as the word I would say um when it comes to the resources I think after co they have seen between like you said all the incidents that’s happened in the past that they have to start in investing in this infrastructure and you’re seeing more and more organizations bringing the right people either cyber security specialist either it’s you know credit or liability risk specialists coming in or even operational risk because they do understand that if they don’t have the right expertise they are not they’re going to have major issues down the path and thus I’m not sure Mike but there’s a significant right now demand for supply chain management expertise in all across different industries Mike Yaffy: uh Amanda, go to the next slide. I think we covered this one. We talked about incident response. You know, the um you know, I do want to go back to this one. I I the thing about third-party and contract management to me is that is the that’s the thing that most people miss, right? It’s people don’t have manage and they don’t put in the requirements in the contracts or they come out too easily, right? And if you’re sourcing a new vendor, you know, you need to specifically state, you know, you have to you will fill out an ESG or Aback survey quarterly, monthly, yearly, whatever it is, and you know, you will meet our best practices. If not, you’ll get fired. So, what you know, this is something that you brought up yesterday when we were prepping for this, but I think contract management and managing the details of the contract, just not where it sits in the terms, is super important. So, Alpa Imadar: No, and I think it’s like you said, it’s also depends on where you’re doing these services, right? So, I think it’s regional based, it’s jurisdiction based, Mike, right? Different regulatory requirements within those contracts. And you’re right, I think the devil’s in the detail is, you know, do you want an 800page contract document that nobody’s going to read uh but hopefully you cover your bases or do you have something that’s synthesized but has the clauses for flexibility? And what do I mean by flexibility? So, a lot of these cont contracts has like you said expiration date but in the process do you have clauses that talks about indem indemnification right because that’s clearly important you know who is that you know are you going to compensate for certain issues or certain services disruption right and some of these we kind of not think in detail and thus I think it’s more and more important how those contracts are formulated and do we have the right language that we can then go back to the vendors to ask What are what are the mustaves? Mike Yaffy: Concentration risk. Mike Yaffy: Yeah. I Okay, so talk about concentration risk and then come back to um what are the must haves in contracts for you if you could write the contract in this area. What are the things that you would absolutely require in there? But first start with concentration. Alpa Imadar: Yeah. So look, I mean especially in this contract details too, right? As you have the details, you will understand that 60% of your services um either related to cloud is being performed in Ukraine. I’m just making these examples up of course or you know 80% of your goods are coming in from China and if something you know has a major issues either it’s chips or either it’s a specific manufacturing part that you need but because we don’t go in that detail of where we’re getting that specific product sourced from we cannot then of course come up with our plan B and this is where that concentration risk is extremely important where contractual agreements helps right gives us that transparency Because most of the times even on the due diligence we don’t go that much in detail like Mike Yaffy: and really without knowing you have to ask the question around concentration risk or you’ll have no idea that you are or are not are in certain areas right Alpa Imadar: no I would Mike Yaffy: I would also you know I would also add I think we were talking about this but you should have the flexibility to add kind of oneoffs too like if all of a sudden your com your company and I’m not making any political judgments but decides to stop doing business in Russia, Alpa Imadar: right? Mike Yaffy: Right. You need to be able to identify where things are being sourced from, right? Alpa Imadar: And I mean, look, a lot of organization did that, right, Mike? I mean, that’s a perfect example you brought up, right? A lot of companies in the last three months have decided to pull their businesses out of Russia and that way the contractual management would be extremely critical knowing where it’s being performed and what the impact would be. So, no, completely align and like you said, even your strategy, your ESG strategy might be more aggressive compared to others. So, Do you have that documented or can you update it? It’s also the leadership and organizational changes as you see significant amount of attritions, you see a lot of M&A, you see a lot of divesters, how is that affecting your contract? Like do you have a clause that states right that you know if there’s a change on your leadership and how you’re going to run your businesses instead of you know Middle East it’s going to be now in Japan and how is that awareness made before the time frame because my contract is Mike Yaffy: Yeah, you have to have the built-in flexibility. I’m not a lawyer and I don’t know the terms, but you have to have the built-in flexibility to reassess, assess, and modify based on those. And you have to, and this goes back to what you said, the flexibility and the continuous monitoring, too, right? And I’d also say it’s the details of what we we talked about, right? You had said that it’s a little bit of the sausage making, but you need to kind of pull back the covers on this and understand where things are, what the real risks are. It can’t I think We’ve seen this a bunch of times now, right? You can’t just be doing this for a checkbox. If you’re doing this for a checkbox, this is going to bite you in the ass. Alpa Imadar: Completely agree. Right. Um, and if you think about in the past, contracts were only mainly used for cost savings, Mike. Right. And the volume, right? So, if you think about 15 years ago, why did we need a contract? Uh, because what we said is we have an official document that says it’s going to cost me X. This is the amount of volume or the service I get. And it was done, right? That’s all we needed. Now, as we evolve, like you said that contract I think some as I call mandatory checklist is one is flexibility like you and I talked about you have to have a flexibility clause where you can append or update based on the changes of both parts of the organizations right so currently I thought I wanted to do business with Russia three years ago now I’m changing my mind because of the geopolitical and my stance as an organization I need to make sure that we pull out of whatever business we do how quickly can I do it and is there an additional cost that will un have an impact, right? Mike Yaffy: Yep. Amanda said, Amanda Fina: you know, based on next slide while we’re talking, Alpa Imadar: right? And based on your strategy, how does it affect? Right. So, your contractual management should be extremely aligned with your business objectives and business strategy. What either it’s like you said ESG, either it’s Aback, either it’s GDPR, whatever any of those issues are. How do you make sure that you have an auditable trail within your contracts that you can make people accountable? Mike Yaffy: Yeah. And look, relative for accountability, but I I think when when you can’t be accountable or something happens, I want to just touch on this quickly and then move to the best practice, which is kind of the conclusion. But cyber insurance is tricky, right? Because it’s not you’re not giving yourself breach insurance, right? You’re giving yourself downstream costs of if you get breached, Alpa Imadar: is it? Mike Yaffy: No, I was just going to ask is Is it a good thing? I mean, do you find it useful? Do you find it valuable? I mean, Alpa Imadar: I think there’s a lot of confusion in the industry for cyber insurance. And the reason why is people understand that if I have cyber insurance, like it can just substitute for my IT security. That’s crazy, right? Because that has not, you know, that’s you have to have a strong hygiene. You have to have a strong IT security either you have an insurance or not. But I will say cyber insurance, I mean, given the ransom outbreak, given the security incidents and the breaches we’ve seen, this has been quite a hot topic for cyber insurance, right? And as we look at more, you know, financially business interruptions, recovery efforts, people are more aligning to that cyber insurance, Mike. But I think as cyber insurance underwriters are looking at this and how much claims they can get, they also have been, as I called, smarter and they’re underwriting these policies for cyber insurance, right? So, Alpa Imadar: you know, similar to contract, I think fine print is extremely extremely important for cyber insurance, right? Alpa Imadar: But cyber security, you know, and again depending which insurance you cover, right? Alpa Imadar: Some will only cover your data losses, recovery or recreation, right? Some will say, hey, based on the business interruptions and the loss of the revenue due to the breach, we will try to help you go back to those customers and try to figure out where there was a gap. Right? But nowhere does the insurance cover um if you’ve exposed personal data. And now that you have a financial loss or a reputational risk, is cyber insurance gonna help you? Right. Mike Yaffy: Yep. We have a couple questions. Mike Yaffy: Yep. We have a couple questions. Um, uh, Alexandra, are are you asking for cyber insurance coverage with additional insured terminology? If so, do you require that from all your vendors? It’s interesting like how do your vendors and what what gets passed down to them? Alpa Imadar: I do have a question. Um, and the reason is, you know, again, do you have that in your contract? How are you asking your vendors to be able to do this? Right? Because again, this is an additional cost. And given being in the industry for a while, let me just tell you, the cyber insurance cost is extremely extremely high as well. So, do other vendors and your third party suppliers want to take this additional cost um to give you that security, right? And I Mike Yaffy: Yeah, it’s a risk cost thing, right? How much risk are they for your tier ones, right? Mike Yaffy: Maybe for your tier fours maybe not Mike Yaffy: why not Alpa Imadar: and then you know a lot of them saying you know can you reimburse me for my future profit because of this I can’t do that I mean no insurance will do that right Alpa Imadar: now you are seeing because of current environment most of the insurance companies now are adding an additional clause that anything that affects war exclusion will not be covered in a cyber insurance Alpa Imadar: so this was something that new just recently in last two months insurance companies came up and saying we’re not going to take any additional um claims due to the impact right so look I think it doesn’t hurt to have cyber insurance as long as you understand the fine print I think at the same time you still need a strong structure you still need to make sure wherever your data is who has access who’s um you know how much provisions are you putting in that data and access and I’ll tell you a lot of organizations as great as they claim to be people have left the company for three years and they still have access to their system but it’s scary Mike right Mike Yaffy: yeah what’s your offboarding what’s your offboarding policy Alpa Imadar: exactly and how do you verify is there some audit checks that says you know Mike is no longer part of prevalent or alpha no part of this organization you know did we do the right control check Mike Yaffy: yeah quick question is it appropriate for an organization to review audit results of third party relationships whether internal external or both Alpa Imadar: um so this is kind of interesting so we have in the past some of the companies I Before we have asked and they have not provided us the detail of the audit reports but they have brought us a highlevel summary just because everybody doesn’t feel comfortable opening their hood and telling all the issues as an organization and you know how likely will we do a business after seeing the audit or regulatory findings but more and more companies are saying I don’t need the detailed report but what kind of security can you help me make sure that you guys have right controls that I feel comfortable doing business as Mike Yaffy: y Alpa Imadar: so you can’t really demand it part of the due diligence but you can always ask and there is different iterations or variations that they can provide you where you can then make a decision if you want to you know do business with them Mike Yaffy: okay Amanda let’s go to the next one and I want to burn through and then leave time for questions right I think we have three of these is that right Amanda three best practice slides I’m just trying to pace myself here Amanda Fina: two Amanda Fina: Oh, I’m on it. Thank you. Mike Yaffy: I know. Just teasing. Uh, what should you consider uh including in your business continuity plans? You Well, first of all, you should have one, Mike Yaffy: right? That’s probably a good idea, Alpa Imadar: right? No, I agree. I think every single organization after 911, I think has instituted BCP plans, which is fantastic, right? Um, but even within BCP plans, I would say is, you know, what kind of different categorizations do you have so do you have it from natural disaster versus human error versus militia attacks or tech disasters right so depending on some of these categorizations I think then you have to really understand the scenario planning like and this is something you and I talk about right yeah Alpa Imadar: in the past we’ve always done these single point of time scenarios and now we have to be much more innovative and creative when it comes to the scenario planning testing um and you know if some of these major uh organizations get hacked in or that has you know data breaches how does that affect you and I think we talked a little bit about you know either it’s DTCC or New York Stock Exchange or Swift uh or Dow Jones how will that affect and cripple the organizations I also think one of the best practices is integrate the lessons learned from your previous incidents right most organizations have as I call short-term amnesia we go through an issue either it’s 911 Mike Yaffy: If you fail to learn from history, you’re doomed to repeat it. Comment Alpa Imadar: exactly and then you know look you have to create a communication plan as these incidents are occurring right I will tell you at least with co and even with solar winds and log 4j each of these incidents occurred most of the organizations had no idea how to communicate to the right stakeholders what were the incidents what was the cost and the impact right um I mean there was a massive email to 50,000 or 75,000 people saying we have an incident but not understanding an actual plan how to get through it. So I think it’s you know communication to the right stakeholders if it’s information security do you have your CRO your CIOS involved to make sure that they understand the risk and how we communicate internally and externally. Second is really thinking about some of these data breaches. How quickly can you come back and what are your what are your plan A’s and plan B’s as you’re going through from a client exposure from the vendor risk exposure and how do you notify right so I think there is and the scenario planning I think you know we have to become more smarter each time because some of these incidents as you are aware I know they’re not as many natural disaster but it is like you said it’s geopolitical um it’s operational it’s compliance and people are just become more and more creative uh in order to figure out some of these incidents uh occurrence Mike Yaffy: right on Amanda you want to go to the next slide Um you talked a lot about this too and I guess this is kind of concentration risk right but uh to some degree but uh just talk about the diversification. Alpa Imadar: Yeah I think it’s important diversification in any organization any industry right you can’t rely on everything either from a cloud services to manufacturing a specific product to a specific country or a specific location um and the reason why is because as the worlds are colliding in some element We have to be extremely careful. If you don’t diversify some of these services, you’re going to be out of business. Simple. And not in a bad way, but you’re not going to be able to recover fast enough, right? So, if you know tomorrow you’re saying all your products are made in Ukraine and you don’t have a backup or exiting strategy to continue those services, but if you’re saying, “Hey, look, as I look at my contracts, I feel like I have a significant risk in Ukraine. Let me diversify and do some in, you know, whatever other countries, three, four. That way, I am kind of limiting my investment, right? So, I think the main focus is how do you mitigate risk and how do you diversify to mitigate that?” Mike Yaffy: Perfect. And guys, we’re just I think we’re going to come up to the Oh, QA. Amanda, do you want to run the last poll? Do we have another poll now and then we can get to QA? Amanda Fina: I do. Yes. So, run the last one here and simple question, everyone. Are you looking to augment or establish if they’re party risk management program in 2022? Yes. No. I’m not sure. Once again, be honest with this answer because we will be following up either myself or our counterparts, uh, Melissa or Landon, and we’d love to hear from you. So, please be honest. I’ll leave that up for a little bit. Mike Yaffy: It is the best policy. So, I’ve heard. Amanda Fina: Yes, it is. It helps us all. You know, quick nose. Mike Yaffy: You’re not gonna hurt anybody’s feelings either. Amanda Fina: No, absolutely not. you will hurt my feelings if you’re like, “Oh, I just pressed yes just to mess with you. Have a great day.” I wouldn’t love that. But Mike Yaffy: um so we did have a question from uh Indra uh with respect to incorporating comprehensive ESG goals in all facets of the business to what degree would uh doing so facilitate an organization’s ability to better monitor third party Alpa Imadar: so I think it’s two thing one is internally right you have to look at your ESC plan in turning. So you can’t ask your third party vendors what they are doing if you are saying that you know you’re not using any electronic vehicles but you’re expecting your third party vendors to do that because it’s an ESG friendly right same thing with greenhouse um gas. So I think one is internally as an organization what is your strategy how are you measuring those metrics and then I will say is then ask your third party vendors is what are you doing specifically on the certain factors of ES because ESG is as I call the huge right because it’s environmental social governance so there’s different facets in each one of these um acronyms as I would call it right so first understand your vision and the strategy and what you’re doing on ESG and then how do you parlay that and a lot of vendors are coming to us and saying tell us what your strategy is and then we’ll try to align and something simple as reducing um you know printing and postage right and recycling paper I mean just something very very very simplified process and we said how do we measure that so two years ago we spended x million on paper and now we’re spending x million reduction by 20% right so I think the way I would look at it is first identify that strategy internally and then go back to your third party vendors and ask but I will say it’s extremely challenging if you cannot showcase how you are following those processes and asking your third party vendors Mike Yaffy: agreed so um gather your thoughts. We’ll we’ll get to a concluding statement, but the three things that I really took away. One are the continuous monitoring, the regular check-ins of your tier one vendors. The other part two was um the contracts, really understanding what’s in the contracts, the downstream implications of the contracts, really ensuring that you have the flexibility in the contracts to get to what you need, get the information, get updates, and then business continuity planning, right? And this goes for disruptions, incident response. Uh these are the things that are super important to kind of integrate into your thinking. So continuous monitoring with regular check-ins, contracts and understanding the downstream effects and getting kind of the ability to be flexible and then business continuity along with in you know clear lines of incident response are my three key takeaways. But anything else before we let everybody run? Alpa Imadar: No, I think it’s fantastic and you know Diversifying your risk I think is extremely critical Mike especially in the current environment right make sure you understand every single vendor that you’re dealing especially the critical ones and are you diversified from everything from location concentration services performed um the people who are doing that businesses right all of that has a significant impact on the success of your organization Mike Yaffy: well again thanks for the uh wide ranging conversation keeping up you know uh um supporting my add in these cases it works great because we can jump around and cover a whole bunch of different topics. So, I’d like to thank we had everybody stick around for almost the whole time. Thanks for uh um going on the ride and uh we’ll do this again real soon. Everybody have a wonderful rest of the day and uh enjoy the weekend. Thank you so much, Ala. Thanks again. You were amazing. Amanda Fina: Thanks, Ala. Alpa Imadar: Take care. Mike Yaffy: Bye, guys. Alpa Imadar: Thanks, Amanda. Amanda Fina: Have a good day, everyone.