Overview
As the saying goes, you can lead a horse to water, but you can't make it drink. The same holds when working with vendors to remediate risk: you can recommend remediation, but you can't tell them how to do it. How can you engage vendors more proactively and streamline the process so that everyone takes part?
In this webinar, Jeff Kramer, Third-Party Cyber Risk Management at Ford Motor Company, shares best practices for building and maintaining good vendor relationships.
Join Jeff as he:
- Reviews real-world examples of how a lack of automation hinders remediation efforts
- Explains a simplified "green-yellow-red" risk scoring model
- Maps out a process for regularly engaging vendors to remediate risk
- Describes the escalation path when a vendor provides no evidence that it is working on remediation
- Examines techniques for automating communication with vendors
Watch this webinar to learn how to take a more proactive approach to vendor risk remediation.
Speakers
Jeff Kramer
Third-Party Cyber Risk Management, Ford Motor Company
Mike Yaffe
Chief Marketing Officer
Transcript
Melissa: My name is Melissa. I work in Business Development at Prevalent. Today we have a very special guest, or guests: Jeff Kramer from Ford Motor Company. I'm sure you've heard of it. He is the head of Third-Party Cyber Risk Management. Welcome, Jeff. Mike Yaffe is also here; he is our Chief Marketing Officer. Hi, Mike.
Mike: Oh, hey.
Melissa: I'll figure that out soon. Um, last but not least, one of my favorite people in particular, Scott Lang. He's with us today. Scott is our VP of Product Marketing, and he'll dig into how Prevalent can help you. Um, so, a little housekeeping. This webinar is being recorded. You'll receive the slides afterwards, so don't worry, you don't have to take notes or anything. And, um, yes, you're all muted, so if you have any questions, put them in the Q&A and we'll try to address them when we think it's appropriate. Without further ado, I'll hand it over to Jeff. Please go ahead.
Jeff: Okay. Thank you very much, Melissa. I appreciate it. I also appreciate the opportunity to be here and talk to a growing audience. I've been at Ford for 34 years, and for the past four years I've been doing third-party risk management at Ford, which is an evolving field and a very important one. Um, you know, I look forward to everybody's questions. I don't know if Melissa can go to the next slide. So, I always like to do a little introduction. My name is Jeff Kramer. I work at Ford Motor Company. I graduated from Central Michigan University in 1984 with a degree in computer science, and got a master's in computer science from Wayne State University in Detroit in 1991. I live in the Detroit suburbs and have been married for 38 years. I have three adult children. I'd say that for most of my life I've disliked the people who always have pictures of their grandchildren to show you. That stopped when I became a grandfather. So
Mike: So now you're that guy, right? You're that guy.
Jeff: I am exactly that guy now. And so, uh so I have two uh two granddaughters, uh two adorable granddaughters. Uh you see their picture there. The one-year-old, that’s about as close as we can get to getting her to sit still for a picture. And her uh 5-year-old sister is a little bit annoyed by that. Thought that was a pretty nice picture from our Fourth of July gathering. Um the little more about myself. I’m a sports enthusiast, which um living in the Detroit area for the last 10 years or so has been challenging. Um but uh we do have um some uh opportunity here that we’ve never had before. Our our NFL team has never been to the Super Bowl ever. It’s been around for 60 years and we’ve never been there. Um not even really close. Uh but they’re getting better and this is going to be the year. So, Um, you’ve heard it here first if that happens. Um, and then then hell might freeze over at that point, too. But we’ll see. Um, as far as professional experience, uh, out of coming out of college, I I spent four years at the National Security Agency in Fort Meade, Maryland. Um, got a lot of really good experience there. Um, but we wanted to come back to southeastern Michigan and and start a family. So, ended up getting a job as an agency employee uh, at Ford Motor Company doing a little bit of programming um, for the transmission division. Uh and about a year later uh they hired me in. So uh started at Ford in 1989. I've been doing several different roles over the years from um setting up uh token ring networks to um setting up our first IBM PS/2 Model 80s, working with uh Windows 3.1, all those really old types of things. Um um all the way through and did a lot of PC support, did a lot of uh Unix support. Um And then um sometime in the late 90s I I started working with Oracle databases and and um and and I uh led a team of Oracle database administrators and and part of that was making sure that you know everything was secure with our databases.
So I got a lot of um a lot of exposure to what’s needed to um make sure that what your infrastructure is doing is uh is secure. Um when I about five year, no, more than eight years ago now. Uh I uh decided that I was um getting getting tired of doing uh 24 by 7 uh uh support uh being on call. I wasn’t always on call, but being the supervisor, you’re the first person the on call person calls. So I was uh I was getting a little bit tired of that. And I I ended up moving into cyber security, so out of an operations role. And uh did some work with some of our plants for for uh for for, you know, their cyber security needs. But then, um, about four years ago, we had an issue with a, um, with one of our suppliers at our, uh plant uh plants where we build um the F-150s. Now, uh, if you, uh, know anything about Ford, uh, you’ll know that the F-150 is our money maker. When that shuts down, when that line shuts down, it uh, it gets the attention of a lot of people. And, um, and we had, uh. We had a line shut down for uh for a couple of shifts uh because of a um uh of a a ransomware attack of one of our suppliers um directly. So uh one of the things that they wanted to uh to do they came to our CISO and said uh we need to incorporate uh uh cyber risk into our supplier risk management processes. Um they you know um purchasing um our purchasing organization, our supply chain organization uh does a really good job of um addressing supplier risk and has always done that uh for things like uh you know financial uh sustainability, are they uh mining materials correctly um you know just all these all these types of things uh but cyber risk was never part of it. Um so um our management tasked me to uh start leading the team to to uh to provide some of that risk information to our suppliers. Um so um so that’s uh so that’s why we are where we are today. I have a team of um seven people and uh we we go out and we do assessments.
A lot of them are on the line today giving me great support and uh and uh so we’re I’ll just wanted to talk a little bit about uh what it is we do um how we prioritize our suppliers, what kind of level of assessments we send out. Uh how we deal with uh suppliers that we see as problematic and uh just uh some questions that we had about um you know some of our challenges and and uh some of these other things that uh that we wanted to uh share with you today. So if Melissa you can go to the next slide. So so what we uh what we uh decided that we wanted to do is that we wanted to send uh some assessments out to our suppliers. Um, but one of the things about uh Ford is that um we have and and this number fluctuates on a daily basis. We have roughly 14,000 suppliers. Very daunting task to go out and uh assess all of them. And in fact, we’ve never done that. What we’ve done is um now we are um we’ve prioritized and we continue to prioritize which suppliers we send assessments to. Uh and that’s based upon some of the risks. And some of the things that we look at were are um you know we have um we have uh uh purchasing uh applications that provide some uh some indication of the types of services that uh each of the purchase orders that go out provide. And uh we’re able to take a look at that and and we make some determinations based upon this code uh of we call a commodity code um as to what services are provided and we we identify some of the ones that we’re most interested in. And I mean some of the ones that we’re most interested like uh engineering suppliers um the suppliers that do transportation for us um some of our marketing suppliers, spend a lot of money on marketing uh and um and like companies that do consulting. So those are some of the suppliers that we do put up on kind of a higher uh level um suppliers that um manage Ford’s data and IT services for us. One such example of that would be Prevalent.
Um they um it’s a SaaS or uh a SaaS offering and uh they manage uh this data that is Ford's data. They do that for us. Um so we have uh many um suppliers that do that. Um Prevalent is not a uh they don’t hold a lot of our any of our secret information, but we do have suppliers that do um you know, health care, uh employee benefits, um some that have a lot that have some customer data, some perhaps personalized information. So, um those are also suppliers that we do, um, uh we do uh prioritize and uh and then also um I mentioned that there were suppliers that do uh that have the ability to if they shut down their operations, um it would have a negative impact upon uh Ford’s operations. and uh and so our our production um you know if if we don’t have um transmissions or or wiring or seats to put inside of vehicles that’s a problem and a lot of our suppliers have very I’m sorry a lot of our plants have um uh very distinct plans and uh and for sequencing as the cars go by uh they’re building for an order so it has to have this kind of seat um that’s going into the to the vehicle this kind of engine or um or anything and if it’s not there it shuts down the plant. So um we with the help of our um supply chain organization um we’ve identified those uh those particular suppliers. Um the assessment that we chose um is the uh is the the an industry standard uh called the SIG Lite. And I’m just going to check to make sure that I’m still being heard.
Melissa: Yes, we hear you just fine, Jeff. We're just having a small problem with the slides. We're getting them back.
Jeff: Okay, no problem. I just, uh, I don't know if they... I sometimes have problems with my own internet provider. So, I'm at home today. So I'll just keep moving, and I think, uh, Melissa will catch up. Um, so, uh, I think it's back a couple, or back one. Yes. So, um, the assessment we chose is, um, the SIG Lite, which we consider an, um, industry standard assessment. Um, even in the past few years, when we first started, um, I think the full SIG Lite had, you know, over 250 to 300 questions, depending on, you know, what you're answering. Over the years, and now that we're into 2023, they've condensed the questions so they're less burdensome but still provide the information we need to give risk information to our purchasing partners. But we found that some of the questions weren't even relevant to some of our suppliers. For example, a lot of the questions are about how you handle scoped data, scoped data being data that Ford provides to you to manage, and a lot of our production suppliers who provide us seats and wiring harnesses don't manage our scoped data; they don't even know what scoped data is. So they were answering questions that we felt weren't appropriate. That doesn't provide more information. It just creates noise in the whole system. So we decided to use four levels of the SIG Lite. If a supplier provides IT services, they get the full SIG Lite. If it's a production supplier with the potential to shut down Ford's operations, um, they also get essentially the full SIG Lite, but all the questions about scoped data are removed, because they don't really apply to them. Um, and then we have a couple of other levels. The other is level four, level three, which is basically less detailed, not as detailed as the SIG Lite. We also have a minimum standard, which is: does the supplier do the very basic things we'd expect any company to do? We don't really use that one, because we prioritize the suppliers with the most risk. We only use it now with some of our, um, pre-sourcing, um, processes, um, where, you know, if a buyer wants to see some of this information, um, we'll send them a 20-question minimum and they'll get, um, they'll get that information.
Mike: Hey, Jeff, can I jump in? I think a lot of the people we talk to have either tried something and failed, or they're doing spreadsheets, um, which seems to be the biggest challenge, right? I'd love to hear your thoughts. Nobody says that when you do third party you take on the whole universe at once, right? You have to understand who's most important, you ask different people different questions, the frequency, the type, and how you go after someone who provides something for, you know, the F-150 versus something that, you know, has little impact on your organization is very different, right? And
Mike: Most people just want to know how to do this effectively to start with, and then scale it globally. I'm just wondering, how important has tiering been for you?
Jeff: Um, very important. Over time we realized how important it was, right? So, I mean, initially we just sent the same full assessment to everybody. Again, those questions weren't appropriate for everyone. So we tried to make sure it applied to everyone. But setting those questions up is still a challenge. I'll say, Mike, I mean, regarding our number of suppliers, we pull a lot of information from a lot of disparate systems, and that information isn't really tied together. There's a lot of activity going on to do that. We're not there yet. In talking with some colleagues, I've learned this is a fairly common problem at companies our size, but even smaller companies have a lot of the same issues. We're trying. Not there yet, but someday we'll get there.
Mike: That's fine. I mean, that's the way it is, right? You have to make it a
Jeff: The term I've always used is "muscle memory", right? Not necessarily
Jeff: It's an inherent capability of the organization. You have to teach not just yourself and your team, but the whole organization how to handle and address these things. Sorry, I didn't mean to, but I think that's... By all means, if there are questions, even if you see them in the chat, if it's, uh, particularly relevant to something I said, please feel free to jump in. Give me a chance to
take a drink of water, catch my breath, and think about things.
Jeff: I also wanted to ask Melissa why neither you nor I are her favorite person, but we can save that for another time.
Melissa: I'll address that at the end of the presentation.
Jeff: Okay.
Mike: Well, I just met Melissa, so I’m hoping I’m getting getting up there.
Jeff: Um uh so, uh just the last thing on here. I mean, we have expectations of our suppliers for sure. One is that um when we we send them uh this assessment that they they complete it and they complete it truthfully, right? Um quite honestly, this is a self assessment given the uh number of people that we have and the uh and the the number of suppliers that we have. Um we can’t we can’t go out and review evidence. If someone says they have a a a business continuity plan, we we can’t we can’t review all of those. So this is a self assessment and what what we’re as what we expect is that the supplier will um will uh complete it with integrity. Um certainly we have um within our um uh terms and conditions. We do have a uh clause that says that you will complete this um assessment complete um the various assessments on a on a regular basis. Um and and essentially we give them a month to complete it. Um certainly if people need more time we do it. Um and uh and then um we uh and then we they’ll come then they’ll they’ll get some uh some reviews. Um and I I think I just saw a little snippet at the bottom uh from the chat that uh perhaps we um about certifica asking about certifications and uh just mentioning here that we um it doesn’t make a lot of sense for us to uh send an assessment out to a team and then they come back and say well we have this uh this ISO 27001 certification we got we went through the time and effort and money to do this um why why are we uh why are you sending us this assessment? Why should we complete this assessment? And essentially, we say, well, that’s a good point. There’s really no reason. If someone uh independent has reviewed your um your assessment uh reviewed your uh cyber security posture, we will take that in lieu of your uh completing this assessment. It it saves us time and it saves them time for sure.
Uh and there’s and and things like we mentioned it’s reviewed um There are um we do accept SOC 2 Type 2 reports and potentially there could be um exceptions within that report and we do review that for exceptions and do uh manually create risks within the system and ask them to address those. Okay. Um next uh next slide please Melissa. So when the assessments um you know uh are sent out um within a set period of time. They get completed by the supplier uh and they get uh submitted. It uh it goes to the Prevalent risk operations center first and and they review it uh you know fairly quickly for um for completion. Um I mean we ask for uh things like uh whether or not uh any of the uh uh replies that come back is not applicable. If there’s comments around it for um uh for uh you know to to tell us why it’s not applicable. That’s something that we uh that we ask for. Um so um they do a quick uh quick uh uh search through the assessment as it’s submitted. If there’s concerns, they’ll they’ll pop it back to the supplier. If not, they uh put it in the queue for um for my team to take a look at and to uh to review. And um and and what what we do is uh uh a few things. Um first of all, if there are comments or notes within um uh some of the answers um and and I will say that uh you know in the SIG Lite I mean if you’re not familiar essentially it’s and it’s probably true with everyone is basically we’re asking yes no right yes no not applicable um generally one of the yes nos is a risk response um and uh and and when that risk response is uh completed, it generates a uh a a risk record. And sometimes uh suppliers will put in notes that say, “Okay, here’s here’s a compensating control. We don’t have this, but we do have a compensating control for this.” And they uh designate that. And uh and then we we just we review those and uh I mean, if if it’s uh suitable, uh we’ll we’ll mark that risk as remediated. But generally um there’s not a lot of that.
There’s there’s it’s mostly comes back as yes, no. And within the SIG Lite, what we found was a couple different types of questions and uh and these are kind of our own terms. Uh so it doesn’t may not make a lot of sense. One is an informational question and I mean essentially that is does a situation exist where a risk may occur right so things like um do you use uh servers internally on your data center to uh do you use Unix servers to um um uh at all within your data center. And um and so if if that’s the case or if uh or if you have some kind of a DMZ um where the where if there there’s data shared externally, uh does a DMZ exist and things like that. If they answer yes, well, a risk record gets generated. Um but there may be uh policies, procedures, standards in place that would mitigate that risk. And um that’s what we we’re calling here is the policy questions. And that’s those are just exactly what I mentioned. Do you have this policy in place? Do you have this procedure? Do you have a a a standard or uh some process that would help mitigate um the potential risks as as I was uh just saying. I mean, these are things like uh do you do access reviews? Do you have uh physical security in your um in your um uh in your facility so that visitors have to sign in or is the doors just wide open? So um so a lot of cases these informational questions that generate risks um will get mitigated based upon the policy questions that are associated with them and we review that on a yearly basis as to okay these informational questions would generate a risk. What do we think um would be a uh compensating control the controls that would help mitigate that risk?
Mike: Jeff, you know I come from the information security world. I'm a marketer, so that means I don't really know what I'm talking about, but just enough to be dangerous. But look, I go all the way back to penetration testing and creating a kind of exploit kit so people wouldn't spend 40 hours writing Python code and could actually run it. You know
Mike: I think the review and collection is where a lot of people get stuck with third-party risk, right? Right. Because of the manual labor involved, it seems daunting. Um, look, I'm all for a hybrid approach, or some type where you and your team are reviewing the results. Sorry, I may have misspoken, but I just feel like you're sitting there trying to get people to say, can you answer question 38? And D, you know, you're too smart for that. I mean, how do you incorporate these kinds of questions? What are your thoughts on that?
Jeff: Um, um, so as far as answering individual questions or completing the assessment, we do rely on Prevalent. Uh, they've done a lot of automation, um, you know, if there are two weeks left, we send them an email. Um, if there's a week before the due date, um, or the due date is the next day, or if you, um, haven't started in the next few weeks, um, an email is sent to the contact. So, uh, we don't do a lot of that, but we do rely on our purchasing, uh, partners, who have, uh, the people who actually own the relationships with, uh, these suppliers, uh, and they do have, uh, some, uh, say in, uh, how these... well, they have a lot of say, but they also do a lot of persuading, uh, to get some of these things done. So we try not to get too involved in that, because it's not really the best use of our team. And then, if we think a supplier is problematic, I'll also talk a little bit about how we engage with them. Does that answer your question, Mike?
Mike: Yeah, it does. I see, I just don't... I have one big thing, there's... however you get there, it doesn't matter. It's, honestly, it's the sausage making. Your people have bigger fish to fry than,
Mike: you know, getting people to answer questions. You should be reviewing the results, making risk-based decisions, deciding who should go remediate, telling those people to do it so the business keeps running, rather than spending a lot of time on silly tasks.
Jeff: Yeah. No, understood. Uh, so I'll just, uh, I'll go through this quickly. The risk level is determined by the total number of risk records and the number of critical risks. Again, we adjust which are critical risks and which aren't based on feedback from our purchasing partners or cybersecurity colleagues or our own experience. So we do that, and then based on the number of risks we determine whether it's red, yellow or green status, and if it's red status, we do some engagement with the supplier, which I think is the next slide, Melissa.
Melissa: Um, before we jump to the next one, two questions asked the same thing: people are curious how big your team is that handles third-party risk management?
Mike: So actually I saw those. Jeff, can you talk about what everyone's responsibilities are? Because I'm guessing you're at the high end in terms of headcount, right. So if you could clarify each person's or each group's responsibilities, that would be great, without obviously
Mike: getting too.
Jeff: Yeah. So, yeah. Honestly, all of our team does a lot of these kinds of reviews. Um, but there are also a lot of different types of activities that I've, um, you know, given to sub-teams or individuals, um, responsibility for, um, you know, coming up with, um, different solutions. I mean, we have people looking at the changes to the SIG Lite each year; we have people looking at that. We also have people looking at how the processes we use can be made more efficient. We have people in purchasing and in the systems responsible for identifying supplier contacts, but we have to take a look to make sure it's being sent to the right person. When we run a campaign, we have a lot of people involved. Overall, besides myself, my team is seven people. You're right, I'm on top of it. They don't, you know, I try not to mess things up, um, doing any of the work, the actual work, but, um, you know, they do a great job, and we meet frequently on some of these, uh, sub-tasks. Um, so, does that work for you, Mike?
Mike: Yes, sir.
Jeff: Okay, okay. I think I've answered the questions Melissa and the team members raised. So yes. Okay. Red status meetings. So, uh, yes. So, if we determine someone is a red status supplier, uh, what we do is we ask purchasing, uh, to set up a meeting, uh, and a lot of times we have purchasing or the purchasing liaison on that meeting. Sometimes we'll have the buyer from purchasing on the meeting, who is the person in purchasing who works most with the supplier and has the closest relationship with them. Then on the supplier side, you know, we ask for the person who completed the assessment and whoever else is appropriate to attend. In the initial meeting, we review the risks, focused mainly on the critical risks. We ask them to commit to completing the assessment and to propose some kind of timeline for when they can remediate those risks. We know that for a lot of suppliers this isn't an easy thing. It's not something that gets done in a month, or two months, or six months. But what we ask for is continued progress, and we ask for back-and-forth communication in the Prevalent platform. It does a good job of communicating within the platform, and we can capture what we communicated and make it available to whoever needs it. That's the main way we communicate with suppliers. After the meeting, we hold a follow-up meeting, and we ask the supplier to state their remediation timeline in the comments, which we review in the follow-up meeting, and we answer any questions they have. If they have any questions, we answer them in the follow-up meeting. But we try to stay engaged until remediation happens, the supplier comes out of red status, and the critical risks are cleared. After that, each month we put some comments in the risk records to see what they've done. If they'd like another meeting, we do that too. But generally, after the first few meetings, we handle it by email or mostly through the platform. We've had quite a bit of success with that, and in many ways I think that's where we add value. We have over 100 suppliers. In the past year or so we've met with more than 250 suppliers, of which about 120 have moved from red status to a more compliant status, and that's where we excel, and like I said, I think that's where we add value. We know it's only a small fraction of our suppliers. But in my view it's a lift for everyone.
Mike: Hey, Jeff, we've already got three questions, and I think we're going to move into Q&A with me asking you questions, but we're also happy to take audience questions. Um
Mike: The first one touches a bit on the bandwidth issue we discussed. I'll read it to you. Uh, many procurement teams use a tiered approach, right, to segment the company's suppliers. If business stakeholders believe that lower-tier suppliers are less important than higher-tier suppliers from a cyber perspective, how do you address that? My guess is they don't want their people over-scrutinizing among the top-tier suppliers.
Jeff: Yes. Um, we, I mean there's, there's like the classic example, sometimes, you try the website, um, with, um, like the HVAC company, um, um, you know there were some, um, issues, um, where, um, where hackers got into, um, a, um
Jeff: Yes, I said that's Target, that's Target. So that's definitely, um
Jeff: That's the main example we use. But, uh, again it, it just explains, uh, you know, the threats are everywhere. Threats target everyone. Even with hackers, they don't all necessarily come in through a supplier. A lot of times they aren't even connected. But we need to make sure that's the case. We added a question to the SIG Lite. Our addition to one question is: do you have a disaster recovery plan, and does it include sending an email to our CERT team, the incident response team? Is that in your plan? Um, that's, um, that's just one way we know, um, that they're, um, that our interests are covered. So we need to check all suppliers, um, really, um, and then there are other suppliers, um, that would negatively impact our business or our production facilities, um, you just, um, a lot of times you just don't know where, um, the threat is coming from and what impact it could have. So
Mike: Yes.
Mike: Um, let's look at the question from Janet and an anonymous attendee. It gets at the same issue: how do you capture, uh, evidence of risk mitigation, and how... I'll take this one a step further. How are you able to enforce mitigation? I've always found TPRM programs are challenged because you can identify something, but if you can't enforce the fix, right, it sometimes lacks teeth. So how do you capture is the first question, and then how do you enforce the remediation activity?
Jeff: Um, so, um, I mean these are great questions, um, definitely. I wish I had a good answer, and the answer is we don't capture it. I think I mentioned, the SIG Lite is a self-assessment, and with the number of people we have and the number of suppliers, we just, uh, we just, we can't do that. So, at Ford, I'm not saying we just say, hey, whatever the supplier does, but it's at the service level. So if a supplier provides IT services to Ford, the business owner has to do a separate assessment. In that process they collect evidence that these things have been done. That's dependent on the business owner for that particular service at that point. From our perspective we don't have the resources to do it, and at this time we don't have the mandate to do it either.
Mike: No, you answered both of our questions.
Jeff: Okay.
Mike: My procurement team often assigns tiers based on cost, but even a supplier that costs very little can have significant cyber issues or a significant impact, and I completely agree with that, but Jeff, wouldn't it be like you have to come up with a somewhat binary standard? If you make anything that goes on an F-150, you're a tier one supplier. Period. Like me, you know, because if we can't build the F-150... I believe during COVID there was a German manufacturer over there that had to shut down because they couldn't get parts. So
Jeff: Right. Right.
Mike: I mean, I feel like that's how it should be, but I'm not the expert.
Jeff: Um, we have some criteria for prioritizing assessments. Cost is one, but it's certainly not the only one and not the main one. But we have a purchasing list of F-150 suppliers, and those are the most important. We have other suppliers, like sequencing suppliers, who need inventory to produce that part, and those get prioritized. How much we spend with them is one of the criteria. I'd say it's probably further down the line, though.
Mike: Cost isn't the issue. It's the impact on the business, right?
Jeff: Yep. Exactly, exactly.
Mike: So how do you handle it if the business owner wants to accept the risk rather than have the supplier remediate? I don't know if you have a say in that, but.
Jeff: No, we don't. Um, like I mentioned, this is information we provide to the supplier risk management team. They have their own risk acceptance policies and processes. We're not involved in that, but that's for certain. I mean, business priorities a lot of times come first.
Mike: Um, interesting. You know, we see this more, I'm starting to see, you know, I'm just out there talking to customers and folks, and there seems to be more of a kind of procurement center being created, where you see someone from procurement, someone from legal, someone from risk, someone from security.
Mike: As suppliers are onboarded, they're starting to think about it more centrally, rather than.
Mike: You know, I ran Dun & Bradstreet. We ran the website, right? Oh, you got this.
Mike: Done, right?
Jeff: Yes.
Mike: Versus, you know, do we need business-level risk? Do we need a whole bunch of other things that could affect this?
Mike: So, I'll turn that into a bigger question Joel asked, but does legal play a role in third-party risk management? Or, given this program was kind of made up as you went and is still evolving, what's your ideal configuration?
Jeff: So, I mean, we do have some governance committees, and we report up through some of our management and, you know, the people you mentioned. There's our OGC, you know, they have contracts with these teams and we need to make sure we're not overstepping their obligations. There's also purchasing supplier risk management. Our operations team handles general purchasing business. Our IT team supports purchasing, and our CISO is involved too.
Mike: Got it. Um, someone asked, um, so one of the things we see here, when we do, you know, I, I know you're all in our database, right, we send you lots of emails, the compliance stuff drives a disproportionate level of interest, NIST, ISO, so, um, you know, that type of thing. So how have regulators received your approach and process? Is there anywhere you think could be improved? Was the transition smooth? Just curious.
Jeff: Um, so I know if I did it over again, I think I probably would have put together a better internal and external communication plan.
Jeff: Um, because I mean there are a lot of times, I mean we rely on our, uh, purchasing management, right, so it kind of trickles down, that this is what's going to happen, um, we're sending out these assessments, uh, and a lot of times it doesn't trickle down, so you get a supplier rightfully coming back, going to their buyer, saying hey, um, we got this, it looks like phishing. Um, it's from Ford, um, you know, because we have an email relay, it comes from ford.com. But boy, this looks like phishing. I've done my training, I need to make sure this is right, this is appropriate. Um, but then our buyers don't know, right? They don't know we're doing this, it's a global company, with different, you know, so I, I probably would have done the communication plan better, um, you know, both internal and, um, mainly internal about what we're trying to do. So
Mike: Just a question.
Jeff: Yes. Um, you know, we always ask, uh, one of my favorite questions, if you were king for a day, or if you could go back in time, you know, give yourself advice. I just watched "Flat". So, you know,
Jeff: So, besides giving yourself a promotion.
Mike: Yeah, that's it.
Jeff: Okay.
Mike: That's it. Or telling Barry Sanders not to retire too early. But that's another story.
Jeff: That's another topic.
Mike: You guys are going to be great this year, but that's not the point. Hey, Melissa, we've been throwing questions at Jeff for a long time. I know we have more, but I want to give Scott a chance. I know we have, um, you know, give Scott a chance to fill everyone in on Prevalent in just two minutes, ask the last poll question, let everybody maybe get a drink refresh before we, um, get to the bottom of the hour. So, can we pause here and then move on? I think, Jeff, maybe we can do a quality assessment. You know, I know it takes a while. We got a lot of questions, but you know, we've never had this many positive questions from start to finish, so obviously everyone wants to hear what you have to say. So maybe we'll do a Q&A with you at some point. Careful, we have people who... and stuff, so your email may get blown up pretty quickly, but.
Jeff: Alright. Not surprising, you know.
Yeah, um, yes, not uncommon, so don't worry.
Scott: Uh, awesome. Yeah, great. Thanks, Mike. Uh, and thanks, Jeff. I’m just going to take, uh, you know, just a couple of minutes to talk about, you know, Prevalent's approach to addressing the third party risk management challenge. And then once I’ve kind of walked through a little bit of our approach, then we’ll pass it back over to Jeff and I imagine there’ll be some more questions to answer. So, Melissa, if you could move to the next slide, please. Um, ultimately what we’re trying to help organizations accomplish is to three primary uh questions or issues or to address three primary goals and the first of those is to uh get the data you need to make better insights. You know, maybe you’ve got it in silos. Maybe different departments are managing uh the vendor relationship. Maybe you know your procurement team uh owns the relationship but it’s IT security or risk management that executes the uh the actual assessments, right? Bringing that information together into one place uh that helps you make good uh informed decisions on um you know risk scoring, risk posture, remediation and next steps with vendors. Item number one. Item number two kind of relates to number one is increasing team efficiency and breaking down silos. You know you’ve got uh you know as I mentioned procurement might own a vendor relationship, excuse me, it might execute on the assessment. Your finance might be involved. You’ve got the external auditors to deal with and everybody has a little piece of the puzzle that they’re that they’re playing with here. So pulling everything together into a single uh platform that enables you to action risk uh execute on reporting efficiently um is uh is is one of the ultimate goals here. And then third and the big one frankly is evolving and scaling your program over time.
Uh whether you’re adding suppliers, making an acquisition, did a divestiture, you know, reducing suppliers, going through rationalization process, whatever, you have to be able to have a a nimble and agile program that kind of flexes with uh you know, business requirements. Uh and that’s what, you know, a a a TPRM platform like Prevalent uh can can really help you accomplish. Next slide, please. Um so our approach is to and you can build it out a little bit more, Melissa, till you see the little blue bars at the bottom. There you go. Uh what we what we what we really talk about is and what we see in the market is that there are distinct risks at every stage of your third party vendor and supplier relationship. You know, you see risk during sourcing and selection. These guys have a kind of a a early SOC 2 report or some spotty financial issues, maybe poor credit rating or maybe they’ve got some sanctions or reputational problems you have to address. That’s a very different type of uh risk to look at and manage and frankly sometimes a different department to take a look at that risk than at the top of that uh graphic right there in the assess and remediate function where you’re doing a much deeper dive on your on particular due diligence topics, you know, uh security um uh policies um ESG program um data privacy and protection policies you know financial compliance and more.
You know every one of these stages around this this this life cycle presents its own unique challenges mostly related to a lack of insight not having stuff you know kind of pulled together having a very manual uh approach and then the solutions are also unique to every one of these wedges uh in this life cycle as well from being much more prescriptive about getting intelligence uh into your RFX processes to onboarding and contracting and building in the right uh right right to audit clauses automating your assessment processes enabling continuous monitoring of data so that you’ve got feeds of information coming into your environment continuously in between your regular assessments or your triggered assessments monitoring the SLAs and the KPIs and the KRIs for each of those vendors make sure things are followed up on appropriately and then eventually as all relationships do um you know and they come to an end and you know what are the specific tasks and process that have to be addressed before you, you know, uh, you know, terminate a particular contract. At the end of the day, we’re trying to accomplish for you, you know, a a simplified and sped up process for onboarding vendors, getting you to a single source of the truth, closing gaps and processes, excuse me, and then unifying uh, everybody in the organization uh, around the third party life cycle. Next slide, please Melissa. You know, we address uh, a whole host of risks in the Prevalent platform. Here are six categories of them. And this is just a sample of what I could squeeze in the tiniest type I could find on a slide. Uh but it just gives you an idea of how um elastic the platform can be in uh managing risk whether you’re issuing a dedicated assessment for one of these categories or you’re consuming you know monitoring feeds to make decisions. Next slide please Melissa. Um you know what we actually deliver as far as solution is really three-part harmony.
Uh first is the expertise that we deliver uh through our risk operations center which Jeff mentioned uh you know earlier on in the presentation. You know this is this is our managed services organization that does a lot of the hard work for you from onboarding uh assessment and scheduling uh collection and management uh analyzing responses and evidence and documentation and then helping you define the right remediations to go back out to your to your vendors with. Um a whole host of data sources that we pre-integrated ready on your behalf. So you don’t have to try and tie a bunch of data feeds together into the platform. We pump it all in there for you right into the same risk register that your assessment responses appear in with some correlating between uh the the disparate findings so you can then take action on on uh you know potential gaps or or problems when you’re validating uh assessment controls with uh with outside monitoring data. And then finally we have it all in one platform that enables you to get great workflow uh reporting and then risk management guidance. um to share with the rest of the organization. Next slide, please Melissa. I mean really at the end of the day, our objective is to help you um make good well-informed decisions, be smarter uh by giving you comprehensive risk and performance insights, great analytics and role-based reporting for your internal and external stakeholders to unify your teams under a single source of the truth. To look at the life cycle on a unified basis from onboarding to offboarding and then give you descriptive guidance and intelligence to help you to understand what to do with the risks you find and uh and how to dispose of them of uh and uh and triage them from there.
So honestly that’s our approach to third-party risk management to take a look at the life cycle address those risks at every life cycle and then give you you know the the process the intelligence uh and the guidance to help you improve that program over time and I think that’s pretty well representative of of some of the capabilities we’ve been able to uh to deliver for Ford And I’ll kind of pitch back over to Melissa if you want to open up for questions or Mike.
Melissa: Um, before we get into those questions, I see we have some questions piling up. So I'm going to launch the second poll question. You keep asking questions. We're curious whether you're looking to build, or are building, a TPRM program. Like I said, be honest. We'll follow up. It's physically me. I'm a real person. I'll follow up with you. Um, I, you know, want to make sure we don't let anyone slip through the cracks. So, just answer as best you can, um, get that out of the way, and then I think we may have time for maybe two questions. So, Mike, if you want to comb through a few of them, or Jeff, um, whichever you think would be most valuable, I'll throw it to you guys.
Mike: Yes, let me look at this question Catherine asked. Um, when doing annual reviews, how do you ensure SLAs are being met? If they aren't, what steps do you take to make sure the supplier gets back on track?
Jeff: Um, um, again, um, what happens is, we, um, I mean, we send a lot of, um, a lot of emails, reminder emails, and we even, um, we look to purchasing to send a few emails after, um, the assessment window has closed. A lot of times we get requests for assessments, we get requests for extensions, and we certainly grant those. I mentioned the red-yellow-green status. There's also a purchasing status, orange status, and orange status means they haven't complied with completing the assessment. They didn't complete it on time. They didn't even start it. Um, we had one, this is the first example I've heard of this happening. Um, a supplier was, um, working with a buyer, um, you know, on purchasing, and, um, the buyer saw there was an orange on the dashboard next to the supplier's name saying they hadn't completed the assessment, and, um, they, they stopped the purchase, and that became an engaged supplier at that point. So we take full advantage of that.
Mike: Um, okay, this will be the last question, again, uh, just want to give everyone, and then Melissa will hand it back to you, but, um, I, I like this question. Have you ever, basically it's a long one, but have you ever not assessed someone because they're someone like Microsoft? What's your take on that?
Jeff: Yes, they pretty much ignore us. I mean, the big companies, like Cisco, Microsoft, Amazon, Oracle, they certainly don't ignore us. I mean, generally, everyone on our management team or IT management team does that. Um, I mean, through our CIO, um, a lot of management has, um, kind of a relationship manager with some of the big guys, like Microsoft and all the others, and, um, we, um, we work with them, um, to make sure we've got the right, um, um, you know, they've got everything they need in place, and generally they do that through other managers. So, other, uh, methods, uh, so, um, they don't, they don't fill out the SIG Lite, quite honestly.
Mike: I bet they don't.
Jeff: Yes.
Mike: I bet they don't. Hey, uh, let me turn my video back on, it's just my internet's been weird. But Jeff, this was just awesome. Thank you. Um, you know, the number, the number and quality of the questions, I think, represents the desire to hear from someone like you with a mature program, and you've done a great job, and I just appreciate, uh, the personal touch. This was great. Thank you all for the trip. Thank you very much.
Jeff: Okay. Thanks, Mike. I appreciate it. This is, um, I think, uh, the deck will be sent out. Is that right?
Yes, that's right.
Jeff: Okay. I believe my email address is in there. So I'll look forward to your emails.
Okay, Melissa, anything else?
Melissa: You know, I really value this kind of interaction. I think, compared to all the Q&A we usually get, this was very useful. This was quite a bit. So hopefully everyone found it valuable. Maybe in the future we'll have the pleasure of having him back. So, um, stay tuned, everyone. Thanks, Mike, for jumping on. I know you had a lot going on today, and Scott too. Um, and then one last time, thank you, Jeff. We'll see you at future webinars and in your inboxes. Take care, everyone. Have a great day.
Jeff: Okay. Thanks. Bye.
©2026 Mitratech, Inc. All rights reserved.