Compliance Podcast Network: The 2020 Third-Party Risk Management Study
Hear about key findings from our 2020 Third-Party Risk Management study
Description
FCPA’s Tom Fox and Brenda Ferraro, Prevalent VP of Third-Party Risk, discuss why Prevalent commissioned The 2020 Third-Party Risk Management study and its key findings and recommendations.
Speakers

Tom Fox
FCPA

Brenda Ferraro
Prevalent VP of Third-Party Risk
Transcript
Tom Fox: Welcome to the Innovation in Compliance podcast, part of the Compliance Podcast Network. Join us every week as we talk with industry innovators who are making compliance to help business run more efficiently and, at the end of the day, more profitably. Here's your host, Tom Fox. Hello everyone, this is Tom Fox, back for another episode, and today I have with me Brenda Ferraro. She is the Vice President of Third-Party Risk at Prevalent, and we're going to talk about an extraordinarily interesting study that Prevalent commissioned and did, and it has released to the greater compliance community. So Brenda, with that incredibly long-winded introduction, first of all, welcome, and thank you for taking the time to visit with me today.

Brenda Ferraro: Thank you for having me, Tom. It's a pleasure to be here.

Tom Fox: Brenda, could you tell our listeners a little bit about your professional background?

Brenda Ferraro: Oh yes. So my professional background has brought me to living, breathing, thinking, eating and sleeping third-party risk and compliance for about 25 years. I have been in information security as a certified process master, and what that has helped me to do is to dissect and interconnect all the different moving parts and pieces of different types of business organizational departments: how do third parties come together and work at an economic approach? I've been a CISO, so I've also built a third-party risk program from the ground up, and I want to focus that on knowing your numbers and acting on your numbers. My background in companies is from the government, at Edwards Air Force Base, all the way to financial institutions like Charles Schwab, eBay and PayPal, and then finally, before I came over into the vendor world and focused on helping communities build their third-party risk programs, I was at Aetna in the health care space.

Tom Fox: Brenda, one of the things that intrigued me about the study, and I'm referring to the 2020 Third-Party Risk Management Study, and indeed Prevalent, was it seems to be encapsulated in your professional background, which is a wide variety of professional business, risk and compliance jobs and functions over the years, kind of leading to this very holistic approach to third parties. So most of my audience are anti-corruption compliance practitioners. Obviously third parties are a high risk in the Foreign Corrupt Practices Act world, but you guys are looking at it in a much broader vein. So I was wondering, with that, could you tell us a little bit about the mission of Prevalent?

Brenda Ferraro: So Prevalent is delivering a unified third-party risk management platform, and that's going to enable businesses to better reveal and interpret and alleviate risk by simplification and speeding risk mitigation awareness for those businesses who rely on others to fuel their success. So we pride ourselves on making sure that when we look at economic approaches, with standardization, how to use networks, how to leverage completed content gathering, and making sure that we're doing the big bang for the buck. Basically, if you are completing a questionnaire, a survey result, providing artifacts, why are you not doing that for every single company that you work with, instead of having to answer multiple proprietary questionnaires or responding to companies differently every single time? It really needs to have a holistic approach and an economic approach.

Tom Fox: With that in mind, could you tell us why the firm created, or even commissioned I suppose, the study which led to the 2020 Third-Party Risk Management report that's been issued?

Brenda Ferraro: Yes. So the goal of this study was to provide a state of the market, or a State of the Union, on third-party risk, and then provide actionable recommendations to these organizations that are interested in making sure that they're looking at the proper approach to grow and mature their programs.

Tom Fox: So could you walk us through the key findings that the study unearthed?

Brenda Ferraro: There were many of them, and they weren't as shocking to me at all, especially based on what I've been doing with my career. So we found that there's a lack of process, and that's damaging the third-party program effectiveness. So think of it this way: if you have a program and you're looking at how to enhance that program over time, what you used to do back in the day may not be what you need to do today, especially when you think about all of the different threat landscapes or the content that's required from a compliance perspective. Think about it this way: we may be having some, well, I'm not gonna even say we may, we are definitely gonna have some regulatory changes on how we look at work-from-home environments. What are the key things that we're putting into place for compliance perspectives on that? The other thing that we found was third-party risk management is a team sport. A lot of organizations will say, I have my third-party assessors sitting over here in my security department, but let it be known that privacy is just as important, risk is just as important, compliance is just as important, engineering, architecture for data flow management is just as important. So work smarter, not harder: use content that can span across all your multiple departments so that they can do their assessments real-time. Another one is lack of confidence in their program and what results they're getting. So they're conducting third-party assessments, but that's a skill and an art for the resources, so you have to make sure you have the right people doing risk assessments versus risk management. And then a couple other ones where there's significant consequences: so compliance violations, especially with what we're talking about today in this particular podcast, is you could have those violations that may make it so that you have a fee or a charge or a penalty. There's operational issues that have come up in the survey. There's vendor performance contributions, and also risk-related business issues that have been identified. Many, many companies, which was not another shocking surprise, are not happy with their existing tool sets because there's so many of them. So it's important for us to start looking at: if you're using a GRC or an IRM tool, or you're using an assessment engine or a platform, or you're using a risk mitigation technique that may or may not be coexisting with all of your tools, or even risk scoring, weather reports of what is my risk today out there in the wild, all of those things have to coordinate together in order to see a true picture. And then we also found in the survey, lastly, that the IRM is not the way out. So they're important to have from an enterprise view, but integration is key, so that you have all of these tools talking to each other and bouncing off information of false vulnerabilities versus positive vulnerabilities. Digital transformation and then flexibility is crucial, because every company is not in the same maturity state. We have some companies that are just starting out their program, and then we have some companies who've been doing it over five years, which you would hope that they have been doing it longer than that, but the majority of them are at five years right now.

Tom Fox: Let me pick up on that last point, because I will have to share with you that was the one that surprised me the most. So two of your key findings: finding number three was third-party risk management isn't mature enough to handle the challenges, and then finding number four was, especially when organizations are not even assessing enough of their top-tier vendors. I frankly found finding number three just almost stunning beyond belief, because at least in my world it's been known that third parties represented the highest risk probably since about 207 or 208 at least, and here you have over 80%, as noted, of companies surveyed had not been performing third-party risk assessments during that timeframe. Any insights as to how we got to that place?

Brenda Ferraro: Well, I think that we've all been trying to create our own way of doing things. So the financial institutions have created their questionnaire, and they've tried to say everyone in the financial institution, use this route, and then you've got the healthcare space that has different needs and compliance requirements, and vice versa. You have GDPR that's come around. So when we do these assessments, they were focusing, the majority of the companies are focusing on the top tier. We said, okay, if we need to know our vulnerabilities, who do we start with first? But we're also finding that by doing that, the medium and the small-tier companies are the ones that are causing the breaches and the vulnerabilities that we're not focusing on. So think of Adobe or Google or Amazon Web Services and cloud services: they are watched with a magnifying glass, so of course they're going to be up to par on their security posture. And our role as a global community of third-party risk and supply chain management is to help those other companies that may not be as mature lift their security posture. So when you hear or you see all of this information about, okay, 10% of the respondents are extremely confident in their program and the rest were not, it's because we haven't been doing a good job on discovering our third-party base, making sure that we're putting classifications and information classifications around which ones are sharing data, which ones are critical to my supply chain management, which one can I live without if they're impacted by some type of threat landscape. And that's what we're now just starting to focus on. You'll see the companies start to look at: what is my discovery of all my vendors in my universe, how am I working with them, and what's the proper due diligence to apply? It's not a one-size-fits-all where you have 300 to 400 security questions that need to be answered by every single engagement. Some of them only need to answer key controls, some of them need to dig deeper, and so by properly tiering, properly knowing your vendors, I think that's going to help. And then when you talked about number four, that so goes into what I was explaining with regards to discovery: if you don't know your top-tier vendors, or if you don't know all your vendors, then how do you know what type of due diligence to apply, and are you spending your money correctly on identifying what needs to be known? And then let it also be known that if there is a questionnaire that you respond to, why isn't it showing how that response reflects to PCI, GDPR, HIPAA? It should be, if I'm doing this particular security control in this maturity level, it should apply to all of those compliances, NIST, ISO, and so answer at once, reflected and spotted across all the different compliance capabilities, and have a platform that shows you that: if this questionnaire comes in as a standard, if I want to look at it in a PCI view, show it to me in a PCI view; if I want to look at the responses of all the things that I have uploaded into a network, show me that for NIST, show me that for ISO, or show me that for privacy. And that's where I'm going to see a lot of the companies, or you'll start to notice that they're going towards, is yes, we make risk-based decisions, but in order to make those risk-based decisions we need to use the guidelines of the compliance items that we're mandated to do on regulatory areas.

Tom Fox: And I'd like to now turn to some of the recommendations that you guys developed based upon the study's findings. If I can start with an observation: it occurred to me in reading the study, listening to you talk about your background and Prevalent, and then you talked about some of the key findings, that developing a process, not simply a process but really a holistic process that you can be comprehensive with, would seem to be one of the key themes that I've gotten out of this. Would that be a fair assessment?

Brenda Ferraro: That's a very fair assessment. A lot of us in the past have been just throwing questionnaires at the problem to say, let me know what your vulnerabilities are, but if you don't have a way to process the results, and you don't have a program in order to elevate the risks to a steering committee that can make the risk-based decision, or if you don't have a way to track and monitor your performance indicators and your risk indicators, then what you're doing is you're spending a lot of time with questionnaire fatigue, gathering content, administratively identifying risks, and then it stops there. So we've got to get to a point where we're looking at inherent risk and residual risks qualitatively and quantitatively, so that we can end up doing what's best for the company moving forward. For example, we have legal vendor networks and healthcare vendor networks, and we should be able to say, here's the top risks for those communities, and as a community you can address that residual risk together and close the gap of the vulnerability much faster than if you were to do it one-on-one, engagement by engagement. And some of the vulnerabilities cross sectors, so that way, if we're all working together on the top risks, then we remove the risk or reduce it, and then start focusing on the new ones that are cropping up that we may not be paying attention to right now because it's just something that started.

Tom Fox: Does that message that you just articulated, does that resonate with the Prevalent client base, or even perhaps the broader compliance market?

Brenda Ferraro: Yeah, I think that with the ISACs, the ISAOs, the communities that are working together, I think it's very well known that we need to share information, we need to work together, and by doing so we're going to elevate each other up in the risk posture and reducing those vulnerabilities.

Tom Fox: And unfortunately we're near the end of our time, but I was wondering, if our audience wanted any more information on any of the topics you've raised, or Prevalent, where can they, or from you, where can they go for more information?

Brenda Ferraro: They can go to www.prevalent.com. We have a lot of information out there, from business resilience health; we also have a maturity assessment that can help you identify where you are in your program and how to leverage data in the proper way to know which steps to take next. And right now is a perfect time to re-evaluate your program and your approach, and dig into who your third parties are and your supply chain companies, what they do for you and how dependent you are on them. Use automated workflows and flexibility, and leverage standards and networks. That would be my final say.

Tom Fox: Well, now that you've said that, I have to ask a couple of follow-up questions based on that, because I was really struck by your thoughts around now's the time to do so, and now may be a time because, so I'm in the energy capital of the world and people are not working full time on their energy jobs, so that could be one reason they'd have time, but also because of the economic dislocation and certainly the coronavirus crisis. I really like your thoughts around now is an extraordinarily good time, because we may be at not only a turning point, but you may have the ability now to look at things you haven't had the ability or time to look at in depth in the past. Would that also be fair?

Brenda Ferraro: That would be fair. As long as we're doing empathetic discovery, I would agree with that. And everybody does have time on their hands, or they're shifting what is important to them. This is one of the important areas, so I would advise to focus on it with the time that you have, and just be empathetic on getting results from other companies that may or may not be impacted by what we're going through today.

Tom Fox: And would the cross-functional team approach that you've articulated also be an important part of this? Because I was really struck by, I mean, you didn't phrase it this way, but I heard you talk about the human element a lot, and certainly the data is important, the information, the numbers are important, but several times I heard you emphasize kind of the human element, and putting a professional set of human eyes on the data. Would that also be critical at this time?

Brenda Ferraro: Yeah, definitely. So if you're using a standard approach and you're gathering the content, and you're using resources by shifting them from data collectors to risk managers, then you're gonna be able to start focusing on mitigating those risks, and I think the human element of shifting those roles and responsibilities is critical.

Tom Fox: Well, Brenda, this has been a fascinating podcast for me, so I know it will be for our audience as well. I hope we can continue this conversation, but thank you so much. It's been a pleasure. If you're a compliance professional looking for a convenient and effective way to fulfill your continuing education requirements, go to fcpacompliancereport.com/courses and choose from four hour-long training packages that will keep you current. That's fcpacompliancereport.com/courses.

©2025 Mitratech, Inc. All rights reserved.