Description
Nearly half of the organizations that participated in Prevalent’s 2023 Third-Party Risk Management Study reported using manual processes to manage risks. And, with so much focus dedicated to manual processes, it can be a challenge to keep up with vendor communication – so, how do you know if your vendors are actually completing your risk assessment?
Bryan Littlefair, past Global CISO of Vodafone Group and Aviva, shares his tips and best practices on how to get your third parties to participate in vendor risk assessments.
Join Bryan for this on-demand webinar to learn:
- How to communicate with vendors for a higher response rate
- When to realistically expect responses
- What to do when you don’t have the right contact or can’t get a response
- Who can help you chase down answers and analyze your risk
- Where to get vendor risk intelligence without waiting for a response
Responsive vendor communication is a must-have for any TPRM program. Register for this webinar for practical advice on getting your vendors involved in risk assessments.
Speakers

Bryan Littlefair
past Global CISO of Vodafone Group and Aviva
Transcript
Ashley: My name is Ashley and I work in business development over here at Prevalent. And we are joined by a very special guest, Bryan Littlefair, former CISO of Vodafone Group. Hey Bryan.
Bryan Littlefair: Hey, how’s everyone?
Ashley: And our very own VP of product marketing, Scott Lang. How’s it going, Scott?
Scott Lang: Hey, Ashley.
Ashley: Today, Bryan’s going to be discussing how to get your third parties to participate in your vendor risk assessments. So, Bryan, I’ll go ahead and hand things over to you.
Bryan Littlefair: Great. Thanks, Ashley. And hello, everyone. It’s great to be able to speak to potential and current Prevalent customers again, and to those that are just here to listen to the topic. So I think it’s a really interesting one today: how responsive are your vendors? It’s a particular challenge that I think a lot of us face, depending on where we are on the maturity journey of our individual TPRM initiatives, and I recognize there’ll be people on the call that are at the very beginning of that journey and there are going to be people that are very mature. So I’ve tried to be quite holistic with the individual messages. I will apologize. I’ve got a bit of a chest infection, but I’m sure we’ll be fine to get through it. But if the voice breaks occasionally, that’s why. So, without much ado, what are we going to cover today? A little bit of scene setting from myself: where are we, what are we talking about, and what’s a bit of the context around what we’re trying to achieve. All organizations, or certainly all organizations that I think take effective risk management and protection of customer data seriously, are in some shape or form driving a third party risk management program. And obviously that’s going to look and feel different depending on the sector that you’re in, the geography that you’re in and how you interact with your customers. But regardless, we’re all trying to do the right thing. And obviously how effective we can be depends on the level of budget and resource we’ve got. I think we have to look at the threat and why we’re all focusing on this initiative.
So I think regardless of where you are in the world, government agencies are advising their citizens and the organizations that operate in their jurisdictions that this is one of the biggest strategic threats that we face. We’ve only got to look at the many thousands of suppliers that individual organizations can have, and the level of interaction that potentially they’ve got into our organizations.
Bryan Littlefair: So whether that’s potentially they administer our data centers, or they’ve got access to our networks or access to our applications, there’s a level of interaction and integration that we need with our supplier base, certainly for large global and midsize organizations, to be able to deliver our products and services to our customers. So we need to take that threat seriously, and we have to be able to evaluate and assess our supplier footprint and understand the risk that they pose to us. Then we have to understand the maturity journey. I’ve already touched on that. So where are we? I see numerous different organizations. I run a consultancy business myself. I do a lot of work with private equity and I work with numerous different sectors around the globe. So I get to see all different flavors and approaches of organizations when they’re looking at third party risk management. And some honestly take it extremely seriously. They recognize the risk, but equally, they recognize the opportunity and the value this can deliver to the organization. Some, it’s safe to say, recognize that they have to do it for compliance reasons. They view it as a little bit of a box ticking exercise. They’re not really going to deliver the value into the organization. But I think that the way regulation and compliance is going, we’re starting to see those box tickers move away, and organizations really take this seriously and move it forward. And then we have the challenge of where you are on your tooling journey. And I’m going to talk a few times about this today.
I should declare that obviously I am an independent consultant, but certainly when I was running security organizations around the world, I was a very active user of the Prevalent tool set. So I’m speaking from experience. I’m speaking as someone that has used Excel to manage third party risk before, because that’s what was always available to me at the time.
Bryan Littlefair: And then I’m speaking from the fact that I’ve adopted and embraced specific tooling that was designed and purpose-built to drive forward mature TPRM programs. So we all agree, or hopefully we all agree, that evaluating that risk is essential to move things forward. So, hang on two seconds. My computer’s being a little bit slow on advancing the slides, so hopefully it doesn’t skip too many. So, setting yourself up for success. If you’re a large multinational organization, having 3,000 or 4,000 suppliers isn’t unheard of. And even if you’re in a mid-range organization, having 100, 150, 200 suppliers is still a lot of suppliers. So where do we actually start? And how do you set yourself up for success? As I said, seeing lots of different organizations and lots of different maturity levels, different focuses, different approaches, it’s really important that we understand what good looks like and what the components are that together make a successful program, so that you can get the outcomes that you’re actually looking for in terms of being able to effectively evaluate and manage risk. So what do they look like? Number one is always budget. You can’t really do a lot without budget. You need the budget to bring in your resource. You need the budget to be able to acquire tools. So you often need to make sure that you’re evaluating the amount of risk that you’ve got under management within that function. And it’s the same when it comes to resource. And sadly, certainly in organizations that I’ve seen, I’ve seen the full spectrum again. I’ve seen two or three people that have the accountability of managing several thousand suppliers using an Excel spreadsheet, and that’s not really sustainable.
But equally I’ve seen organizations that have optimized the process and use a tool such as Prevalent. And when you’ve got a fully optimized global process, you don’t actually need that many more people to be able to run that global process, because you’ve baked in all of the efficiencies.
Bryan Littlefair: But regardless, we need the right level of budget. We need the right level of resource, and we need the right platform to be able to effectively interact and message and store all our responses from our suppliers going forward. So they’re really the givens. Absolutely, they’re the foundations that we need. Tiering is really important, but I’ve got a slide on that later on, so I’m going to skip that because it’s something that we’re going to focus on on a later slide. And then we get to communications, the reason that we’re all here today. We have to have effective communications. We can have the best process, we can have the best platforms in the world, but ultimately, if we’re not an effective communicator and people aren’t returning our communications, we’ve got a broken feedback loop, and then we’re not going to make progress going forward. So we have to look at what our priorities are. We want to evaluate risk across our supply chain. That’s pretty clear; that is our number one priority, certainly for the people that work in the third party risk management function, and equally the people in compliance, legal, data protection, procurement, etc. We all share that common goal. We want to maintain business continuity. We want to be able to mitigate disasters. We want to make sure we’re complying with our legal and regulatory requirements and we’re doing the right things by our customers. Those are common goals, but we have to face facts that it might not be a priority for all of our suppliers. We’re saying absolutely we need you to fill in these questionnaires. They might be getting lots of them, and we’ll come on to that later on.
Bryan Littlefair: So we might have this imbalance of, here’s our priority, but the people receiving it don’t see a priority, and then we end up in this situation where we’ve sent out maybe 500,000, 20,000 questionnaires and we’re waiting for that response so that we can either put them through our analysis platforms or, if you’re not in a good situation, you have to receive lots of Excel files, and then obviously you have to go through analysts triaging all of that information coming in. But regardless, we need to somehow reset that imbalance and make sure that we can prioritize communications coming back to us from our suppliers. And fundamentally, that’s what we’re going to talk about today. So, advancing forward. How do we communicate with our vendors? We need to recognize that communication is a two-way street. For the techies among you, we might be on UDP, right? We’re broadcasting, but there’s no feedback loop. We don’t know if our communication is landing on deaf ears or our communication is actually being received, unless they’re super responsive and say, “Hey, picked up your message, whether that’s via the portal or via the email platforms, we’ve got this in hand, we’ll turn that around for you.” Honestly, that’s a pretty rare response. So it’s understanding how we can mature our approach by using obviously some of the tools that we’re discussing today, so that we can recognize when our response has been picked up. We can understand the progress of that questionnaire being filled in. We can see whether it’s been picked up at all, whether it’s 5, 10, 15, 20% complete. And you just can’t do that with email and Excel. But obviously that’s perfectly possible with some of the TPRM platforms that are out there today.
So let’s talk a little bit about tiering, how you’re going to tier your suppliers, and why tiering is important for communications.
Bryan Littlefair: I’ve run some pretty big companies and I’ve run some pretty small critical national infrastructure companies, and regardless, it doesn’t matter: you can’t spend the same amount of time with every single supplier that you have. You have to somehow prioritize and understand where you’re going to focus both your personal time and equally your TPRM team’s time and your procurement function’s time. So that’s how we tier our suppliers, typically into tier one, tier two, tier three, and then understanding within that tier one where we’re going to focus our time and attention. That focus is all about how we develop relationships: how do we move that relationship from a supplier into a strategic partnership or a strategic relationship? But equally we can’t do that with all of our tier one suppliers equally. If we’ve got 100, 150, it’s just unrealistic. So every organization is going to have a critical number of suppliers that together construct how they effectively deliver products and services to their customers globally. Once we’ve identified them, we can understand that they’re the people we need to spend the majority of our time with, to make sure that the risk that they present, if it were to materialize, doesn’t impact the service or products that we deliver to our customer base. So that’s ultimately what we need to do from a tiering perspective. I’m going to get on a little bit to what some of those relationships look like and what some of the tactics are that we can use to move that forward. So a communication strategy is really important as well.
Certainly what I’m not advocating, if you’ve got suppliers in tier two and tier three, which you will (you’ll have more suppliers in tier two than you have in tier one, and more than likely you’ll have more suppliers in tier three than you do in the others combined), I’m certainly not saying we ignore the suppliers in both of the lower tiers.
Bryan Littlefair: Actually, what I’m saying is we put in place an effective communication strategy that recognizes what the tiering looks like and how we need to communicate with those different suppliers. So what are the key messages that we need to send a critical supplier versus what are the messages that we need to send someone in tier three? Someone in tier three might be someone that supplies the canteen or the restrooms, or actually supplies stationery for the organization. But absolutely we can’t ignore the security risk that organizations in tier two and tier three present. I’ve seen many an organization breached from a tier two or tier three supplier, because equally they may have legacy systems within kitchens or legacy systems within stationery departments, etc., which they have access to to check stock levels and so on. So we can’t be complacent, and we need to make sure that our communication strategy achieves our objectives: we want to be able to broadcast, we want them to receive, we want them to understand the key messages that we want to lay out to them. So let me talk a little bit about what some of those may be. What do we want to communicate with our vendors? In my experience, we want to make sure that they get the right information at the right time, but actually it helps us drive forward our strategic objectives of ultimately developing that deeper, stronger relationship with them, and being able to move forward and get our responses as quickly as possible. Because ultimately, if you have an effective relationship with someone, it’s like our friendships in life. If you have a great relationship with someone, you speak to them very regularly. If you don’t have a good relationship with someone, you rarely speak to them. And that’s the same in the business world.
If you have a great relationship with someone and you send them a TPRM questionnaire, they recognize you as a strategic supplier. They recognize your importance to the business and they’ll turn that around quickly for you.
Bryan Littlefair: If it lands on them cold and they don’t understand who you are and don’t understand the value you are to their organization, then it’s not going to be a rapid turnaround, and actually it might take some time for you to get that information to flow back. So, what do we need from a newsletter? It’s what I call the who, what, why, where and when. So it’s breaking down: who are you? What are you here for? Why are you actually communicating with them? What do you need them to do on your behalf? It’s fairly high level, quite broadcast. This would typically go to all of the tiers, and it’s actually just introducing any key strategic changes in your organization, anything they need to know about. And this actually is the typical icebreaker. It gets into the organization, it gets distributed by supplier managers and relationship managers, but it gets them to know that you are an important customer, and it gets them to know that you are going to be sending in TPRM meetings or questionnaires, and that it’s important that they respond. Then, as you come up the tier levels, I have always put in place a couple of virtual meetings. One is the pulse meeting, which is very much like keeping your finger on the pulse: very short in duration, typically 15 to 20 minutes, normally with the same stakeholders on both sides. This is a little bit of interpersonal relationship mixed in with business. So it’s a little bit of how’s the family, how are the kids, developing that interpersonal relationship. Equally it’s around any high-level messages that you might want to put in place in terms of what’s working well, what isn’t working well. The pause meetings are what the name implies.
You’re taking a breath, you’re pausing, you’re evaluating that relationship. You’re sitting down, you’re perhaps going through KPIs, you’re going through metrics, you’re actually trying to understand how that relationship is working.
Bryan Littlefair: You never really want to get the contract out with a supplier, but you might want to look at how that performance is, what the feedback is in terms of the SLAs. And actually, one of the things that we see as an increasing maturity is putting in place in initial engagements what the expectations are for things like effective response times to data or information requests from either party. So we do see those things in contracts, but we don’t want to point them out. We want to be able to effectively manage them through the relationship. So those two meetings I find really effective. And certainly with new suppliers and tier one suppliers, you can’t overestimate that face-to-face interaction. Through COVID we’ve got very used to operating remotely. I’m certainly a strong believer that it’s a lot easier to maintain a relationship that had some level of face-to-face interaction when it was being set up. And I think, as an organization, if we’re setting up that interaction, if we’re setting up that service or product and we’re putting in place a key strategic relationship, there typically will be those face-to-face interactions. And I think it’s important, as a key risk and governance interaction that’s going to be happening annually going forward, if not more frequently, that you actually get some face time with that supplier and explain what that process looks and feels like. I recognize that not everyone can do this, but it doesn’t have to be a big fanfare conference, etc. It’s fairly easy to run it virtually. But very mature organizations I’ve seen run supplier conferences.
It’s literally where you get the management of both organizations together. You get the people that are responsible and accountable for running the service and the relationship between the two organizations. And we talk about the strategy.
Bryan Littlefair: We talk about how things have worked, where things are going, any key changes and relationships. But equally, this can be for all of your suppliers. It gets them on your page. It gets them to understand your expectations. It gets them to understand where the business is going, where it’s been, what its short-term goals are and what its strategic objectives are. And it’s where you can outline your expectations of how you expect to work with your suppliers. So, what are your security requirements, at a very high level? It gets them to understand that you take security seriously, and that it’s going to be something and a process that they have to engage with to maintain you as a customer going forward. So I think it’s really important that we put ourselves in the shoes of our suppliers. All too often we look at everything from the lens of our organization and what that looks like. But actually I think it’s really important that we put ourselves in their shoes and think about how we can make their life a little bit easier. Obviously we have a lot of people on this call that are going to be at a different level of maturity. Some of you will have an Excel sheet that you send out as a questionnaire. Some of you will use tools like Prevalent, and some of you will be in the middle, kind of moving up that maturity curve. Regardless, obviously we’ve all got a level of suppliers and customers. And depending on the size and scale of our suppliers, some of them might get over a thousand of these questionnaires per day coming in, if you look at Microsoft, AWS, Salesforce.com, etc. So we need to understand how they view us,
and how important they are going to see responding to our individual questionnaire, and what we can do to potentially increase our chances of getting the information we need, whether that’s using Prevalent to find that quicker (and I’ve got a slide on that later on) or whether it’s influencing them and improving our process to make sure that we get that response.
Bryan Littlefair: So a couple of things that we can do. We can become more important to them as an individual supplier, and that means working carefully with the procurement company. And one of my key sayings is, complexity is the enemy of security. So if we have a very complex supplier footprint, if we look across individual domains for our business and we look across the globe, if we’ve got 20 or 30 suppliers interacting with our business for a very similar product and service, does it always have to be that way? We may have chosen that for business continuity, disaster recovery. We may have chosen that for global agility. So it might be the right answer. But where we can synergize, where we can streamline, absolutely, that pays dividends. And why? Because we become more important to them. We become a bigger customer. They’re more likely to respond to our questionnaires and respond to our information requests if they view us as a strategic supplier as well as us viewing them. Then obviously it’s developing that relationship, moving up that value chain. Suppliers actually want to be partners. They want to work strategically. They don’t want to be bidding for work every single year. They’d rather develop that strategic relationship with their customer base and have some guarantee that, as long as they deliver a quality product or service, that contract is going to roll over year on year. So normally you’ll be knocking on an open door to say, look, we really want to deepen that relationship with you. We want to set our expectations. We want to understand how you work. And equally, you’ve got requirements from a regulatory perspective to understand any third or fourth or nth party relationships they have from a data perspective. So really, from your tier one suppliers, you have to really start to get into that information flow.
And then it’s thinking through what you have done to make their life easier. Have you streamlined this process as much as you possibly can?
Bryan Littlefair: If you’re, as I say, still sending out Excel; if perhaps you haven’t globalized your TPRM process and, as a company, you’re sending the same supplier questionnaires from the UK, questionnaires from the US, questionnaires from Asia, and even the Excel spreadsheets that you’re using don’t look the same, then as a supplier they’re kind of thinking, well, what level of information do you want? Where do we send it? It’s all different. So absolutely, there’s optimization that we can recognize and do to make that process a lot more streamlined and actually help our suppliers out. Is your questionnaire expected by them? Signposting, indicating: that’s where the newsletters can come in. That’s where the supplier conference, the pulse and the pause meetings come in, to actually say, here’s what this process is going to look like. Here’s where we are in the contract cycle with you as an individual supplier, and here’s where the relationship is from a health perspective. Actually say, things are going well, you’re hitting your SLAs or your KPIs, or actually, we’re well below expectation. It’s perfectly fine to be transparent with vendors and suppliers, but we need to signpost to them what’s coming down the line. That depends on how frequently you actually send out some form of assurance prod to your individual supply chain, but obviously, using tools like Prevalent, you actually get things like the threat module, so you can keep a more active view on your supply chain. You’re not waiting for that individual questionnaire to come through. But it’s about deepening that relationship, making sure you have that effective interaction going forward. And then, are you being realistic?
Bryan Littlefair: Even if you’re a large multinational organization and you’re sending a questionnaire out to Amazon Web Services and Microsoft saying you want to come and audit their data centers, or you want to do a physical audit of Salesforce.com, things like that aren’t going to be realistic. And we have to make sure that, as well as setting ourselves up for success, we’ve set ourselves up to be realistic, and we have to get our assurance from some other mechanisms, like their assurance program, SOC 2, SOC 3, ISO, other accreditations that they’ve been through, so that we can understand that they are as secure as they can be. We have this strategic relationship with them, but we’re not going to get them to answer individual questionnaires, and we’re definitely not going to have that right to audit going forward. So let’s look at how we can optimize that process to get this effective communications loop that we’re looking for. I think hopefully you’re picking up on the messaging that you’re more likely to get a response to your TPRM requests using an optimized platform than you are running a manual process. And the reason for that is your manual Excel is very unique to you. It’s been created by you in all likelihood. It has question sets that are very relevant to you as an organization, but they’re worded uniquely to you. They’re structured uniquely to you. So it’s the first time they’re going to see something in that format, and they have to actually invest the time and effort to understand what you’re looking for and what they actually have to provide to you. And that takes a lot of time for them to do.
Obviously, using a tool like Prevalent, a lot of it is boilerplate and you can pick up a lot of those responses. Certainly from a supplier perspective, they can codify their response automatically into a lot of the questions that they typically get asked across the many thousands of supplier questionnaires that come in. So it just makes their life simpler, which obviously is a good thing.
Bryan Littlefair: But equally, it means that we get a response quicker, and I’ve got a slide on that coming up as well. So in my personal opinion, most suppliers want to be able to respond as quickly as possible. It’s not that they’re being awkward or difficult, for the reasons I’ve just outlined. If you’re running a manual process, they have a finite number of people on their side that are able to respond to these initiatives as well. So if it’s a couple of clicks of a button to be able to get you the information you need, then obviously the turnaround will be a lot quicker. If it’s actually opening up an Excel that they’ve never seen before, reading 300 or 400 different questions and typing the text into an Excel, obviously that’s going to be a lot longer turnaround. So we need to challenge ourselves on how easy we have actually made it for them to do, and equally automate here, right?
Bryan Littlefair: There are many organizations that I interact with now moving up the maturity curve in heavily automating the TPRM process, not just using the platforms but building in automated workflows. That can include going into the GRC platforms, automating compliance reporting, introducing robotics into the workflow, and equally machine learning and AI, but that’s probably a whole other webinar in terms of what that potentially looks like. But we’ve come a long way, and equally we need to recognize that this can be quite an intensive process to run. It’s got a lot of value to deliver into the organization and into the business, but if we can automate how that happens, so we can get that information disseminated to the decision makers as quickly as possible, then hey, we need to be all for that going forward. And then equally, as we’ve just touched on in the last slide, are we running a global process, or are they getting multiple questionnaires from us around the globe? I see this a lot as well. We need to recognize, if you’re in a large global multinational with a 50 or 60 country presence, a supplier in one country might not be strategic, but in another absolutely they may well be. And equally we need to recognize that it’s not always in a supplier’s interest to align with a global process from their perspective. Sometimes they can slice and dice an organization. I’m not saying they would, but certainly I’ve seen it happen where the pricing is different in different geographies, the SLAs are different in different geographies. So from our perspective it makes sense that we understand our interaction with individual suppliers regardless of the geography where that occurs. And then obviously, are we using templates as much as we can?
Are we using the boilerplates that we’ve discussed? And obviously moving away from the Excel spreadsheets is key. But what are we doing if we’re not getting the response, right?
Brian Littlefair: What are we doing if we’ve done all of this stuff and we’ve worked effectively with the business? We’ve done everything that we can. We’ve set ourselves up for success. We’re just not getting that engagement into our third party risk management process. Well, again, it comes down to that view of: if we’re being ignored, do they actually view this as an important process? If they viewed it as important and critical, then I don’t think they would actually be ignoring or delaying the process. So maybe we haven’t set the process up as effectively as we actually need to going forward. There are a couple of must-wins that I always put into my TPRM process. It has to be global, and we’ve talked about that. It can’t be run effectively locally. If you do it locally, it needs more budget. It needs more people. It’s highly complex and you can’t get a global view. So absolutely don’t try and do that. It needs to be mandated. So it can’t be optional. I’ve worked in numerous organizations, as I’ve said; there are always people that want to bypass this process. There are always people that think their initiative is really, really critical and it can’t go through the TPRM process. That has to be absolutely ruled out. This has to be a mandated, global, gated decision process that security has a veto on, go or no go, based on what the outcomes of this process say. If that is effectively implemented and you have a rule that no cash will transfer between organizations and no service can commence until this process is completed, then what you will find is that you have stakeholders on both sides leveraging and lobbying to actually move things forward as quickly as possible to get to the answer so that the service can commence.
The internal stakeholders absolutely want to drive things forward, and that’s the right thing to do for the business. The suppliers want to be able to recognize the revenue and get the service stood up. So they’re going to be doing everything they can to get the information to you.
Brian Littlefair: But the caveat for that is, if you put that mandate in place, if you’ve got that decision and you’ve got that veto, etc., your process will have to be highly efficient end to end, and I’ll talk a little bit about that on this slide. So if you are on the left hand side of this slide and you’ve got that veto in place and you’re running that mandated process, you can’t be in this world, because ultimately you become a massive bottleneck to the organization. Everyone will be complaining about your process and they’re going to be trying to circumvent it at every stage or form. So this slide has a couple of facets. One is, if we want to be able to optimize and move forward, what do we look for? And then equally, it’s what can you do if you’ve got zero response from a supplier, or you want to be able to find information out from a supplier very quickly. So, as I say, I’ve operated in both of these worlds. I certainly was running security functions before we had the benefit of tools like Prevalent and we had to use Excel spreadsheets. So, when you’re in that world, or if you’re still in that world now, we know the situation. A new customer relationship is starting to be formed with the organization, or a supplier organization. So day one we know very little about that company in the world of Excel. You’ve got a little bit of information about the service, you send out an email to the supplier contact that you’ve been given. They’ve got to work through your very complex Excel spreadsheet. They’ve got to fill that in. And in that world we’re typically looking at a 4 to 8 week turnaround for you to get that response. That response then lands back in your team. You’ve got a team of three or four analysts that then need to look at that response.
And depending on whether that Excel spreadsheet goes to analyst A, B, C, or D, you’re going to get a different outcome because they’ve all got different views on security. They all come at these questionnaires with different biases, different preferences, etc.
Brian Littlefair: So we’re not going to get a commonality of security review across our analyst space, regardless of what we’d like to think. So ultimately when you combine all this together, you might actually be looking at a 10 to 12 week turnaround to actually approve a new supplier to work with the business. And that might be completely disruptive to your organization. And you can understand, if you’re getting complaints about your process, then it’s pretty warranted in that respect. And I’ve certainly gone into organizations when I’ve started as a new security leader and I’ve seen processes like this in operation. But it doesn’t have to be that way. And certainly I’ve matured capabilities to get to a world like what it looks like to work with a tool like Prevalent. So for those of you that don’t know Prevalent, let’s talk about the situation, what it looks like using a platform like theirs. The new supplier relationship is started. You get the supplier name. Day one, you can go on to Prevalent. You put the supplier name in. You can see all of the different customers’ questionnaires that they’ve potentially answered for other customers. Obviously, you don’t get to see the names, but you can see all of that information that’s been prepopulated on that supplier. So, day one, you get access to a whole host of information about that supplier going forward. Actually, if you look at all the supplier questionnaires that are sent out from customers to their suppliers, there’s a huge overlap in the questions. They might be written in different ways, and obviously there have been attempts to put frameworks and standardization through them. But there’s a massive overlap. So you might find that 85 to 90% of the detail that you’re looking for within your questionnaire is within the tool already.
So you might have some niche questions that you want to ask which are pretty bespoke to your individual organization, but you’re going to want to know about their patching. You’re going to want to know about their incident response. You’re going to want to know about their policies, their BC, their DR, their compliance.
Brian Littlefair: All of that is going to be standardized questions that they’re used to responding to. So that information is going to be open and transparent within the tool already. You’re going to be able to see some of the analysis that’s been performed on them and what their risk position is from a Prevalent perspective, based on all of the customers that have used that information on their platform before. So you start to get some of that intel and risk information that you want to push back into your organization on day one. So actually, you can start to have some of those informed conversations with your business, which is what you’re wanting to achieve going forward. So hopefully you can see that this is night and day. So depending on where you are on your maturity journey, and I recognize that all security people, all procurement people, all legal or data privacy, depending on where you are on the call, we want to optimize the service that we deliver back to the business. So let’s all start to move forward on that maturity journey. Right. So I’m going to hand over to Scott in a minute. I just want to summarize a few things that we’ve talked about. So we want to have effective communications. We recognize that. So we have to recognize that communication is two-way. So we have to make sure that we build that relationship with our suppliers and we move it up that strategic life curve. We have to make sure that we have done everything we can to make that as easy as possible, and that’s about removing inefficiencies from our process. Inefficiencies mean more resource. It means more budget. So it’s the right thing to do for our organization as well. If you want to have a quick turnaround we have to have that great relationship. So understand how we can build and develop that relationship.
So that’s everything from the newsletter to the supplier conferences, and just understanding what you can do in your own individual organizations to mature that interaction. We want to streamline the tooling, which is what we’ve just gone through.
Brian Littlefair: It absolutely makes sense to invest strategically if you think about the resource burn that you’re running in an organization to run a 10 to 12 week process versus something that you can essentially execute 90% of in a single day. So I think the business case kind of builds itself for something like that. And absolutely we want to be able to get to those risk informed decisions as quickly as possible, because that’s what we’re all about in the security profession. So Scott, over to yourself.
Scott Lang: Thanks so much, Brian. I appreciate it. Excuse me. Just as Brian said a few minutes ago that he’s suffering from a chest infection, I’m suffering from a weird bout of sneezing. It must be the fall and all the pollen in the air; just before I came off mute and off camera, I bet I sneezed five times in like 10 seconds. Anyway, thanks everybody for joining in the webinar today. I think Brian delivered some pretty succinct and impressive guidance on just how to get your vendor’s attention, how to keep them focused and how to stay engaged with them throughout the risk assessment process. I want to share with you in just a few minutes what Prevalent can do to help automate and transform your third-party risk program, help it be more automated at every stage of the life cycle, from the point where you source and select a vendor to the point where you terminate and offboard that arrangement. Next slide please, Brian. Look, our objective is really kind of three-fold for you in your TPRM program. I mean, first is to help you get the data you need to make better decisions, and that can come in many forms. That might come in the form of getting good continuous risk intelligence from multiple different sources like cyber security scores, data breach history, operational business updates, financial information on your vendors, reputation scores, ESG scores, whatever, to help you make good decisions. Sometimes when we talk about data to make good decisions, that means finding the contacts at your vendors who you think might pay attention and actually respond to the assessment that you sent them. The second objective for you from a TPRM program that we work on with you is to increase your team efficiency and knock down silos.
Brian talked about managing a vendor relationship, a supplier relationship, throughout a life cycle, and procurement invariably is the one that probably owns the relationship on some level.
Scott Lang: Finance is involved. The security team is probably the one that actually executes on assessments more frequently than other departments. Audit compliance has to get involved. Risk management has to get involved. In an enterprise of any scale, you can get half a dozen different departments that are involved in a third-party risk decision or in managing a vendor relationship. And every one of those different departments is going to have their own objectives, their own needs, their own risk reporting requirements, their own risks they want to manage. And they want to look at vendors their way, and that’s fair. You can do that in six to eight different systems or in a spreadsheet, or you can look at it in one system that helps to address the needs of all those different constituents and stakeholders in the enterprise. That’s what we seek to help you do. And then third, to evolve and scale your program as the number of vendors you want to assess goes up or goes down, or the business contracts or grows, or you start a new project, you bring on new vendors, maybe you acquire somebody, you divest a business; you’ve got to be able to evolve the program over time to address not just different risk requirements and tracking but also operational changes to the business. And we’ve built that capacity into our platform, not only through how elastic it is but also how we augment it with professional and managed services to help you kind of customize it to your needs. Next slide please, Brian. I mentioned, and you can build it out a couple more until you see the… there you go. We mentioned earlier that we look at risk at every stage of a vendor relationship, of a supplier relationship, and that’s no joke. I mean, legitimately we have capabilities built into the platform.
We educate our customers on processes, people and technology at every one of these stages so that you understand that there are risks present and that there are solutions to address those challenges at every stage.
Scott Lang: From a sourcing and selection perspective we often find that customers struggle with a couple of things. Number one is not really knowing who the right contacts are at those vendors and suppliers in order to do some sort of pre-contract due diligence. Kind of understand who they are, what their company fundamentals are, demographics, data breach history, financials, whatever. We do a lot of that for you. We automate that process. We consolidate information into a vendor profile that helps you very quickly see what the vendor or supplier’s score is on any one of these different metrics, to help give you some confidence and say, “Okay, these folks are not only fit for purpose for whatever you’re going to be utilizing them for, but also a fit to your risk profile as well.” Second, from an intake and onboarding perspective, we see companies struggle a lot with different teams, different processes, different tools. And what we do is we automate an onboarding process with a very discrete, very specific workflow tuned to your business needs, whatever your workflow is in place, and help you create a single source of truth, not just for risk information like we do in that first stage but also a single set of processes for onboarding and for moving that vendor through an approval phase and getting them to BAU.
Third, scoring inherent risks. We find a lot of companies don’t do this with the level of discipline they probably should, but doing a very quick inherent risk assessment, eight to 10 questions that can be managed internally, you get a pretty good score that will help you determine how you need to assess these folks going forward based on criteria like exposure to client facing processes or touching protected data, for example. It might influence how you profile, how you tier, how you categorize a vendor. Next is really the core of the platform, and that’s the assessment and remediation capability.
Scott Lang: What we’ve done is we’ve created very specific risk questionnaire templates in the platform that address dozens of different risk types: security, ESG, privacy, financial solvency, and more. And then we give you the ability to very flexibly assess your vendors against any one of those different assessment types with built-in remediation guidance. Right? Every piece of content we load up into the platform, every questionnaire, has built-in remediation guidance for pretty much every question based on that vendor’s response. That level of prescription really helps you to automate your risk management process, your risk mitigation process, and ultimately get down to a point where everybody’s comfortable moving forward with the vendor throughout its relationship life cycle, if they’re recommending compensating controls or taking your remediation recommendations. The next step is monitoring and validation. Our approach here is, as I mentioned earlier, to consolidate different feeds of third-party risk intelligence from different sources and then pipe that into your central risk register and allow you to correlate those findings against what the vendor or supplier told you in their risk assessment. So that level of validation of controls and processes and whatnot that comes through continuous monitoring kind of closes the gaps in between assessments, but at the same time gives you that continuous feed of information to keep you aware of what’s happening in between, like contract renewal decisions or other business updates. Next is measuring SLAs and performance, and by that I mean establishing KPIs and KRIs and loading them into the system.
We also have the ability in our platform to use ML technology to extract KPI and KRI phrases from contracts and auto-populate a dashboard in the platform that allows you to then assign owners and track progress toward those KPIs and KRIs. By the way, Brian has given a really excellent webinar for us in the past on measuring the right metrics, the right KPIs and KRIs.
Scott Lang: So if you have a chance, check that out. And then finally, offboarding and termination. We find that companies really struggle with the end stages of a relationship. And by struggle I just mean, without some sort of prescription in place or defined process to end a relationship with a vendor, you don’t fully know whether or not they’ve got access to data, whether all their system access has been terminated, if they’ve destroyed data if that was what was in the contract, or whether all these final payments and whatnot have been closed off on. So again the objective here is to simplify and speed up onboarding, give you one process to assess vendors across your enterprise, and then bring teams together across the life cycle. Next slide please, Brian. And just very briefly, you can probably even go one more slide after this one. We kind of touched on that before. This is just a representation of the types of risks that we manage or monitor in the Prevalent platform. And we’ve got them bucketed out by these six categories. And each one of these bullet points represents a questionnaire or a continuous monitoring feed that provides you that level of risk intelligence for that vendor or supplier that you probably are getting from maybe a disjointed tool set approach, or maybe trying to manage in a spreadsheet. Next slide, please, Brian. Honestly, at the end of the day, what we’re hoping to achieve for you guys is three things in your TPRM program. Number one, to help you make smarter, more well-informed decisions through good reporting, delivering a very comprehensive risk and performance management interface. Second, to get you to a single source of the truth across your enterprise for assessments, for monitoring and for the life cycle.
And third, to be very prescriptive in what you do about the results that you get from vendor risk assessments. If they answered something in a particular area that was below your expectation, what do you do about it?
Scott Lang: Our approach is to help automate that process as much as possible for you so that you can close the loop on that risk, either through a compensating control or some remediation guidance from there. So look, at the end of the day, we’ve got a great platform, but we also offer managed services to help do this on your behalf if you so choose. And that includes chasing down vendor contacts, onboarding vendors, executing on the assessment, analysis, and remediation process, and then following that contract and that vendor relationship throughout the life cycle. So we’re happy to help from any one of those perspectives. I will end it there and flip it back over to you if you want to open up to questions.
Ashley: Thanks, Scott. I’m going to go ahead and… whoopsies. I’m going to go ahead and launch our second poll so we can follow up with you regarding any initiatives or projects that you may have. We’re looking to see if you wanted to augment or establish a TPRM program within the next year. Please be honest, because we do follow up with you. But we have about 10 minutes left on the clock. So, why don’t we go ahead and get through some of these questions. All right, Brian. Someone asked, “How do you recommend that organizations motivate the suppliers to perform annual reviews after the contract is signed and the vendor is paid?”
Brian Littlefair: Yes, it’s a really good question, and we do see this a lot, where you have a very collaborative supplier and then they get the money and then obviously they become less collaborative. They’ve got what they were looking for. I think it’s how you set yourself up for success, recognizing that that is a situation that may occur. It’s a little bit around the carrot and the stick, right? So it’s how you word your contracts from the outset, and it’s how you word the relationships and set out how things are going to work going forward. In many organizations, we’ve obviously had contracts for our suppliers, but equally we’ve set out a way of working that we co-sign between our various different organizations, and there are obviously penalties for breaking that, and in that, obviously, is the sharing of information in a timely fashion. So it’d be a pretty naive or short-sighted supplier that thinks, “I’m just going to get one year out of this company and move on.” So typically it’s about wording into the contract that this is an expectation, that this is something that’s going to happen. This is part of our risk process. So absolutely we need to interact. We need to get this information flowing to you. And if you don’t, the penalty is that you won’t be awarded the contract next year and we will move on to another supplier who will, and you really have to get that blunt, otherwise you’re going to be spending a lot of time chasing suppliers. You obviously have the situation where individual suppliers are niche and unique and they recognize they are critical to your organization, and they have to be handled slightly differently, because obviously you can’t get the stick out because you need them.
But ultimately it’s just about developing that relationship and working things through. Sadly, the contract helps, but it should be handled through the relationship initially, right.
Ashley: Thanks, Brian. We have another question that asked, “When questionnaires are sent to suppliers, which recipients at the supplier are most responsive with completing and returning those questionnaires?”
Brian Littlefair: Yes, I think, hopefully, it’s a security function, because obviously I’ve run this process within security functions a lot and I think that we get to a position where we know 90% of the information that needs to go back. Obviously we embrace tools like Prevalent from a supplier perspective because it allows us to communicate back in a rapid fashion. But typically all the answers, even in a Prevalent tool from a supplier perspective, would be uploaded or at least validated by the security function. Obviously it depends on the nature of the business that you’re in, but typically in my experience the responses come from the security function here.
Ashley: Thanks, Brian. And one more question here. Somebody asked, what’s the best practice to obtain a vendor’s financials to ensure their solvency during the due diligence and vetting process to assess financial risks?
Brian Littlefair: That’s a good question. Right. So, if you’re running a manual process, that’s a really hard thing to do. If I go back and you look under financial risk, Prevalent have really thought through some of the areas that they address and communicate back on day one, or things that they track from an organizational perspective. So in the Excel world that we talked about, that’s going to be a really complex thing, because getting hold of those financials depends on where you are. In the UK, anyone above a one person organization has to file their business accounts publicly, but that doesn’t tell you how well I pay my bills. That doesn’t tell you that I typically pay my suppliers in 120 days over 30. So being able to get that information and understand things like my credit rating off the bat on day one is really critical. And you’re not going to find absolutely every single supplier that you use in your organization on Prevalent, but the more of us that use it and the more of us that populate the information on there, obviously, it becomes more ubiquitous and useful to other organizations that are joining, and obviously we benefit from the speed and pace by using it.
Ashley: Anyways, thanks Brian. It looks like we have one more question in the chat. Frederick asked, “How do you ensure security requirements are included in the budget and explicit in the contract?” He often sees that security isn’t even in the budget.
Brian Littlefair: Yeah. And I’ve lived in that world as well, Patrick, where a new service is signed and maybe the IT and the infrastructure is thought through in terms of they’ve priced in servers, but they haven’t priced in the security requirements that are baked in, and that’s about embedding and working closely. And look at one of my other webinars where I’ve talked about the relationship between security and procurement, because I see that that relationship is absolutely key. If you are going to run a global TPRM process, getting security aligned with procurement is really, really important, and I’ve done a whole webinar on what that looks like, and I think that will answer your question. But in short, that relationship has to be effective. They have to understand what you’re trying to achieve so that no contract can be signed without the fully costed security requirements being in there as well; otherwise actually we’re putting the organization at risk. But I go into a lot of detail on that other Prevalent webinar.
Ashley: Excellent. Well, thank you so much Brian, Scott and everyone for all of your questions. They gave us some great information to take in today. So I hope to see all of you either in your inboxes or at a future Prevalent webinar. Cheers everyone. Enjoy the rest of your Wednesday.
Scott Lang: Thanks everyone.

©2025 Mitratech, Inc. All rights reserved.