Description
When you bring on a new third-party vendor or partner, you must fully recognize the inherent risks the relationship introduces. Yet many organizations' pre-contract due diligence assessments focus on only a handful of surface-level risks, a limitation that leaves risk gaps exposed once the engagement is under way.
Join Rodney Campbell, Senior Vice President and Head of Third-Party Risk Management at Valley National Bank, as he draws on years of experience building and managing TPRM programs to explain the role of inherent risk assessment in determining ongoing due diligence.
In this webinar, Rodney will:
- Identify the most important criteria for evaluating vendors in order to calculate a composite inherent risk score
- Describe the steps for tiering and categorizing vendors according to their inherent risk
- Define the different risk appetites used to decide whether a risk is accepted or remediated through compensating controls
- Explain the core controls vendors need to implement to progressively improve their residual risk score
Watch this on-demand webinar to get your vendor tiering and categorization off to a strong start with a reliable inherent risk scoring approach.
Speaker
Rodney Campbell
Senior Vice President and Head of Third-Party Risk Management, Valley National Bank
Transcript
Ashley: Hi everyone, and welcome. We're excited to have you with us. Please bear with us for a moment while everyone gets settled and connected. In the meantime, I'll launch our first poll; we'd love to know what brought you to this webinar. Are you here to learn? Are you new to TPRM programs? Are you an existing core customer? Or are you just bored and like listening to Scott and Rodney talk? If it's the latter, I understand. Either way, let us know. And of course I can't forget to introduce myself: I'm Ashley, Business Development Manager at Prevalent. Today we have a special guest, Rodney Campbell, Senior Vice President and Head of Third-Party Risk Management at Valley National Bank. Hi, Rodney!
Rodney: Hello.
Ashley: And of course I can't forget Scott Lang, our Vice President of Product Marketing. Hey, Scott.
Scott: Hey, Ashley.
Ashley: As a quick reminder, this webinar is being recorded, and we'll send out the recording and the slides as soon as possible afterward. Everyone is currently muted, but we still encourage you to participate: please submit your questions in the Q&A box and we'll answer them together at the end of the session. Today Rodney will be exploring the relationship between inherent risk and residual risk. So Rodney, please go ahead.
Rodney: Thank you, Ashley, and thanks to everyone for joining us. So today we're going to talk about the true stories of a third-party risk management professional, with a different twist on inherent risk and residual risk. Really, I want to focus on the disconnect between people, process, and technology and how that impacts the relationship between inherent and residual risk. Next slide. So, I want to make sure that everyone's aware. I know that we've spoken a lot about inherent risk and residual risk from the technical perspective, and also using technical terms, but I want to make sure that this particular message speaks to everyone: the individuals who work within TPRM, but also the individuals who are not within TPRM, the individuals who are uplifting a program for the first time. You're trying to wrap your head around what should I do and what can I do. I want to make sure that we understand the relationship between inherent and residual risk. And as you see on screen, TPRM is an ecosystem of interconnected processes, tasks, and activities that together work to identify, assess, and mitigate risk posed by third-party relationships. So the overall success of your program, third-party risk management, and the individuals that are stakeholders and contributors to the TPRM process: it requires business collaboration and organizational alignment. So again, going back to what I mentioned originally, I want to discuss organizational factors that can prevent appropriate identification and mitigation of third-party risk. Next slide. Now this is really interesting, because I can tell you that many of us here today who are on this call, as I stated, you're probably building a program and you're trying to figure out, where do I start? How do I look at this? So, I will say, consider this. This is a learning opportunity for all of us. I think we're all learners in the making, or subject matter experts in the making. So, consider this.
If you were purchasing a home or a vehicle, you would verify all claims made by the seller before signing the agreement and issuing a payment. You would? Because I know that I would. So, why should any other business transaction that you enter be handled differently? So, imagine signing a contract for a new home or a new car. You're going to make sure that you do your due diligence to make sure that that new home or new car is exactly as the seller stated it. So, why would you handle any other business transaction that you're entering into differently? You would want to raise and position the same level of due diligence as you would if you were purchasing your own home or vehicle. Next slide, please. Your organizational role and responsibility in third-party risk management. Now, this is really important, because again, you are more than likely a part of this process in your organization. Now, whether or not you've been included in that process is another story, but I want to make sure that we understand, for all of you here on the call, you're probably a stakeholder, and a stakeholder can be many things within your business units. A stakeholder may be someone from your control function, a person who has a part or a role to play in your process. Are you engaged? Are you involved? Are you aware of what's going on within the TPRM process within your organization? You may be a vendor relationship manager. Now, I know many people are probably on this call cringing a bit, because we know that the relationship management term has been deemed an administrative process in the past. We want to make sure that if you are the owner of a relationship, are you responsible for the relationship that you're managing? Are you aware? Do you know what your supplier risk is? Do you know the impacts of your supplier risk? Are you utilizing your supplier engagement the way that it should be utilized?
Are you engaged with the supplier so that in the event of an issue or a risk event, I would say, can you contact them? Do you know who to contact? So I think the vendor relationship manager role is very important, is extremely important. You're part of the first line of defense, and I think if you have no awareness as to what your role and responsibility is, if you're part of the first line of defense, that's probably something that you should discuss with your TPRM team, assuming that it's centralized. Now, internal audit. Internal audit, again, you're probably cringing again, but they are friends; they help us get better. So internal audit has a role and responsibility in your TPRM program. They act as an effective challenge. They are the third line of defense. It's important that you partner with internal audit, because the goal is maturity. It's evolution. You want to make sure that what you're doing as an organization, you're moving in the right direction, but you can't do that alone. So no matter how smart you think you are, no matter how great and talented your team may be, you need to partner with that line of defense. It's incredibly and crucially important. And then you think about senior leadership. This is really important, because I want to say, if you are part of senior leadership, you want to make sure that you understand what are the products and services that you're utilizing to make your day-to-day business operations run as they should or run as expected. If something occurs within your business line, within your business function, are you aware? Are you aware of the number of products and services that you do utilize to operate as a business? And are you aware of the impacts and the risk? If you're not aware, you should be. And I think engaging with your TPRM team is critically important. I believe your TPRM team should also engage with you. Remember, collaboration is key. I also want to mention the board of directors.
Often times we do not mention the board of directors in TPRM. I think at a high level, at the policy level, we do; we talk about it in other calls. I see that other presentations and webinars mention the same thing. But I do believe board engagement and board awareness is important. It's important because you are responsible for providing governance and oversight, or management oversight, for products and services that are supplying and supporting your organization. Many of these are critical, core. Now, you want to make sure that if there are any risks, anything that you identify that could potentially impact your organization, you want to make your board aware. Now, again, this is at a high level, but I do think that situational awareness, their engagement, is critically important. Sourcing and procurement: you may or may not have a sourcing and procurement department. It may be integrated within your TPRM program, as many are, but that relationship with TPRM is critically important. You are sourcing suppliers that your organization may potentially use. If you're disconnected, what you essentially do is overlook or probably bypass some of the processes that are required by TPRM. So, you want to make sure that sourcing and procurement are heavily engaged. They're actively engaged. And TPRM is a department, or a function, that can consist of many roles. So, not just the TPRM as a centralized unit, but also the control functions, the individuals that help support your business's operations to make sure they run sufficiently. Next slide. Whoa. An organizational issue. I tell you, this is a real organizational issue. And this is why I said I want to talk about inherent risk. I want to talk about the relationship between inherent risk and residual risk from a different perspective. Not just getting into the semantics of risk categories. Not getting into this is what an inherent risk assessment means for your organization.
I want to talk about an organizational issue that prevents the complete accuracy of an inherent risk assessment, the identification of risk, and the mitigation of risk that you identify in that inherent risk assessment. Now look at this screen here. We see there are key organizational issues that prevent the proper identification and mitigation of third-party inherent risk. Now some of these things and terms may be something that you're well aware of, and some of these may be terms that you're unaware of. But think about what these mean. Lack of corporate governance. What does that mean in your organization? You're onboarding a supplier, a potential third party, critical or not. It's important you have a process. If you don't have a process in place, who knows who does what? What are the roles and responsibilities? How are they delineated throughout your process? At what point should this department or this function be involved? Who's the stakeholder? What is the approval process? Do you all understand what is point A from point Z? When you don't have corporate governance, processes are run all over the place. I can tell you that it isn't repeatable. It isn't reportable. It's probably done many ways for many different things, or many ways for some of the same things. The next point is organizational silos and fragmentation. That never happens. Of course it does. So organizational silos and fragmentation, that is one of the biggest threats to onboarding any particular supplier. I say that because the silos, the decisioning that is made within business departments, need to be joined, not disjointed. But often times the ideas, or the ideation, the planning and identification of suppliers, they're done separately. So the greatest idea that one business function may have, another business function who is an interdependent or interconnected department, or maybe a shared service, is completely unaware; that will pose great risk to your organization.
Fragmentation is often important too. You have business units that are probably working day-to-day side by side, in parallel, but they're not communicating. So again, you've got to have that collaboration. You've got to communicate. I think whenever there's a third-party engagement, consider all of the risk, consider all of the shared services and the shared responsibility throughout your organization. So for example, if I'm a business function and I am looking to onboard a supplier, if that supplier has access to confidential information or confidential data, who should I involve? Exactly. I need to make sure I have the right people involved, because if I don't involve the right people, the right departments, I'm going to make a decision solely based off of what I think and what I know. Now, keep in mind, I'm not in privacy. I'm not in information security, but I will make a decision that a stakeholder within privacy and information security should be made aware of and should also participate in. The uninformed, independent decision makers: that never happens. Of course it does. The uninformed and independent decision makers, these are what I find to be the biggest threat to your organization whenever you're dealing with third parties and products and services. The uninformed, independent decision makers are individuals who are probably bright and brilliant at what they do. But the decisions that they're making aren't fact-based. They're decisions that are being based off of interpretation: their perspective, or perhaps their strategic goal, or what their view of value is from dealing with a potential third-party product or service engagement. I think many times you see in an organization you have a stakeholder, or I would say business champion. Then the business champion wants to get this done. We need to get it done. That's the individual who is kind of waving the flag of this particular third-party product or service engagement.
They're telling you the reason why it needs to get done, but they do not know how it's getting done. They do not know the impacts. They do not understand the risk. They don't understand the overall value and strategic purpose of the third-party product and service engagement. And this is critically important, because that uninformed, independent decision maker more often than not will be responsible for engaging suppliers and probably, I'd say, misassessing, but inaccurately assessing, the inherent risk, and also misidentifying the mitigation for the inherent risk as well. Internal misalignment. Does that ever happen to you? It does. I'm going to tell you why it happens. Internal misalignment is when you get a bunch of individuals, not in the room, but a bunch of individuals who are working toward the same common goal. You have the same purpose. Again, the product and service engagement makes sense for your organization. The problem is this. When decisions are made that are disjointed, they're not made together. We're not connected. We are not all equally and collaboratively in agreement that this product and service engagement meets the same risk profile, meets the same measurements, the same goals. We are in alignment with the impact. We understand the level of risk. We understand the holistic value. Then I can tell you that often times the actual product or service engagement, as you intended it to be initially, will not play out as originally planned. And another one, which is probably most important. Now again, take in mind, these are not in any particular order. This isn't a chronological order. This is just informational for all of you. Insufficient vendor vetting practice. Vendor vetting is important. Often times we do not distinguish between vetting and onboarding. During that planning and identification process, are you verifying that the supplier is who they say they are? Are you looking at the infrastructure or corporate entity holistically?
Are you asking for due diligence at the onset? Are you running checks on your suppliers? What are you doing at the beginning to make sure that, at the baseline level, these suppliers can pass stage one and get to stage two? I can tell you why it's an organizational issue, because often times you're probably bypassing vetting or you're consolidating vetting with contracting. So you've presumably already selected a supplier, but you haven't. The vetting process is to identify the impacts, identify the risk, and discuss that internally with your group. Next slide, please. Now here, this is really important. An organizational recommendation, and I have that in caps, you see: drive business value, quality service, and appropriate third-party risk management practices. Now, everything that I just mentioned on the previous slide, here's a way to address those things. Now, again, you have to make sure that you apply these techniques to your organization, because it isn't one-size-fits-all. Everything is different. So, this is why I didn't want to approach inherent risk and residual risk from the typical methodological perspective of this is what you do, this is the question that's asked, and this is what you respond with. I think it's important that we understand the people risk, the people element of how these processes can go wrong from the onset. So when we talk about an organizational recommendation, I want to make sure that we address the concerns that I initially stated on the previous slide. So establish corporate governance: accountability, transparency, fairness, responsibility, and risk management. Corporate governance is extremely important. How can you continue to source suppliers without a sourcing strategy? Has your strategy been operationalized? Do you have policies? Do you have rules? What is your governance? What is your framework? What is the process guidance? It's easy to point a finger at a business function or an individual who isn't doing the right thing. But if you don't have process guidance to show them or point them in the right direction, then who's at fault? I think that's a shared responsibility. So if you are responsible for any TPRM program, you want to make sure that you provide effective process guidance. You want to make sure that you provide effective governance so that the individuals who play a role and a responsibility in this process have direction as to what needs to be done. Encourage cross-functional collaboration and stakeholder engagement before engaging prospective third parties. Again, it goes back to the collaboration. You need cross-functional collaboration. You need stakeholder engagement. It would be unwise and unfair of you to position or propose a potential product or service engagement to a stakeholder for sign-off and not make them fully aware. So again, if you are a stakeholder, you want to make sure that before you are approving, before you are giving the two thumbs up to move forward with a product or service engagement, you have full awareness and transparency as to what the engagement entails: not just the value, not just the cost savings, but the risks and the impact. And you want to make sure that your organization, from a shared service perspective, they're aligned and not unaligned. The understanding should be understood and not misunderstood. The next one: facilitate decision-making based on facts, not interpretation. This goes back to that uninformed and independent decision maker. And sometimes it's not just one; it can be many. And many can be together, or displaced or dispersed throughout the organization. You want to make sure that your decisions are fact-based. We're moving forward with this supplier for these reasons. Your due diligence should be substantiated with actual work.
Again, your decision making, the decisions that you're making to onboard a supplier, not just simply because you need a product and service, but you need to make sure that you show true transparency, accountability, and due diligence for why you decided or determined to onboard or engage this vendor. That needs to be fact-based. You cannot select, or I would say you should not select, a supplier based off of what you think. You should select a supplier based off of what you know, and what you know may not be all the way good. I can tell you, oftentimes in my previous life, onboarding suppliers has not always been the greatest, but those onboarding activities and processes were done with fact-based decision-making, not interpretation or what I think I knew simply because I have awareness of a supplier from a previous life. And establish internal business alignment on strategic goals, purpose, risks, impacts, and value before engaging. I mentioned this a few times; again, it goes back to that internal alignment. You need to make sure that the individuals who will play a role and responsibility in your process, they're aligned. If they're unaligned, then that means you will have the perspective or idea of value with one group or one person, and that can potentially raise or pose risk thereafter. So, how can you identify an inherent risk if individuals who are part of your risk function, or individuals who are stakeholders in this shared collaborative process or shared service, are not a part of the conversation, or there is complete disagreement, or have a complete misunderstanding of the product and service engagement that may be detrimental to your organization? So again, you need to make sure that your business functions are aligned, make fact-based decisions, but you do that with cross-functional collaboration and inclusivity of the groups that are a part of the shared service, in the shared collaborative moment. Next slide, please.
The ecosystem of third-party risk management. So everything that we just talked about, we talked about the inherent risk, we talked about criticality, and criticality we really didn't talk about, but I want to be sure that criticality cannot be distinguished or just simply aligned by one person. It needs to be a collaborative moment. If you do not have all the groups, all the risk functions involved, whose decision is it to be critical or non-critical? Whose decision is it that the inherent risk is high? Why is it high? Is it low? Is it medium? I think this is a collaborative moment. The engagement by your business functions, the engagement by the stakeholders, is critically important to understand what the nature of the engagement is and the risk posed to your organization. So you want to make sure that you establish internal alignment so that you can establish an accurate inherent risk assessment for due diligence. We talk about that all the time. I think most of us on this call, I can tell you, me, I've been on so many due diligence webinars. I've been a part of due diligence discussions. What should I collect? Can I collect it? If I don't collect it, what can I or will I do? Those are all important questions. But I can tell you now, you will never know what to collect if you are not engaged at the onset. Remember, your inherent risk dictates your due diligence. Due diligence that's collected is based off of the inherent risk posed by the product or service engagement and the inherent risk posed to your organization. But if you don't have the right people involved to help identify that risk, then that would be a problem in itself. So you will miscalculate, and probably, unfortunately, mischaracterize the inherent risk, and unfortunately not collect the proper due diligence to mitigate that inherent risk, and the residual risk assessment as well. We talk about it; we pair due diligence and residual risk assessments together. We do. But here is the problem.
A residual risk assessment is a point in time. It's a point-in-time assessment. It's a moment in time where you collect a document. It can be a SOC report. It can be a SIG, but it is a document that is dated. The document isn't up to date. Right now, me, you, all of you on the call, we're looking to move forward with this product and service engagement, but your SOC report and all of the other applicable due diligence material are not materials that reflect today. They may be materials that reflect last year. They may be materials that reflect longer. So you want to make sure that you make informed, fact-based decisions, because for a SOC report, and again, a SOC report is really good, it is a control audit report, but I do want to make sure that we're well aware that point-in-time assessments, while they are efficient, I do not find them to be entirely effective. So I do think you need to have other measures. Continuous monitoring, I believe, is where you create strength, but how are you continuously monitoring a supplier if you've misidentified the inherent risk and misidentified what should be done in the beginning? So what I'm trying to show you is how these processes, as an ecosystem, are interconnected. If you don't accurately assess the vendor at the onset, then your due diligence will be incorrect, your residual risk assessment will be incorrect, the residual risk profile will be incorrect, selecting and contracting the supplier will be entirely incorrect, because how can you memorialize the risk, the due diligence, anything that you found during the inherent risk assessment up until that residual risk assessment? It will be incorrect. So you can't memorialize the right things as far as provisions are concerned, in SLAs, in your contract, because everything was done incorrectly, and your continuous monitoring is risk-based. But how can you continuously monitor a vendor if you inaccurately risk assess and have an inaccurate risk profile of the supplier?
So what you're seeing here is how all of these processes are connected, but it's really important that the people, the people who are a part of these shared services, are equally and actively involved and engaged in these processes, because if you're not, then every subsequent step and every subsequent activity will be managed correctly. So again, going back to that collaboration, that internal business alignment, make sure that you get your stakeholders involved. Make sure that you get them actively engaged. Let's not present just the value of the contract at the cost of the proposition level. Let's show a holistic view of what the contract is, or the product or service engagement is. That includes the risk. Not including the risk simply because you may believe it'll be a bottleneck, or simply because you believe the stakeholders or the powers that be may decide to not move forward with your engagement, again, may be detrimental to your organization. So you need to be as transparent as you possibly can so that all of the right people who are in the room can make fact-based decisions. Next slide. Now, before I say thank you, I do want to make sure that we address any questions that may be in the queue. So, I'll let Ashley or Scott let me know if there are any questions and we can talk through that. So, before handing it off to Scott,
Ashley: Hi, Rodney. I see a few questions in the queue. Ed asks: "How do you successfully stress to internal stakeholders the importance of calculating inherent risk across the third-party population?"
Rodney: How do you effectively stress that importance? I'd guess, do you submit quarterly board reports? Because I think senior stakeholders are critical; if they aren't aware of the risks a product or service engagement brings, then unfortunately there's nothing they can do. They can't provide support, and they can't be the help you need. So I think quarterly board reporting is essential: it's the opportunity to communicate with the organization's senior leadership, conveying both where the organization stands at the TPRM level and where the risks are, while also showing the opportunities for maturity and improvement. If you can do that, I believe it not only drives adoption of the program but also pushes it toward continuous optimization and maturity.
Ashley: Great. We do have a couple more questions in the chat, but Scott, I'll hand it over to you now and we'll handle the remaining questions at the end.
Scott: Awesome. Thank you, Ashley. Hi everybody. My name is Scott Lang, VP of Product Marketing here at Prevalent. I just wanted to share a couple of things about Prevalent here, to draft off of Rodney's presentation regarding inherent and residual risk, just to touch on a few ways that Prevalent can help you simplify that process of calculating inherent risk, translating findings into action to ultimately reduce your risk profile and get down to an acceptable level of residual risk over time. And really, it all comes down, from our perspective, to what our customers tell us, which is that they want to accomplish any one of three things in their TPRM program. The first thing they want to accomplish is getting the data they need to make better decisions. And from an onboarding or inherent risk perspective, that includes getting the right set of intelligence and the right people involved in the process to understand the company's initial risk exposure, and then identifying what types of due diligence are required based on the results of kind of that very baseline assessment. A second is increasing efficiency and breaking down silos, as Rodney mentioned. You know, there are an awful lot of people in organizations involved in third-party risk, and I grew up on a farm, and the analogy we always used was if you have a lot of people's hands on the plow, that plow's not really going to go in a straight line. So, who's responsible, who's accountable for third-party risk, who contributes to it, who needs to be consulted and informed about it, and bring those people together under a single source of the truth of data and processes so that you can accomplish your organizational goals. And then finally, evolving and scaling their third-party risk management programs over time.
Chances are that program is going to change, not necessarily from a scope creep perspective, but you're going to bring on new vendors and suppliers. New third parties are going to be introduced to deliver goods and services to your enterprise to help you deliver on your expectations to your customers. So how do you adjust and be agile over time and account for any of those types of changes that happen as the organization evolves? You know, our approach to addressing the third-party risk management challenge, and those three objectives that you saw on the previous screen, is to look at risk at every stage of the third-party risk management life cycle. So often we take a look at risk on some level during the sourcing and selection phase, or making sure that that company matches your company's risk profile, in addition to the good or service that you're going to be purchasing from them or utilizing being fit for purpose. And then maybe we do some assessments, or we look at a contract renewal, but how often is that level of discipline and rigor carried out throughout the rest of that relationship life cycle? We see that problem happen pretty frequently, and it involves a lot of different teams in the business, whether it be the procurement, vendor, and supplier management teams, IT security teams, legal, compliance, data privacy, and many others. So we see these unique and distinct challenges at every one of these phases of the relationship, and our approach is to deliver a prescriptive process that helps you to recognize and mitigate those risks at every stage.
So that as that relationship progresses, from the point that you source and select a vendor to the point where you offboard and terminate that vendor when the relationship ends, you have the assurance that you've got visibility into the risks, that you've got an action plan to mitigate risk down to an acceptable level, and have the documentation and memorialization of evidence to prove it to the auditors. And from our perspective, it really comes down to three things. That is, simplifying and speeding up onboarding with a single source of the truth and a process that the entire enterprise can leverage. Second, streamlining that ongoing assessment process and closing gaps in risk coverage that often happen when different teams are involved in managing third-party risk and maybe using different tools and different sources of intelligence and insights to get a picture of whether that third party brings risk to the business. And then finally, unifying teams across the life cycle, which I addressed. So starting in the lower left off to the lower right, I guess, in our half-moon shape here, what we can help you accomplish at the sourcing and selection phase is adding automation and intelligence to RFx processes, RFP and RFI processes. So often those things are done in silos, they're done in spreadsheets, there isn't a lot of automation involved, and there effectively isn't a lot of risk visibility involved in a new vendor or supplier that you're looking to onboard. Second, at the intake and onboarding phase, we can give you that single source of supplier truth: one supplier profile, one set of intake processes, one set of contracting and onboarding processes that is extensible throughout the enterprise. So you're singing from the same hymnal, so to speak. And third, scoring inherent risks, something very close to our topic today.
We give you the ability to score and categorize suppliers based on data-driven insights. It's a combination of an eight-question internal survey that you and other members of the team collaborate on answering, as well as incorporating outside intelligence on potential compliance problems, financial risks that this vendor might expose you to, a history of data breaches and cybersecurity problems, governance issues, and more, all to give you a score to help you then prescribe a path to a more complete due diligence once onboarding is completed. Fourth, our specialty is in streamlining and automating the ongoing risk management process, and we deliver specific capabilities in our platform that enable you to do that across multiple different risk types. Now historically, IT vendor management, third-party risk management, was the domain of the security team, and largely is still today, because of the sensitivity of the data and systems and processes that you're ultimately exposed to as a result of doing business with a third party. But, for example, the Prevalent platform has more than 200 built-in assessment templates that enable you to pose to vendors specific risk-based issues that matter to your business or matter to the board. Next is monitoring and validation, or validating the results of those assessments with continuous cybersecurity, business, reputational, and financial insights. A lot can happen in between the time that you make an onboarding decision and that you finish your due diligence and contract renewal happens.
So we help you fill the gaps between those different types of assessments with the intelligence to keep the team abreast of any challenges that vendor might be facing. And not all risks are cyber risks, ESG risks, compliance risks, or operational risks; sometimes a risk is a performance-based risk. We give you the ability to measure and manage your supplier effectiveness with built-in KPIs and KRIs. And then finally, inevitably, like Neil Sedaka said, breaking up is hard to do. So when it comes time for that vendor relationship to end and that contract to terminate, so often we see that companies don't have the rigor and the discipline built into the process to properly offboard the vendor and mitigate the long-tail risk that you can be exposed to. So we give you the checklists, the document management, and the compliance reporting to close that process off. We address multiple different types of risks, or risk areas, with our platform, and that helps give you a good view of your inherent risk, measure the progression of that risk over time, and then get you down to a level of residual risk that's acceptable to the business.
And these are the general six categories that we deliver risk insights into, whether it's an assessment built in the platform or the result of continuous monitoring insights and intelligence that we consume and then correlate against those assessment results on your behalf. I won't belabor the point; read the fine print there. How do we deliver it? We deliver it in a way that leverages the three great strengths of Prevalent. Number one, the people: the experts we have who do the hard work on your behalf if you desire that, and that's onboarding vendors, managing them, remediating, executing assessments, and then incorporating a tremendous amount of intelligence and data from half a million different sources, putting that into a format that can help you make good decisions, and housing it in the platform with all the workflow, the automation, and more, to help you ultimately get down to that level of residual risk that satisfies your board requirements. Look, at the end of the day we want three things for you, not three things from you. And those three things for you are, number one, to help your organization and your third-party risk management program be much smarter in its approach, and that's delivering you comprehensive insights, data-driven analytics, and role-based reporting for multiple different teams throughout the enterprise. The second is to give you a single source of the truth, to combine assessments and monitoring together and then look at risk throughout the entire life cycle, from onboarding to offboarding, in a much more unified fashion than you might be doing with spreadsheets or with disparate tools that really don't talk to one another.
And then finally, as I mentioned before, it's a very prescriptive, intelligence-based approach that gives you built-in recommendations, remediations, and more to extend out to your vendors, third parties, and other suppliers, which ultimately can help you get down to the level that you're willing to accept. So from Prevalent's perspective, that's our approach to addressing the problem of third-party risk management. And I think it ties in very closely to what Rodney talked about today in terms of the big challenges that organizations face in third-party risk and what the overriding issues are to get from an inherent to a proper residual risk score. So at that point, I'll stop talking. I'll open it back up to Ashley. Ashley, if we have any other questions for either Rodney or myself, I'm happy to take those now.
Ashley: Hey, Scott. Thank you so much. I'm going to launch the second poll now so we can follow up on any project you may have. We want to know whether you plan to build or improve a third-party risk management program this year. Please answer honestly, because we really do follow up. But before that, Rodney, let's go through these questions. It's great to see everyone participating so actively. I know you want to respond to Ed's question: how do you effectively emphasize to internal stakeholders the importance of calculating inherent risk across the third-party population?
Rodney: Yes, I want to revisit this question too, because I imagine Ed may be in the position I was in years ago. How do you get stakeholders involved? I don't just mean the board, because getting to that stage takes incremental steps. You may not yet have the engagement or the channel at the level of quarterly reporting. Right now, the senior management team and leadership are critical as stakeholders. I think every third-party relationship should go through an inherent risk assessment. Distinguishing inherent risk from residual risk is especially important. I see more and more organizations that only report residual risk, only monitor and manage residual risk, and lack real transparency and insight into the inherent risk the product or service engagement brings. So I think it's critical to emphasize the inherent risk that the product or service engagement brings, not just the risk that remains after internal or external controls are in place. You have to make sure you interact frequently with the senior management team and leadership, which is the collaborative model I mentioned. We usually focus on internal relationship management, meaning we look at how the organization operates internally as well as the external relationship with the vendor. But that collaborative model is just as important internally. If you are in TPRM or belong to that function, remember: this is essentially a system of interconnected processes and activities. Collaborating with all the relevant parties is not just beneficial; it may be a necessity. By establishing a collaborative mechanism and building a baseline of shared understanding, you help senior management support, and even advocate for, your work across the organization.
Ashley: Great. Scott, next we have a question from Mary: "How does Prevalent help organizations with their annual SOC report review?"
Scott: Yeah, good question. The way we handle SOC reports is this: if you've had a report done by a third-party audit firm and you have the SOC report, we help you interpret it. We offer a service where we go through the report with you. We extract the key risks and key controls, map them into our platform, and build a risk register you can track over time. Through remediation and other measures, you can then continuously monitor the status of those risks. We don't perform the SOC 2 report ourselves or complete the audit on your behalf, but once the report is done, we help you turn its contents into actionable data in the platform so that you can actually manage the risk, instead of sitting there with a PDF wondering, "Now what?"
Ashley: Thanks, Scott. So Rodney, we have another question for you. Someone asks: "What percentage of your vendor population should you actively apply risk mitigation to? Given that the inventory is split into high, medium, and low tiers, and given that most vendor risk management program teams are small."
Rodney: Okay. So when we ask what percentage of vendors should have active risk mitigation applied, I think you should proactively mitigate whenever you identify a risk. Of course the degree will vary; obviously you won't monitor a low-risk vendor the way you manage a high-risk, critical, or even medium-risk vendor, but that depends on the organization's risk tolerance and on the risk you've actually identified. This matters, because I often hear many organizations, and even some vendor risk management programs or practitioners, claim that low-risk vendors don't need any mitigation at all: since we've classified them as low risk, nothing needs to be done. I disagree. What looks like low inherent risk today can become high or medium inherent risk tomorrow because of a sudden change. That change can come from several sources: a material change to the product or service, or a change in the engagement model. For example, today you work with a vendor on a particular product or service, and tomorrow you engage the same vendor for a different product or service. I find that most organizations, not all, have this problem: when a single vendor provides multiple products or services, the assessment becomes disconnected. If the initial assessment was low risk, subsequent products or services inherit the same rating, which is neither accurate nor reasonable. I don't think that's right. You have to make sure every product or service engagement goes through a risk assessment, assessing not just the relationship but the product or service itself. Whatever the result of the risk assessment, you should build a management and monitoring plan around it. So I believe risk mitigation must be applied: even when the risk level is low, you should at least manage and monitor at a low-risk cadence.
Ashley: Great, thank you, Rodney. Scott, we have another question for you. Someone asks: within the Prevalent platform, is there an external interface that can efficiently collect the required data on a regular basis?
Scott: Yes. Actually, our platform includes an open REST API that allows you to integrate with external intelligence sources to add more context to vendor scoring or vendor assessments. In addition, we offer our own continuous monitoring solution covering cybersecurity, financial, business, reputational, and ESG dimensions; whether it's data breach events or other ingestible data sources, they all add context for you. And of course, the open API also lets you integrate with your existing tools.
Ashley: Thanks, Scott. Now back to you, Rodney. Tony says that one of the most challenging parts of risk management he's coming to recognize is building and sustaining an effective stakeholder engagement mechanism. For legal risk managers, what key advice would you give for building a more impactful one?
Rodney: Look, I really like this question, because it goes back to the original intent and core of today's presentation. All risks matter, but I do think people risk is a key factor in different areas for many reasons. Still, I think your collaboration with other functions is critical. I want to believe you're at the beginning of building your program, perhaps still at a foundational level. How do you get the lines of defense to work together? First, have you identified who makes up the second line of defense in your organization? Is there a policy or governance structure that defines which functions or teams actually constitute the second line of defense? That's critical. It's not just a matter of policy; you need to go beyond what's written and achieve active collaboration with the second line. I think that's critical. I've seen in some organizations that they may have a single function handling this, or they may have multiple risk functions because they cover multiple risk areas, but those functions don't communicate or collaborate with each other. I can tell you plainly that this fundamentally hinders collaborative protection, when you should be protecting the organization together. So inclusive collaboration is mandatory and critical. As a risk control function, you have to keep communicating with neighboring risk control functions, even if the risks you review seem unrelated, because when it comes to third-party product and service engagements, remember that all processes and activities are interconnected and interdependent. So at a minimum, maintain situational awareness, even if you aren't directly involved in remediating or mitigating the risk at that moment. I think establishing a collaborative mechanism between internal risk functions and the second line of defense is critical: assess which product or service engagements are high-risk or critical, review where potential problems lie, and make sure the team reaches agreement on the external risk assessment and the internal response, both how to respond to the external risk and how to resolve it or its potential impact.
Ashley: Thanks, Rodney. Next we have another question from Christina, also for you, Rodney. She asks: "When two entities are merging, how do you handle merging two TPRM programs?"
Rodney: Two TPRM programs. Is that the question? How to merge two TPRM programs? I'm guessing that's it.
Ashley: Yes.
Rodney: Okay.
Ashley: I love that Christina is quick. Yes.
Rodney: Interesting. So when we talk about mergers and acquisitions, the key is having clear, and I mean transparent and clear, visibility into the products and services. I'm guessing you're on the acquiring side? Is that right? Or are you the acquirer? Can you answer that? She's probably in the to-be-determined category. Okay. Thank you. So this decision will involve many factors, because my perspective is both as a TPRM practitioner and as a professional advisor. I think this decision should be made jointly by senior leadership and the stakeholders, because you need to evaluate the effectiveness of the TPRM programs. Frankly, you have to determine which TPRM program is the best fit for your institution; effectiveness is critical. There may be room to consolidate, since the existing products and services need resources to support them and current capacity may have headroom. But you have to evaluate the effectiveness of the TPRM programs, not just considering the current state but looking ahead. This is about evolution and maturity. So if your organization is implementing a TPRM program or managing a TPRM program, you have to recognize that the program's effectiveness affects not only the present but the future state as well. That is critical. Answering here, I still don't know whether the programs will be consolidated or kept separate. But a decision is inevitable: the same organization can't have two TPRM programs at the same time. Either you consolidate, or one of the TPRM programs has to become the primary program, and I think that should be the one.
Ashley: Thanks, Rodney. Now back to you, Scott. Someone asked about the cyber risk and compliance risk monitoring you mentioned that Prevalent provides. Is that real-time monitoring? I mean, when a third party has a data breach or a cybersecurity incident, does Prevalent's monitoring notify us immediately?
Scott: Yes, the short answer is yes. It's as real-time as the announcement or vulnerability disclosure itself. So, you know, most service level agreements (SLAs) for cyber monitoring tools set a 24-hour window between discovery of an event (for example, a CVE being published or a data breach being announced) and notifying you. We strictly follow that industry-standard SLA, ensuring the information is pushed to your Prevalent platform instance within 24 hours so you can make decisions based on it.
Ashley: Thank you, Scott. Rodney, someone asks: do you think SOC documents are more valuable than an unaudited SIG?
Rodney: Oh my, how many times have I been asked this? I think it depends. I don't think they're inherently more valuable. It's true that an unaudited SIG contains a lot of practical information you can use directly. But my judgment takes into account the vendor's criticality, the level of risk, the vendor risk rating, and the overall product or service engagement. I have to admit the SOC report is very high quality. I do appreciate that report, but I'll also say: it only reflects a point in time, just like the other documents we get from vendors or third parties. I'm more focused on the present than on what the auditor reviewed last year, because I need to start working with a prospective third party immediately, I need to sign the agreement today, and the document in my hands validates the effectiveness of external controls from last year. That means my fact-based decision is actually relying on information from a year ago. That's practically a coin toss. I think you should get as much relevant information as you can to support your decision. Whether you're validating the SOC or the SIG, you need substantial supporting documentation, because I'm certain that when you're dealing with point-in-time assessments and point-in-time documents, compensating controls are necessary. I'm not stopping there, but I also want to emphasize to everyone attending: I understand the importance of residual risk assessment. We all understand what that assessment means not only to the organization but also to the auditors. We also know what it means to regulators. But please keep paying attention to continuous monitoring. I think your assessment of the value of emerging risks is especially important: not the risks that exist now, but the potential risks that could harm or affect the organization. You have to stay alert to those. So get information relevant to today, combine it with information that may be relevant to yesterday, use both, and make a fact-based decision.
Ashley: Thanks, Rodney. And Julia asks: "If an organization chooses to take a more conservative approach and manage only inherent risk, what do you think the benefit of incorporating residual risk is?"
Rodney: Okay, I've heard this question many times too. I think it's like a coin toss, fifty-fifty, depending on the organization and its risk appetite. I've heard some very thorough questions and answers from others on this. My view is: what is your organization's risk appetite? When deciding whether to take a conservative approach and manage only inherent risk, you really need to weigh those factors. I'm not against it, because inherent risk does exist. My advice: inherent and residual risk assessments are important, but periodically revisiting inherent risk is just as critical. Many institutions, once they've completed the residual risk assessment, manage and monitor based only on residual risk. I don't think it should be that way. You must periodically go back and reassess inherent risk. Keep watching for material changes in the relationship; the risk profile can change because of contract amendments, addenda, or modifications, and those changes may require stronger risk management activities, or may allow a lighter touch. But revisiting inherent risk is just as critical. I think every institution doing TPRM should operate this way, rather than focusing only on residual risk assessment. So on this question all I can say is, it depends. It depends on risk appetite, on the size and execution capacity of the TPRM program, and on the size of the extended third-party inventory.
Ashley: Thank you, Rodney. One last question for you. Someone asks: "How big is your team? How many vendors do you manage?"
Rodney: So that's the anonymous asker?
Ashley: Yes.
Rodney: Fine. Let me put it this way: I have a team of 7 to 10 people, and the inventory is staggeringly large. Some things I have to keep to myself. You have to understand that.
Ashley: Or reach out to me offline. Of course, of course. Rodney, Scott, and everyone, thank you so much for your questions. They both shared a lot of valuable information worth digging into today, and we look forward to seeing you again in your inbox or at a future Prevalent webinar. Goodbye everyone, and enjoy the rest of your Wednesday.
Scott: Bye, everyone.
Ashley: Thank you, Rodney. Bye. Bye, everyone.
©2026 Mitratech, Inc. All rights reserved.