第三方风险管理 101：评估、监控和缓解：第三方风险管理的核心要素

Melissa: Hello everyone. Welcome. Melissa: It’s great to see you all joining. Melissa: Um I’ll give you a minute while we wait for people to get situated and connected. Melissa: H in the meantime, I’m going to launch our first poll. Melissa: You’ll see it pop up on your screen. Melissa: And I’m curious to see what’s bringing you to today’s webinar. Melissa: You know, is it educational? Melissa: Are you in the beginning stages of your thirdparty risk program? Melissa: Are you a current prevalent customer? Melissa: Um you just let me know and uh let’s kick some things off with an intro. Melissa: My name is Melissa. Melissa: I work here in business development. Melissa: And today we are joined by a returning guest, Bob Wilkinson, who is the CEO of Cyber Marathon Solutions and former CISO at Cityroup. Melissa: So, welcome back, Bob. Bob: Great to be here, Melissa. Melissa: Good. Melissa: And, uh, we got you for one more, I think, because this is, you know, four-part series. Melissa: And, you know, last but certainly not least, we do have Scott Lang, our very own VP of product marketing. Melissa: Hi, Scott. Scott: Melissa, how are you? Scott: So good. Scott: Now that we’re uh up and running on this PowerPoint, um you know, today Bob’s going to continue with part three of our four-part TPRM 101 series where he will share best practices for the core components to enable scale in your TPRM program. Scott: And uh as a little bit of housekeeping here, uh this webinar is being recorded, so you will get this along with the slide deck um shortly after the webinar. Scott: Lastly, you’re all muted as you can see, so use the Q&A box for those questions that you have. Scott: Um you know, don’t be shy, ask away. Scott: And uh without further ado, I will let Bob jump into it. Scott: Go ahead. Bob: Thanks, Melissa. Bob: Um if we can uh scroll down. Bob: Uh so today’s webinar, as Melissa mentioned, is the third part in a four-part series covering how to build a sustainable thirdparty risk management program. Bob: So today we’re going to talk about supply chain risk. Bob: Do domains uh triage and risk assessment, continuous monitoring, and then how to automate uh your TPRM program and the essential role that that plays in the process in order for you to be efficient in how you operate the program. Bob: So, next slide. Bob: So, we’re going to talk about the criticality of thirdparty services, how to determine them, uh risk domains, which is the next topic I’ll get into, how to triage risks to be to to be more efficient in your overall risk assessment process. Bob: Not every new third-party relationship may require a full risk assessment, and I’ll talk about some ways that you can determine that. Bob: event triggers for a third-party reassessment. Bob: Uh what might happen after you’ve initially assessed an onboarding a third party that might necessitate going back and performing a reassessment. Bob: U the role of data science and analytics and how that can help you better understand, track, and manage risk across your full third-party risk management program. Bob: Then we’re going to get into continuously monitoring third parties, how it works, what kind of things you need to be aware of as you contemplate uh continuous monitoring, how to get started with a continuous monitoring program, and reviewing a checklist of items that you’ll need to consider. Bob: And then talking about automation in a third-party risk management program and a checklist of things that you should be thinking about and how you automate your program. Bob: Next. Bob: So, when it comes to determining the criticality of thirdparty services, there’s a few things that you need to think about depending on the size of your organization and the amount of resources that you have. Bob: One of the factors that that comes into play is how where should I get started? Bob: What should I focus on first? Bob: And the short Answer is those third-party relationships that are providing critical services uh to your business or for which your business considers certain functions, products etc to be critical for their success. Bob: So one simple way to think about criticality is if you’re sharing information, sensitive information, of your company with a third party and also depending on the volume of information that you’re sharing that may drive criticality because one of the big trends that we see associated with data breaches is the theft of sensitive information whether that’s personally identifiable information uh protected health information whatever the case might be. Bob: Another criterion that you can use for criticality is third parties that you grant access to your infrastructure. Bob: So when you grant a third party that infrastructure access, you potentially open a door into your greater uh corporate network and that poses a lot of risk with it if not done carefully. Bob: So you have critical business products or functions that you provide. Bob: You have the sharing of sensitive information. Bob: and infrastructure access. Bob: Uh and then also understanding beyond just your third party for your fourth and fifth parties, if your third parties are using them, if they’re granting access to your data or if they’re granting access to your infrastructure. Bob: Now, how can you go about getting that information and where might be a good place to start? Bob: One thing you can do is you can talk with your IT function that’s responsible for business continuity and disaster recovery because as part of their function, they’re going to need to know who all of the critical third parties are that are providing services to your organization. Bob: And that may be a way to jumpstart finding within your organization who your critical third parties are. Bob: The one caveat that I’ll offer with that is that it’s important that you consider how you scope your criticality. Bob: If you take too narrow a view and you miss some third parties who are critical for your organization, then you may find yourself in a position where uh you cannot um effectively mitigate the risk that’s associated with this. Bob: So that’s something that you need to very carefully think about as you uh go about establishing criticality. Bob: Next slide. Bob: So I want to talk a little bit about what I call risk domains. Bob: And when we think about performing risk assessments, we usually have some standardized process that we go through with many questions that we’ll ask a third party about. Bob: But not all of those questions are relevant to the service or product that a third party is providing to your organization. Bob: So I think there’s a more efficient way to do this and that when you group your third parties into what I call risk domains either based on the functions or products that they’re providing to your organization or the access that you’re granting them to various types of information and then other uh ways of lo ally grouping them. Bob: Whether that’s onshore versus offshore, whether it’s third parties who have access to employee confidential information, uh whether it’s third parties that have network access into your infrastructure, whatever those logical groupings are that make the most sense for your organization, when you do that, then you can focus more clearly on several things. Bob: things. Bob: The first is what are the key questions that you need to ask based on the service that’s being provided to you. Bob: So instead of looking at you know the the hundreds of questions that might be in a questionnaire, what are the single most important questions that you need to focus on for a from a risk perspective based on the function of service being provided, based on the access to the data that’s being provided. Bob: And by doing that uh you get several important benefits. Bob: The first one which uh for me is kind of overarching is we all deal with this problem not just of running a third party risk program but of having to deal with the growth that occurs year-over-year within your third-party uh use at your company. Bob: So depending on how you Look at this. Bob: A lot of organizations may have a 10% increase in the number of third parties that their organization is using over a calendar year. Bob: Nobody’s giving us 10% more resources to deal with that additional volume that we have uh to take care of on an annual basis. Bob: So by structuring your inventory of third parties into risk domains, for example, um which are my call centers, which are my payment processors, who are my software developers, who are my cloud hosting providers, or which third parties am I sharing information with? Bob: Um where is the service being delivered from? Bob: By thinking about those things, when a business says they have a need for a new third party, you can very quickly assess that you already have third parties who are providing that service. Bob: And if you have relationships with third parties who are already providing a service that one of your business units is looking for, you can take that to that business unit and say, “We already have existing relationships with companies A, B, and C. Bob: We don’t need to add another company.” And part of the selling point there to make is if you go with an existing company where due diligence has already been done, and they’ve already been onboarding. Bob: We already have an established relationship with them. Bob: Then we’re able to move much more quickly to support your business for whatever it needs. Bob: It also stops to some extent the growth in the number of third parties that you have in your inventory. Bob: And that does two things. Bob: The first thing it does is it mitigates risk because you’re sharing less of your data, less of your access with yet another third party. Bob: But it importantly also reduces the total cost of ownership for your third-party program. Bob: So by breaking your inventory into risk domains to leverage that information when a business comes and says I need uh uh third party for cloud hosting. Bob: You say we already have two companies we’re using. Bob: Why can’t we leverage what we already have? Bob: You’ve taken a big step on both risk mitigation and on more efficiently managing your program and actually saving your organization money and saving yourself a lot of stress in the process. Bob: Next slide please. Bob: So this is where we come to the question of risk triage. Bob: So when we think about uh risk triage what I’m getting getting at is rather than doing a full-blown assessment of a third party, if you categorize them into a risk domain, there are certain questions that you’re going to want to ask critical to that relationship. Bob: For example, if a third party is uh managing or handling large amounts of your sensitive information, what you really need to focus on there is how are they managing that information for you? Bob: How are they accessing that information? Bob: Are they processing that information for you? Bob: How is it protected in transit? Bob: How is it protected when it’s stored at rest etc? Bob: And by doing that you get a very quick sense of whether the critical element in the relationship which is that this third party is doing something with your sense positive data. Bob: Are they doing a good job with that? Bob: And ultimately what you can do is you can focus on based on the risk domain of a company that you’re thinking of onboarding. Bob: Those specific areas that will tell you very quickly whether you need to do more extended due diligence or whether you’re probably okay and you may not need to complete a full risk assessment. Bob: So, it’s a way to cut down on the overhead of doing full risk assessments for all of your new third-party relationships. Bob: So, and I’ve built this model out at very large organizations uh very successfully and help them to minimize the amount of risk assessment activity which needs to be done. Bob: And I’m going to talk a little bit more about uh the need for a risk assessment and periodic ongoing risk assessments versus continuous monitoring later. Bob: And suffice it to say that I’m a big advocate of moving to continuous monitoring very early in our relationship with a new third party because what happens at the end of the day is a periodic risk assessment is good on the day it completes. Bob: You have uh no insight for the other 364 days a year. Bob: So for me, Defining those questions that are important based on the risk domain that a third party falls into offers you the opportunity in a more streamlined fashion to complete due diligence on a potential new third party that you might on board. Bob: And it also allows for you to use more efficiently the resources that you have in your program. Bob: Next slide. Bob: So, periodic risk assessments, when you do make a determination that you really do need to do a full risk assessment of a third party, what are the important factors that you need to have in place in order to effectively manage that periodic risk assessment process? Bob: So, have you decided what process you’re going to use and what questionnaire to perform those risk assessments? Bob: Have you allowed for flexibility in your risk assessment process that will allow you to selectively focus on the areas that you need to concentrate on uh for a given relationship because there depending on what that third party is doing for you, you may not need to cover certain parts of a risk assessment questionnaire. Bob: So, So there are a number of standard questionnaires in the industry. Bob: There are proprietary questionnaires that people have developed. Bob: Um whatever you decide to use, have you the flexibility to focus in on what a third party is actually doing for you and only asking that information from the third party rather than just blanketly sending them the whole uh risk assessment. Bob: And Moving on from there, then you have to decide whether you’ll perform risk assessment on-site or remotely. Bob: Now, obviously, uh the pandemic had an in influence and impact on the performance of on-site risk assessments and these days things are primarily done remotely uh for many reasons. Bob: So, there are circumstances where you do need to go onsite to really visit them and to understand that third party these security practices both from a physical security perspective, logical security, etc. Bob: The next thing that you’ll want to look at is whether you’re going to use resources within your own company or whether you’re going to perform risk assessments using staff augmentation. Bob: So, will you hire a third party to provide you the resources to do the actual ass assessment which will then be provided back to your organization where you may decide that you need to do the review of the risk assessment or will you actually ask the third party not only to do the risk assessment but also to highlight any potential gaps that may exist. Bob: There’s another option where you could use risk assessment services companies and here we’re talking about about um companies that regularly perform risk assessments of third parties and then make the reports that come from that process available to clients for purchase. Bob: And they keep them updated on a regular basis so that you can schedule with one of these risk assessment services to complete the third party risk assessment. Bob: on your behalf and then to provide you with a copy of the report. Bob: That may be another option that you choose to use. Bob: And then moving on from there, what’s really the core to any third-party risk management program from my perspective is for the issues that are identified during the risk assessment, how are you going about managing the issue tracking and remediation process? Bob: Because we don’t assess Just for the sake of assessing, we assess to identify risk and once identified to remediate that risk. Bob: It’s called a third-party risk management program for a reason and that reason is to identify and remediate risk. Bob: And if you’re not remediating risk, then don’t bother doing a risk assessment. Bob: That’s an absolutely key point. Bob: And then what is your organization’s uh perspective on performing periodic risk? Bob: assessments going forward and at what cost and for what expected value. Bob: Um my view on this is that third-party risk assessments after you’ve completed the initial one offer minimal value in return for the the amount of work that needs to be done. Bob: The important thing after an initial risk assessment is completed is tracking any identified issues to complete rem mediation and the value that comes from assessing your third parties year after year after year is a continually smaller benefit to your organization and may not be justified by the cost. Bob: So what’s the answer to that? Bob: Can we have the next slide? Bob: Before I get to the answer, I just want to talk about event triggers and once we have a third party relationship established, there are certain events that may occur at that third party which may necessitate doing a reassessment of the level of controls that are in place at a third party. Bob: So there are several situations which jump out as necessitating a need for a reassessment and that may be a data breach. Bob: ransomware attack, whatever the case might be, uh, which impacts your organization. Bob: Another scenario is a change in ownership, whether the company is part of a merger or an acquisition, which may involve changing levels of control over how things are performed in the organization, a shift in technology platforms, migration from on premises to the cloud and all of those things introduce new risk. Bob: Another source of triggering a third party reassessment is new potential regulatory or reputation risks. Bob: Uh we’re on the cusp of a new third-party guidance being issued in the banking sector u by the FFIC And that should be forthcoming very shortly. Bob: And depending what’s in that final guidance, there may be a need for you to go back and re-evaluate whether your third parties are fully compliant with new regulatory guidance. Bob: As an example, another area that might necessitate um doing a an assessment is if you’re moving a data center to a new physical location or particularly these days into the cloud. Bob: And if you’re moving it into the cloud, you’re definitely going to want to do a a reassessment to make sure that you have the proper level of controls in place. Bob: Another aspect which at times gets neglected is how third party relationships change over time. Bob: And one of the ways that they change over time is that how much you’re asking a third party to do for you can directly impact the level of risk that’s involved. Bob: So if you start out and and this many cases happens, you start out doing a pilot with a third party where you’re sharing limited data or limited access with them and the risk assessment was based on that activity and you go back and you look at that third party relationship a year later and you found out well the pilot went well and we’ve given them access to the crown jewels and they can access all our customer records. Bob: That changes the risk profile of that third-party relationship and that’s important to note. Bob: Finally, another area where you may have uh reason to reassess is deterioration in a third party’s financial situation. Bob: And sometimes that deterioration can happen fairly rapidly. Bob: It could be because of a shift in technology. Bob: It could be events at the third party. Bob: And if you’re not monitoring the financial health of your third party on an ongoing basis, you may miss that deterioration and then find out that at some point that company goes uh out of business, in which case you’ve lost a key provider for a a service or product that your business offers. Bob: So by paying attention to that, you have the flexibility and the time to develop contingency plans. Bob: should they need to be put into place. Bob: Next slide. Bob: Data science and analytics and how might that help you in telling your third-party risk management program story and in monitoring the risk that your organization is exposed to on an ongoing basis. Bob: So what you can do here is you can develop a scoring mechanism for each of the third parties in your uh third party inventory. Bob: And one of the ways that you might do that is if you’ve grouped your third parties into risk domains, then what that allows you to do is not just individually come up with a way to score an individual third party but to score the risk that may be associated with a particular risk domain. Bob: For example, all third parties who have access to sensitive or confidential information. Bob: It also offers the potential to implement a model where you score the overall risk from third parties for your entire third-party portfolio. Bob: And that having a way to for risk for your third parties allows you on an ongoing basis to calculate the change in risk that either occurs with an individual third party, a risk domain of third parties or your entire risk portfolio. Bob: Now, I’m just touching on the surface of this here, but by focusing on the questions that you need to ask that are relevant to specific relationships that you have with third parties and waiting those questions, you can actually build an analytical model which will allow you to score and track the change in the risk of your third party program over time. Bob: Next slide. Bob: So now we get to continuous third-party monitoring. Bob: From my perspective, if you really want to know what’s going on with third parties and third-party risk, you have to monitor them continuously going forward. Bob: This is uh my point with periodic risk assessments versus continuous monitoring. Bob: On an ongoing basis, the situation at your third party can change very dramatically from day to day. Bob: Given all of the threats that exist in the environment, how efficient your third party is about managing the vulnerabilities that they’re exposed to. Bob: So, One of the other things that it will do for you is if you have a continuous third-party monitoring uh function set up within your organization. Bob: When it comes to onboarding third parties, you can prior to onboarding, prior to signing a contract, you have the ability to run that proposed third party through your continuous monitoring system and see if any any information any negative information is detected about that third party. Bob: Now how does continuous monitoring actually work? Bob: It looks at the publicly available information the footprint of a third party as it exists uh uh from a publicly accessible point of view and looks for vulnerabilities that either may not have been patched that might be able to be exp exploited whatever the case might be and it lets you know about that and it breaks it down into various categories and it scores the third party overall based on risk. Bob: So by leveraging continuous third-party monitoring you become aware of vulnerabilities as they arise at third parties. Bob: This knowledge allows you to be proactive in how you engage with your third parties. Bob: to make sure that they’re following up and that they’re fully aware of the risks that are out there. Bob: Where this becomes particularly useful is in the event that there is a new uh vulnerability released which has widespread applicability across the internet and where you need to know right away not just your own uh organization’s vulnerability uh exposure, but also what your whole third party inventories exposure may look like. Bob: So very quickly leveraging continuous monitoring, you can make an assessment of which of your third parties might be affected by a new vulnerability and then reach out to them a to make them aware if they’re not, but b to understand what actions they’re taking to correct the exposure that may exist there. Bob: Now when we get down into talking about third parties and there are a number of tools which are available is a one of the key decisions that you’ll make is how you will implement and incorporate a continuous monitoring solution into your organization. Bob: And this is no different than any other software tool acquisition that you might make. Bob: What I uh strongly suggest is that before you go running out and purchase a continuous monitoring solution, you understand how that continuous monitoring solution would fit into your operational process workflows within your organization so that it can be properly leveraged. Bob: You can implement the continuous monitoring system. Bob: You can add a list of third parties you want to monitor. Bob: But if nobody is looking at the results of that monitoring and there is not a clear way for that information to be funneled to the people who need to take action. Bob: For example, relationship managers for third parties reaching out to them and saying, “Hey, did you know you have these vulnerabilities and what are you doing about it?” Then it’s not worth investing in a continuous monitoring solution. Bob: You need to take an endto-end approach up front and say if we purchase this tool, who’s going to operate it? Bob: How are they going to operate it? Bob: Have they been trained in the right skill sets? Bob: Because the skill sets for continuous monitoring are different than the skill set you might need for risk assessment. Bob: So you have to make sure that you’re providing the right training and knowledge to your people to be able to leverage continuous monitoring to add value to your organization. Bob: If you don’t go through those steps, then it’s unlikely you’re going to get the real benefits that come from a continuous monitoring solution. Bob: Next slide. Bob: So, when you’re starting out with continuous monitoring, um, one of the questions that often comes up is, well, how do I get started with continuous monitoring? Bob: One of the things that I suggest to organizations to do is, well, if you’re not sure what to do, start the continuous monitoring on yourself and see what comes back. Bob: And most organizations are very surprised when they see what their risk profile looks like when using a continuous monitoring solution. Bob: It may reveal that in fact you have a number of vulnerabilities that haven’t been addressed and that in the process of doing that you can improve your overall security as well. Bob: And if you’re looking for a way to get the attention of management within your organization, running continuous monitoring on your company and highlighting any issues that are identified is a great conversation starter. Bob: They may not like the results but they won’t be able to ignore them. Bob: So that’s just one way you can get started. Bob: Now with continuous monitoring you can monitor in a in various ways. Bob: You can you can do multi-ter multiffactor and certainly continuous inventory discovery. Bob: So when I talk about multi-ter uh you can discover relationships potentially with fourth fifth and the nth parties that you were not aware of. Bob: So everybody talks a lot about third party risk management and I believe not enough about fourth and fifth party management. Bob: The fact of the matter is that over half of the security incidents that companies have start with third parties. Bob: But when you peel back the layers of the onion, you find it goes even further down the uh supply chain into fourth and fifth parties which are often the targets of hackers to exploit to work their way back up to the third party and ultimately into your organization. Bob: So understanding the tiers and what I would advocate is if you are running continuous monitoring uh that for those critical processes which you’ve defined which third parties uh are part of uh that you also monitor your fourth and fifth parties as well. Bob: because any impact at those if they’re part of your critical business processes may also impact you. Bob: Multiffactor is we’re not just talking about cyber security risk here. Bob: There are many forms of risk and some of them include financial, geographic operations, reputational, regulatory compliance and certainly a ESG. Bob: And if you’re not looking more holistically at the risks that you may be exposed through your use of third parties, then you don’t really have a full view. Bob: For example, do you know where your services are being delivered from by your third parties and how many offshore vendors might you be using? Bob: And if there’s instability in a country where a lot of your third party work is being being done and you’re not monitoring that and it results in service interruptions which it has in a number of cases that can present real problems for you. Bob: Finally, your your third party inventory is not static. Bob: It it’s periodically changing because the third parties that you use are changing. Bob: The third parties that your third parties are using, your subcontractors, the fourth and fifth parties They change over time. Bob: Companies come and companies go. Bob: They go out of business. Bob: Your third party may migrate from one supplier to another supplier. Bob: You need to be aware of that because it does have potential risk to you and you should have visibility. Bob: And one of the ways you can obtain that is through continuous monitoring. Bob: And then again, the skill sets that you use for continuous monitoring are not the same skill sets you use for risk assessment. Bob: And And that’s something that you really should think about. Bob: Next slide. Bob: So here’s a a checklist for things for all of you to think about if you’re contemplating starting a continuous monitoring program. Bob: So one of the things that you want to do is you want to make sure you have as complete a third-party inventory as possible. Bob: So So, when you’re starting out and you’re trying to build your third party inventory, sometimes it’s hard to get started. Bob: What most people do is they survey their businesses and say, “Who are you using as a third party?” There are several things that you might do which can help you in that regard. Bob: Some of them include uh if you’re trying to identify which third parties are critical, reach out to your IT, reach out to your, you know, disaster recovery and continuity of business people. Bob: If you’re trying to determine the completeness of your inventory. Bob: One thing you can do is go to your accounts of payable department and ask them for everybody they’ve paid in the last two years because if they’re paying somebody then they’re a vendor and you’re going to want to consider them. Bob: So that’s one thing you can do there. Bob: Next, have you developed and implemented operational processes for how to manage and most importantly respond to continuous monitoring alerts? Bob: You know, the the history of cyber security has many instances where organizations set up monitoring, but nobody ever looked at the logs. Bob: So, if you’re going to do anything, make sure that you have a way to effectively monitor the information that gets generated and have you established thresholds for escalation in the event that there are alerts so that the process can operate in a smooth fashion and most importantly document what your pro processes and procedures are. Bob: Do you have the ability excuse me the visibility into your extended supply chain? Bob: Do you know who your fourth and fifth parties are particularly those associated with critical business processes? Bob: Do you have reliable and periodically updated information? Bob: on the classification and volume of information that third parties are handling for you. Bob: As I said previously, that information changes over time. Bob: Many third party relationships start out as pilots, but they involve into full-fledged business operations and nobody bothers to go back and tell the third party risk team that that occurred. Bob: Another important aspect which has only been highlighted heavily over the last year is the risk that comes from operating third-party software. Bob: Think Log 4j, think Solar Winds. Bob: There are many examples of this. Bob: But the issue there is sometimes when an incident occurs or there’s dis disclosure of a vulnerability, what happens is you have no way to know whether your organization or any of your third parties are exposed to that. Bob: Most organizations, some where in their IT function have a software inventory of software that’s being used by the company. Bob: You should know what that inventory is and be able to leverage it in the event that there is a security incident. Bob: Do you know the physical locations of where the management of your information is occur occurring? Bob: There um there have been a number of cases that I’m aware of where third party risk just assumed that the corporate address for a company was where the service was being provided from. Bob: In managing third party risk, you only care about where the service is actually being delivered from. Bob: Make sure you know that. Bob: Also know what fourth, fifth, and nth parties might have access to your sensitive business information or might have been granted access to your corporate infrastructure. Bob: And if a third party did that, and granted it to a fourth or fifth party by sharing credentials, then that’s something you really need to be aware of. Bob: Do you have current contacts at your third parties so that when potential uh incidents are identified that you have a way to reach out to the right people to get action quickly because when you’re in a situation where an event becomes an incident, minutes matter. Bob: It gives you the ability to limit the damage that might be done to your organization to quickly take devices offline to take other actions that you need to take. Bob: Make sure your contact lists are updated and that you periodically validate that. Bob: And then finally, have your resource been uh trained and also escalation procedures. Bob: And it’s worthwhile to contemplate tabletop exercises where you walk through that not just with the technical people involved but with that in the event there is next slide. Bob: The role of automation in a third party risk management program. Bob: It’s increasingly important because there’s lots of data, lots of risk assessments, continuous monitoring, and other things going on. Bob: And your ability to automate your program is key in being able to manage it and to present to your stakeholders information about the status of the program. Bob: And those stakeholders are everything from your management potentially to the board, regulators, etc. Bob: And that you need to address all of the potential soft uh sources of risk. Bob: It’s not just cyber. Bob: They may be financial, operational, any of the uh categories that I list here, geographic, fraud, compliance, etc. Bob: So, tools to centralize your aggregated third-party risk pro uh posture Um, how you do that and how you automate that process internally is really important to being able to provide timely information to manage events when they happen and to keep your management informed. Bob: So the message here is automate as many aspects of your third party risk management program as you can. Bob: Next slide. Bob: So here’s a checklist of things that you want to consider when you look at automation. Bob: So automated centralized third party inventory that’s Check to see if there is a thirdparty software inventory for your organizations. Bob: Next, do you use a single process workflow uh for all third parties onboarded across your organization or there are there exception processes? Bob: There may be parts of your business where at for some reason given an exception following the standard onboarding process than you’re aware of. Bob: Do you have a standard third party contracts database? Bob: Many organizations that are older and have been around for years may not even have the original contracts or they may be in a file drawer in a warehouse somewhere. Bob: Has my organization implemented automated process workflow to perform due diligence? Bob: The days of mailing questionnaires as Excel’s spreadsheet attachments out to your third parties uh Um, we’ve moved way on from that. Bob: Consider automating using uh one of the GRC tools that are now available. Bob: Again, most important, do you have a process for tracking issues that are identified as a result of your third-party risk management activities? Bob: This is the key point and holding people accountable to remediate those issues. Bob: Do you have a process for tracking thirdparty performance? Bob: For example, in financial services, there are regulatory requirements that say on a quarterly basis, you need to document the performance of your third parties. Bob: That’s usually with relationship managers in the business who own those relationships. Bob: Next, for continuous monitoring, have I implemented automated solution pro in my process workflows so that key stakehold stakeholders are getting that information timely and Then finally, have you thought about your management reporting structure? Bob: Who needs what information and how you can automate that ahead of time so you can provide it on a timely basis? Bob: Uh, next slide. Bob: Okay, so that’s the end of this presentation. Bob: Um, in the next uh webinar in this series, we’ll be getting more into more detail about some of the things that can do uh to more effectively mana manage the future of TPRM. Bob: If any of you have any questions, here’s my contact information. Bob: I’m happy to talk with anyone about this. Bob: Bobcyms.net and my mo mobile number is there. Bob: Thanks a lot. Melissa: And uh Scott, over to you. Scott: Thanks very much, Bob. Scott: I am going to uh share a couple of slides here uh just just to kind of close up how uh prevalent can help. Scott: So, real quick, uh check Bob, can you see my screen? Scott: Okay. Bob: Uh I can’t see your screen yet, Scott. Scott: All right, stand by. Scott: All right, Bob: there we go. Scott: All right. Scott: There we go. Scott: Cool. Scott: All right. Scott: Uh folks, just want to put a button or a bow rather on on Bob’s discussion today to try and tie back some of Bob’s best practice capabilities to some things that probably can do to help help you accomplish those tasks. Scott: Um, it all kind of starts with what customers tell us they want to achieve. Scott: And invariably that’s any one of these three things. Scott: Yeah, there are other as well, but I think uh thematically they congeal here into into one of these three topics. Scott: Number one, getting the data you need to make better decisions and that means sifting through reams of um, you know, third party intelligence that are flowing into the organization maybe to different departments. Scott: Making sense of that data, triaging it, um helping you to kind of scale and understand uh how important or critical some of this information is to help you make decisions uh and to ditch manual methods like spreadsheets for example uh in in performing that base level assessment uh on your vendors. Scott: So get the data you need to make better decisions. Scott: Second, increasing team efficiency and break down silos. Scott: I mean this is like number one, right? Scott: uh from an efficiency perspective. Scott: You know, I mentioned before about spreadsheets. Scott: Uh we see a lot of companies uh when we begin our engagements with them that are using a bunch of different tools, maybe some spreadsheets and email to try and get some information out of out of um uh uh you know, their vendors, third party suppliers, whatever. Scott: Uh maybe that’s flowing into different departments that aren’t really talking to one another. Scott: Or maybe you’re using a GRC tool or you know, something that really isn’t built to be a thirdparty risk assessment platform. Scott: And then third, evolving and scaling your program. Scott: Um, you know, risks aren’t static. Scott: The types of risks you have to uh monitor aren’t static either. Scott: So, it’s important to have a solution in place that evolves with the times. Scott: Uh, stays, you know, up to date on current compliance regulations and reporting capabilities, is able to process and manage multiple different types of risk inputs to help you make good decisions, as I mentioned before, and then gives you the ability to to be elastic with the number of vendors you’re assessing on a regular basis, whether that be going up or going down or tiering or focusing on uh you know critical vendors or whatever. Scott: Get good data uh increase team efficiency and evolve and scale your your your program. Scott: Invariably those are the three things that customers tell us they want to achieve with their programs. Scott: Uh every day you know we take the approach where we look at risk and help you accomplish these three things across every stage of that of that uh life cycle of the vendor relationship from uh the moment you decide you want to source a new vendor and make a vendor selection to the point where you need to uh perform some level of intake or contracting or onboarding of that vendor. Scott: Scoring some inherent risks to define what their inherent risks are that are that your your company’s now going to be exposed to by doing business with them. Scott: What high level remediations that need to be put in place in order to you know kind of proceed with that vendor. Scott: Uh to performing that regular assessment and then recommending remediation recommendations, monitoring and validation of those results over time. Scott: You know, consuming different uh monitoring feeds and and making sense of the data, measuring uh the service level agreements and performance KPIs and KISS of the of the vendor over its life cycle. Scott: And then ultimately uh as every uh you know vendor relationship will eventually do and it will come to an end and when it comes time to terminate that relationship, what are the offboarding tasks and tactics that need to be performed to make sure that you’re not exposed to uh unnecessary risk after that arrangement uh comes to an end. Scott: That’s our our approach is to address those particular challenges at every one of those stages of the life cycle. Scott: Now, invariably um the the derivative benefit of utilizing a a solution like prevalent is that it ultimately brings teams together. Scott: You know, we find that procurement, vendor, supplier management teams are concerned with concerns and issues perhaps in early stages of the relationship, sourcing, selection, onboarding and such. Scott: Then that the effort tends to turn over to the to the security team to perform a deep security data privacy risk controls assessment and then you know maybe to the privacy legal compliance teams as that as that relationship winds down you know procurement’s also involved in that in that process as well. Scott: So it’s important to achieve three things right to simplify and speed up onboarding with a single process in a single source of the truth that extends to everybody in the organization that has a hand in thirdparty risk. Scott: Second to streamline that process and then close gaps and coverage that come naturally with you know different people and different teams and tools and silos uh kind of operating. Scott: And then third bring those teams together through one prescriptive process to progress uh a vendor through the third party life cycle. Scott: That’s our approach. Scott: Um we address multiple different risk areas uh in a prevalent platform. Scott: We’ve categorized them here into these six buckets. Scott: These are by no means comprehensive. Scott: Uh but it’s what I could fit on a slide. Scott: Uh but cyber security uh operational, financial, ESG, reputational and compliance risks. Scott: We either have a specific assessment in the platform with built-in remediation recommendations and reporting behind it or we consume a thirdparty risk feed that helps to um uh um you know populate your vendor profile and then augment uh an existing customer uh uh assessment as well in in one of these particular domain areas. Scott: We have 200 plus assessment templates ready to go in the platform. Scott: So how we deliver this capability to you is any one of three ways. Scott: Number one is through our people. Scott: The value that prevent really delivers is the expertise we deliver. Scott: If you want to do a managed services approach We can do that. Scott: We can do the hard work for you. Scott: Onboarding vendors, managing through the life cycle, offboarding them, remediating, managing, you know, whatever. Scott: In the middle, uh, you know, the second big value we deliver is the amount of intelligence that we drive into the platform. Scott: Something like half a million different constantly updated vendor profiles, dozens upon dozens of um, uh, sources of intelligence to help you add context and clarity to your risk assessments. Scott: And then finally, we has it all in this platform that automates workflows. Scott: uh reporting uh remediation activity uh and more. Scott: Again, at the end of the day, we’re hoping to accomplish three things for you. Scott: Number one, help your organization be smarter and how it uh manages the risk that you’re exposed to from a thirdparty vendor, supplier uh through great reporting, analytics. Scott: Second, help you unify processes, teams, people, and more. Scott: And then third, give you that prescriptive insight to help you progress a vendor throughout its relationship and you know, address your assessment, your monitoring, remediation work. Scott: uh in a single platform. Scott: So that’s what Prell offers. Scott: I’ll pitch it back over to you Melissa to open it up for questions. Melissa: Perfect. Melissa: Thanks, Scott. Melissa: Um so now would be a really good time if you do have a a question you want to drop in um throw that in the Q&A. Melissa: And I just launched the second poll on your screen um so we can follow up any, you know, TPR and projects on your radar. Melissa: I’m curious, are you looking to establish or augment a third party risk program within a year? Melissa: Maybe you’re still stuck in spreadsheet jail. Melissa: And um like I said, please be honest because we really truly do follow up. Melissa: Um I think we have time for maybe a question or two. Melissa: So um Bob and or Scott, any question that kind of speaks um the loudest to you at this moment? Melissa: And any other questions? Melissa: Um Bob delivered his email in the the slides. Melissa: So I’m sure you have it there and probably LinkedIn or Google’s your best friend there. Melissa: But uh I will let Bob and Scott kind of chip away at those. Melissa: So go for it, guys. Bob: Okay. Bob: Well, there There’s there’s one question that asked about the uh scoring the analytical model and the way the model works is there are certain basic controls that are associated in the model and it’s customized based on how a company operates. Bob: But for example, who has you know how does a third party handle access to sensitive information? Bob: There are certain aspects you know in transit, in storage, the volume of data, etc. that go into that. Bob: And when those questions get answered, there’s a numeric score associated with each question. Bob: Then based on that, an organization decides what it threshold is. Bob: So say that you know there are 20 questions that are asked about sensitive information and the score that comes back is a three on a scale of one to five with one being good and five being bad. Bob: The organization then decides if the level of control with a score of three is sufficient then I can onboard the vendor at that point without doing further due diligence. Bob: So there’s the aspect of what is acceptable to a company at that level. Bob: So that’s that question. Bob: Um let’s see what else do we have. Bob: Tell us more about the skill sets needed for continuous monitoring. Bob: Um what we’re doing there is it has to be someone who’s um should have some understanding of third party risk. Bob: Uh that they’re proficient in the use of tools. Bob: The vendor will pro depending on who which one you went with they would provide you some level of training and insight into this but really familiarity with your organization’s operational processes. Bob: So when you get information for example generated uh through a continuous monitoring tool set what you can do is you can either use it to inform threat intelligence that there’s chatter or there’s you know potential targeting of one of your third parties or a sock in the event that there’s an actual incident. Bob: So those are some of the things that you can do more. Bob: I can certainly talk more to that. Bob: But I think we’re out of time. Bob: Melissa, Melissa: you are right. Melissa: We are at the top of the hour and of course, you know, thank you Bob and Scott. Melissa: Thanks everyone for all your questions. Melissa: Um I did drop my email in the chat, too. Melissa: So feel free to reach out to me or Bob um if you have anything that crosses your mind at a later time. Melissa: And lastly, I hope to see a handful of you in your inboxes and at part four of this series. Melissa: So thank you everybody and take care. Melissa: See you soon. Bob: Thank you. Bob: Bye. Melissa: bye.