THIRD-PARTY RISK & BUSINESS RESILIENCY 2020 ACTION PLAN
Presenter: Brenda Ferraro, Vice President, Third-Party Risk, Prevalent
Housekeeping
• Download slides at https://go.oceg.org/third-party-risk-2020-action-plan
• Answer all 3 polls
• Certificates of completion (only for OCEG All Access Pass holders)
• Evaluation survey at the close of the webinar
• Find the recording on the OCEG site in the Webinars tab under Past Webinar Recordings

Learning Objectives
• Identify how third-party risk can improve business resiliency and continuity planning in light of current events
• Define how program funding and the role of vendor manager are shifting
• Outline how risk management is evolving beyond basic compliance and toward more continuous assessments
• Demonstrate how security ratings and scoring tools are only one piece of the risk analytics puzzle
• Learn how to use a community-developed model

Poll 1
Do you have an OCEG All Access Pass (a paid membership) and would you like to receive CPE credit for this event?
a. Yes, I have an All Access Pass and I would like to receive a Certificate of Completion for this event
b. Yes, I have an All Access Pass but I do not need a Certificate of Completion
c. No, I do not have an All Access Pass but I would like to get one and receive CPE credit for this and future webcasts I attend
d. No, I do not have an All Access Pass and I don’t want to buy one at this time (so I won’t get CPE credit for this event)
Third-Party Risk & Business Resiliency: 2020 Action Plan
Brenda Ferraro, VP, Third-Party Risk, bferraro@prevalent.net

Today’s Speaker
Brenda Ferraro, VP, Third-Party Risk, Prevalent
• 20+ years of experience developing and implementing controls and KPI reporting for continuous risk governance and process improvement
• Built and managed third-party risk management programs at Aetna, PayPal/eBay and Charles Schwab
• Certifications include vBSIMM, CTPRP, ITIL and Certified Process Master (CPM)

Agenda
• 2020: A Time of Uncertainty
• How TPRM Ensures Business Resiliency
• Action Plan
• Prevalent Can Help
• Q&A
Confidential & Proprietary: NDA required. © Copyright 2020

2020 … a time of global uncertainty

Your 2020 TPRM Program Initiatives
• Business Continuity Planning to Ensure Supply Chain Resiliency
• Make the Business Case for Third-Party Risk Funding
• Evolve the Role of Vendor Manager
• Evolve Beyond Compliance
• Move Toward Continuous, Proactive Assessments
• Increase Inputs & Use Predictive Analytics
• Commoditize Security Ratings
• Privacy, Privacy, Privacy!
• Leverage an Evidence Sharing Community Model
• Move to True Risk & Enable Vendors
Current Events = Perfect Use Case for Business Continuity Planning & Resiliency
8 Critical Questions to Ask
1. Do you have a plan to recover from this pandemic?
   o In your pandemic plan, do you have strategies that include transferring work and/or working remotely?
2. For mass employee absenteeism, do you have a scale-back plan for non-critical services?
3. Has your company taken mitigation steps to stop the spread of the virus?
4. For employees that have been exposed, have quarantine steps been invoked?
5. Are you experiencing impact at any of your locations?
   o If yes, describe the recovery strategies activated and their effectiveness.
   o If yes, do any of the locations support our contracted products/services?
6. For potentially impacted fourth parties that support your operations, have pandemic plans been invoked?
7. How are you ensuring fourth parties can continue to support their contractual obligations?
8. For limited individual subject matter expert employees supporting critical processes, do you have a contingency plan in place in the event they are impacted?
Action: Download a Free Business Resiliency Assessment from Prevalent

Poll 2
Would you be interested in engaging with Prevalent for a free business resiliency assessment to benchmark your program?
a. Yes
b. No

Will 2020 Be the Year that TPRM Finally Gets the Funding it Deserves?
• Risk managers continue to struggle to gain the visibility, support and required investment to implement a strategic, enterprise-wide program
• Challenges to program success:
   o Accurate source of vendor profiles and contact information internally
   o Soliciting assessment responses
   o Demonstrating program value to executives
• Results:
   o Lack of consistency and urgency in how vendors are being managed and monitored
   o Limited program effectiveness
Action: Download a Business Case for Funding a TPRM Program
Vendor Manager → Vendor Intelligence
Today: Vendor Manager (Vendor Risk)
• Vendor intelligence is scattered in the silos of sourcing, supplier, contract, operational, risk and security tools
• Collate, quantify, prioritize and communicate risks to the responsible internal parties
Tomorrow: Vendor Intelligence Manager
• Expand to include a more comprehensive viewpoint that spans strategic, financial, legal, sustainability and operational risk
• Support broader programs with tighter integration with internal systems and departments, GRC and ITSM systems

Evolving Beyond Compliance
• Compliance is a legal – therefore necessary – checkbox
• Compliance ≠ security intelligence
• A mature third-party risk management program
   o Is strategic and enabling
   o Has the support of and visibility at the executive and board levels
   o Includes legal, procurement and IT
   o Enables intelligence-based incident management and response
Action: Schedule a program maturity assessment
Toward Continuous, More Proactive Assessments
• Assessing vendors using a control-based questionnaire on a pre-defined interval (annually) means your risk data can be 12 months old!
   o How relevant can vendor risk analysis be?
   o What value does this exercise provide in decision making?
• Waiting a year to gain visibility into the application of processes or technology to address specific control areas is unnecessary.
• Recommendation: Move away from “point-in-time” assessments toward a more continuous evaluation methodology.

Increase Inputs and Use Analytics to Identify Outliers
More inputs into the risk equation ≠ increased complexity in analyzing, prioritizing and responding to the increasing volume of information.
Recommendations:
• Enlarge the number of inputs into risk management decision-making
• Embrace advanced analytics to provide additional insights and automate processes such as:
   o Identifying outliers
   o Creating automated findings
   o Recommending remediations
   o Triggering automations and workflows

Security Ratings Tools Are a Commodity
Good for: Visibility into where a company’s public-facing exploitable risks might be.
Limitation: External scanning only tells half the third-party risk story.
• No context
• No view of internal controls
Recommendation:
• Less focus on the threat feeds (they are all getting pretty good)
• More focus on integrating the intelligence into a broader risk management process that adds context, quantification, prioritization and remediation capabilities
2020 TPRM Vision: Privacy, privacy, privacy! CCPA is Only the Beginning
Privacy will dominate the headlines. Are you ready?
• Potential of 50 different flavors of CCPA = complex patchwork of regulatory requirements.
• GDPR will have a second year to sink in.
• NY SHIELD
• Extensions to ISO 27001 and 27002
• Potential for a US federal data protection regime like GDPR for the EU.
• Recommendation: Extend your PIAs to address California requirements.

Evidence Sharing is Caring…
• Collect-once-share-many community models will grow in the next year
   o Move from point-in-time assessments to a more proactive, incremental sharing model
   o Reduce the cost of re-assessing vendors annually
   o Crowdsource risk intelligence
   o Include proactive sharing of vendor performance, events, satisfaction and other relevant insight that can benefit other members
   o Provide more aggregate, benchmark and analytical information to automate and streamline the vendor risk processes
• Industry-based communities grow as a result of specific insights, shared vendors and expertise
   o Legal
   o Healthcare

… and Vendors May Lead the Charge
Today’s Vendor Reality
Many vendors respond to surveys but do not have the tools or visibility to understand how the assessments can help them proactively prioritize their own internal remediation activities to strengthen their security and compliance posture.
How This is Evolving
• Vendors will request to proactively upload their evidence.
• Upload, publish, and update their evidence in one place which can then be shared with all their customers.
• Adoption and maturity of vendor portals will increase over the next 12-24 months, enabling both clients and vendors to streamline processes and ultimately share program costs.
Recommendation: Look for solutions that will enable your vendors to be more proactive in uploading their own questionnaires and evidence – think of it as a “publish and subscribe” model.
From Partial Known Risk to True Risk
Today = Partial Known Risk
• Focus dedicated to mitigating unmet control standards
• Lacks context
• Are “yes” answers good?
• Are “no” answers always bad?
• Challenge: Applying risk disposition on partial risk awareness can leave companies vulnerable by trusting control standard maturity posture with a simple “yes” response.
Tomorrow = True Risk
• When the assessment technique applies attention to both the “yes” and “no” responses and maturity level, risk awareness is identified on every “yes” response.
• Shift from focusing on remediating “no” responses towards identifying maturity of “yes” responses for True Risk and increased maturity on resiliency.
Action: Schedule a program maturity assessment
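The two scoring models on this slide can be made concrete. The following is an added example, not Prevalent's code or the slide's own method: it scores one constructed vendor questionnaire both ways. The "partial known risk" function counts only the "no" answers; the "true risk" function also discounts each "yes" by a hypothetical 1–5 maturity level, so a low-maturity "yes" still contributes risk and surfaces as a finding. The control names, weights, maturity scale and responses are all constructed for illustration.

```python
"""
Maturity-weighted questionnaire scoring: "partial known risk" versus "true risk".
Added example; the control names, weights, maturity scale and sample responses
are constructed and hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical maturity scale for a "yes" answer, 1 (ad hoc) .. 5 (optimized).
# The value is the share of the control's weight that still counts as risk.
MATURITY_RISK = {1: 0.8, 2: 0.6, 3: 0.4, 4: 0.2, 5: 0.0}


@dataclass(frozen=True)
class Response:
    control: str              # control the vendor is attesting to
    weight: float             # importance of the control (constructed)
    answer: str               # "yes" or "no"
    maturity: Optional[int]   # maturity level for a "yes"; None for a "no"


def partial_known_risk(responses: List[Response]) -> float:
    """Today's model: only unmet controls ("no") count as risk; every "yes" is trusted."""
    return sum(r.weight for r in responses if r.answer == "no")


def true_risk(responses: List[Response]) -> float:
    """Tomorrow's model: a "no" is full risk; a "yes" keeps risk in proportion to low maturity."""
    total = 0.0
    for r in responses:
        if r.answer == "no":
            total += r.weight
        elif r.answer == "yes":
            if r.maturity not in MATURITY_RISK:
                # A "yes" with no maturity evidence cannot be scored; refuse to trust it silently.
                raise ValueError(f"{r.control}: 'yes' without a valid maturity level")
            total += r.weight * MATURITY_RISK[r.maturity]
        else:
            raise ValueError(f"{r.control}: unexpected answer {r.answer!r}")
    return total


def low_maturity_yes(responses: List[Response], threshold: int = 3) -> List[str]:
    """Findings the partial model never raises: "yes" answers below the maturity threshold."""
    return [r.control for r in responses
            if r.answer == "yes" and r.maturity is not None and r.maturity < threshold]


# Constructed sample questionnaire for one vendor.
SAMPLE = [
    Response("Encryption of data at rest", 3.0, "yes", 5),
    Response("Pandemic / business continuity plan", 3.0, "yes", 1),
    Response("Fourth-party oversight", 2.0, "yes", 2),
    Response("Annual penetration test", 2.0, "no", None),
    Response("MFA for remote access", 3.0, "yes", 4),
]

if __name__ == "__main__":
    print(f"partial known risk: {partial_known_risk(SAMPLE):.1f}")   # 2.0
    print(f"true risk:          {true_risk(SAMPLE):.1f}")            # 6.2
    print("low-maturity 'yes' findings:", low_maturity_yes(SAMPLE))
```

On the sample, the partial model reports only the single "no" (2.0), while the maturity-weighted score (6.2) is dominated by the two "yes" answers given at maturity 1 and 2, which is exactly the gap the slide calls partial risk awareness.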
2020 Action Plan

2020 Third-Party Risk Management Action Plan
• Schedule a program business resiliency or maturity assessment to determine where your program is and where it could use some help.
• Use a business case to ensure your program gets the funding it deserves.
• Enlarge the number of inputs into risk management decision-making and embrace advanced analytics to provide additional insights and automate processes.
• Move away from “point-in-time” assessments toward a more continuous evaluation methodology.
• Extend your PIAs to address California requirements (if you haven’t already).
• Enable your vendors to be more proactive in uploading their own questionnaires and evidence.
Prevalent Can Help

Simplify, Automate, & Scale Your TPRM Program
Single platform unites controls-based assessments, continuous vendor monitoring, and a network of pre-completed surveys
• Delivers a complete 360-degree view of vendor risks – an internal and external comprehensive risk profile
• Improves visibility and adds context to scoring, and clarity for remediation
• Automates the end-to-end process of vendor risk assessments, speeding time to value
• Scales to mature your third-party risk management program for flexibility and growth

Closed-Loop TPRM
• Determine who to assess & what content to use – standard or custom
• Determine collection method – own, network, outsourced, and combination – and interact seamlessly with vendors
• Utilize flexible risk weightings, results from assessments, and continuous vendor monitoring to prioritize
   o Gain immediate view of risks
   o Inform prioritization
   o Use ongoing for more frequent insights
• Maintain an up-to-date risk register by entity to track progress on remediation of control failures or cyber risks
• Deliver reporting to internal stakeholders and auditors by regulation or framework

The Prevalent Advantage
Industry Expertise
• Developed and exclusively manage the Legal Vendor Network (LVN) and H-ISAC's Healthcare Vendor Network
• Chair the Shared Assessments Content Governance Committee
• Half of the top 10 Healthcare and Pharmaceutical companies
• Half of the Top 100 US Law Firms
• Outsourced options through Risk Operations Center
Market Leadership
• Leader: Forrester New Wave: Cybersecurity Risk Rating Solutions, Q4 2018
• Visionary: Gartner Magic Quadrant for IT Vendor Risk Management Tools, November 2019
• Top Ranked: Highest-ranked solution for assess/monitor/validate controls in Gartner Critical Capabilities for IT Vendor Risk Management Tools, December 2019
Poll 3
In the next 12 months, do you plan to evaluate TPRM vendors in an effort to establish or enhance your TPRM program?
a. Yes
b. No
c. I don’t know

Questions?

Thank You!
info@prevalent.net
Follow us on LinkedIn
Follow us on Twitter

Appendix: KPIs & KRIs

Key Performance Indicators (KPIs)
Program areas shown on the slide: Internal Request Management; Entity Request Management; Board Reporting; Continuous Risk Disposition; Threat Monitoring; Continuous Evaluation & Assessment
• Procurement / Business Owner TPRM Compliance
• Contract Due Diligence Timeliness & Completeness
• Risk Stratification / Profile / Requirement Accuracy
• Top 10 Risk Entities
• Top 10 Risk Domains
• TPRM Stats for Improvement
• Response SLA
• Request Completion Timeline
• Initial vs. Onboarded Risk
• Risk Mitigation SLA Stats
• Risk Reduction Forecast
• Internal Risk Accountability
• Threat Intel Factor Accuracy
• Inherent vs. Residual Risk
• Risk Reduction SLA
• Review / Evaluate SLA
• Primary Control vs. Compensating Controls
• Top Key Control Risks

Key Risk Indicators (KRIs)
Program areas shown on the slide: Internal Request Management; Entity Request Management; Board Reporting; Continuous Risk Disposition; Threat Monitoring; Continuous Evaluation & Assessment
• Internal Program Compliance
• Risk Stratification Accuracy
• Service Change Modifications
• Enterprise Risk Forecast
• Overdue Risk Remediations
• Missed TPRG Program Controls
• Volume of Concentration Risk
• Point of Contact Modifications
• Risk Recommendation Updates
• Missed Risk Mitigation Completion
• Climbing Risk Reduction Forecast
• Risk Mitigation Validation Stats
• Threat Score Changes
• Residual Risk Validation
• Nth Party Span of Risk
• Ongoing (at least annual) Evaluation SLA
• Added Content Gathering to fit Threat Landscape
• Adjusted Top Key Controls and Risk Calculations