Post on 25-Aug-2020


Emerging Trends in Third-Party Risk Management

Presented by: Carly Devlin and Max Aulakh

Moderated by: Tonya Preston


TODAY’S PRESENTERS

Max Aulakh, President/CEO, Ignyte Assurance Platform

Carly Devlin, Managing Director, Columbus Office


Overview of Third-Party Risk Management


Overview – What is it?

Third-Party Risk Management (TPRM)

The process of analyzing, verifying, monitoring, and controlling risks presented to your organization, your data, and your operations by third parties.

Managing third-party risk generally consists of conducting various types of due diligence activities on your critical vendors.


Basic Market Drivers

Data Protection

Regulatory Compliance

Business Value


Emerging Drivers

Procurement Departments

Information Security Departments

Business Owners


Current State Process

1. Segment
2. Scope
3. Collect
4. Assess
5. Remediate
6. Report
7. Monitor

Source: OCEG.org


Current State | Vendor Risk Profile

Monitoring allows you to:

▪ Gather assessment trend data & breach data about your vendors

▪ Develop a plan for your vendor to reduce cyber risk over time

▪ Share relevant resources with your vendor (de-risk)

▪ Co-develop a “Target Risk” profile
  ‒ Set of requirements/controls/questions that should be met


Current Vendor Risk Management Process

Questions from CISOs & Business Leaders:

▪ Is this really enough?

▪ Can we make the process more data driven?

▪ Can the process be balanced and take into consideration a holistic view?

▪ Can we somehow partner with our vendors?


Re-Defining the Vendor Risk Management Problem

▪ Third-party should not be in a silo
  ‒ Only responsibility of the security department

▪ The problem is multidimensional
  ‒ Quality, delivery, cost considerations, contract, cybersecurity & many other factors

▪ Relevant & timely metrics
  ‒ Multiple sources of data to formulate a score vs. single method


Current Processes & Results

▪ Lack of trust
  ‒ Business owners make decisions on vendors prior to engaging vendor risk management teams

▪ Reduced budget
  ‒ Vendor risk teams often struggle to get additional headcount, technology spend and other initiatives

▪ Program transitions to a Vendor Risk Management project
  ‒ Security teams become responsive to new vendor requests versus proactively addressing VRM risks


Emerging Trends | Forward Thinking Teams

▪ Holistic Vendor Risk Governance

▪ Enhanced Digital Risk Management

▪ Relevant & Data Driven Metrics

▪ Complete Vendor Scorecard


Emerging Trend # 1 – Holistic Governance

Vendor Risk Dimensions

Quality | Delivery | Cost | Responsiveness | Innovation | Cyber Risk | Financial | Customer Complaints

▪ Multidimensional vendor risk management

▪ Balanced & properly weighted

▪ Interdependency of dimensions


Emerging Trend # 2 – Enhanced Digital Risk Management

▪ Cyber & Digital Risk

▪ Inherent Digital Risk

▪ Residual Risk Management

▪ Target Risk Profile Development


Vendor Inherent Risk Profile

Inherent Risk

▪ Cost
  ‒ High
  ‒ Medium
  ‒ Low

▪ Vendor Criticality
  ‒ High
  ‒ Medium
  ‒ Low

▪ Regulatory
  ‒ HIPAA Business Associate
  ‒ SOX 404
  ‒ DFARS

▪ Type
  ‒ Cloud
  ‒ On-Prem
  ‒ Development

▪ Data Amount
  ‒ 100 – 200 Records
  ‒ 200 – 300 Records
  ‒ 1000 – 2000 Records


Residual Risk Management

▪ What if vendor cybersecurity risk/residual risk remains too high after the assessment?
  ‒ Do you still conduct business with them?

▪ How do you help your vendors manage flow-down requirements?

▪ What can we do to de-risk your vendors from a cybersecurity perspective?
  ‒ Supply chain experts use “The Beer Game” to illustrate the power of data sharing to manage product spikes & distribution to protect both the vendor and client.


Emerging Trend # 3 – Relevant Metrics

Vendor Risk Dimensions (each paired with its own Relevant Metrics)

‒ Quality
‒ Delivery
‒ Cost
‒ Responsiveness
‒ Innovation
‒ Cyber Risk
‒ Financial Risk
‒ Customer Complaints

▪ Relevant & timely

▪ Data driven

▪ Help your business make the best informed decision versus only communicating on taking a risk-based decision


Emerging Trend # 4 – Complete Scorecard

▪ Depth

▪ Coverage


Sample Data & Vendor Risk Dashboard

▪ Customized Third-Party Data Pipe
  ‒ LexisNexis
  ‒ D&B
  ‒ OFAC
  ‒ Others

▪ Tailored Risk Algorithms
  ‒ Monte Carlo/Scenario
  ‒ Bayes Network
  ‒ Language Processing
  ‒ Intent Analysis


Key Takeaways


Summary

Trend #1: Holistic Governance

Trend #2: Enhanced Digital Risk Management

Trend #3: Relevant & Timely Metrics

Trend #4: Complete Scorecard

▪ What is TPRM?

▪ What are the basic drivers?

▪ What are some emerging drivers?

▪ What emerging trends are forward thinking teams exploring?


THANK YOU!

Max Aulakh, Ignyte Assurance

Carly Devlin, Managing Director