Emerging Trends in Third-Party Risk Management
Presented by: Carly Devlin and Max Aulakh
Moderated by: Tonya Preston
TODAY'S PRESENTERS
Max Aulakh, President/CEO, Ignyte Assurance Platform
Carly Devlin, Managing Director, Columbus Office
Overview of Third-Party Risk Management
Overview – What is it?
The process of analyzing, verifying, monitoring, and controlling the risks that third parties present to your organization, your data, and your operations.
Managing third-party risk generally consists of conducting various types of due diligence activities on your critical vendors.
Third-Party Risk Management (TPRM)
Basic Market Drivers
Data Protection
Regulatory Compliance
Business Value
Emerging Drivers
Procurement Departments
Information Security Departments
Business Owners
Current State Process
1. Segment
2. Scope
3. Collect
4. Assess
5. Remediate
6. Report
7. Monitor
Source: OCEG.org
Current State | Vendor Risk Profile
Monitoring allows you to:
▪ Gather assessment trend data & breach data about your vendors
▪ Develop a plan for your vendor to reduce cyber risk over time
▪ Share relevant resources with your vendor (de-risk)
▪ Co-develop a "Target Risk" profile
‒ The set of requirements/controls/questions that should be met
Current Vendor Risk Management Process
Questions from CISOs & Business Leaders:
Is this really enough?
Can we make the process more data driven?
Can the process be balanced and take into consideration a holistic view?
Can we somehow partner with our vendors?
Re-Defining the Vendor Risk Management Problem
▪ Third-party risk should not be in a silo
‒ Not only the responsibility of the security department
▪ The problem is multidimensional
‒ Quality, delivery, cost considerations, contract, cybersecurity & many other factors
▪ Relevant & timely metrics
‒ Multiple sources of data to formulate a score vs. a single method
Current Processes & Results
▪ Lack of trust
‒ Business owners make decisions on vendors prior to engaging vendor risk management teams
▪ Reduced budget
‒ Vendor risk teams often struggle to get additional headcount, technology spend and other initiatives approved
▪ Program turns into a Vendor Risk Management project
‒ Security teams become reactive to new vendor requests instead of proactively addressing VRM risks
Emerging Trends | Forward Thinking Teams
▪ Holistic Vendor Risk Governance
▪ Enhanced Digital Risk Management
▪ Relevant & Data Driven Metrics
▪ Complete Vendor Scorecard
Emerging Trend # 1 – Holistic Governance
Vendor Risk Dimensions
Quality, Delivery, Cost, Responsiveness, Innovation, Cyber Risk, Financial, Customer Complaints
▪ Multidimensional vendor risk management
▪ Balanced & properly weighted
▪ Interdependency of dimensions
Emerging Trend # 2 – Enhanced Digital Risk Management
▪ Cyber & Digital Risk
▪ Inherent Digital Risk
▪ Residual Risk Management
▪ Target Risk Profile Development
Vendor Inherent Risk Profile
Inherent risk is derived from the following dimensions:
▪ Cost
‒ High / Medium / Low
▪ Vendor Criticality
‒ High / Medium / Low
▪ Regulatory
‒ HIPAA, Business Associate, SOX 404, DFARS
▪ Type
‒ Cloud, On-Prem, Development
▪ Data Amount
‒ 100 – 200 Records, 200 – 300 Records, 1000 – 2000 Records
Residual Risk Management
▪ What if vendor cybersecurity risk/residual risk remains too high after the assessment?
‒ Do you still conduct business with them?
▪ How do you help your vendors manage flow-down requirements?
▪ What can we do to de-risk your vendors from a cybersecurity perspective?
‒ Supply chain experts use "The Beer Game" to illustrate the power of data sharing to manage product spikes & distribution, protecting both the vendor and the client.
Emerging Trend # 3 – Relevant Metrics
Vendor Risk Dimensions, each with its own relevant metrics:
Quality, Delivery, Cost, Responsiveness, Innovation, Cyber Risk, Financial Risk, Customer Complaints
▪ Relevant & timely
▪ Data driven
▪ Help your business make the best-informed decision, rather than only communicating that a risk-based decision was taken
Emerging Trend # 4 – Complete Scorecard
▪ Depth
▪ Coverage
Sample Data & Vendor Risk Dashboard
▪ Customized Third-Party Data Pipe
‒ LexisNexis
‒ D&B
‒ OFAC
‒ Others
▪ Tailored Risk Algorithms
‒ Monte Carlo/Scenario
‒ Bayes Network
‒ Language Processing
‒ Intent Analysis
Key Takeaways
Summary
Trend #1: Holistic Governance
Trend #2: Enhanced Digital Risk Management
Trend #3: Relevant & Timely Metrics
Trend #4: Complete Scorecard
▪ What is TPRM?
▪ What are the basic drivers?
▪ What are some emerging drivers?
▪ What emerging trends are forward-thinking teams exploring?
THANK YOU!
Max Aulakh, Ignyte Assurance Platform, max@ignyteplatform.com
Carly Devlin, Managing Director, cdevlin@clarkschaefer.com