Atul Vashistha:
Let’s pivot to leveraging your knowledge, what you are seeing, and what you’re thinking. So, let’s first start with, we’re past Covid now, as you think about 2023 what are your thoughts on the risk environment and more particularly what would you say are your top priorities as you think about 2023?
Vincent J. Scales:
So put simply, my key priority right now is getting deeper with our risk assessments, both from a perspective of understanding the nth parties that might potentially be involved, but also going beyond entity level risk assessments and really getting down to service or product level risk assessments. I would say that the reason for this is that our customers and regulators are demanding increasingly detailed information on how we’re leveraging third parties in the operation of our business and about how those third parties themselves are operating in the specific context of our business and our specific customers. One of the challenges that I see with that is really that by expanding the scope of our risk assessments and our risk management process, we’re constrained like pretty much everybody else by the triple constraints model, cost, time, and quality. Time and cost started to become a really serious factor and it’s really never been more of a focus for my program managing costs than right now.
And neither is time, we’re seeing business stakeholders become more vocal that risk management must not be allowed to inhibit our speed to market. And to enable our business to support our customers while also ensuring that our control objectives are met, we really have to be able to balance what we’re doing in risk management and what our business is doing to support our customers and to generate revenue in really a grand bargain of sorts. And as a risk management leader, that is huge for me, ensuring that the way forward that we land on can do both.
Atul Vashistha:
I think that’s a good way to explain both the challenge and potential solution, which is you think about time and cost, and you cannot subjugate quality. But time and cost are big drivers because that’s what the business is asking for. You just said something, Vince, that I think is critical to kind of stand out. What you said was it’s not enough to just monitor or manage or assess the risk of the third party, but you have to relate that to the services that they’re providing. And let me put another kind of layer on top of that and I’d love to hear your thoughts on that, Vince, which is also the location aspect as you put on it, right? So, talk to us a little bit about as you start to layer these, again, what other challenges is it adding, and if you have any thoughts on solutions that you’re considering, or you think that people should pay attention to.
Vincent J. Scales:
I mean, really as third-party service providers continue to become more distributed in how they’re offering services, that location aspect becomes very critical. However, it needs to be very specific about how your firm is interacting with those third parties. Continuous monitoring providers, which I’m sure we’ll talk about later, really have the ability to potentially overwhelm you with information. And that’s where our risk operations center really plays a key pivotal role in kind of translating the bolus of external data that are now becoming available about third parties and really mapping that to what we’re doing with that. So, for instance, it’s really key to understand where your exposures specifically are with that vendor.
While we would not want there to be any natural disasters, for instance, if there was an earthquake in Mexico that impacted manufacturing for a supplier and we were to receive an alert about that, it would be important and incumbent on my organization to ensure that we’re seeing what our exposure to that potential disaster in Mexico that’s impacting manufacturing is. Making sense of that information and translating that in a way that our business can use for decision support is, I think, the secret sauce to getting that right.
And also, I would say that there’s a kind of a second factor here, which goes to resiliency. Understanding concentration risk and understanding, again, the engagements that your firm has with a supplier can kind of help you when there is this geographic type of impact or risk events, really discern whether or not your business will be impacted and whether or not you need to sound the alarm. What I don’t want to do, especially as we continue to monitor more and more risks and gain access to more and more information, is to cry wolf. I don’t want to lose the belief of my stakeholders by alerting them too often.
Atul Vashistha:
So, Vince, I think this is great advice to both solutions but also the role of solutions plus the risk group like yours at large enterprises, which is, hey, it’s not enough just to know what’s happening, what that risk is, but is it relevant to me? And if it’s relevant to me, what actionable insights do I as a risk group provide to my business so that they can actually know or take action around? So, you said a few other things as you were talking about it, Vincent, even a few years ago when I would talk to risk leaders or even procurement leaders, often they were not thinking beyond what the financial health is and what is the cyber health of my third party or my supplier. And now as we think about that, it’s just not enough to think about just the financial and the cyber health, but you need to understand sanctions and you need to understand location. Talk to us a little bit about how the risk profession has kind of evolved from just the concentrated thinking of limited risk to now saying, hey, you need to look at its full spectrum.
Vincent J. Scales:
And you kind of hit, Atul, on the two main risk domains that I think every third-party risk management program is overly indexed on, which are financial and cyber. In addition to financial and cyber, I think it’s increasingly important to monitor, for instance, the physical security of suppliers that will be storing our sensitive data. I know that for some, certain small aspects of physical security roll up underneath their cyber due diligence, but for me, it’s much more than that. And I think that this extends especially in firms with significant, I would say, with many large customers, large enterprise customers, those customers are increasingly expecting firms like mine to exercise due care to ensure that suppliers have a strong physical security hygiene. Because if you have all the cybersecurity in the world but the physical controls are extremely lacking, that pretty much invalidates any potential protection that the strong cyber controls might have.
Another area that we’re monitoring is privacy risks. Again, privacy is sometimes lumped up underneath cybersecurity, but as regulators increasingly focus on privacy, I mean I think we saw that White Castle, the hamburger chain, is facing a 17-billion-dollar privacy fine or something crazy. I had to read that twice just to make sure it was a billion with a B. It drives the importance of going deeper into privacy risk management. I think this is borne out by the fact that there are now tools like Supply Wisdom that are treating privacy like a separate risk domain as its own, as it should be. And maybe the final area, Atul, that I would mention would be ESG risks. I think that many events have happened in the market that are driving the importance of ESG risk management up, but none more so than investor demand for that information.
And as a result, I think you’re probably very aware that the SEC has now changed the requirements for ESG disclosures for public companies and as a public company, the firm that I work at includes ESG in their 10-K filings. So now when you have this combination of extremely focused regulation from a very aggressive regulator and our exposure and partnerships to and with third parties, you put those together now all of a sudden managing ESG risk of your supplier base rockets up the chart in terms of importance.
Atul Vashistha:
Vince, I think you bring up a very good point about ESG and I think one would say, not specifically talking about your organization, but organizations like yours have actually been taking proactive steps to make sure that you are not just looking at your own ESG practices, but in your case holding you responsible or I should say in charge of ensuring what some would call in greenhouse gas emission scope three what is beyond that? What is the ESG status of the locations I’m getting services from or solutions from, products from, and also what is the ESG status of my third parties? Talk to us, Vince, about as a risk leader, you are seeing these increasing requirements of risk management from financial, cyber to compliance to privacy, and now ESG, talk to us a little bit about how you are managing from an information, labor, effort perspective and how maybe some of it is benefiting from having new solutions like continuous monitoring coming to you?
Vincent J. Scales:
So, the first thing I would say is that really having a foundational baseline that helps illustrate, demonstrate, and visualize, what our absolute requirements are is critical. Risk management in my experience across various industries is sometimes seen as a non-value add and requires a lot of justification. Being able to explicitly detail what we are required to do, what we are expected to do, and what would be nice to do, that’s kind of my three lines of defense in a way because what I build my program for is what we’re required to do and that’s where our regulatory requirements come in, the various requirements for our customers, layering onto that are the industry best practices. As you noted, continuous monitoring products are really changing the game in terms of what we are able to do and what we would like to do because the information that continuous monitoring partners such as Supply Wisdom and other specialized to accomplish on our own with the resourcing that we have and the supplier base that we’re entrusted to manage.
So, I would say that one of the ways that we’re leveraging continuous monitoring tools in our arsenal is by working with our procurement department to ensure that each third-party engagement has a designated owner with day-to-day operational responsibility and knowledge. Because what that allows us to do, as I had touched on earlier, is truly act as a clearinghouse for risk intelligence. Our risk operations center is underpinned by a GRC platform, which I think that really that’s the key to being successful, having a strong GRC platform, because that automation allows you to bring in the various risk alerts and intelligence from various providers and channel that directly to those frontline people in the business. And as we had talked about earlier, how it’s so important to contextualize, to translate the risk intelligence that you’re getting from your partners into something that’s germane to your business, having that linkage between who owns an engagement with a third party specifically, and I don’t mean like the executive champion or the budget owner, but who day-to-day is working with that supplier.
We’re able to vet an alert and choose whether or not to send it directly to that person. And what we’re now seeing is that we’re able to move at the speed of the business while also helping to shape, I would say, decision strategy, with intelligence and information that our business owners and managers would not normally have access to. I think that when you think about what’s on the mind of somebody in a business unit, it’s the requirements of their customer. They’re not overly focused on scanning Google alerts, for instance, for information about the third parties they may be working with. That’s a role that continuous monitoring really helps us play and fill in.
Atul Vashistha:
I think, Vincent, you’ve described a really good model that people should remember because we’re not seeing it necessarily implemented across enterprises, which is your GRC TPRM platform is your source of where all this data is captured, including your assessments, where continuous monitoring is integrated. And then you have a risk operation center, which is your risk group, that is actually taking that and ensuring that it specifically actions within the company. But the final piece you just talked about also is who is the connection to that third party that actually has the knowledge of the third party that also becomes a participant in that program? Then you can actually completely close the chain.
Vincent J. Scales:
And that’s really, Atul, that’s been a supreme focus of my organization over the last year or two and we’re calling it vendor governance oversight. And what we’re working to do is to build a governance framework that doesn’t take the managerial tasks of a third party out of the business. That’s where I think they belong. KPI measurement, SLA measurement, and contractual term enforcement, that’s best done on the front lines by the people who are working with these suppliers and who know the relationships. What we’re trying to build for and to solve for is really building a framework that ensures that not only engagements with third parties have defined owners, but that for instance, the various third-party-focused elements of our corporate policies and requirements have controls in place that are part of our enterprise control library. And what we’re really working on now is we’re extending our due diligence where we conduct inherent risk assessments, conduct focused due diligence based on the outcomes of those inherent risk assessments, and then open findings and basically then enroll that supplier in our continuous monitoring.
We’re extending that process now not just to due diligence, but also to due care, because I think that too often in firms, I think a lot of us have been guilty of this or know scenarios where this happens, when that contract with a third party is executed it’s turned over by the procurement organization to that business unit, to that initial requester, and once risk management has conducted their risk assessment, unless continuous monitoring shows something I don’t think there’s an additional focus. And so what this opens up is a blind spot between onboarding and offboarding, and by building this framework that I’m describing, what we’re looking to do is as a result of what we find in our due diligence and the potential findings we might open, this new frontier is then having controls based on the control objectives of our existing corporate policies that we would apply automatically with our GRC platform based on the inherent risk or even the residual risk of that engagement.
We would then test those controls. So, it’s not enough, I feel, now to just gain assurance that for instance cybersecurity requirements are being met and to rely on outside-in views that companies like Supply Wisdom can provide. Going to that next level is creating a framework that enables folks in the business in a lightweight and non-distracting way to ensure that our third parties are actually doing what they signed up to do. Are they actually encrypting sensitive data with an appropriate cipher strength? Are they encrypting that data at rest and in transit? Privacy, for instance. There are a number of different risk domains that lend themselves to this type of control development and what I would say where continuous monitoring hooks into that is if there is some sort of material event, we’re then able to leverage this framework to gain assurance that in the wake of an event, say a breach, that we are still protected, that the controls that we’ve defined are still in operation and that our customers’ data, our employees’ data, our sensitive technical data, that all that is secure.
Atul Vashistha:
Vince, you described that actually really well, and I think that’s a really leading practice and if it’s done thoughtfully and engaged with the business prior to putting it into place, you’re actually not just doing good risk management but you’re actually focusing on resiliency also at the same time.
Vincent J. Scales:
And, Atul, as you hit on, it’s really with the engagement of the business. We leverage the internal survey, which is called the integrity survey, and it’s anonymous, it’s nonretaliatory, and basically, the purpose of the integrity survey is for everyone in our business to answer some questions about how they feel their ability to do their work with integrity is and what they feel the performance, how much integrity people around them are performing their work with. And what this allows our compliance and ethics teams to do is hone in on potential areas of improvement. And the reason I mentioned this survey tool is that in the last running, in quarter three of last year, a number of the verbatim responses included things like, “I manage vendors on a day-to-day basis, and I don’t really have a lot of guidance. I’m not really sure how I should be managing this vendor.”
And one person even said, “I feel as though I am screwing up every day.” And so really engaging the business and building this framework, it actually takes a lot of the effort out because it’s a very prescriptive routine that says if you’re having a vendor who has access to our facilities, for instance, every year make sure that they’re background checking their employees when they bring them on. Make sure that they have legitimate credentials that we are managing in a timely fashion. And it takes the business away from having to essentially do that guesswork on their own.
Atul Vashistha:
Now I think, Vince, again, you described a practice, a discipline, a process, leveraging of tools really well that would enable risk managers to do what they signed up for in that role, which is actually risk mitigation, risk advice, and not just risk identification. So this is a case where with the number of risk vectors rising, if you don’t put a process like what you have put into place with the tools you’ve put into place, your risk managers are just not going to be efficient. And if you want them to have speed, do it at a lower cost with high quality, you have to be able to do that. Let me ask you a last question on capabilities and then, Vince, anything you think that risk managers should know that I haven’t asked you. What are your thoughts on the application or leveraging of AI and tools like that?
Vincent J. Scales:
So, when it comes to AI tools, specifically generative AI, we’re right at the beginning of the hockey stick when it comes not only to the hype but also to legitimate use cases. I think that generative AI is going to have much more of an impact on risk management than the previous buzzwords of the year. For instance, blockchain, which as we saw didn’t really materialize at all in risk management. In the immediate short term, I see generative AI being used by service providers to respond to questionnaires, which are for better or worse still the foundational building block of pretty much all TPRM programs. In the longer term, I mean, I’m going to use a sci-fi reference here, but I definitely see conversations between AIs, like Neuromancer and Wintermute from the book Neuromancer… for any sci-fi fans… where initial questionnaire-based assessments are conducted between outsourcers and service providers automatically.
That might be a way off, but probably not too far. ChatGPT is already burning up the news cycles and showing us the power of generative AI for text creation. Imagine if a firm that has to respond to many security questionnaires has a generative AI that’s been trained on that firm’s security controls, I think it could do a pretty decent job at eliminating the need for a human to respond to those questionnaires while still providing the same product that a human would. Or at the very least I think that an AI could prepare that questionnaire and then a human could review it and submit it back to their customer. And what I think is really a prime example of how AI will augment humans, I don’t think that AI is coming for our jobs in risk management, but I also do think that it’s going to help us do more with less and make the humans that we do employ much more capable and consistent.
Atul Vashistha:
Vince, I think that’s the best answer I’ve had on this question of anybody, because not only did you kind of talk about a very specific use, actually it’s a beautiful use that I hope providers are working on, which is you are answering all these surveys constantly. There may be variations in the question, but if you train that AI you can actually respond to all of it and now humans are focusing on answering only the more complex issues. So I think AI plus humans, for me, I’m very, very optimistic about that. And so the contribution of both AI and humans gets better over a period of time. So, I’ll definitely keep an eye on it. Vince, was there anything else in risk management, I’ll talk about career and career advice at the next point, but is there anything else I should have asked you or any advice that you have for risk managers as they’re building programs?
Vincent J. Scales:
Yeah, I mean I think, Atul, when we’re talking about AI for instance, that’s kind of one of the major flashpoints of technological change in third-party risk management, but I think if we also want to take a look at another one that would be GRC platforms. I think that when you see the rise of not only SaaS offerings of GRC platforms, but on-prem ones as well, it really underscores the importance of having any sort of GRC platform as part of your TPRM program. I think that in fact when you look at a kind of five-step maturity matrix for third-party risk management, I don’t think you can get above a level-two maturity without one. I think that if you don’t have a GRC platform you’re basically leveraging spreadsheets and paper questionnaires. And what we’re doing with GRC here at Verizon, we’re in the midst of actually a major GRC transformation that will bring all of our risk management, compliance, and assurance functions onto one shared platform.
We’re really using that shared platform to increase the value of what we’re doing and to elevate third-party risk management beyond just simple box-checking. We had talked earlier in our conversation about the amazing amount of data that third-party providers like Supply Wisdom are generating daily that’s focused on our supplier base. Without a GRC platform to feed that into, actioning on, analyzing, and assessing the information would be extremely time-consuming. And by having a GRC platform at the heart of our risk operations center model, we’re able to do it: at some levels of alert we can drive automated decisions with no human interaction. Some notifications are so severe, like for instance a data breach where our company’s name or the names of our customers or partners of ours are located, that we can channel that directly to that frontline business owner that I’d referred to earlier.
Whereas another example would be we can also open up a finding automatically against that supplier, which then initiates action. It’s not just informational only at that point. We’re going to blast that information out to the business and help them stay informed and make sure they start that conversation and drive that conversation with a supplier about what our potential impact is. But we’re also able to, with an audit trail, start an action process that will hopefully realize the mitigation, the elimination of any potential impact from the event that we detected. And I think if you’re intelligent about how you build out your GRC platform, you can realize all of that with no human intervention.
Atul Vashistha:
I’m so glad you brought it up. I wrote an article in Forbes two years ago, and it was titled The Future of Risk Management is Automated, my vision at that point in time was we were already automating risk identification full spectrum, but the piece that was not automated was risk mitigation. And like you said, if you were to combine your continuous monitoring and your GRC together well, you can actually, like you just said, you can trigger automated action so that humans are focused on the most complex issue, not the ones you talked about, and you can actually increase the speed to action by automating all that. I’m really, really glad that you actually brought that up. So, Vince, let’s move to the final piece of our discussion.