
The Future of Third (and Nth) Party Risk Management

How RiskVision’s innovations in diligence and screening, risk assessment, contract onboarding, oversight and control, ongoing monitoring and response / termination protocols transformed Third Party Risk Management

riskvisioninc.com

845 Stewart Drive, Suite D, Sunnyvale, CA 94085 USA
Tel: +1.408.200.0400
Fax: +1.408.200.0401
[email protected]

©2016 RiskVision

The Future of Third (and Nth) Party Risk Management | riskvisioninc.com | ©2016 RiskVision

The Future of Third (and Nth) Party Risk Management

According to a recent survey released by the Ponemon Institute, 70 percent of respondents believe that third party risk in their organization is increasing significantly. The report also highlighted that in the past 12 months, organizations spent an average of approximately $10 million to respond to security incidents as a result of negligent or malicious third parties. Further, organizations must now consider the suppliers and partners of their vendors, creating an “Nth Party” risk management problem of much larger magnitude.

RiskVision is the industry’s first risk intelligence solution designed to address the growing enterprise requirement for an integrated, automated 360° approach to Third Party Risk Management (TPRM) (see Figure 1).

The highly decorated RiskVision platform offers design and engineering innovations that deliver industry-best usability, scale, automation and time to deployment advantages – at a fraction of the cost of traditional solutions. RiskVision’s TPRM solution delivers innovation in every step of TPRM, including risk-based classification, due diligence and screening, risk assessments and scoring, contracting and onboarding, risk oversight and control, ongoing monitoring, and renewal / termination. The RiskVision platform scales to over 300,000 services managed and supports access by 10,000+ practitioners while exclusively identifying, managing and tracking risks in many-to-many relationships, including services, contracts, third and fourth parties. Other efficiencies include dynamically updated business hierarchies, configurable workflow, advanced risk analytics / KPIs and an independently-certified secure vendor portal.

“Using RiskVision automation, Deutsche Bank reduced processing approval to onboard new vendors by 60%, from 163 days to 65 days.” – Managing Director, Deutsche Bank

Figure 1: 360° View of Third Party Risk

Labels shown in the figure: Business Context; Risk; Third-Party Information; 360º View of Third-Party Risk; Financial Viability; Human Resource, Legal; IT Security; Compliance; Privacy, Data Protection; Benchmarking; Market News; HR Screening; Threat Intel; Public Records; Incident Probability; Cost of Incident; Organizational Impact; Third Party Concentration; Services & Parties (Contracts, Payments); Business Continuity and Resiliency.


RiskVision Innovation in Third Party Management Effectiveness and Efficiency

RiskVision’s TPRM solution offers an integrated and extensible data schema, allowing for a third party risk modeling design centered on a broad range of goods and services types, contracts or organizations, using full many-to-many relationship correlation. This enables clients to use RiskVision to analyze risk from many vantage points, including organizational entity, legal entity and geography views. RiskVision has deep third party ecosystem integration with a broad range of contract, payment, HR, legal and other systems, market news services, screening services, security benchmarking providers, threat intelligence feeds and more. RiskVision also provides embedded functionality for Performance Management and Contract Management with a secure permissions-based Document Repository to report on KPIs and KRIs.

Figure 2: RiskVision Third Party Risk Workflow

Integrations and content shown in the figure:

Contract Systems: Oracle Contracts / PeopleSoft, SAP / Ariba Contracts

Payment Systems: SAP / Ariba Pay, Zycus Source-to-Pay

Custom Integrations: Asset Repositories, Human Resource, Legal Entities, Organization Structures, Transfer Pricing, etc.

HR Screening: Kroll, Red Flag Group, Thomson WorldCheck, etc.

Market News: Bloomberg, Dow Jones, Dun & Bradstreet (D&B), LexisNexis, Moody’s, S&P, Thomson MarketWatch

Security Benchmarking: BitSight, Information Security Forum (ISF), SecurityScorecard

Threat Intelligence: Crowdstrike, FS-ISAC, FireEye iSight, NVD, Verisign iDefense, Anomali, Soltra

Content Packs: ISO, NIST (various), COBIT, Shared Assessments SIG Lite and SIG Full, CSA, FedRAMP, PCI DSS, HiTech/HIPAA, AICPA, BITS Risk Catalog, SANS Top 20 CSC, CNSS, MISMO, FFIEC, OCC, FSA, BaFin, MAS, ENISA

Questionnaires: Anti-bribery and corruption, trade regulations, promotional practices, business continuity management, billing, health, safety, information management, intellectual, labour, privacy and data protection, corporate responsibility, solvency, product quality/GxP, current good manufacturing practice, and FDA, communications.

Workflow stages shown in the figure:

New Request → Service Classification (Critical | High | Med | Low) → Due Diligence & Screening (inputs: Contract and Payment Systems*, Internal Group Outsourcing)
• Model risk by contract, service or third party with many-to-many relationships
• Search vendors’ matches for service request and classification
• Determine pass / fail finalists

Risk Assessments – Functional Risk Reviews and Scoring (√ Financial Viability, √ HR & Legal, √ Business Continuity, √ IT Security, √ Data Protection*, √ Compliance*)
• Pre-built content mapping to controls and risks
• Out of box questionnaires from many sources
• Modular, parallel, visualized workflows
• Standard and custom risk scoring algorithms

Contracts Onboarding
• Pre-set or dynamic workflows to hand off risk assessment data
• Manage legal requirements, SLAs, transfer pricing, etc.

Vendor in Service – Third Party Risk Analytics
• Risk scores by function, aggregated and normalized
• Real-time, trending metrics by services & vendors
• Always-on monitoring of third party data
• Dynamically updated organizational hierarchies
• Reporting by legal entity and org structures

Risk Oversight + Control
• Framework for risk tolerance, incident probability, KPIs, authority matrices, concentrated risk, etc.

Ongoing Monitoring
• Secure Third Party Portal
• Third Party workflows, delegation
• Questionnaires and Notifications
• Threshold-based scoring analytics

Renewal / Termination
• Ensure business continuity in case of third party failure
• Promote third party services renewals

Data sources feeding the stages: Contract Systems, Public Records Verification, HR Screening & Market News, Benchmarking & Threat Intel, Auditors, Regulatory Compliance, Contracts, Payments, IT Security.


RiskVision streamlines the process of managing third party risk, delivering industry-first capabilities in many phases of third party workflow. RiskVision innovations include classifying new service requests into priority workflows, automating functional risk reviews, and delivering deep insight via highly tailored analytics dashboards.

Comprehensive Due Diligence and Screening. RiskVision helps organizations execute a detailed background check on any entity or third party, no matter where they are located in the world, gathering relevant information from verification processes (AML, CFT, ABC, EDD), subscription-based services, pre-assessment benchmarks and public records. RiskVision screens for positive or possible matches for any risk entity with a high level of accuracy. Pass / fail reflects relationships, business profile, and control risk.

Risk Assessments. RiskVision offers a broad range of risk assessment content, including ISO, NIST, COBIT, Shared Assessments, and more (see below). Risk assessments are performed for each functional area, including an independent review by Information Security (IS) as a stage gate before vendor onboarding. RiskVision offers pre-designed workflow paths for each functional area, enabling them to quickly and efficiently run an assessment, attach evidence, and return their security risk scores to the vendor team.

Flexible Contract Onboarding. RiskVision embeds and evaluates contract terms and conditions to ensure your contract establishes the appropriate rights, responsibilities and service level agreements for all aspects of your relationship with your third party vendors. RiskVision can use pre-set workflows or, via data integration, dynamically driven workflows to drive collaboration among purchase stakeholders, procurement, and the vendor team.

Risk Oversight and Control. RiskVision provides an organizational framework to establish risk appetite, incident likelihood and impact, tolerance metrics, KPIs, authority matrices, and other business measures to ensure a collective strategy and understanding of third party risk, and to meet internal audit and regulatory governance requirements. RiskVision manages all findings, gaps, and exceptions, and identifies controls that resolve vendor risk. Striking an optimized balance between business goals and operational risk management is the ultimate goal.

Ongoing Monitoring. RiskVision correlates the inherent risk of various business activities and monitors third party data such as financial, security and market news, to trigger alerts and notifications as necessary. RiskVision schedules vendor review assessments via a secure portal, which is certified against external and internal threats. Further, RiskVision uses legal, payment system and market rating data to trigger unscheduled reviews. Finally, RiskVision offers Active State, a data architecture breakthrough that provides an end-to-end, “always on” assessment capability. This gives organizations a continuous risk level/posture, carrying forward all assessment objects such as controls, exceptions, findings, responses and tickets at their current workflow stages and dates, and archiving a current snapshot at any time interval.

Renewal / Termination Protocols. To ensure business continuity in the case of a third party failure, contract expiration, service level agreement breaches or other event, RiskVision streamlines the transition of the activity to an additional third party or back in-house. Pre-built or custom workflows are used to remove a vendor or service, and reconcile with data in contract, payment, and security systems.

RiskVision Innovation in Every Phase of Third Party Risk Management


RiskVision Advanced Third Party Scoring and Analytics

RiskVision offers innovative analytical insight into every phase of Third Party Risk Management. RiskVision exclusively identifies, manages and tracks risks in many-to-many relationships, including services, contracts, and third parties. RiskVision correlates dynamic business hierarchies with flexible scoring algorithms. This unique combination enables advanced analytics for third party KPIs / KRIs, such as functional risk trending, vendor concentration, contractual SLA performance and more.

Figure 5: Vulnerability Risk Prioritization Analytics


Figure 3: Vendor Contracts

Figure 4: Risk Assessment Scoring and Calculations

Figure 5: Vendor Risk Dashboard with Performance Management Metrics Trending


RiskVision: Proven Results with World Class Clients

RiskVision develops comprehensive risk intelligence solutions for the enterprise. The highly decorated RiskVision platform is the industry’s first risk intelligence solution designed for today’s real-time, big data, threat-centric world. RiskVision’s architecture and design deliver the industry’s best usability, scale, automation and time-to-deployment advantages – at a fraction of the cost of traditional solutions. CIOs and CROs of the world’s leading organizations and government agencies rely on RiskVision including AXA Group, Cisco, Deutsche Bank, E*TRADE, Exelon, First Data, Fiserv, HCL, Novartis, Roche, Safeway, Sheetz, Southern Co., Time Warner, United Health Group, U.S. Departments of Defense, Health & Human Services, Justice, and Veterans Affairs, and dozens of other clients worldwide. For more information, please visit riskvisioninc.com.

Figure 6: RiskVision’s proven results, industry leading scalability and fast time to value

These leading organizations already benefit from the future of Third (and Nth) Party Risk Management with RiskVision.


• Up to 75% time savings for internal and external response coordination and service enablement
• 5 to 10x increase in number of suppliers that are risk-reviewed each year
• 10s of millions of dollars reduced in pending fines from regulatory audit findings resolved before the deadlines
• Up to 30% reduction in anticipated regulatory-driven Third Party Risk Management staffing
• Minimized organizational exposure to security breach risk from third party’s access and data

Figure 6 table, one row per customer:

Third Party Scale | Delivery Mode | Time to Value | Content & Data Integration
70,000 Parties, 300,000 Services | On Premise | 6 months | BaFin, FSA, MAS, OCC; Oracle / PeopleSoft; SAP / Ariba; Zycus; Custom – HR, Legal Entity
2,500 Parties, 10,000 Services | Cloud | 3 months | FFIEC, OCC; Custom – Org Structure
2,000 Parties, 6,000 Services | On Premise | 4 months | FFIEC, OCC, PCI DSS; Custom – Assets, Org Structure
10,000 Parties, 30,000 Services | Cloud / On Premise | 5 months | Motion Picture Content Security
500 Parties, 2,000 Services | On Premise | 3 months | Shared Assessments, PCI DSS