AB WS BuildingaResilientTPRMProgramWithAuditBoard

The document outlines the importance of building a resilient Third-Party Risk Management (TPRM) program, emphasizing the need for organizations to effectively manage vendor relationships and associated risks. It discusses key trends for 2024, including the reliance on third parties, the necessity for continuous monitoring, and the integration of technology solutions like AuditBoard to streamline TPRM processes. The document also highlights the operational benefits of implementing a robust TPRM strategy and the steps necessary for effective program execution.

Uploaded by

Rayyan Fawad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
53 views38 pages

AB WS BuildingaResilientTPRMProgramWithAuditBoard

The document outlines the importance of building a resilient Third-Party Risk Management (TPRM) program, emphasizing the need for organizations to effectively manage vendor relationships and associated risks. It discusses key trends for 2024, including the reliance on third parties, the necessity for continuous monitoring, and the integration of technology solutions like AuditBoard to streamline TPRM processes. The document also highlights the operational benefits of implementing a robust TPRM strategy and the steps necessary for effective program execution.

Uploaded by

Rayyan Fawad
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 38

Building a Resilient TPRM Program With AuditBoard

Jonathan Juchtman, Supervisor, Cyber Risk Consulting, RSM
Grant Gucker, Supervisor, Cyber Risk Consulting, RSM
Agenda

● Introduction
● TPRM Foundations and Key Trends From 2024
● Explore AuditBoard’s Role in TPRM
● Identify Operational Benefits
● Prepare for Future Challenges
● Q&A
01 Introduction

Jonathan Juchtman, RSM Supervisor, Cyber Risk Consulting
● 6+ years of experience in security and privacy risk advisory
● Specializes in security and privacy engagements across frameworks like PCI, NIST, and GDPR
● Professional affiliations and credentials:
○ Certified AuditBoard TPRM Project Lead
○ Certified AuditBoard Cross Comply Project Lead
○ Certified Information Privacy Manager (CIPM)
○ AWS Certified Cloud Practitioner

Grant Gucker, RSM Supervisor, Cyber Risk Consulting
● 6+ years of experience in cybersecurity and risk advisory
● Specializes in TPRM, and risk assessments based on frameworks like ISO and NIST CSF
● Professional affiliations and credentials:
○ Certified Third Party Risk Assessor (CTPRA)
○ Certified AuditBoard TPRM Project Lead
○ Certified AuditBoard Core Administrator
○ Blockchain Council Certified Blockchain & Supply Chain Professional
RSM Consulting Overview

RSM International: $9.4B revenues in calendar 2023, 820 offices, 64,000 people, 120 countries

Combined RSM US and RSM Canada: $3.7B revenue in fiscal 2023, 1,150 partners and principals in fiscal 2023, 15,462 employees in fiscal 2023

Revenue mix: Assurance 28%, Tax 33%, Consulting 38%, Other 1%
Poll Question #1

How frequently does your organization assess the effectiveness of its TPRM program?
A. Annually
B. Semi-Annually
C. Never
D. Unsure
02 TPRM Foundations and Key Trends From 2024

CISOs agree: The biggest area for improvement in 2024 was third-party risk
Third-Party Risk Management

Reliance on third parties continues to increase as a way for organizations to gain greater efficiency, effectiveness, and cost savings by shifting non-core functions to specialized and experienced vendors.

Third-party risk management enables users to appropriately manage their vendor ecosystem and manage risks against internal policy or external factors, such as:
• Regulatory requirements that impact vendors
• IT security and cybersecurity risk programs
• Data privacy and protection
• Internal and external stakeholder alignment
• Financial, operational and IT audit
Risks Associated With Third-Party Relationships

Operational Risk
• Vendor failure to meet IT-related SLAs can lead to operational downtime and reduced service quality.
• Failure to meet production timelines could result in delays or decreased product quality.

Cybersecurity Risk
• Poor vendor data handling may lead to unauthorized access, or data loss, incurring regulatory penalties and financial costs.
• Inappropriate vendor access to IT systems increases the risk of insider threats, data theft, or sabotage.

Financial Risk
• Vendor financial instability may disrupt services or necessitate costly alternatives, affecting the organization’s operations and budgets.
• Failure to perform could lead to unbudgeted replacement needs.

Strategic Risk
• Misalignment between a vendor’s strategic decisions and the company or organization’s goals can reduce service quality and competitiveness.
• Dependence on a few critical vendors heightens the potential impact of any single vendor’s operational failure.

Reputational Risk
• A data breach at a third-party provider could leak customer data.
• Statements or posts on social media from your third-party providers could present backlash from customers, as the public could associate the vendor with the organization receiving services.
Market Trends
External factors shaping the risk landscapes across industries

Economic
● Supplier bankruptcy
● Economic recession
● Banking disruptions

Environmental
● Natural disasters
● Global pandemic
● Enhanced emission reporting

Social / Political
● Workforce protests
● Civil unrest and strikes
● Diversity tracking

Laws and Regulations
● Import and export regulations
● Exporting restrictions
● Sanctioned countries

Ethical
● Bribery and corruption
● Food safety compliance
● Employment practices
2024 Trends in Third-Party Risk Management

Vendor Resilience
• Identification of critical vendors and dependencies supporting critical processes
• Risk rating and classification systems

Continuous Monitoring
• 4th-party monitoring
• Automation and AI integration

Regulatory Updates
• Interagency guidance, SEC, NIST
• Increased cyber requirements for TPRM

Cyber Insurance Coverage
• Decreased ransomware coverage
• Outsourced services

Program/Project Management
Board-Level Metrics and Reporting
Cybersecurity Risks Associated With Third-Party Relationships

• WEAK OR IMMATURE CYBERSECURITY HYGIENE: Third parties with weak cybersecurity practices could lead to entry points for cyber attacks or improper handling of data.
• THIRD-PARTY SOFTWARE: Third parties providing technology to the organization can introduce exploitable vulnerabilities, outdated technologies, or weak integrations.
• LACK OF OPERATIONAL RESILIENCE: Lack of disaster recovery planning could lead to prolonged downtime.
• INSUFFICIENT ACCESS CONTROL: Excessive access or weak access control could result in loss of IP or inappropriate access to sensitive information.
• NON-COMPLIANCE TO SECURITY STANDARDS: Non-compliance to industry regulations such as HIPAA, PCI, GDPR, etc. could expose the organization to additional risks.
• INCREASED SPREAD OF MALWARE: Malware introduced by third-party systems connected to your environment could inadvertently spread through multiple layers.
• INADEQUATE DATA PROTECTION: Failure to protect data in transit, or to properly dispose of data, could leave information exposed.
• LACK OF SECURITY AWARENESS TRAINING: Failure to identify phishing attacks can lead to security incidents via human error.
• SHADOW IT: Unauthorized devices or software can lead to insecurities.
Managing “Nth” Party Risks

Fourth-Party Dependencies
Understanding your vendor ecosystem, and monitoring “nth” dependencies, is becoming increasingly more important as organizations are outsourcing now more than ever.

Third Party: Vendors, suppliers, and relationships you have directly contracted with. Example: Your Software as a Service (SaaS) provider.

Fourth Party (nth party): A vendor that your vendor is dependent on to deliver a service or product to you. Your third-party vendor has a direct contract with them, but you do not. Example: Your SaaS provider’s cloud vendor.

[Diagram: YOU contracts with several 3RD PARTY VENDORs, each of which depends on one or more 4TH PARTY VENDORs.]

Follow these steps to better manage your vendor ecosystem.

Create an Inventory
✔ Ask your third parties to identify fourth parties they depend on to provide your services.
✔ Start with critical and high-risk vendors.
✔ Document within your vendor inventory.

Understand Access
✔ Will the fourth party have access to your data, systems or network?
✔ Will the fourth party have physical access to your building/offices?
✔ Will the fourth party interface with your customers?

Address Concentration Risk
✔ Analyze fourth parties to evaluate for concentration risks:
  ✔ Same fourth party
  ✔ Similar geographic areas
  ✔ Operational reliance

Understand how your vendors manage their vendors
✔ Understand how your vendors manage their vendors
• Note: The goal is not to evaluate the maturity of their TPRM program, but to ensure proper due diligence was completed on critical fourth party vendors.
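As an added example (not code from the RSM/AuditBoard deck), the following Python models a small constructed vendor inventory, derives an inherent-risk tier from the "Understand Access" answers, and runs the three concentration checks from this slide (same fourth party, similar geographic areas, operational reliance). The tiering rule, the 50% region threshold and every vendor name are assumptions.

```python
"""Vendor inventory with fourth-party concentration checks.

Added example, not code from the RSM/AuditBoard deck: it models the
"Create an Inventory", "Understand Access" and "Address Concentration Risk"
steps on a constructed inventory. The tiering rule, the 50% region threshold
and every vendor name are assumptions, not AuditBoard's scoring logic.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class Vendor:
    """One directly contracted third party and what the inventory records."""
    name: str
    region: str
    critical: bool                  # supports a critical business process
    data_access: bool = False       # access to your data, systems or network
    physical_access: bool = False   # access to your buildings/offices
    customer_facing: bool = False   # interfaces with your customers
    fourth_parties: list = field(default_factory=list)  # names only

def inherent_tier(v: Vendor) -> str:
    """Assumed tiering: critical with data access is High, any other access
    or criticality is Medium, everything else is Low."""
    if v.critical and v.data_access:
        return "High"
    if v.critical or v.data_access or v.physical_access or v.customer_facing:
        return "Medium"
    return "Low"

def concentration_report(vendors, fourth_regions, region_threshold=0.5):
    """Flag the three patterns from the slide: the same fourth party behind
    several vendors, one region holding >= threshold of the ecosystem, and
    fourth parties that critical vendors rely on (operational reliance)."""
    shared = defaultdict(list)
    for v in vendors:
        for fp in v.fourth_parties:
            shared[fp].append(v.name)
    same_fourth = {fp: deps for fp, deps in shared.items() if len(deps) > 1}
    # Count each third and fourth party once when measuring region spread.
    regions = Counter([v.region for v in vendors]
                      + [fourth_regions[fp] for fp in shared])
    total = sum(regions.values())
    region_conc = {r: n / total for r, n in regions.items()
                   if n / total >= region_threshold}
    reliance = sorted({fp for v in vendors if v.critical
                       for fp in v.fourth_parties})
    return {"same_fourth_party": same_fourth,
            "region_concentration": region_conc,
            "operational_reliance": reliance}

def build_inventory():
    """Constructed sample inventory (all vendor and region names made up)."""
    vendors = [
        Vendor("CRM SaaS", "US-East", True, data_access=True,
               fourth_parties=["CloudHost A"]),
        Vendor("Payroll SaaS", "US-East", True, data_access=True,
               fourth_parties=["CloudHost A", "Payments Gateway"]),
        Vendor("Facilities Co", "EU-West", False, physical_access=True),
        Vendor("Marketing Platform", "US-East", False, customer_facing=True,
               fourth_parties=["CloudHost A"]),
    ]
    return vendors, {"CloudHost A": "US-East", "Payments Gateway": "EU-West"}
```

Running `concentration_report(*build_inventory())` flags "CloudHost A" as a shared fourth party behind three vendors, US-East as holding two thirds of the ecosystem, and both fourth parties as operational-reliance items because critical vendors depend on them.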
Priority Steps to Implementing a TPRM Program
Building a Comprehensive and Effective Third-Party Risk Management Strategy:

1. Establish cross-functional governance and oversight team
2. Define the TPRM program’s objectives and quantifiable goals
3. Identify and categorize third parties
4. Develop a risk assessment framework
5. Implement scalable TPRM technology solutions
6. Perform risk-based due diligence
7. Establish standardized and risk-based contracts
8. Implement continuous monitoring standards
9. Train and develop talent
10. Review and update the program regularly
TPRM: Developing a Plan

What issues are we solving?
• Inconsistent execution by business owners
• Broad signature authority/spend authority
• Increasing supplier risk related to cybersecurity
• Alignment between procurement, sourcing, legal, security and risk management
• Inconsistent information available for proposals and no central team/technology to retain vendor data
• Longer lead times for completion of due diligence/screening
• Inconsistent procedures for business and vendor interactions for request and survey analysis
• Aiding and informing the business on third-party management risks and expectations
• Lack of practice aids, work programs, tools and automation for execution of work and ongoing vendor reviews
• Lack of valuable automation, analytics and alignment with governance, risk and compliance (GRC) efforts to generate new ideas for further monitoring of partnerships, sponsors, affiliates, etc.

[Diagram: plan areas and elements as labelled on the slide: Vendor risk management program basics; Defining top risks and thresholds; Vendor monitoring and analysis; Innovation; Ownership; Technology; Governance; Policies; Financial risk; IT security risk; Operational risk; Compliance risk; Governance, risk and compliance; Strategic value; Vendor key performance indicators; C-level value; Business value; Strategic partners and integration; Select and evaluate vendors; Vendor transitions; Vendor categories.]
03 AuditBoard’s Role in TPRM

Poll Question #2

Does your organization utilize a tool such as AuditBoard's TPRM solution to facilitate its TPRM program?
A. Yes
B. No
C. Unsure
AuditBoard Overview

RSM Solution Offerings in AuditBoard

RiskOversight (RSM Services: Enterprise Risk Management & Risk Assessment): Elevate risk management programs by integrating strategic, operational, and IT risks.

CrossComply (RSM Services: Information Security Assurance & Advisory): Manage cross-framework compliance, including SOC, ISO, NIST, PCI, and more.

ESG (RSM Services: ESG): Extend your audit, risk, and compliance capabilities with streamlined ESG program management.

TPRM (RSM Services: Advisory & Assessment): Strengthen the foundation of your vendor risk management program to stay ahead of vendor risks.

SOXHUB (RSM Services: SOX Outsourcing, Co-sourcing, & Staff Augmentation): Tackle all of your SOX compliance requirements with ease and precision, together.

OpsAudit (RSM Services: Internal Audit Outsourcing, Co-sourcing & Staff Augmentation): Streamline and boost your work and deliver more strategic value throughout your audit programs.

Highest implementation customer satisfaction rating of all AuditBoard partners
AuditBoard’s Solution for TPRM Programs

Benefits of a robust TPRM solution:
• Centralized vendor inventory
• Streamlines vendor intake and assessment process
• Enhanced visibility
• Improved scalability
• Allows for ad hoc vendor monitoring through surveys
• Automatically assesses the vendor’s criticality and assigns a risk value

[Diagram: TPRM lifecycle: Vendor Onboarding Process, Vendor Risk Assessment Process, Reporting, Issue Tracking, Periodic Monitoring.]
AuditBoard’s Solution for TPRM Programs

Streamline Vendor Evaluation and Onboarding
• Automate workflows for requesting, submitting, and reviewing vendor questionnaires.
• Aggregate details to create a central vendor inventory.
• Leverage auto-inherent risk scores to prioritize your vendor inventory.

Conduct Vendor Risk Assessments With Ease
• Create custom assessments or utilize out-of-the-box templates to perform vendor assessments.
• Simplify decision-making with auto-risk scoring.
• Track mitigation efforts to demonstrate program improvement.
Third-Party Risk Management
Visualize, assess and mitigate the third-party risks facing your organization

Improve visibility
Gain insights into vendors with real-time data and streamlined questionnaires to understand your third-party risk.

Automate workflows and risk scoring
Prioritize your inventory and focus on the vendors that matter most with auto-inherent risk scores and weighted questions.

Streamline issue management
Facilitate collaboration with business stakeholders while streamlining vendor issue tracking and mitigation through robust dashboards and reporting.
04 Operational Benefits

TPRM Program Execution With Technology

Benefits of using technology in TPRM programs:
● Improved efficiency
● Enhanced monitoring capabilities
● Greater transparency for internal audit

Automation:
● Streamlining processes
● Reducing manual tasks
● Enhancing accuracy and efficiency

Centralized data management and reporting:
● Benefits of centralizing TPRM data
● Integration with other risk management tools
● Role of analytics in identifying risks
● Customizable reports for different stakeholders
Benefits of TPRM Tool Integration Capabilities

TPRM platform integration across cloud ecosystem:
● Proactively manage vendor risks by automatically monitoring them through integrations with security and vulnerability tools.
● Gain real-time risk insights into vendor security and compliance across your ecosystem.
● Seamlessly scale, adapt, and grow to support expanding audit, risk, and compliance needs.
TPRM Program Development and Continuous Improvement

Establish Program
▪ Implement administrative controls to establish critical processes, define roles and responsibilities for ownership and accountability, and align to internal or regulatory dependencies
▪ Develop and manage due diligence questionnaires
▪ Establish scoring criteria for repeatable, scalable and objective evaluations

Operationalize TPRM Technology
▪ Build vendor inventory within AuditBoard TPRM module
▪ Define risk tiers for all vendors based on data sets, critical processes, etc.
▪ Deploy due diligence questionnaires
▪ Choose from templated questionnaires or create custom questionnaires to align with your internal risk appetite

Optimize and Automate
▪ Monitor fourth-party dependencies
▪ Integrate with risk-data providers for ongoing vendor monitoring and real-time assessments
▪ Report risks to senior leadership through dashboard and reporting packages
▪ Build key performance indicators (KPIs) into dashboard and reporting
▪ Integrate with other modules of AuditBoard
RSM TPRM Capabilities and Expertise

PROGRAM EVALUATION: Ensuring alignment to regulatory requirements, internal policy, and/or leading practices.
DESIGN, BUILD, AND OPTIMIZE: Developing repeatable and scalable programs with automation and efficiencies.
MANAGED SERVICES: Aligning your risk appetite with a turnkey solution for managed success.

CAPABILITIES
MATURITY ASSESSMENT: Assess the maturity of your program’s controls across the third-party risk management lifecycle.
POLICY AND PROCEDURE DEVELOPMENT: Build foundational program-level documentation to ensure repeatability and scalability.
VENDOR RISK ASSESSMENTS: Expertise and resources to complete vendor risk assessments.
PROGRAM AUDIT: Evaluate the design and operating effectiveness of the third-party risk management program across the engagement lifecycle.
TECHNOLOGY ENABLEMENT: Subject matter expertise to help you select or implement a new third-party risk management tool.
MANAGED PROGRAM: A turnkey solution to ensure successful completion of third-party risk analysis.

<<<Full Program Development and Customizable Services Are Available>>>

10 January 2025


Poll Question #3

How does your organization perform risk assessments on fourth parties?
A. Security risk monitoring solution
B. SOC report reviews (4th party)
C. Questionnaires (4th party)
D. Other
E. No 4th party risk assessment process exists
05 Prepare for Future Challenges

AI Risks
As businesses increasingly integrate artificial intelligence (AI) into their operations, several key risks are emerging that require careful consideration.
01 Data Security and Privacy Concerns
02 Compliance and Regulatory Risks
03 Operational Disruptions due to AI Integration
04 Ethical and Reputational Risks From AI Misuse
05 Intellectual Property and Legal Risks
AI Governance Framework

[Diagram: eight principles arranged around "Business Processes" and "AI systems".]

Governance, values, & ethics: Leaders with relevant expertise oversee the program, ensuring the integration of organizational values and ethics into AI system design and implementation, supported by robust governance policies and procedures.
Regulatory compliance: Applicable regulations are factored into the design and implementation of the AI system.
Unbiased & fair: Through stakeholder engagement, the AI system is designed to be unbiased and fair.
Explain & transparency: The stakeholders should be able to understand the input and explain the model's output.
Consistency & reliability: This system is designed, trained, and monitored so that its outputs are as expected and maintain a level of quality over the period.
Accountable: Clearly define ownership of the model and its input and output. Capture and retain an audit trail of key input and updates.
Privacy & data protection: Incorporate data governance, data access, and privacy policies and procedures of the organization into the design and implementation of the AI system.
Security & resiliency: InfoSec standards and policies must be reflected in the AI system's design and operation, protecting it against the impacts of adversarial attacks.
Poll Question #4

What is your organization's biggest concern regarding the adoption of AI technologies?
A. Data privacy and security risks
B. Ethical implications or bias in AI systems
C. Compliance with regulatory requirements
D. Lack of transparency in AI decision-making
E. Over-dependency on AI vendors
Q&A

The Modern Connected Risk Platform
Elevate your audit, risk, InfoSec, and ESG programs with the intelligent, collaborative, connected risk management platform.

Audit: Elevate your impact with risk-based auditing and SOX assurance
● Audit Management
● Internal Controls Management

Risk: Visualize and address every risk across your organization
● Enterprise Risk Management
● Operational Risk Management

InfoSec: Automate across each area of IT risk and compliance management
● IT Compliance Management
● Third-Party Risk Management
● IT Risk Management

ESG: Streamline your ESG program and ensure audit-ready data
● ESG Program Management
● ESG Controls Management
Thank You!

If you qualified for a CPE credit, you will receive your certificate by email by the end of the day.

Questions? Email [email protected].
