TAG Cyber Interview: Managing Third-Party Risk Using Prevalent

What is the role of visibility in third-party risk management and how does your platform optimize such visibility?

The old maxim is true: You can’t manage what you can’t measure. And I would add: You can’t measure what you can’t see. Enterprise risk visibility is at the core of our platform. It starts with procurement—gaining pre-contract visibility into risks like vendor finances, data breaches or compliance problems—and extends to offering a single role-based platform that multiple enterprise teams can use to view the risks that matter to them. We do this through customized, role-specific dashboards and reporting.

Tell us more about how you support TPRM through the use of your vendor risk network.

Our networks are on-demand libraries containing thousands of vendor risk reports that are continuously updated and backed by supporting evidence. Customers use the networks—Exchange, Legal Vendor Network and Healthcare Vendor Network—to get a jump start on their vendor due diligence process by gaining immediate access to completed assessments, helping them scale their programs so they can shift their time and energy from hounding vendors to identifying and remediating exposures.

Can you share some insights into the future of TPRM in the coming years?

We see TPRM moving towards greater levels of outsourcing, involving more enterprise teams and risk types, as well as evolving to a more continuous model and going deeper in certain industry verticals. First, enterprises rely on an ever-widening network of third parties, while also facing an expanding web of geopolitical risks, regulatory requirements and cybersecurity threats. Unfortunately, most companies manage these risks by using manual processes that place a greater emphasis on risk identification than risk remediation. Over the next several years, organizations trying to scale effective TPRM risk programs will hit a wall, causing them to adopt more automated and proactive approaches, such as leveraging external business process outsourcing firms and/or dedicated purpose-built external TPRM software.

Next, enterprises are being pressured by a range of stakeholders—including regulators, investors and consumers—to improve visibility and oversight of their exposure to third-party risk. While organizations may begin by focusing primarily on cyber threats, they will see the need to enable risk-based decisions by proactively assessing and monitoring a more comprehensive risk profile throughout the third-party relationship. This will require the rationalization and harmonization of technology, processes (workflow) and people.

Departments and teams will need to consider risk in all activities and decision making, including activities that are currently more focused on operational efficiency. Teams responsible for everything from sourcing and onboarding new vendors to managing their performance over time will continue to consume risk intelligence from similar data sources (e.g., a comprehensive risk profile) and begin to leverage insights from their peers in supporting contract negotiations and discussions related to their respective workstreams.

Enterprises will also continue to enhance third-party programs by utilizing integration, automation, intelligence networks and analytics to continuously assess and monitor their extended supply chains more closely. Finally, enterprises in certain verticals will continue to adopt sharing networks to accelerate risk identification and place a greater focus on risk remediation. These sharing networks will evolve beyond assessment sharing to intelligence sharing as enterprises and third parties design, embrace and enforce open communication to proactively share insights related to cyber, compliance, incidents, performance and more.