Vendor Risk Management Programs Demystified
Megan Phee: Hi, I'm Megan Phee, and this is GRC & Me, where we interview industry thought leaders in governance, risk and compliance on hot topics, industry-specific challenges, trends, and more, to learn about their methods, solutions, and outlook in this space.
Szuyin Leow: Hello, everyone, and welcome to our next episode of GRC & Me. My name is Szuyin Leow and I am our VP of customer success and services here at LogicGate. I get the pleasure of overseeing our implementation services, professional services, and customer success teams, all of the wonderful folks that our customers here at LogicGate work with on their Risk Cloud platforms. And today, I am very happy to be guest hosting GRC & Me with one of our rockstar customers, Stephen Crouch from Texas Mutual. Stephen, thanks for being here today. Could we start off with you telling us a little bit about your background in governance, risk and compliance?
Stephen Crouch: Sure. Thanks, Szuyin. Happy to be here. So my background in GRC, well, I do have a finance background. I've worked in healthcare services for several years, and had a bit of insurance exposure from doing that. When I moved over to Texas Mutual Insurance, which specifically does workers' compensation insurance, I was hired on as a risk analyst and quickly got involved with our vendor risk management program. We had already established our relationship with LogicGate a few months before I had gotten there, but we put out our vendor risk management platform first. And from there, we were able to find a few things that we needed to tweak and correct. But yeah, that was really how I got my exposure to GRC, right there from the beginning. It was about three years ago when that happened. So yeah, it's still fairly new to me.
Szuyin Leow: Fairly new, but also it feels like the three years have, yeah, it's flown by and it's been really exciting to see how you all have evolved your vendor risk management program over the years. So we're excited to dive into some of that with you today. Let's go ahead and kick it off. Would you mind starting with just sharing what your current vendor risk management or third party risk management process looks like today at Texas Mutual?
Stephen Crouch: So we currently are in the process of bringing on one of our former IT security reviewers, if you want to call them that. They serve now in a role specific to VRM where they are helping out with the contract reviews and reviewing compliance for security protocols. We also have some contributions from our architecture group, our enterprise architecture group. In the rest of our company, we try and raise awareness as far as risk culture. And so, anybody that has an involvement with the vendor, we refer to them as our business contacts. They really own the relationship with the vendor and take a lot of the burden, the work, off my plate by helping further that relationship with the vendor, making sure that when we are needing to assess the risk of any vendor, they're able to reach out to that vendor for any documentation, and if we're sending the vendor a questionnaire, making sure that that's completed in a timely process. Other people that are involved in the process would be the leadership, specifically the chief risk officer, who I work under, making sure that our policies and procedures are in line with the company's risk appetite from an enterprise level. Another role that we refer to as our executive sponsor is really the person who owns the budget or is in charge of paying for whatever product or solution that we're using. And anytime an exception comes up where something might not be exactly within our policy, we have a process for creating an exception for one-time events. And so, anytime an exception pops up, we get these leadership positions involved with making sure that we're okay, that it doesn't necessarily fit our policy, but it is within our risk appetite and we're okay with moving forward with giving that vendor a stamp of approval, if you will.
Szuyin Leow: Fantastic. Well, it definitely sounds like you all have a lot of good buy-in across different stakeholders, different groups at different levels in the organization as part of your vendor risk management program, which is a really critical thing to make sure you can build that culture of risk awareness and risk management that you spoke to. However, one of the things that I think I've heard from you and some of our other customers is that it sometimes can be challenging having multiple different stakeholders or groups involved in a process. So sometimes there can be some misalignment, per se, or just different understandings of definitions throughout the process. And one of the things that you've shared with me in the past, Stephen, is that there was a particular definition that you all have at Texas Mutual around a critical vendor, and what qualifies as a critical vendor. Could you explain to our listeners what that term means at Texas Mutual, and why maybe in the past there's been some confusion around that term?
Stephen Crouch: Right. This has just recently become a hot topic for our risk office. The use of the word "critical" means different things around the company. And so, whenever my colleague is putting together her business continuity plans with each department, they have what are called critical business functions, and it's really specific to the department. So it's critical to them, but not necessarily critical to the company as a whole, where it might impact an internal function, is how we would describe it. But a critical vendor, the definition that we're trying to hone in on, is something that affects our operations or our ability to service our policyholders, not necessarily a supplemental service, because there are a few perks and benefits that we offer our policyholders, but really, what affects our ability to write a policy, to underwrite it, to service those claims, to be able to make payments. Because the last thing we want is one of our policyholders to be twiddling their thumbs waiting for a check to come in the mail. Anything that is going to directly affect our ability to do those things. So then you start getting into things that run off of our network, the infrastructure and hardware that supports those types of things. Those are all things that we would consider critical to the business. There are a few things that we try and take out of there, similar to what I described as a supplemental service, like a benefit or a perk that we add for our policyholders. There's something that we label as regulatory, where we have to use this vendor. And sometimes we say, are they really even a vendor if it's a legal body or entity that we have to report to? We don't really have a choice. It's something that we have to do. So it's not like we're going to send them a questionnaire. So yeah, we're trying to account for things of that nature as well. So for anything that doesn't meet any of the descriptive terms that I've used, we just say that's not critical.
So it could be anything from possibly a janitorial staff, or we recently recategorized anything that had to do with our facilities to not be critical, since we have a work-from-home policy company-wide now. So yeah, we're always trying to reassess what these categorizations are and what vendors are being labeled as what.
Szuyin Leow: Makes total sense that those definitions could change over time as the world around us is changing and evolving. So yeah, that reassessment motion is really important. And that's a good example you shared of why we need to be revisiting our definitions over time. In line with that, obviously, the past few years, we've all been going through a lot of change, and new experiences with the pandemic and just everything else going on in this world. As Texas Mutual's business has evolved over time and figured out how they need to adjust to those changes, how have you seen your third party risk management program change from a people process technology perspective? What are some of those evolution pieces looking like?
Stephen Crouch: Once I took over the vendor risk management role that we have within our risk office, I started to look at what we could revamp, where things could be improved. And the first thing that I came up with is identifying that we want to capture what's called inherent risk up front. What do we know about this vendor? What risk can we already identify? And then whatever questions that we would then want to ask the vendor, reach out to them to get more information to get a more complete look at the risk. That gives you what your residual risk is, whatever responses they give back. Because the vendor, more often than not, can provide the mitigation that you're needing to see if they're within your risk appetite. So once we identified being able to capture the inherent risk and then having a score for the residual risk afterwards, we then decided that it would be appropriate, if we're sending a vendor a questionnaire, to be able to see where... create a spectrum for each one of the questions that we're going to send them. For example, if we're asking a vendor to look at their financial statements, what are the things that we're looking for? And then providing a score to show where they fall within our risk appetite. And using calculations to then compile a score that will tell us whether the vendor is within our risk appetite. This then will lead us to future decisions that are going to be made down the road. The main one is, if a vendor does not really pose a large risk and there are no real concerns that get raised during the review process, then the reassessment that we're going to send out will be later down the road. But if it's a vendor that has access to data, let's say, or they are a critical vendor, then we're wanting to review them on a more frequent basis.
So the scoring was the real, the first big change that we did when we were starting to revamp our VRM process. There have been a few other things, just trying to tweak user... make things more user-friendly. The other thing is, we've reached out to our stakeholders internally to see how we can make things more user-friendly for the employees that we have at Texas Mutual. A lot of that came down to making things more discoverable, using different table reports, so our stakeholders at Texas Mutual could quickly identify which vendors are held up in the questionnaire process, what vendors are coming up for a new assessment in the near future, and being able to quickly identify what action items I have as a risk owner from these vendors. The one that we've most recently done is linking up our business continuity plans with vendor risk management. So if you have a critical vendor that's entered in our VRM system, it should show up as a critical business function within BCP. And sometimes people leave things out. We just wanted to reconcile all that together so it makes sense and we can account for everything. See, that's where my accounting background came into play here. I wanted to make sure everything ties out. Those are mainly the things that we've been working on.
Szuyin Leow: Yeah, absolutely. Definitely lots of parallels, for sure, between the systematic approach you need to take in accounting, and vendor risk management. With some of those different changes you've talked about that you made in the program, with scoring and making things more discoverable, and driving more of that visibility and connectivity between BCP and TPRM. Have you seen any impacts or results yet, Stephen? In terms of the process being more efficient, or more effective, or just having more engagement from stakeholders? Have you all been able to see those results yet?
Stephen Crouch: So, as a result of the changes that we've made, the stakeholders, first off, have just been more engaged with what's actually going on with their vendors. They're not just paying the bills and letting the vendors do their thing. They are engaging in the relationships, which has also raised awareness of what kind of contracts we have with each of these vendors. And we're running a fine-tooth comb over those because we know what's at stake now. So that risk awareness is definitely running through the blood of our company. The other thing is, we're identifying where the flaws in our current system are. Like I mentioned before with the whole issue with, what is a critical vendor? Things like that are coming up. So we're trying to make things consistent, making sure that the language that we use makes sense to people, because a lot of individuals, the business contacts, as we call them, were asking questions. They would come to me and ask, "I'm not sure what to categorize this as?" So, continually refining those definitions, because it's a dynamic function of our company. Vendor risk management is going to be changing for the foreseeable future, as far as I can tell. But the other thing that I've noticed that has paid off is, once we're identifying where those bottlenecks are in our process, the aging for when something is sitting in a certain review step, those outstanding days are definitely shrinking, so that we're turning around these reviews a lot faster than we were before.
Szuyin Leow: That's great. Really glad to hear that both efficiency, and engagement have picked up overall because of those evolutions you all have made over time. When you think about where Texas Mutual wants to take your risk management program going forward, what are some of the major goals that you all have defined for the rest of 2022?
Stephen Crouch: Right. So I mentioned that we were working to link up our business continuity process with our third party risk management, making sure that everything ties out there, that all of our critical functions are being linked up. The other big thing that we're looking at is risk quantification. And we are fortunate enough that our IT security group is really wanting to do this as well. They're backing this effort. And so, we're exploring how we're going to put that together, because at the end of the day, we can say that a certain vendor poses a risk, but what is actually going to be the dollars and cents of the risk that we're taking on? If, let's say, if a breach happened, what is the monetary value of that? How much would we have to pay in damages? As we see that breaches are becoming more and more common through third parties, we have to say that it's within our risk appetite to use a cloud service. We keep our data on the cloud, and there is a possibility that there could be a breach, and we're doing everything that we can to prevent those things. But we have to know how much is too much of a risk. If a vendor is not doing their due diligence, as far as putting their security protocols into place, then we're not going to use them. And so there's certain things that we specifically stated in our risk policy that if a vendor is not meeting these things, we will not do business with them and we will transition away from them.
Szuyin Leow: I guess having those, the clarity on where your threshold is, is really important. And certainly what you said about the desire to be able to articulate risk in dollars and cents more is something we're hearing from a lot of our customers. So, it makes a lot of sense that you all are interested in diving deeper into risk quantification. What are some of the other metrics? When you think about quantifying risk and being able to communicate to other folks about risks in your TPRM program at more of a numeric and quantifiable level, what are some of the other key metrics that you all track at Texas Mutual?
Stephen Crouch: We're working to just build out a risk register of all the different risks that we have at Texas Mutual. And a lot of those have to do with the third parties. And any time that we're bringing a vendor into the picture, we put a whole list of all the risks that could happen if this vendor goes bankrupt, if there's a data breach, like I mentioned before, and what are the severity or the likelihood of those things happening? Those are really the two things that really feed into that risk quantification that we're looking to get at. So these are basically plugging in all the variables that allow you to perform that risk quantification. And so, the metrics that we're looking at is how many vendors do we have that reach that top threshold of severity? How many vendors, or specifically, how many critical vendors do we have that have a high likelihood of something bad happening and how can we mitigate those things? The other thing that we're looking to put into place is to track how have we lessened our risk exposure? Because we have our risk appetite, and let's say it's sitting right there in the middle of the spectrum. How can we get it to shift further to the green, if you will? We want to take on as little risk as possible, making sure that we're operating our risk office in an efficient manner. But yeah, how can we lessen our risk appetite? And how can we lessen our risk exposure? And tracking that over time. So that would be something to throw in a graph that as you can see that risk lessening, that's going to make any board member happy to see that.
Szuyin Leow: All really powerful numbers that help to communicate the impact of that risk. When you think about building that risk culture and the buy-in that you all have been able to get from other stakeholders within the Texas Mutual business for TPRM, how have you all done that? How have you gotten the stakeholders to really care about third party risk management and vendor risk management?
Stephen Crouch: Right. It took quite a bit of time to build out the relationships with all the business contacts, because everybody's busy, everybody's got a lot of stuff on their plate. And then here I come in saying, "All right. All right, guys, we are, I'm going to put in a VRM program and I'm going to need all y'all's help tracking all these different things. Establishing contact with the vendors to make sure that we can get answers for the questions that we have." And so for the first year, it did take a lot of effort to reach out to the vendors that we needed to send questionnaires to, and get those completed, and review those, figure out what this risk is. But then, once that upfront work was completed, it made it a lot easier for us going forward to just say, "Here, we already have the answers." We can reach back out to the vendor and say, "What of this has changed? And can you provide us new documentation if necessary?" We're also able to identify the vendors that were not responsive to the questionnaires, figure out what vendors didn't need one that we may have sent one to. And doing all the upfront work, it was a bit time consuming, but everybody at our company agrees now that we're in the second year of this, that all of our vendors have been assessed. It's a lot easier. The process is almost automatic at this point, other than having to go and review the new documentation that comes back out. The other thing that I would add is that we've put together workshops to educate our stakeholders. That really gets people thinking, because they like to hear stories about businesses that didn't pay attention to the risk culture, and look what happened to them. It gets people thinking about, "What are the things that I do at our company that affect the risk appetite that we have?" Because it doesn't matter what level you are in the company. You could be the CEO, or you could be a first-year analyst, you are exposed to risk one way or another.
And so getting people thinking about that really opens their eyes, and it gives them the assurance that you have value at this company, whether you realize it or not. So I think most people, when they leave our risk workshops, they have a good feeling and they want to help us, which is good. Before, like I said, when VRM just showed up out of nowhere, a lot of people were like, "Oh, this is just another thing I have to add to my plate of something to do." But yeah, the attitudes have definitely changed, I think. The other thing that I would add is, just working with our vendors, we want to make sure that our business contacts are able to delegate the responsibilities. Now, we identified that there were a few individuals at Texas Mutual that were responsible for 20 to 30 vendors, which is not something that any, I don't think anybody could actually manage that many relationships. So we encourage them to delegate these out to other people, to let them help you with these, so that if there are any issues that arise, they'll come to you and let you, but making sure that we can get other people involved in the process has been a big help.
Szuyin Leow: Yeah, absolutely. 20 to 30 vendors could be a full-time job, huh? Just managing all of that risk.
Stephen Crouch: Yeah. We're going to have to hire on new people just to cover them.
Szuyin Leow: I also love what you shared about the risk workshops you all hosted. I think the power of storytelling and being able to really help folks understand, this is real, this has happened to other people. And like you said, that they, as an individual, really can contribute to making an impact and ensuring that we're all doing the right thing for our companies and our customers by understanding our role in the process. So I love that you all did those workshops. That's great. When you think more broadly, Stephen, about how Texas Mutual has been utilizing their LogicGate Risk Cloud platform to build out the TPRM program and build out your BCP program, are there any other benefits that you can think of that you have experienced in getting your processes into a holistic GRC platform?
Stephen Crouch: Being able to tie our risk register, and our business continuity plans, and our vendor risk management, our third party risk management programs all together, trying to document everything, has been a challenge. But I do think that once you get that documentation, you can start to do reporting on it and assessing where your company stands. What's the exposure that, at least for our company, what's the exposure that we have to cloud services? How dependent are we on these third parties to do our business? I've seen a lot of lists of top 10 risks for the insurance industry, or just top 10 for Fortune 500 companies, and dependency on cloud services or third parties is usually in the top five. And the risk that goes along with those is usually number one, being data breaches and cybersecurity. So, being able to know what your risk is, I think that's why Texas Mutual put together an enterprise risk management group to begin with, because they wanted to know these things. And so, I found value in my role in being able to help provide an answer for what that actually is. The ability to document all these things and provide some value to our company, I mean, it's not going unnoticed. I think people are now becoming more appreciative of what's actually going on.
Szuyin Leow: That's fantastic. Love to hear that, and being able to connect the dots between things that, to other folks, they might think of as, "Well, we've got risks over here. We've got our vendors over here. We need to come up with these plans that this team is asking us to make." But when we can really help them to see that bigger picture of how it all fits together and how it really does impact the broader business, it's great to hear that you've all been able to get some more of that buy-in and understanding with your stakeholders at Texas Mutual. Fantastic.
Stephen Crouch: Sounds good.
Szuyin Leow: Thanks, Stephen. Really appreciate it. To learn more about Risk Cloud's third party risk management solution, visit LogicGate.com, and while you're there, download our ebook, How to Make Your Work Life Exponentially Easier With a Holistic GRC Program.
Our customers' success means a lot to us at LogicGate. That is why we decided to have none other than Szuyin Leow, VP of Customer Success, as a guest host. Szuyin sits down with one of our rockstar customers, Stephen Crouch from Texas Mutual. Stephen is a risk analyst in the workers' compensation insurance space, and at Texas Mutual he quickly got involved with revamping the vendor risk management program. In this episode, Stephen recounts his GRC journey. He highlights how he has seen vendor risk management evolve, plus other reflections and best practices for building successful vendor risk management programs.