The Finnovate Show

Episode · 3 months ago

Linda Tuck Chapman: Supply Chain, Third Party Risk and what you need to know

ABOUT THIS EPISODE

In my conversation with Linda Tuck Chapman, CEO of the Third Party Risk Institute, she discusses what forward-looking organizations are doing to rethink their third party risks. Discover how leaders look at their extended enterprises with a focus on value and risk, changes that matter, and reducing churn.  

...as a leader of your company, you must stay up to date with your strategies and execution or risk obsolescence. Welcome to the Finnovate Show, financial services innovators bringing you the future today, and now here's your host, Gerry Purcell.

It's the Finnovate Show, brought to you by Innovation 360 Group. I'm Gerry Purcell. Get ready to think about your biggest challenges and capitalize on your biggest opportunities, after this.

Executives depend on external consultants to fill knowledge and experience gaps or to have an experienced mind audit their thinking. The Innovation 360 Group brings together a wide range of proven thought leadership from around the globe and cost effectively makes it available to you. Get the insights, advice and systems you need to succeed. Learn more at www.innovation360.com.

Our guest today is Linda Tuck Chapman. Linda is CEO of the Third Party Risk Institute. Her background includes chief procurement officer roles at three major North American banks and as a management consultant specializing in complex strategic sourcing and third party risk management. Linda is widely recognized for her work helping organizations to develop and embed practices in this arena. On Thursday, 28 in the world, is recognizing Linda as one of Canada's top women in cybersecurity. Very cool. The epidemic is still with us and its impact on relationships and predictability, business resilience, costs, supply and demand and the overall threat landscape continues to be significant, but where uncertainty exists, so does the opportunity. Today Linda and I will talk about what forward thinking companies are doing to embrace modern risk and relationship management, to strengthen their competitiveness and effectively manage their extended enterprise. Linda, welcome to the show.

Thanks very much.

So, let's start by casting our minds back to the old days, you know, pre-Covid. What was the lay of the land back then?

Well, I think that when it came to third party risk management, certainly in the financial services sector, there was a growing appreciation that there was business benefit. But I don't think any of us recognized what a wonderful, actually positive impact it would have on many companies' ability to ride the wave of uncertainty and to actually have greater assurance as to the resilience of their organizations. So it's kind of interesting, Gerry, because it felt, I think to some organizations, a little bit like a sort of a regulatory, heavy handed... it is a very, very highly regulated area. In fact, in the financial services institutions, they have an overall safety and soundness rating, and the M in the CAMELS rating, which is what it is called, is based on the management capabilities of the organization. And there are a few things that you can really measure the management capability on specifically, but third party was deemed to be one of four primary areas, including audit and business resilience and succession planning. So when you step back and look at it, third party risk management was forced to the top of the agenda because regulators were concerned after the 2008 crisis. But it's really proven to be such a great benefit to organizations that I don't think we ever foresaw that.

So then Covid hit. The pandemic has affected organizations from around the world, and how has it affected supply chain and third party risk management?

Well, I'd like to just differentiate between third party risk management, you know, what does that really mean, and where does supply chain fit in, because these are all terms that get thrown around a little bit indiscriminately. So third parties, they started out... the regulations and the focus started out on vendors. So it expanded from there after the regulatory guidance came in in 2008 to talk about third parties, and that's the first time that term really started coming to the forefront, and anybody who is a practitioner or an expert, it took us a while to figure out what the heck does a third party even mean. But it's any business relationship that your company is in, as long as it's not a relationship as your customer. So that really opens up the floodgates for what a third party is now. The way that we've really tackled this is to understand who the third parties are, what risk do they present, how are we going to mitigate those or have the third parties help us do that through good controls, and then how do we manage and monitor the relationships. What's different about supply chain is, you know, I'm a services gal who came out of financial services and I understand services, complex services, extremely well, and the risk element of it. Where I've had to stretch myself, Gerry, to learn is on supply chain, because supply chain is all about supply and demand and the logistics of moving durable goods around, whether it's component parts or whether it's finished goods, and in certain sectors that means, you know, in the financial services sector that might mean servers and computers and furniture, which have never really been a concern to us before. But in other industries, I mean, supply and demand is such a huge, huge issue. So what we're facing now with the pandemic is that we all have to pay attention to the supply chain, whether or not we're in manufacturing, consumer packaged goods, anything with some sort of production line, because now we're worried about being able to get even the basics. Hardware, you know, hardware and equipment is in short supply. So if I step back, I've got vendors, right, as part of third party. I have non vendors, which could be a joint venture or channel partner or a correspondent banking, etc. There's a lot of different types. And then we've got this whole thing around supply chain risk, and that's called me to bring different language to the table.

Yeah. One of my clients almost on the first day of the Covid situation started to have to deal with offshore locations and the fact that they couldn't operate, and one wouldn't have thought of that as supply chain in the past, but it actually is. It's a services supply chain, but it's a supply chain. So what other kinds of, you know, perceived risks and different kinds of things have changed as a result of this newest crisis that affected us?

Well, I think the biggie is really interesting. The UK has put out some really good guidance to their financial services sector talking about operational resilience, and being such a focus for me is looking at the resilience in your extended enterprise. I was really happy to see this guidance come out because it adds a dimension. So what we know is that you have to know the criticality of the third party relationship and the activity that it supports, right? So what are you doing, what are they doing for you? And then we also need to know the exposure to risk, and there are many, many types of risks that we're exposed to. So how do we recognize them, how do we mitigate them, et cetera. But what I really like is, it had occurred to me even before the pandemic hit, and certainly the pandemic brought it home for me, it's missing a dimension. Because when the pandemic hit, I talked to a lot of... I'm a risk management association's subject matter expert, so pretty well every FI in North America is a member, and so I run a round table. And when the pandemic hit, we usually meet twice a year, while we were meeting every week for 12 weeks to talk about stuff. All right, it's like, okay, what do we talk about this time? Just trying to get like, what's going on, etcetera. But basically what was missing for me is listening to some of those executives saying, well, we're really paying attention to our top tier enterprise critical relationships. I'm thinking that's probably not where the problem is going to lie. These are big, well run companies, right? So if you look at the regulatory guidance in the UK, which came out actually before Covid hit, it talks about the impact on revenue, and that's what we're missing today in our practices. The impact on revenue has to be a consideration, because even some of those small relationships, if they're a choke point in your ability to deliver goods and services to your clients or to run your core services and internal operations, they're important, right? We didn't pay much attention to them because they were kind of like lower down the tier, not as important, et cetera. And we've learned a lot. I think that basically we have to change our practices, and that's one of the biggest changes I think that really needs to come now.

So how has it changed the way that organizations look at their risks and their supply chains?

Well, I think the really great thing, for being such an avid practitioner of third party, is that I think that the importance of managing your extended enterprise has finally landed, finally landed, for just about everybody. They now kind of get it that, okay, so we're only so big. Our extended enterprise, which is all those third party relationships, is us times, you know, 10 or 20,000. You know, for a big bank, they could have thousands, tens of thousands of relationships, and that's what powers your company. So those who might have thought that, gosh, we're kind of doing this and we have to comply, I think probably had the big crossover into, yeah, this is important, let's figure out how to get on top of it. That's music to my ears, and it should be to anybody who thinks this is important.

I would imagine that there's some new and different kinds of risks that are represented in the whole move to work from home, much more distributed technology and information flowing against perhaps not secure networks and that kind of stuff. What sort of things have you been experiencing with your clients in that space?

Well, I'll look back to one of your early remarks about offshore. The way that you structure your offshore relationship can certainly change the risk profile. So we know that, you know, there's often good labor arbitrage, very good practices in other countries, but what we found was, when the pandemic hit and people were suddenly working from home, although the facilities that they would normally work in are highly secure, working from home, it's a big question. So that actually caused a lot of organizations to rethink their, basically their service delivery strategy. So I'm not saying that they pulled work away necessarily, but certainly a number of companies repatriated some of the activities that included non personal, nonpublic personal information, right? So the PI, NPPI. They pulled those activities back and said they had to be in the domestic North American market, right? So they may not have pulled them away from the third parties, but they certainly pulled them out of the geographies. We also saw companies really stepping up and being resilient. So when all the contact centers in the Philippines were shut down, companies like, you know, banks would... they've already got people who were not able to go into branches who know the products well, right? They know their customers, they know the products, they just had to teach them how to use the telephony for contact center, and they, you know, they did a great job of moving along. But from a pure cyber risk perspective, you know, there really are grave concerns. Our contracts never contemplated work from home. Most organizations didn't really have a full review of how that was going to look with their clients working from home. And so what it really did was focus us to double down on things like endpoint security, you know, that last mile, and access controls and, you know, reinforcing codes of conduct and clean desk policies and confidentiality. So there was certainly no assurance that those things were being well followed. You know, if you're in a crowded place with other people trying to do their thing, multi generations, sometimes it's very difficult to know whether or not the privacy was there, but organizations really stepped up to try and help their third parties step up, and the third parties themselves. I really feel that has improved our practices worldwide as a result.

Yeah, I've got some clients that have been touting their innovation, and the innovation is we put Zoom on a process. What sort of changes and innovations have you seen that is the most kind of intriguing to you or maybe most surprising?

No, that's a good question. I think that the innovations to deal with the pandemic, I can't necessarily say that I've seen a ton of innovation that we would endorse. I mean, you know, Zoom certainly in the early days was proven to be quite a vulnerable platform. And in fact, I was on a Zoom conference a couple of weeks ago that was hacked, and it was really shocking what we saw. And so it's still not entirely secure. So I can't say I've really seen a ton of good innovations except for the ability of risk professionals to step forward and really, really show their stuff and have the organization behind them to let them do what they know how to do. So things like, you know, this endpoint security, sharing security and protocols with their third parties, et cetera. That's what I really saw. But in terms of innovation, honestly, I mean, I'm at a loss to give you a good answer on that one.

Well, we've worked for a couple of banks, you and I, over the years, and I know as we go through these phases or changes in the marketplace that certain skills become much more important. And I imagine that the third party risk skills are coming to the fore, just like the commercial special accounts people all of a sudden become very important when there's a downturn in the economy. Who's going to collect the money back, you know, sort of thing, right?

Yeah. You know, it's basically, I think that third party risk management is starting to migrate into a profession unto itself, which is nice, but you know, not all organizations are the same. I mean, they're different sizes and shapes, and because of that, they're organized so differently. So if you're in a smaller company, you have a chance to have a broader span of control, and if you're in a very large company, you become very, very specialized. And so the trick is, can we take the best practices from both of those models and find a way for them to meet in the middle. So this morning I was on a long call. I guess in the US the regulators in the financial services sector are trying to harmonize their guidance to financial institutions so that they have one set of guidance for a third party, which will really, really be a very, very helpful thing, because if you have multiple regulators regulating the same thing in slightly different ways, it doesn't strengthen your perimeter as well. It brings diverse thought, which is good, but it brings practices that can be confusing for organizations who are facing oversight by many, many regulators.

Lots of overlaps and stuff. Yeah. Yeah.

The world is moving fast. It's difficult to keep up. Your executive team routinely needs new ideas to keep them ahead of the competition. Imagine having a plan in place in 30 days to focus your innovation efforts, improve customer experience, accelerate your move to digitization or increase speed to market. Our guide to accelerating your innovation agenda provides you with insights and time saving resources to plan your path forward. Contact Gerry to book a quick call or for your complimentary copy at www.linkedin.com/in/gerrypurcell, G E R R Y P U R C E L L, or email Gerry at gerry.purcell@innovation360group.com.

So what about clients? What sort of things do banks and their clients need to be thinking about and keeping track of as the world evolves?

Well, I think that, you know, one of the things that I really encourage people to think about if they're in a company and they're on the management side for these complex relationships... You know, one of the things that people always worried about is this notion of tied selling, but I've always, when I was in a corporate job, I was, you know, CPO and had third party risk, so I had a lot of insight into the relationships that the banks that I worked for had, and I made it a practice to have a, you know, sort of customers third party program, particularly a customer as supplier program, in the companies where I worked. Because I think that you don't share specific information, certainly not about credit or business plans, etcetera, but allowing your organization to see both sides of the relationship when you are interacting with a third party that's also a customer of your organization, it's actually a very healthy thing, as long as you don't make it a condition of award that they're your client, or threaten to delist them if you're going to leave. But I think that comfortable coexistence of the revenue and expense side of the organization is something that we should do more thoughtfully, because if you have a large relationship with the third party as a client and nobody in the third party risk or procurement organization understands that they're a client of your organization and that you have deep relationships all over the place, I think you're kind of shutting one eye and then tying at least one hand behind your back on the relationship management side of things. So that's one change I'd like to see, and you can certainly do that without breaking the law and without even intending to have any wrongdoing.

So what worries you the most?

Well, it's the cyber attacks. That actually is the most worrisome thing right now, because in the past the cyber attacks were against individual companies, right, whether it was ransomware or an attempt to breach. But what we're seeing, I think there probably were ones before SolarWinds, but we weren't as aware of them, but what's happening right now is that the attacks are against software companies that are widely used in many, many, many organizations. So SolarWinds, for example, was basically keys to the kingdom software, right? It was all about access rights and administration of access rights, and tens and tens of thousands of companies were using SolarWinds, and then they had malicious code that was in an update that nobody knew about, and that basically gave the bad guys a lot of access to companies that had good practices but didn't do enough homework on their software providers. So we're seeing these types of attacks have become the norm, and because of that, you know, the world feels a lot more unsafe right now until we find a way to deal with this, because what's happening with SolarWinds is once they're in, they can change their permissions and their profile inside of your systems, so they look legit. And that's why we don't know where these types of hacks are infiltrating, because they're so well hidden. So there's some solutions coming up with that to try and spot them. But that's my biggest worry, is that somehow or other, you know, all of the wrongdoing around cyber attacks and the pervasiveness of the attacks themselves, so that they're actually able to access not just one company but tens of thousands of companies with one successful hack, is probably our greatest threat right now.

So you're worried about another Covid wave?

Well, I'm always worried about another Covid wave because I'm supposed to be going to Florence, Italy with my husband, who is a sculptor. You know, I really, really, really want to go. So, you know, but is there going to be another wave? I believe that Covid is with us for much longer than we think. And it's a good thing we didn't know that in the beginning. But this Delta variant is apparently quite successful with people who have already had Covid who are not vaccinated, and that's very problematic because of the unevenness of vaccinations in the world. And if, you know, it doesn't matter if it's a far away country. I mean, we are a global society that's always on the move. And so if it's in one place, it's a matter of, you know, it's not if, it's when is it coming to you? So we are so fortunate, basically being in a wealthy nation, that I'm fully vaccinated. I'm sure you are too. I feel totally grateful for that. But I do worry about what's going to happen, because these viruses, their only purpose is to survive. So they mutate to survive. And because it's so hard to vaccinate the entire world, of course there's going to be more waves, because there's going to be more variants.

So as a third party risk advisor, what would you tell your clients that we've learned, as a sort of an industry, around the first sort of experience with Covid that we apply this time around?

Gosh, you ask the best questions, Gerry. So I guess the first thing is really to appreciate your extended enterprise and to look at it through a different set of lenses. So one of the things that this working group that I'm involved with is going to hopefully have some influence on regulators is looking at some of the current practices and reallocating some of our scarce resources to better use. So one of the ones that easily comes to mind is looking at the recertification process. So we built ourselves these big engines to onboard third parties after doing extensive due diligence, which can take, you know, two or three months sometimes and a lot of custom work effort. And then we backed ourselves into this recertification process where the more important the relationship, the more frequently you recertify, and the recertification process today is just put them through the same due diligence again. So that makes no sense, because these big companies are well run; they're as well run as many of the clients that they serve, and better. So I think that really the notion of continuous monitoring, where you can subscribe to services to alert you to things like cyber attacks on your third parties or changes to financial risk, financial ratings, are what you need to know. And then look for the things that could bite you, right. Out of all of the controls we look at, there are some that you would deem, if you were to rate the controls themselves, some of them you would rate very high impact if there is a deficiency and a risk event. Access controls, perfect example. So there are others that are good to have in place, but the impact of a risk event would be much less if there is a deficiency in that control. So I think that stepping back and looking at your population, looking at the impact on business resilience and revenue, and then for the recertification process in particular to look at just what matters. If it's not... there are the heaviest hitters in terms of controls, and the other things that might have changed and they forgot to tell you, like, gosh, we moved the service delivery location or we outsourced something to a fourth party, right? You want to know those things. Or maybe we took your, you know, your superstar office manager off your account. So look for the things that matter and stop going through this endless churn, because it's killing us. It's blinding us to risk management because we're so bogged down with doing things that don't add a lot of value. So that's what I'd like to see change. That's why I think for the next wave we need to do a better job of reallocating our resources.

So in effect, a risk assessment of our risk assessment process.

Well, exactly. The only thing I can say is, what's the cost benefit of this, right? Because I floated this idea to heads of third party risk, a number of them, and some of them, I got the stock answer: no, that's what we have to do. I think, well, that's not what I'm asking. What I'm asking is like, should we be doing this? Is this, as you know, we've got to do this? And others, like, what a great idea. Yeah, it's in our policy, we have to do it. Well, who set the policy? I did.

Yeah, totally heard that before. So let's look at our crystal ball a bit. What do you think the future looks like? What kinds of things should we be thinking about?

Well, I'd like to see even more cooperation. Somehow or other we've convinced ourselves that our ability to identify, assess, manage and control risk is a bit of a secret, how we do it. So I'd like to see a few things happen. One is I'd like to have more open practices, and that could be led by organizations that exist today in different sectors or by, say, ISACA or, you know, ISO or one of those organizations, because right now the information that's available to organizations is pretty scanty. So I wrote two books, right? I wrote a book on the what and why, which is Third Party Risk Management: Driving Enterprise Value. And I have one being published in the fall by the Institute for Internal Auditors. Although it's really not for auditors, well, they can read it, but it's a practical guide. So, Third Party Risk Management: A Practical Guide, to try and get under the covers around, like, how do you translate your principles into action? So how do you build strength in your organization? Because right now we still hold these things close to our chest, and we need to not just share them inside of our sector. We need to share them with other sectors and with our extended enterprise, because you can't tell me that if somebody takes down the electrical grid, that's not going to affect us all, right? So shouldn't we share our practices?

Well, we do a lot of work with organizations around innovation capability, and one of the primary capabilities that differentiates a high performer from a low performer is what we call openness, and openness is in effect collaboration amongst, within the industry, and the sharing of ideas and stuff like that. So it would absolutely be something that would add value, I think.

What, can I have you... have you seen any innovation in third parties that you think is something that we could, you know... you know, the answer is, I'm the interviewer here. Okay. I'm always curious, is there something out there that I haven't bumped into yet?

Well, I don't know. So I guess if we just expanded along that sort of openness discussion, absolutely. The sharing of the ideas, the sharing of tools and techniques, even patents and things, can make a big difference, because ultimately what happens is it improves them, because you're gathering information. It's like I have clients who have invested millions of dollars in new products, but they never actually talk to a client. And so it's kind of the same thing. If you're going to build a risk management regimen, wouldn't it be kind of cool to talk to some other people about it and build it out and make it better? And in an interactive way you end up with a better end result.

Well, and from a third party perspective, they're being inundated. So you send out these due diligence questionnaires, or how are we going to do it? And then basically they get not just all their new clients that they're trying to win business or be onboarded, but they have to keep pace with all of this avalanche of recertification process. And then during the pandemic, almost every organization sent out surveys, right? So tell me this, that and the other thing. So you multiply that by their client base and then you multiply that by the sector, and you're saying, hey, isn't there a better way? So, you know, I'd like to see more utilities come to the forefront, but I think the utilities need to be built in a way that organizations can consume the information, the output from due diligence, into their environment, because the risk profiling, risk appetite for every organization is slightly different than the other. So if we could come up with some standards, what we're looking for, and let organizations absorb that into their technology, that would help a lot. But there's a couple of attempts at this, they've been struggling. And so is there a better mousetrap out there to do this? But I think the only way you can do it is actually to have the due diligence results in a format that they can be absorbed into the risk profile and the risk tolerance of their clients.

Yeah, yeah. Which we should be able to, particularly if there is a standard kind of approach to things, kind of thing, right? So, one last question. What we typically do in the discussion is to offer advice to either newbie or even experienced executives in the space about what they should be thinking about in today's world, or maybe even going forward.

Well, if your organization has not yet come to the appreciation that your board and your senior executive in your C suite are interested in this, I think that's probably a good place for people to start, is to get a good handle on what the reaction is at the top of the house and how they can help. And when you are actually providing data to the senior executives, what you really need to do is turn it into information, and it needs to be consumable. So to identify some deficiencies in your control environment or some, you know, serious risk exposures, no senior executive wants to get that information without a really good solid recommendation and a couple of options on how to address it. So that I think is one piece of advice, and the second is, you know, there's a lot of talk right now around concentration risk. That's a big, big thing. And so I'd also just like to see that concentration risk is actually an information point. It may represent different levels of risk, but it's certainly by no means something that you should avoid, because there are some huge benefits in concentration. You just need to understand what you're signing up for and whether or not there's any mitigants that you can place against it. But to shy away from it and to come up with these strategies which undo all that we did in sourcing and procurement all those years ago makes limited sense. It's not going to add value to the company. So please do not recommend that you just disinvest some of your key third parties because you have a high concentration.

And that would be like trying to integrate five different kinds of computers into one network; that would create all kinds of other kinds of risk, I would think. So thank you. Thank you, Linda. So that wraps up this episode, and as always, I look forward to hearing thoughts from you, our listeners, about today's show. Please keep the conversation going. And if you like the show, tell your friends and please take a minute to rate our show or post a comment. Go to www.innovation360.com or your favorite podcast site to find out more and to listen to more shows. Linda, thanks for chatting with me. It was very, very informative.

Okay, well, thank you for inviting me here. I appreciate it. Stay safe, and we'll see you next week.

You've been listening to the Finnovate Show with Gerry Purcell. If you like the show, share it on your network and subscribe on iTunes or wherever you listen to podcasts, and you can go to www.innovation360.com to listen to more shows, download the transcription from today's show or to contact today's guest. This is the Finnovate Show, financial services innovators bringing you the future today.
