How organizations can maintain a third-party risk management program from day one

In this podcast recorded at RSA Conference 2020, Sean Cronin, CEO of ProcessUnity, talks about the importance of third-party risk management and how companies can get started with a proven process that works.

third-party risk management program

Here’s a transcript of the podcast for your convenience.

We’re here with Sean Cronin, CEO of ProcessUnity. Can you tell me about the company and what kind of services and products do you offer?

First off, it’s great to meet you. Thanks for taking the time with us. At ProcessUnity we have a governance risk and compliance platform that’s a SaaS-based platform. Our flagship product is a vendor risk management product that really focuses on third-party risk and vendor management.

These days, certainly a lot of heavily regulated industries, financial services firms, healthcare firms, pharmaceutical firms, are starting to be concerned with who their vendors are, their suppliers, their third parties, and how their data is either exposed or how they’re using that data. We help them understand that relationship.

At this point we’re growing quite rapidly because it’s certainly a hot space. We were talking earlier, third-party risk is kind of becoming a first type of priority for a lot of organizations. And now we’re seeing organizations, that aren’t as heavily regulated, start to say: “It makes sense for us to understand who we’re doing business with”. And then as we expand that footprint, we also help folks in other risk pillars, things outside of third-party risks like policies and procedures, contract management. We’re doing more in tangential areas of third-party risk.

Tell our listeners why should companies be paying attention to third-party risk management?

Third parties certainly are having a lot to do with data breaches these days. You read any study, Deloitte, Ernst & Young, any of the unbiased studies out there, a number of the data breaches are actually coming from third parties and vendors, so that we recognize that you might have your four walls or your firewalls under control, but what you’re doing with other vendors and other folks in your supply chain, certainly puts your data at risk. We think that’s certainly important.

A lot of these heavily regulated industries are actually getting audited and examined to understand how they understand the ecosystem of third parties. But we’re also seeing it go down-market. Not just the heavily regulated industries, but other areas and other verticals are starting to really think about how they interact with third parties, what data they’re sharing, and also what kind of value they could get from those third parties.

Are they understanding the metrics, the measurements that they measure those vendors on? Are they getting what they paid for? Are they getting the level of performance they expect? And because of that, I think we can optimize a lot of those relationships and help them better understand that ecosystem in which they behave.

third-party risk management program

Well It sounds like a really popular industry. So, how do you see ProcessUnity differentiating itself in the market?

First and foremost, we really took our time to hire subject matter experts in our industry. We’ve got lots of practitioners that have years and years and years of governance risk and compliance expertise. They’ve run third-party risk programs for some of the largest banks and financial institutions in the world. They’ve run risk programs at heavily regulated industries. Our people, first and foremost, is a huge differentiator.

Number two, our products. It’s incredibly configurable, incredibly easy to use. But that’s such a common thing that folks claim. I actually like to say it’s easy to administrate. Some of the platforms that, if you will, we compete with. You can do those things, but you need to pay IT developers or other developers or even the company that you purchase the system from, to configure it for you. From our perspective, we like to empower our clients to really run the programs and configure the applications on their own. And so, from that perspective, I like to say, ease of administration.

It’s also easy to use. First and foremost, not just for our clients, but for the vendors. So, think about it, if you’re an important vendor in a vertical like financial services, you’re getting a million of these questionnaires. Wouldn’t it be nice if when you came in, it was a simple to follow survey that you can click and add policies and procedures, and connect everything really simply and easily?

And that’s one of those things that I get proud about because every once in a while some of my large clients say “hey, I just got this email from a vendor” and they said “hey, we just filled out your questionnaire, and it was one of the easiest systems to use”. And I think from my perspective, that’s us being good stewards to our compadres out there who are vendors. We’re a vendor too. We’re helping eliminate vendor fatigue because it just makes it easier so that people want to go in, fill in their information, be more proactive with their end user, and actually provide the right information. That’s a point of pride for me, certainly, that vendors and other third parties kind of like filling out the information and find it very intuitive.

Given all that, what kind of advice would you give to a company who is looking to start a third-party risk management program?

First and foremost, whether it’s with our product or other products, think about why you’re doing it, right? Think about what you’re doing with your third-party risk program. What you want to accomplish. And a lot of people used to tell me from a governance, risk and compliance perspective: “I’d like to get through my examination. That’s not good enough. Tell me what you want to understand.” And some of my CISOs, CIOs, chief procurement officers say: “We’d like to have a geographical representation of our vendor population. Let’s look at what the geographical concentration looks like. Let’s look at the vendor inventory. Do we have overlap? Do we have too many vendors in one particular area or third parties in one particular area, where we could unify with the best practices?”

I just highlighted best practices. Go with somebody who understands the third-party risk challenges. Nowadays, a lot of folks, because it’s such a hot space, people are saying: “Oh, I do third-party risk!” But when you dig a little deeper, you find that they don’t have the depth of expertise. And so you want somebody that you want to partner with to really be able to bring best practices to bear on your organization. Because if you’re a very mature organization, we have a really powerful product and we can configure it to your exact use cases and we can make it work for you.

third-party risk management program

But what happens if you’re a little bit more immature in this vendor management and third-party risk area? Well, don’t worry. We’ve got a best practices product. It’s actually a kind of a turnkey solution, which will really already have preconfigured workflows, use cases, all of the user roles, all of the questionnaires set up for you. So, if you just want to get started and you want to have a more prescriptive best practices capability at your disposal, we can help with that as well.

If you’re just starting out in this area, I would say take a look around. It’s important. And then really look at the folks that you’re trying to work with and the depth in which they understand the vendor risk management and third-party risk management area. And if it makes sense, an out of the box program like we have is a really great start.

What’s most important about the out of the box product, and my product strategists and product managers always make me promise to say this – it’s prebuilt, but you can configure and make it better. So, you can mature it as your own program gets that level of maturity, that takes it to the next level.

Thank you for the insights Sean! Is there anything else you would like to share with the Help Net Security audience?

I think at the end of the day, I touched on it earlier, third-party risk is a first world priority, it’s a first type of risk priority. It’s no longer “nice to have”. The reality is, it’s never going to go out of style to understand who you’re doing business with and where your data, your customer data, if you’re in healthcare, your patient data is.

So, understanding that ecosystem, understanding how you interact with those third parties is really important. So, we just stress that. Think about it, whether you’re in a heavily regulated industry or a different vertical, it’s really important to think about what that ecosystem looks like.

I would just like for you to finish by inviting listeners to come to your website for information about your products and solutions. Just give the URL and invite them to come to the website.

Certainly we appreciate your time and welcome everyone to come visit our website – We have lots of information, materials to help you understand the space. It’s educational as well as it certainly has lots of information about all our product offerings and certainly a lot of our use cases from our clients and other areas.

Don't miss