
2022 Third Party Risk Summit: Day 2 Recap

Lifetime Achievement Awards

Catherine Allen (Founder and Chairperson of Shared Assessments) was honored to present these awards “to two extremely deserving recipients” at the 2022 Third Party Risk Summit.

Ms. Allen noted that Security Magazine called Dr. Larry Ponemon (Founder, Ponemon Institute) “one of the most influential people in security.” Other accolades include his contributions to Shared Assessments and TPRM: Ponemon is “the brains behind our long-standing vendor risk management benchmark study and other research.” Allen also acknowledged the important role Dr. Ponemon’s wife, Susan, has played in the Ponemon Institute’s work in risk management. Dr. Ponemon was pleased to receive the Lifetime Achievement Award, reflecting that “over the years it’s been a wonderful collaboration with Shared Assessments.”

Ms. Allen described Atul Vashistha (Chairman and CEO of Supply Wisdom) as “one of the smartest people I’ve ever met” before noting the highlights of his career, including serving on the Department of Defense’s Business Board for twelve years and partnering with Shared Assessments on “numerous projects, webinars, papers, and thought leadership pieces.”

Keynote Address: ESG

Bob Mitchell, Vice President of Human Rights and Environment, Responsible Business Alliance (RBA), spoke eloquently about how to move organizations from merely achieving compliance to making an impact through ESG. The nearly 500 members of RBA, spread across more than 120 countries, share a vision: a global industry that creates sustainable value for workers, the environment, and business.

RBA works on reducing industry recidivism, acknowledging that many vendors are simply trying to pass the compliance tests rather than meet the spirit of the goals. So RBA shifted from trying to enforce compliance to making an impact by getting low-performing factories to do better.

“Give them time, encouragement, and a path, using carrots instead of sticks, but the playing field needs to remain level,” explained Mr. Mitchell. He described the office of RBA’s general counsel as “an internal law firm…sometimes you need to be the cop, not giving a pass to serious violations [child labor, etc.].” Mr. Mitchell closed by observing that even teams that are tireless in performing due diligence can drill down into their supply chain and still find the highest levels of risk at any layer of it.

Panel: ESG and TPRM

Mr. Mitchell joined Sebastian Niles, Partner at Wachtell, Lipton, Rosen & Katz, and Atul Vashistha, Chairman and CEO of Supply Wisdom, in a deep-dive conversation led by Shared Assessments Senior Advisor Gary Roboff on the impact of Environmental, Social and Governance (ESG) requirements on outsourcers and third parties.

The conversation grew increasingly nuanced as it progressed. It began with the decline of Dyson’s market value because of ESG concerns, then moved to how to incentivize boards and CEOs to take the right actions when they are focused on short-term objectives, the concept of “double materiality” in the EU, the impact of SEC regulations on capital, and how companies that don’t, or won’t, provide ESG data may become uninvestable.

Key takeaway concepts include:

  • What is material today may not be material tomorrow, and vice versa.
  • Having a line of sight across supply chains is imperative.
  • Different boards have different perspectives, including on ESG – some see it as a compliance issue, and others see it as a strategy or opportunity.

Panel: Regulatory and Standards

With an increasing patchwork of guidance, standards, and regulations affecting third-party risk management programs, this session raised awareness of upcoming regulations and standards currently being evaluated, including those from the OCC, CISA, NIST, and CCM.

Shared Assessments Vice President of Tool Development Colleen Milazzo talked with Tamara Culler, Acting Director for Governance and Operational Risk Policy, Office of the Comptroller of the Currency; John Carlson, Former Executive, Amazon Web Services, FS-ISAC, BITS; and Jon Boyens, Deputy Chief, Computer Security Division, NIST.

Reinforcing a theme brought up throughout the Summit, Ms. Culler said the OCC does not want compliance to be just a checklist; people should think about how it applies to their organization specifically. Mr. Boyens agreed and acknowledged that NIST is struggling in terms of flexibility. He added that while NIST just released a 300-page guidance document titled Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161 Rev. 1), NIST is trying to make this information more consumable so organizations can be responsive to the regulations. Mr. Carlson noted that financial regulators will increasingly monitor third-party risk; there will be calls for greater standardization; and toolmakers will deliver better tools, including tools for continuous monitoring.

Keynote: The World at Risk – Russia’s War on Ukraine

Dr. Evelyn Farkas, Executive Director of the McCain Institute and former Deputy Assistant Secretary of Defense for Russia, Ukraine, and Eurasia under President Obama, delivered an impassioned, riveting overview of Vladimir Putin’s goals in attacking Ukraine, what options are available to NATO and the U.S., the obstacles facing each side, and what constitutes victory.

Panel: Complex Supply Chain

Shared Assessments Senior Advisor Bob Jones discussed how to identify critical dependencies across both inbound and outbound supply chains, and how to gain greater supply chain sovereignty, with Erin Joe, Senior Executive, Mandiant; Alpa Inamdar, Transformation Leader, AIG; and Edsel Garciamendez-Budar, Information Security Director, PepsiCo.

During the wide-ranging conversation, Ms. Inamdar discussed how recent events around the globe, especially the COVID-19 pandemic, have driven the need for continuous monitoring: “we started looking at real time alerts because the information was changing extremely rapidly…you couldn’t rely on those outside assessments you did three years ago.”

Mr. Garciamendez-Budar noted how important it is to talk about how to handle recycling, and about dealing with partners in supply chains that routinely dispose of wastewater and other waste materials in ways that raise ESG concerns. Ms. Joe discussed what her company learned from dealing with the SolarWinds attack, especially the importance of performing the basics thoroughly and diligently: “Another lesson learned from SolarWinds was doing all the basics really well mattered, and the more that you can perfect that, the better.”

Panel: Shared Assessments Program and Research Update

Shared Assessments CEO Andrew Moyad reflected on what was accomplished during the past year and what is ahead for our organization. Phillip Bennett, Manager, Information Security Governance, Horizontal Services, Navy Federal Credit Union, 2022 Shared Assessments Chair, and Paul Kooney, Managing Director, Protiviti, 2022 Shared Assessments Program Vice-Chair, contributed to the discussion.

Mr. Moyad said Shared Assessments is looking forward to expanding our community, education and offerings. Furthering career opportunities and partnerships in TPRM is a priority. Launching a reseller program and creating new educational offerings and benefits are on the horizon.

Closing Remarks

As part of their closing remarks, Catherine Allen and Andrew Moyad noted that risk is at the top of the agenda for the C-Suite and boards, and third-party risk management is at the epicenter. We are so lucky to work in the risk management landscape because we have to think broadly, we have to think holistically. Risk management is a great career path to move forward into the C-Suite, whether as a CRO (Chief Risk Officer), a CISO (Chief Information Security Officer), a CCO (Chief Compliance Officer)….or a CEO.