Software Asset Management – Audit Susceptibility

Susceptibility is defined as ‘the state or fact of being likely or liable to be influenced or harmed by a particular thing’.

In the case of a software audit, Susceptibility is the likely severity, disruption and extent of financial exposure a firm may experience in the event a software publisher issues an audit notice. Negotiating the reduction or elimination of software audit findings, while valuable, is NOT Software Asset Management.

Effective SAM requires careful orchestration, monitoring and entitlement management. SAM encompasses successful alignment of policy, procedures, controls, procurement, IT and PMO processes with rapid infraction identification. Properly executed, SAM not only minimizes audit exposure, it delivers efficiency of software investment.

Like regulators such as the OCC, CFPB and others examining compliance, software publishers produce significant Third Party Risk exposure requiring proactive and dynamic management. The TPRM Forum is pleased to share the introduction of the Audit Susceptibility Index assessment designed to help SAM operations identify the actions and tactics to mature their operations and establish enhanced productivity and efficiency.

For additional information on how we can support your SAM needs, please use the CONTACT page.

When did TPRM become a Tool-Centric Discussion?

The Third Party Risk Management community is dominated by content focused on GRC and TPRM technology tools. White papers, research reports and WebEx presentations fill our inbox daily, each claiming unmatched ability to solve our challenges.

What is missing from this ongoing barrage is guidance and best practices on how TPRM leaders can successfully leverage these tools to support the other key elements of TPRM operations. Best practices such as:

  • How TPRM leaders can effectively build organizations and operations integrated with business operations, procurement, VMO and legal.
  • How the tool can enable quick, accurate and dynamic monitoring, combined with other activities such as RCSAs and contract triggers, to provide a single risk view.
  • How to establish rapid, ‘fast-track’ risk processes to meet business expectations.
  • How to integrate existing tools to maximize investment.

TPRM leaders understand the importance of the TPRM platform, but it is an enabler, not the complete required solution. Let’s build on this foundation and expand the discussion to encompass a comprehensive TPRM solution!

TPRM-VMO: A Single Team Mindset

In a recent survey conducted by the Technology TPRM Forum, Third Party Risk leaders indicated a growing focus on establishing strong partnerships with internal vendor management teams. This was identified as the top action, with the intended benefit being the ability to more effectively support business demand.


While the value of an aligned VMO-FLOD is clear, the reality of establishing the needed collaboration remains elusive.

  • Vendor Management teams must become more aware of risk as a necessary dimension to incorporate in their operations and not view FLOD representatives as an extension of internal audit.
  • FLOD team members must bring value, enabling the VMO to meet business demands with risks assessment and monitoring integrated into operational process.
  • VMO must see value – FLOD must establish credibility.

Essentially, an environment of trust and an appreciation for one another's perspective is required to pull the team together. Without this foundation, no level of effort will yield the necessary results. FLOD will take on more of an oversight function, impacting SLOD effectiveness and ultimately lessening the contribution of audit.

The Technology TPRM Forum intends to conduct a follow-up survey among TPRM and VMO leaders to identify specific best practices being leveraged today to form a strong, productive VMO/TPRM bond.

TPRM Survey Respondent Profile


Thank you to the 114 risk professionals who completed the IT-TPRM.com survey on the impact of Digital Transformation on TPRM operations. The survey is now closed and we have initiated analysis of the results, but we wanted to share the typical profile, or average demographics, of the respondents.

The typical respondent to the IT-TPRM.com survey:

  • Is a member of their TPRM organization
  • Works in the banking and capital market segment
  • On average, has $100 billion assets under management
  • Is being impacted by digital transformation
  • Identifies Cloud as the leading digital technology impacting operations
  • Has a primary operational focus of accelerating support of business operations
  • Is most concerned about identifying 4th and 5th parties for business continuity
  • Believes regulators will increasingly focus on capacity and concentration of third parties

We will release final survey results and analysis next week!

TPRM-Business Continuity Disconnect?


The IT-TPRM.com survey on the impact of Digital Transformation asked respondents about the specific areas and activities TPRM leaders are pursuing with regard to Business Continuity. Results so far show a significant separation between oversight and governance tactics versus operational engagement. It appears TPRM professionals have limited interest or involvement in the areas necessary to execute the business continuity plan, preferring to focus on assessing the effectiveness of contract terms, identification of sub-contractors and alignment across parties.

Do you agree? Does this lead to ineffective business continuity? Does this create an unnecessary void between TPRM and operational execution? Should the FLOD be more engaged in scenario and BIA development?

Please take the survey and share your opinion.

Are TPRM Leaders Underestimating Blockchain Impact?

Digital Tech Analysis - Q2

Responses continue to stream in for the IT-TPRM.com survey on the impact of Digital Transformation on TPRM operations. We remain on track to share the full survey Mid-June!

The survey asks respondents to identify the digital technology dynamics impacting their organization currently or in the coming 12 months. To no surprise, Cloud, Cybersecurity & Automation are consistently identified as the technologies of greatest impact. The surprise so far is how low Blockchain is trending as a key area of focus for TPRM leaders.

At the recent RMW GCOR conference, the regulator panel stated that the areas of greatest focus and interest are Cloud, Automation & Distributed Ledger (Blockchain). Are TPRM leaders not seeing what is emerging on the horizon, or is it not yet clear how it will impact their operations? Share your thoughts! Please take 3 1/2 minutes to take the survey.

Take the Survey


IT-TPRM Survey: Impact of Digital Transformation


Help us identify emerging best practices!

IT-TPRM.com has developed a targeted survey with the input and support of multiple TPRM leaders. The purpose of the survey is to identify emerging best practices being employed by TPRM teams to effectively meet the demands of digital transformation. Our plan is to share the complete research results with the full TPRM community by the end of June. Hopefully the results will help risk leaders fine-tune their current digital agenda and bring enhanced value to the business.

Thank you for taking 4 minutes to answer the 10 questions on the survey. All results are anonymous and will be reported in aggregate.

Survey Link


FLOD: Get in The Game!

The Third Party Risk Management organizational structure of 3 distinct layers of defense (FLOD, SLOD, Audit) is widely recognized as risk best practice. However, as I meet with risk executives and leading advisors focused on this community, there is an all too common opinion that the First Line of Defense (FLOD) is less effective in digital and technology settings than designed.

It appears FLOD teams are challenged by the complexity and pace at which third party risk issues must be addressed to support their organization's digital agenda. This dynamic is producing a gap between TPRM and IT operational teams, making the FLOD a disconnected oversight function rather than an operational contributor.

The ISACA manual for the Certified in Risk and Information Systems Control (CRISC) designation identifies a possible root cause of this FLOD/TPRM dilemma. Section 1.6 of the CRISC Manual states: “The risk practitioner is not expected or required to be a technical expert in the design, implementation or support of IT systems and applications. However, strong knowledge of general IT concepts is invaluable for anyone whose roles and responsibilities require close and ongoing interaction with IT staff. The identification, assessment and monitoring of IT risk, as well as recommendation of appropriate responses to the risk that is identified, require that type of close and ongoing interaction.”

To meet business demands, FLOD must establish credibility and be fully engaged with IT operations to become an integral part of the team. TPRM leaders must closely evaluate the skills and capabilities of their FLOD to form this critical linkage. FLOD teams need to feature a blend of IT operations, InfoSec and risk backgrounds. By taking this proactive measure, TPRM leaders enable their FLOD to ‘get in the game’ and contribute at the speed necessary to achieve success and empower digital transformation.