Questionnaires are an important part of third-party due diligence programmes.

But by relying on questionnaires, businesses entering into third-party relationships assume their service providers will respond with transparency and accuracy.

PrivSec Third-Party Risk will consider whether the risk assessment questionnaire is a sufficiently robust mechanism for lowering risk exposure, and explore how businesses can obtain comprehensive and meaningful responses.


Transcription

Robert Bateman:

Hello. Welcome back to PrivSec Focus: Third-Party Risk. I’m Robert Bateman, head of content here at GRC World Forums. Now, before we get into our next session, just like to say another big thank you to our sponsors. Our premium sponsor, ServiceNow, who is supporting this event along with our headline sponsor, ProcessUnity, both really interesting companies doing some great work. Please look at their pages, available via your left-hand menu. You can also use that menu to chat with our panelists. We had some great interaction with our last panel. Always good to see lots of audience questions, so please think up some great questions, and you should get some answers.

So our next session is about third-party risk assessment questionnaires, and how far you can trust them in your due diligence processes. Our host for this session is Guilherme Campion, who is a data privacy specialist at Mercado Libre. Over to you, Guilherme.

Guilherme Campion:

Hello. Good morning to you all. I don’t know where you are watching from. I’m from Brazil, Sao Paulo, and it is pretty early here, so good morning. My name is Guilherme. It is a hard name outside of Brazil, so you can call me Gui, as you want. And as announced, I’m a data privacy and data protection specialist for Mercado Libre. I have a legal background, and I moved to security and data privacy affairs. It’s been several years now. I have a post-graduation in compliance and risk management, and also hold several certifications in those areas as well. They are very dear to my heart.

And our session will be composed with… First introduction for our panelists for this round table, maximum five minutes. And then we will go to our questions and round table debate. We will get from 25 to 30 minutes there. And then we will try to hold the last 15 minutes for questions from the audience. So please, if you have any questions, any doubts, any suggestions, please send them to us. We will be more than happy to share them and to debate them as well. And now I pass the word to Hernan to introduce himself as well.

Prof. Hernan Huwyler:

Thank you so much, Gui. My name is Hernan Huwyler. I’ve been playing with risks, controls, assurance, privacy, transformation, SAP, and many other things that nobody usually cares about in their organizations for the last 24 years in North and South America and also North and South Europe. I also directed some masters in compliance and risk, and I am heading the IT risk consultancy services at Danske Bank. So it is a very challenging area in knowledge and decision making and to protect the IT assets, particularly with vendors, outsourcing agreements and partnerships. So third-party rates are always very high on the agenda that we have for all the activities.

Guilherme Campion:

Great, Hernan. Thank you, and welcome. And now I pass on to Onur, to also introduce herself.

Onur Korucu:

Yeah, thank you, Gui. And hello everybody. Thank you all for taking the time to attend this session. I hope the content we have prepared for you will be very useful. My name is Onur Korucu and I am working as a senior GRC data protection and cyber security manager at Avanade UK, Ireland. And previously I worked in multinational professional services companies, such as KPMG, PWC, and Grant Thornton. I help organizations create [inaudible 00:05:31] tailor made and well established information and cyber security governance structures, and data protection practices too, that mitigate the risks they face in their businesses and help them comply with the regulatory requirements.

And so my current role in technology companies is a little bit different from my previous role, and we are empowering companies in areas such as GRC, cybersec, infosec, data protection by using Microsoft technology solutions. And I am a global investor of women in tech. I think this is important, and I’ve got a lot of these kinds of certifications in the cybersec, infosec and data protection area, and this third-party management is one of the best topics in professional services. And I’m really so excited to tell all my experience and share all my knowledge with you today.

Guilherme Campion:

Great. Thank you. We have some really good panelists today and to begin our session, we will pass the word back to Hernan and he will speak a little bit about risk management, audits, checklists. And the first question we have is, what are the biggest challenges for confirming responses in due diligence questionnaires, Hernan?

Prof. Hernan Huwyler:

What I have seen in my experience is the way that we are actually ensuring that the third-party controls are being performed. We may see that there are some policies, there are some controls that are designed, some commentaries in the [inaudible 00:07:10] questionnaires. However, we need to know which are the real control attributes that we need. Which are the real contractual clauses that we need to follow, and we need to challenge, and we need to document that controls are effective? And this is the requirement: how to adjust our approach to challenge suppliers, the third parties in general, on our requirements. So it also requires us to have a very clear set of requirements and controls and things that we cannot compromise, and they are aligned to our compliance requirements and our risks.

So at the end of the day, another challenge that is very important when we are reviewing third-party questionnaires is what do we do with our results? Are we rejecting the potential supplier? Are we changing a clause? Are we getting some insurance? Are we getting some additional measure into the contract? Or do we say “Okay, we cannot go.” This is an ongoing decision. We are rejecting the potential supplier, or there are some conditional clauses that we can take and then we need to follow up and need to measure. And also we need to understand collaterals and how we can derisk the contracts, how we can change the contractual scope, the services, in order to ensure that the third party has the right capability to address those requirements, and they are aligned to what we need. So this is another challenge that I see in practice.

Guilherme Campion:

Yeah, that’s for sure, Hernan, including the high number of third parties that we have, it is not an easy task. And for our second question, how do you define the level of control assurance in due diligence questionnaires?

Prof. Hernan Huwyler:

Coming back to your comment, the high number. Yeah. When we have a high number of anything in management, we need to focus. We need to look for risks. And so what do I do here? You have a clear segmentation of third parties, not only related to the [inaudible 00:09:58] risk that we are expecting for a type of contracting or the type of category manager that is involved. It’s the level of risk for a particular agreement. You may have a critical service provider with a huge and very important agreement that you need to follow, but then there may be other things that you are buying from that supplier that you need to assess. It’s not the same level. So you need to go to the particular agreement. And my practical tip here is to start segmenting the third parties into essential service providers, outsourcing is very critical, critical outsourcing… Or not critical outsourcing, but as long as you have outsourcing and critical and essential service providers, that should be a segment you should manage in a different way. Whether you also have some strategic partner, some critical partner for some kinds of activities, particularly business activities, a high factor here.

I also like to define that there are some segments of third parties that are posing high fraud risks that you need to separate and to [inaudible 00:11:18] the questionnaire and the type of challenge that you’re doing, the assurance, whether they have access to sensitive assets. They may be IT assets, of course, information is key, and environments, so you need to ensure how you, particularly with personal data, how you are managing that process and dependencies. Dependencies, and now also after COVID, we are segmenting third parties on the solvency [inaudible 00:11:52]. It’s becoming very critical. And once you get that and you get the different segments, you need to do something. So you need to assess the controls in their responses.

Sometimes they are going to say “Yes” or not, and that is good. I do not recommend something like most of the cases, a few of the cases, half of the cases, whatever, because they may create a dispute with the third party because the worst cases are never clarified, and I think that the controls can be failed or be effective, nothing in the middle. I also like to ask for commentaries on the principle of comply or explain: if you are not doing that, please explain why you are not doing that in the commentaries, and then going to the evidence, they need to submit some evidence if you’re asking them, you want to review that. And the certificates are provided with some level of assurance for providers, they may be internal audit or external assurance providers, auditors.

You also need to say the type of report that you want to use. So SIE, those are very good tips here in order to also get input from vendor management and in case, basically that is the answer, you focus on which are the segments, which are the types of contracting that are going to have more than a baseline due diligence. How you are performing and hasten due diligence.

Guilherme Campion:

Great, Hernan. And I also have a follow-up question to that. Do you believe that we need to have different types of questionnaires for different levels of third parties? For example, in my mind, I’m thinking of a third party that would pose a high risk for data privacy versus a third party that would pose a high risk for another area. Do you believe in having different questionnaires? Or should you reuse one questionnaire? [inaudible 00:14:00] Which would be your opinion?

Prof. Hernan Huwyler:

The due diligence process is always the same. You define your third party, you define the scope. So you need to say “Is an intermediary a third party?” “Is a custodian bank a third party?” “Is a partnership agreement a third party or not?” For me they are, but it depends on the scope of your area. Once you define the process, it should be the same, adjusted to the contract, adjusted to the vendor, and adjusted to the controls that you are required to comply with. And you need to control that the vendor is managing. So for me, each control self assessment, due diligence, ongoing due diligence is specific. In the controls, the controls need to be relevant for the operation and the contract and the contractor process. As a process, it should be the same. You need to have one single source of truth to see the third party from different angles.

Guilherme Campion:

Thank you. And for our last question for you, Hernan, how is the control attestation on due diligence evolving?

Prof. Hernan Huwyler:

Well, we are seeing now… I am seeing many more solutions in the market that are able to get external data for the potential supplier in order to facilitate the segmentation. We are also seeing different initiatives in order to have pools of companies in an industry performing the same due diligence. You don’t need Barclays, Citibank, Deutsche Bank to knock at IBM asking for the same due diligence. So, right now there are a lot of synergies that we can have, some pools of organizations that are dealing with due diligence in a centralized way for a group of companies or a whole industry. And this is one of the tendencies that I like the most. Also, I like that there are better procure-to-pay solutions that are integrating all the divisions for vendor or outsourcing partnership, everything in one single source of truth and one process.

And also I am seeing more interest in the fourth and the fifth parties. So how we approve and we vet, and we screen, and we assess the risk, not only for our vendors, but also for our subcontractors. And there’s a lot of potential here. It’s very, very, very exciting how we are going to the supply chain. And I also like that now due diligence is covering many more activities, of course we need to start talking about sanctions screening for the vendor. Now, after Russia, the listed entities have almost duplicated since February 22nd. We are seeing now that due diligence is working close to sanctions screening, anti-boycott, and also anti-fraud is very important. You have some matches to identify politically exposed people in the supply chain, to identify people that are exposed financially, new areas that now we are also consolidating into the due diligence.

Exit plans are becoming very, very critical because we are saying “Okay, this is due diligence, this is the [inaudible 00:18:14]”, but there is an end. And now, because of COVID, and also because of the European Banking Authority guidelines, we are getting a lot of attention on exit plans, and there are plenty of compliance requirements that we are seeing as a tendency. But the continuity is a big issue for all essential service providers, water, waste, hospitals, transportation companies, utilities in general. And it’s very, very exciting where we are now in terms of new compliance requirements, ensuring business continuity.

Guilherme Campion:

Thank you, Hernan. It caught my attention when you spoke about supply chain management, it is a very big challenge for us also, for data privacy, to have vision of which of the companies are controllers, the operators, and also the sub-operators. And when you have an exit plan you also need to have in place a program to make sure that perhaps you delete all the data, or the personal data, and it is a challenge, how to make sure you do that. It is not easy at all. Now we go to Onur, who will be focusing more on the data security vision of third-party risk management. And our first question is: What makes a third-party risk management program successful?

Onur Korucu:

Thank you, Gui. First of all, thank you very much. Very informative comments from Hernan. I think this was perfect, and I really, really agree with you and Hernan, because in all organizations, we need this C-level and management support. This is a big step for all our projects and all these kinds of risk management programs. And for the question, actually, I can start with that: managing third-party risk is not new, but the level of risk the average organization takes on this and dealing with third parties is a necessity of business, but it is vital for organizations to know exactly who they’re dealing with. And I can give some examples from my company right now because, in my previous role, I was always an advisor and I tried to support all the internal issues in the companies.

But right now my company is a third party, as a Microsoft implementation and configuration projects supporter. So without this risk management knowledge, it’s [inaudible 00:21:06] compliance and regulatory requirements, not to mention companies putting themselves at this risk of fraud and all the associated financial and reputational risk that goes with it. And I want to focus on the cyber security and data security areas too. And this is important, especially after this pandemic period, cyber attacks are increasing in frequency, sophistication and impact, with perpetrators continually refining… They’re a force to compromise systems, networks, and information, and accelerate this trend of increasing use of technology, internet, and third-party vendors at our organizations to improve their customer experience and drive operational efficiencies like change management, access management, or webpages, everything. They are using third parties, and as a result, organizations are looking to build an efficient and scalable process for managing these third-party risks, because it’s a little bit different, your internal risk management process and third-party risk management process, really a little bit different.

So many organizations are beginning to develop processes to onboard new vendors and put their existing vendors through robust and tailor-made third-party risk assessment processes. And I want to focus on the third-party risk management life cycle, because we have to promote organization security based on third-party enrollment, and the life cycle includes setup and tiering. And this includes developing business requirements, assessing stakeholders and performing an initial risk assessment plan. This is important because mostly when we start a third-party risk management project or process, we have no initial risk assessment plan in the internal part of the company. So we have to start at the beginning of the story. So this step is really so important to understand and assess the stakeholders and define our needs to our third-party companies, and due diligence and selection. And this phase includes conducting third-party risk assessment and SME evaluation.

Like Hernan said, we need some auditors, we need some SMEs, we need some organizations’ help, and reporting and putting controls in place, and third-party selection. And then the other one is negotiation and onboarding. And in this phase, contract negotiation and residual risk review and approval and contract onboarding is really so important in this area. And at the end, ongoing monitoring and management, because generally we start to make these kinds of plans, we start to assess all our risks, but it’s not an ongoing process for all these companies, but ongoing monitoring and management and tracking systems and risk monitoring and remediation and contact with your relationship management and termination management is really important. So it’s continuous work. It’s not today’s work. We have to continue moving on this, and by performing and taking these tasks in order, all organizations can make wiser decisions regarding increasing security with third-party organizations.

But at this point, the question is how should companies proceed? And my basic answer is better governance, because strong governance has clear benefits in reducing risk with increased transparency, aligned to strategy and consistent regulatory compliance. You have to work together with your business, not just with IT, not just with the cyber security team, you have to work together with your business, because these third-party needs are their needs, and companies can reduce their overall third-party risk profile by embedding third-party risk management practices at all levels of the organization.

And moving from having no formal governance over third parties and taking risk for short-term benefits to a more intelligent, risk-based approach that is better aligned with your enterprise strategy. And this strategy includes evolving from having employees with legal training to trained professionals and executive champions that align service delivery to your company’s strategic objectives, and developing standardized processes, and proactive decision making using analytics instead of being in, as I say, firefighting mode and only tackling issues when they arise, this is important.

This is not today’s job. Again, I mention this because it’s continuous work and creating fully wise tailor-made [inaudible 00:26:30] tools and supporting decision making. This is important because today… In the past, we tried to solve all these kinds of risk management issues with Word and Excel, and these kinds of documents, but now there are a lot of good technological solutions and we can use these technology instruments to support our processes for these risk management issues, and managing third parties… An ongoing process, as I mentioned, it’s not about just detective action. It’s about prevention rather than reaction. So there are tremendous benefits to gain from impressing the extended enterprise. And indeed, today’s competitive business environment demands it: strong governance must go hand in hand with mitigating risk while enhancing converts and positively impacting companies’ reputation and the bottom line.

Guilherme Campion:

Yes, it is a very good point, Onur, and also given the fact that many companies do not have strong governance, third-party risk management, or even do not have a good mapping of all the third parties that they do have. So I really think the automation and having, perhaps, a centralized and good governance program goes a long way to tackle the new third parties and also all the backlog. And for our next question for you, Onur: Which key risks may have a significant impact on your business operations?

Onur Korucu:

Actually, it’s not easy to classify everything, the significant impact after all this technology era, but there are three emerging trends that drive increased third-party risk. One of them is increased incidents related to vendors, because your suppliers are causing more disruption. This disruption is really important, I want to highlight this because business disruption means money for the companies, and risks are not being managed; information security, privacy, anti-fraud management can be some examples for this point, and the other one… Regulators focusing on supplier risk. So these are increasing the pressure on organizations to better manage their supply chain risk. This pressure is important because sometimes I can use this for our benefit because it’s a pushing point, but sometimes it’s not so easy to manage because, for example, in the UK and Ireland, a lot of companies need that SOC 2 report to prove their third-party management progress.

And it is not so easy to comply with this kind of standard sometimes. And the other one is pressures from economic [inaudible 00:29:40], because especially after this pandemic period, economic conditions mean higher margins for suppliers and increase this risk of supplier disruption. And if you look at this threat landscape, it’s constantly evolving and new threats are rising every day, and risks typically fall into different categories like financial, and reputational, and legal, and regulatory and operational. And this operational part is really so important, because of the risk that this third party could disrupt your operations. For instance, your software vendor is hacked, leaving you with a downed system. Think about it, you cannot manage your own business without their help, and if their systems are hacked, you can lose all your personal data, and your company’s strategic data, and these kinds of things mean that you are losing money, you are losing your reputation, you are losing your customer trust.

And although those are the more common types of third-party risks, in some cases, risks may overlap and a data breach, for example, is a regulatory threat, but can also be operational. And third-party companies can cause security breaches, but third-party relationships are necessary for many organization functions, of course, but unfortunately there are practices that companies and organizations can follow to improve the security, by taking security measures like monitoring risk factors and third-party inventory. And your organization can avoid the possible issues that can arise from these partnerships, so this continuous work is really so important. You have to ask these performance questions, not just annually, you have to ask when your conditions, when the situation is different in your company, or the environment, or in your sector. And when you are looking for ways to bring the third-party sector to the next level, using automation through third-party risk management frameworks and tools is a practical option, but just relying on the third parties can be dangerous.

So practicing third-party risk management is vital to ensure the safety and the success of an organization, and even the best risk management practices… Because I saw some questions on my screen from our audience. Maybe it can be an answer from the beginning, risk management practices are only as good as the people who follow them. Most third-party breaches are caused by a failure to enforce existing rules and protocols. It would be best to be transparent with your vendors about what you expect from them, and ideally, security posture will be a contractual requirement for your company. Great one.

Guilherme Campion:

Yes, for sure. The point that I think we’re not talking enough about, perhaps, is the awareness as well. Not only third-party awareness, but our internal awareness that third-party risk management is important for data privacy, data security. Otherwise we end up having a weak link, human error, internal and external as well. And, Onur, for our last question: How can we identify and manage the third-party impact on cyber security risk?

Onur Korucu:

Yeah, my favorite area is cybersecurity, always, and there are a lot of things to talk about, and every day businesses experience cybersecurity incidents that can become disruptive, costly, and significantly damage their reputation, all over the world, and large companies at the center of vast data ecosystems, however, face a particularly [inaudible 00:34:09] problem, like managing cyber and privacy risks around information that travels to third parties and beyond, because it’s not just third parties, and beyond, this is important for the privacy area. And these businesses share data with service providers and subcontractors to improve their service delivery, and reduce costs, and perform their internal operations. In the process, data changes ownership multiple times, and documentation travels through ecosystems in their sectors, in their country, these kinds of ecosystems, and third parties are efficiently custodians of the original information.

And it’s critical to know what steps they’re taking to safeguard information further down the value chain. And if you’re looking at the recent cyber attacks, [inaudible 00:35:09] made many different challenges more apparent. One of the most important revelations is that enterprise security is as dependent on the global cyber ecosystem as it is on the actions of particular institutions. Think about it, CIOs and CSOs are accustomed to managing their own operations, and ideally having a strong influence on how enterprise employees and contractors behave, but it’s a really big risk to take and understand all these budget investment issues. So the truth is that no matter how large an enterprise is, it’s one player among millions across the global internet. Its security posture is dependent on every one of its employees and contractors and suppliers, resellers, cloud partners, and sometimes even customers, but also on the same elements belonging to other companies out there in their own market and in the wider global economy. This is important, because all of them… They’re actors in our companies who can touch our data, and an enterprise has its hands full even keeping its direct users under control; to address the vulnerabilities generated across all this cyber space requires commonly maintained global security defenses.

If your company has these kinds of teams, like a SOC team, like a cyber defense team, like an incident management team, that means that enterprises have to communicate openly with their partners and rivals. This is important, this transparency, and a third-party data breach may force your organization to respond… Incidents that are outside of your control, or originate from an indirect source. This is important because sometimes you want to control everything in your company. But if there is an incident, the source is outsourced, and if you cannot control that, it is not easy to solve the problem in the short term. Although you might not have an obligation to respond under current breach regulations, your organization could still suffer significant reputational damage as a result of the incident. Virtually, your customers could be at increased risk from criminals seeking to exploit a data breach regardless of how the incident originated.

And maybe I can say two good areas to improve defenses are communication, and third-party cyber security; as with any at-scale improvement, these issues have no simple solution. Many public institutions and private sector companies have, however, achieved this by tackling these two different areas. Cyber hygiene, because this is a good motto, after cyber resilience, I really like cyber security hygiene, because these are the hygiene conditions for the companies, it’s very critical for the awareness, and trueness, informally a high level of cybersecurity hygiene across the organization, including for new acquisitions and parties, transparency and open communication are needed. I can give these answers for the cyber security area.

Guilherme Campion:

Thank you. Thank you so much, Onur. We would also have a few questions for the data privacy part of third-party risk management that would be given, but given the high number of questions from our [inaudible 00:39:19], I think that we perhaps should move to those questions and try to tackle them as best as we can. For our first question, perhaps for you, Hernan: Do you think reliance is placed on questionnaires as tick-box exercises to show auditors and regulators? Are we doing proper risk understanding of our suppliers and data inflow and outflow?

Prof. Hernan Huwyler:

If you are working for paper compliance, yes. Just go ahead and say “Look, this is the document that I wanted to have.” Done. If you are working to protect your organization, you need to know which are the control attributes that you need to look for in the evidence. You need to be very clear about why they are here to comply with your requirements and your policies. And you need to come back to the supplier and say “Look, this is an end goal. You have the policy, but the policy is not meeting my requirements. You need to comply with my policy, it is the attribute that I need you to deploy. I hope you like it, or I am not going to sign the contract.” Those are the things that we need to ensure to avoid working for auditors and regulators and paper compliance.

Because for all the other things, there is a document. Any prosecutor is going to blow it away. And how do you understand the reason? And then you also address another question that they are talking about, [inaudible 00:40:58] and how we do a risk assessment. If you’re doing a risk assessment that is a data cocktail of different things related to the vendor, then you put everything together and say “One point” if it is not dealing with personal data, “Three points” if it is dealing with confidential data. Why three, not two, nor four? And then all the things are coming together. And finally there is an escalation based on a scoring system, heat maps, wet finger in the air, catastrophic. So if you really want to understand your contract, your vendor, look at the clauses and assess the risk that the vendor will default. For each of the questions, assess the potential consequence on you, the probability that you have said that the vendor with the current controls is going to fail, use a [inaudible 00:41:55] simulation, use a log-normal distribution, and finally measure with math. Risk is not an opinion. You need to have good modeling, not because you are doing a due diligence. Just before, when you decided to outsource, to get a contract, this is the thing that you need to assess. Note that scoring systems are well documented in science as misleading.

Guilherme Campion:

Great, Hernan. Great point. Thank you. We have an interesting question from the audience. With respect to NGOs working with local suppliers and stakeholders, to what degree can cultural nuances pose challenges to questionnaires, specifically when considering integrating practice? I would like to start at not… only for NGOs, but for third parties as a whole, I think that we have different regulations from different parts of the world. For instance, here in Latin America, we have different levels of data privacy regulations, some are very restrictive and some are not. So, I would think that perhaps you could choose the most restrictive regulation that you have for a region and apply those controls to every risk third-party partner. So I would like to know your view. We are from different parts of the world, so I think that would be interesting. Onur, if you want to begin.

Onur Korucu:

Yeah, yeah. Yeah, I totally agree with you because a lot of different restrictions and legislation are really based on geography. And for example, if we are looking in here, I lived in Turkey before I moved to Dublin, and in Turkey, the government is focusing on [ISO 27001 00:44:04]. And the financial area is always focusing on COVID. [inaudible 00:44:08] But in here, for example, they’re really, really focusing on SOC2, and they are dealing with the US, that’s still why we are focusing on SOX ITGC audit for third-party management. But the company is always offering this questionnaire as a service, and has tried to fill this gap by offering response validation services. But these solutions do not scale well and tend to be cumbersome and time consuming for organizations completing this questionnaire. Not only that, but one size does not fit all industries. So that’s why at the beginning, all of us were trying to mention that if you want to create a major third-party management for an organization, you have to understand the needs and the differences of this sector, of these geographical issues, of the legislation, and all these environmental issues, and you have to tailor-make it.

For example, think about a SOX audit. When you try to put the right domains on it, there are three main points. You can focus on this, but you have to negotiate the control points with your client, or with the organization, or with your own company, because you have different processes, you have different postures of technology, you have different infrastructure. So you have to focus on this. For example, some companies use these third parties just for software issues, but some of them use them for legal issues, or some use them to manage their data, like cloud companies. So this is important, you have to understand your company’s needs and what kind of data and operations your third-party organizations are touching. So, I mean that managing third parties is essential to the security of every company, large and small. Given the limited resources of most companies, it’s important to ensure that the third-party risk management process is efficient, effective, and provides the highest amount of value for the effort expended. So my advice for our audience, you are the boss for these processes. So question your questionnaire and try to provide a tailor-made checklist, not just follow ISO 27001, not just follow NIST, SOC2, SOX, or just like that, you can use all these kinds of standard frameworks, best practices to create your own tailor-made third-party management checklists, and questionnaires.

Guilherme Campion:

That’s great, Onur. Thank you very much. And following up with that, we have a question that I’ll make a little bit shorter, that is asking how to balance the questionnaire assessment, relationship building, regulatory compliance, and monitoring. How could we balance all those risk assessments that we need to do in building a strong relationship with our third parties? Hernan, would you like to add something?

Prof. Hernan Huwyler:

I am going to add something to pass the ball to you, Gui, as you are the expert with privacy. So let me just get the ball and pass it. We are not going to bother each third party with one questionnaire for ID, another questionnaire for compliance, another questionnaire for sustainability, another questionnaire for privacy, and then everybody’s just getting different opinions on what needs to be done, and so on. This is a small practice, it’s a lot of waste. So how do you think that we can help privacy compliance in relation to the other requirements that we have, Gui? What do you think is a good practice?

Guilherme Campion:

I think that having a centralized approach would be better, as you mentioned before. And try, as best as possible, to build a good relationship, but also enforce risk management with our third parties. That being said, because it is business as usual, we are not doing anything that any other company is not doing, and they also need to do their risk assessments. So companies would be… Or we expect them to be used to answering questionnaires about data security, data privacy, third-party risk management, and we need to evolve, as a whole, for all companies to make it easier and still build a very strong relationship. Guys, we are short of time. I would like to thank Hernan and Onur very much for your great inputs and participation. Thank you very much for your time and availability. And I would like to thank everyone who is with us in this panel. Thank you so much. If you have any questions, please send them and we will try our best to reply. Thank you very much and have a great day.

Onur Korucu:

Thank you very much.

Prof. Hernan Huwyler:

Thank you so much. Bye-bye.

Robert Bateman:

Thanks so much to the panel there. Another brilliant, very insightful session about third-party risk questionnaires. Important not to make them a tick box exercise, but still, I think a core part of the due diligence process for many companies. So stick around, in-

Can You Rely On Third-Party Risk Assessment Questionnaires?