Episode Transcription
Shatyoki
Hello and welcome to the third episode of What’s the Risk?A signal x podcast.I’m your host, Shayoki Battacherjee and this podcast is brought to you by SignalX, a company that’s at the forefront of making due diligence,automated, using AI and making your business transactions safer and more efficient than ever before.So today, once again, we are joined by our most beloved guest, the co founder of SignallX himself, Mr.Govind Balachandran.
Govind, today we are discussing the importance of having a continuous monitoring system for a company to keep a track of .Most of your critical vendors like to set the stage.Could you explain to our listeners how continuous monitoring works in the context of third party risk management?
Govind
Sure Shatyoki, thanks for having me here
So, the idea behind having continuous monitoring is that a significant portion around 83% of risksfrom third parties develop after the party has been on boarded into the system.So therefore the necessity for giving the capability to organizations to monitor the risk and compliance posture of the parties that they are doing business with.So traditional assessments, risk assessments are point in time assessments wherein at the time of onboarding, a business may do certain checks to ascertain the identity or the compliance posture of the third party.Continuous monitoring is about tracking the changes or the risks that are developing on the posture of that third party overtime during the course of the engagement.So this involves keeping a pulse on the vendor using public data and also involves automating routine data and disclosure connection from vendors.So that is the essence of continuous monitoring and why it is required today.
Shatyoki
That is a very interesting answer.So when we talk about continuous monitoring, we often hear about the importance of real time data.Like that’s the continuous word I think, resonates the real time, how you are fetching the data you are generating in real time and then the analysis parts comes in.Back to my question.So the importance of real time data and risk management.So can you elaborate on how continuous monitoring provides this exact real time insight and why it is so crucial to mitigate the various types of risk that your vendor expose you to as an organization? Yeah.
Govind
So today, Shatyoki, the risk posture of vendors and suppliers or any third party for that matter changes very quickly.So you see litigations coming up, you see parties shutting shop, disrupting operations, you come across parties that are getting entangled in bribery, corruption and various types of non compliant activities that cause reputational harm to enterprises that engage them.So the time it takes for the posture to deteriorate today is very less.The risk signals can come out of nowhere.We’ve seen multiple cases where third parties out of the blue are getting tangled in insolvency and bankruptcy applications, litigations orrates, et cetera are happening.And there is a sudden, sometimes a realization that the salaries are not paid and therefore there is a labor strike that is expected to or that is happening at the supplier.So therefore the requirement for enterprises today to have access to data that is real time or near real time.When it comes to looking at understanding the risk and compliance posture of third parties, there is an enormous amount of data that is available which can be tapped into from financial positions to compliance posture to litigations to changes in ownership, market sentiment, reputation, customer feedback.Various types of alternative data points are available today which can be tapped into to generate a feed of risk intelligence data streams which can help enterprises monitor the fast changing posture of third parties that they do business with.
Shatyoki
Yeah, absolutely agree with you.So now we have been talking about continuous monitoring, but nowI want to look at the other side of the topic that we are discussing today that is critical vendors.So when we talk about companies outsourcing their businesses activities to vendors and suppliers,we understand that there is already a risk factor formed when they are on boarded or like when the company has decided to onboard this supplier to do certain business operation.And in order to keep the supply chain streamlined, somehow the companies tend to partner up with numerous vendors.So I think this they do to avoid the third party concentration risk or like supply concentration risk.So my question to you here is what makes a vendor critical in the first place?Is it like the criticality is based on how much responsibilities leaved upon that particular vendor by the employee organization or the level of risk that the vendor poses to the company.
Govind
So it’s a very good question Shatyoki and it’s also a tricky question to answer for enterprises today.The reason why it is tricky is that different functions within the enterprise have different levels of criticality assigned to the same vendor.So it could be a vendor which is carrying sensitive information business data.So from a CISO point of view it is a critical party, but it may be a vendor that is not doing significant commercial transactions with the business.So from a finance point of view it is not a critical vendor.So from an internal audit point of view,there may be parties that are considered critical.From an enterprise risk management or risk team point of view, there maybe certain parties that are considered critical.Or it could be a party that may not be a significant player.But when it comes to a commercial position but it could be somebody who’s supplying an essential component to the business on an ongoing basis.So generally, when we look at third party risk management, we have enterprises using tools like SignalX to first do certain levels of checks across the entire third party, then do enhanced diligence on certain subset of this third party network, and then monitor further subset of these third parties that are perceived to be critical by different teams.So one of the benefits of having automation is that the cost of monitoring is significantly lower and having a platform allows you to have different business teams come on the same platform and enroll different third parties that they perceive to be critical to the organization.So this means you can leverage automation to reduce the cost it takes to monitor parties.You don’t have to have additional operational bandwidth and you can invite different business teams to come on the platform and enroll parties to monitoring depending on their levels of perceived risk.
Shatyoki
So I think in the current business landscape thisESG, cybersecurity and being compliant with the regulations.This has become a major contributing factor to decide how the criticality of a vendor depends for every organization.
Govind
True.I mean we have seen cases where out of the blue there may be a reputational risk exposure coming from a vendor.There may be cases of severe sustainability compliance, noncompliance from the supplier side that may come up in litigations or that may come up in media.And then, of course, the risks kind of fallon the enterprise today, and the enterprise ends up taking certain damage on the reputational, financial, or even compliance posture because of these third parties.Hence the requirement for monitoring.
Shatyoki
Nice.So then let’s come back to the continuous monitoring.Let’s club up the two sides of this topic and let’s go forward with the continuous monitoring required for critical vendors.So in your experience, this is from avery personal experience point of view what are some major benefits that are organization can gain when they think about implementing a continuous monitoring system for their critical vendors.Just to start with thinking like, what benefits shouldI be getting and what benefits are actually the organization deriving after implementing like what expectation they should have when they’re thinking of this.
Govind
So the idea behind continuous monitoring is proactive remediation of risks.So when you are able to detect in advance,that, okay, there is a party where, say, for example, layoffs are happening, or there’s a party where an adverse litigation has come up, or there is an ownership change that is happening, or there is party that is seen to be say over the last six months, the compliance posture has deteriorated.The statutory compliance posture has deteriorated.When such signals are seen, then that gives an opportunity for the business teams to be alerted on the deteriorating closure and look at remediation in terms of understanding what is going on.Secure some additional information from the party.And also, in some cases, plan for alternative sourcing arrangements which can help you manage the risk, reduce the dependency that you have on the vendor, and prepare for any failure that may happen on the vendor side.That is interesting.So we discussed about doing a continuous monitoring before onboarding a vendor and doing some kind of checks before onboarding a vendor, like performing by round checks and all.And then after onboarding a vendor, this continuous monitoring becomes a crucial part to keep the supply chain safe through and through and risk and consider who are your critical vendors.
Shatyoki
When you are defining your critical vendors, is it important to give certain level of risk assigned to them that this vendor is a threat to meat tire one level, this vendor can pose a threat to my organization at tire two level.So how that segregation works and how does the monitoring frequency or the monitoring implementation change according to the various class of vendors you create within your singular through and through supply chain?
Govind
Yeah, so we advise customers to have a very simple tier one, tier two, tier three rating system.Or sometimes it can be a high medium low risk party kind of label that is issued on third parties by different business teams.So developing that consensus is a time taking process where, like I mentioned, getting different teams to agree on whether somebody is critical or not, but given the automation capabilities that is there,it is very easy for businesses today to monitor all the parties that are considered critical by all the business teams. Right?So, yes, you can label parties from a high medium low.Different business teams may have different perception of risk which can be factored in and then such monitoring can be implemented.There are two components to monitoring here.I mean, one is basically monitoring the public data landscape, which is an enormous set of data lookingstarting from GST filings or litigations or media or labor data, or corporate filings, et cetera, which change month on month on any entity and then the second component is basically collecting disclosures on various compliance such as maybe cybersecurity posture or maybe sustainability posture, et cetera.On an ongoing basis it could be once every six months or it could be once a year.Automating that process is also part of the monitoring activity.So yes, it is a good idea to classify third parties into different buckets depending on severity of risk and through automation it makes it possible for different business teams to monitor all the parties that are flagged as high risk entities or tier one suppliers.
Shatyoki
That’s great.In the last answer you talked about the automation.So automation plays a significant role in continuous monitoring.And we are currently like in 2023 we are living in the premature era of AI and automation and we are expecting to see a lot, and I believe we all can see that how much AI can make its contribution.When we think about or when companies think about third party risk management or any form of risk management.So in the light of this can you explain how automation aids in this process and the potential risk of manual monitoring?Like whichever companies are currently doing their monitoring activity but they are doing it manually, how automation contributes in this and then when AIwill be slowly moving into this and already it has moved into this industry and making some real disruptions in the technology front.So how will this go?
Govind
Yes, so manual monitoring is a very laborious task which makes it very difficult for enterprises to implement a manual monitoring process.I mean, you would require significant staff and very laborious operation of screening parties on an ongoing basis.So therefore continuous monitoring was more or less limited to conducting certain disclosure based assessments on an annual basis on certain suppliers. Right.So the problem with this is you get to know if there is any change in the risk posture after a year or in the best cases, around six months later in case you have a team that is deployed to do this kind of assessment every six months. Right.So now there are two key capabilities that have surfaced on the third party risk management side whichmakes near real time continuous monitoring possible and which makes it possible for businesses to do this with very less manpower and resources deployed.One is that there is an emergence of enormous amount of public data which is consolidated by platformslike Signalex to give such insights to enterprises without having to have people sit through, do this kind of scanning on a monthly basis and generate reports.Right.The second thing is that AI systems are now making it possible for you to parse documents and understand the disclosures that are provided to you by these third parties and through technologies like this, then you no longer need large teams of people to go through the data.You no longer need people to sit down and manage that entire document collection and processing piece and it can be fully automated and then you can essentially generate insights on a much quick, much quicker basis, on an ongoing basis and also without having to deploy a large team or people to do this kind of laborious exercise.So, continuous monitoring is one of those areas in third party risk management which can significantly leverage automation and AI and public data and then reduce the time it takes to do this exercise for enterprises.
Shatyoki
That’s a golden nugget again right there.For companies who are still doing manual monitoring,this is the absolute, the perfect time to shift to automation, adapt to the technology and implement your continuous monitor, automated continuous monitoring into your third party risk management program.So finally, Govind, I would like to ask you from your personal experience and this thing,some tips or best practices that you might want to recommend for organizations who are newly looking forward to implement a continuous monitoring system in their third party risk management program or for the companies who have already have a continuous monitoring, maybe AI is not the thing that they have implemented or automation is not they are happy with.So what kind of factors does it contribute to when you are thinking of like a perfect continuous monitoring system you are looking forward to implement?
Govind
I think one piece of advice, that it is very easy for enterprises today to leverage automation in continuous monitoring.So that maturity in automation is already there,the maturity in public data is already there and now AI has also come to maturity.So starting off with automated systems likeSignalX is a very simple process.It allows you to create a portfolio of vendors for a business user and enroll certain parties into monitoring.So leveraging automation for monitoring is an extremely simple, low effort activity and we strongly advise enterprises to start that journey there instead of thinking about creating risk teams to do certain manual monitoring.So automate that entire thing is the piece of advice.
Shatyoki
That’s great advice right there Govind, I believe now we have come to the conclusion of our episode on how continuous monitoring is becoming so much crucial to monitor your critical vendors.So I would like to thank you Govind,once again for joining us on this episode.We always look forward to such valuable insights from you.
Govind
Thanks a lot Shatyoki, it was great to be here.
Shatyoki
Yeah, I’m sure our listeners have learned alot about continuous monitoring from this episode.Let us know how you like this episode and always do remember to subscribe to our podcast series What’s the Risk?It’s available on Spotify and YouTube. Both okay, so thank you so much for tuning in and I’ll meet you in the next episode.Until next time, this is Shatyoki Bhattacherjeei signing off.
