rsa-iceberg seminar: building an effective supplier risk management program
TRANSCRIPT
WEBINAR • OCTOBER 19, 2016
BUILDING AN EFFECTIVE SUPPLIER RISK MANAGEMENT PROGRAM
JESSICA HOOTEN HCA Healthcare
CHRIS GABEL HCA Healthcare
JOHN HEUER Iceberg
Presented By
Today’s Panelists
JESSICA HOOTEN Consulting Security Risk Controls Engineer HCA Healthcare
CHRIS GABEL Consulting GRC Application Engineer HCA Healthcare
JOHN HEUER Senior GRC Consultant, Finance & Banking Iceberg
“How Do You Know?”
• Who are your suppliers?
• Who are your supplier’s suppliers?
• Which suppliers are most critical to your business?
• How quickly can you assess a new supplier for risk?
• Do you trust your supplier risk information?
• What opportunities can your vendors help you achieve?
Volume & Complexity
Financial Counterparties
Consultants
Maintenance Companies
Raw Material Suppliers
Software Providers
Couriers
Law Firms
Hardware Providers
Landlords / Lessors
Parts Suppliers
Insurers
Employment Agencies
ISPs
SaaS Providers
Credit Bureaus
Utility & Telecom Companies
Marketing Companies
Security Guards
Accountants
Medical Business Associates
Property Managers
Partners/Ventures Integrators
Third-Party Sellers
Identity Protection Providers
How many third party suppliers are in your organization’s inventory population?
• Less than 10,000: 73%
• 10,000-29,999: 21%
• 30,000-49,999: 6%
*Source: Shifting Toward Maturity, EY, June 2016
Areas of Risk
• Financial Wherewithal (Credit, Liquidity)
• Strategic Risk – “Concentrating eggs in one basket” / Failure to execute
• Operational (incl. Geopolitical)
• Regulatory Compliance
• Information Security
• Business Resiliency
• Errors & Fraud
• Privacy
• Non-performance / Poor Quality
• Reputation Risk
• Inadequate 4th Party / Supply Chain Governance
About HCA
• Founded in 1968, headquartered in Nashville, TN
• World’s largest private operator of healthcare facilities
• 250+ hospitals and freestanding surgery centers located in 28 states and the UK
• 26+ million patient encounters and 8.1 million emergency room visits each year
• Ranked #63 in Fortune 500
• 233,000 employees; 37,000 active physicians; 79,000 nurses
• #11 Best Places to Work in IT (Computerworld)
• World’s Most Ethical Company, 7th consecutive year (Ethisphere)
Overall Challenge and Goals
Challenges
• Decentralized vendor governance processes (e.g., tracking findings)
• Spreadsheets currently used to gather data and for reporting
• Vendors are asked the same questions over and over
• Limited visibility of vendor inventory
Goals
• Centralize vendor functions and processes across the enterprise
• Ensure that process ownership, roles, and responsibilities are clearly defined; develop efficient, repeatable processes
• Enable an “ask once, use many” approach to gathering data
• Assess new/potential vendors and monitor existing vendors on an ongoing basis
• Provide reporting of vendor security risk to management
Why Archer?
• Currently use Archer for Risk Management, Incident Management, Issue Management, Policy Management
• Assess compliance with company standards using the NIST Cybersecurity Framework
• Ability to aggregate all vendor data throughout the enterprise (corporate, divisions, facilities)
• Effectively use the “Ask once, use many” strategy
• Associate existing questionnaires
Discussion / Q&A
Supplier risk management success
1. Effectively manage large number of vendors via automation
2. Get the entire organization on the same page – break down silos!
3. Confidence that you can meet growing regulatory requirements
4. Greater certainty in an environment of increasing volume and sophistication of cyber threats
5. Gain agility to respond more quickly to changing environments and emerging markets.
THANK YOU icebergnetworks.com/srm
Extra / back-up material
Regulator Focus - Top 5
1. Enterprise-critical third parties
2. Oversight & governance
3. Information security & business continuity assessments
4. Onboarding activities
5. Consumer protection
Quotable
“…We find the smaller vendors are where our greatest risk can be. You can’t overlook any of them. The due diligence required is not just one time at on-boarding a vendor, but ongoing monitoring must be a key aspect of any risk management program.”
Senior Information Security Analyst at a Major Canadian Financial Institution