Vendor Risk Management in ServiceNow | Share the ServiceNow Wealth
My name is John Gillespie. We'll be talking today about the third of four GRC applications; this one is Vendor Risk Management. We talked last time about Risk Management, which is the internal position of the company when it comes to the risks of simply doing business: we have people, we have machines, we have business processes, we have buildings, and simply because we have those we inherit risk. We also do business with third parties, and that brings a whole other level of risk, and that's what we're going to talk about today. We'll go over what vendor risk management is, we'll do an overview, a demo, and then have a short Q&A.

Vendor risk management is four different things. It's the process of identifying the risks of having a relationship with a vendor, and it doesn't matter what type of vendor it is. You have a vendor who provides physical security, you have vendors that provide food services potentially, you have janitorial, you have IT, you have cloud. ServiceNow is a cloud provider, so ServiceNow is technically a vendor that would have to go through this whole process, and if the client uses Vendor Risk Management in ServiceNow, then ServiceNow potentially, you know, could have to go through their own type of vendor risk assessment through the vendor portal.

Once you've identified those risks, you then evaluate the internal perspective of the relationship to get the feedback from the people who know the vendor relationship best, and we're talking about the internal vendor risk managers, the internal vendor managers who deal with the vendor on a daily or weekly basis. Once you've gotten their perspective of what the inherent risk is of having a relationship with the vendor, then you move to getting the vendor's perspective of that relationship, and your focus is going to be on what, if any, is their level of compliance with applicable areas of concern. This has a lot to do with the type of vendor that we're actually talking about. You're not going to go to a physical security or a food service or
a janitorial vendor and ask them for information on their network security practices and procedures; potentially they don't provide that service. You do want to know that they are compliant in their own processes, but you don't necessarily need to go to that level of detail with that specific type of vendor.

There are a lot of different ways and methods of communicating with a vendor and getting the information, the most common of which is called the SIG, the Standardized Information Gathering spreadsheet. It's provided by the St. Louis Group; every year they put out a new version, and it just keeps getting bigger and bigger and bigger. The nice thing about ServiceNow is that, acknowledging that there are existing capabilities out there that people already have in place, they have built into Vendor Risk Management the idea of the integration and being able to leverage the pre-existing data that vendors have already gathered. We, as a potential vendor, have all of this information sitting there; we've already gone through the different processes, the different assessments, with people who want to use us, and ServiceNow basically has said, great, you've got that, let's let you use that. We're going to see that here in just a few minutes.

Once we have the vendor's information, then we evaluate the risk of simply using it. Are we going to have a relationship with this prospective vendor, and if so, do we need to address any issues, and then go back and forth with them and get anything fixed in order to evaluate and approve going forward with having that relationship?

We do this via a two-step process. There is an internal side that we talked about, and it's called the tiering assessment. This basically uses the out-of-the-box assessment engine to send a survey to the vendor manager and any additional people who have first-hand knowledge of that vendor, and it basically asks them a series of questions prompting them to provide enough information so that you can get a baseline risk of using that vendor. Once we
have that baseline risk, that will help us define what we need to go to the vendor for. So we got there: our baseline risk internally. Now we're going to go external, back to the vendor, and we're going to present a series of questionnaires and document requests, and we're going to do that inside of ServiceNow but outside of the normal Service Portal or frameset. Once we've done that and we have this completed, then we just simply set up the automation that allows us to re-evaluate on a regular basis.

Now, we talked about basically having the vendor, giving them the assessments, these document requests, inside of ServiceNow. There are a lot of security concerns that clients have: what do you mean, they're going to get into my instance? Technically it is true, they will get into the instance, but ServiceNow has actually addressed this with two different things. One: the moment you turn Vendor Risk on, it will actually install two different roles, the snc_internal and the snc_external. Every single individual that does not have the snc_external role already (say, for instance, you've turned CSM on and it installed it), every single individual is going to get the snc_internal role. Any time a vendor contact is created, that vendor contact will automatically get the snc_external role. The two roles basically combine to do two things: it locks anyone with the internal role to either the frameset or the Service Portal, and it locks anyone with the external role to the vendor portal or another external portal such as the CSM portal. The vendor portal, which is included, is a completely separate and segregated Service Portal which is only accessible to the vendor contacts with that snc_external role, and that means that even as true admins we cannot, although we may be able to log into the vendor portal, we cannot access data through the vendor portal. You will actually get an error that you're not allowed to access the portal. So even as admins we are locked out of that. Anyone with the snc_external role will
not be allowed to log into either the Service Portal or the frameset. It is completely separate and segregated, but because it's ServiceNow it is also completely collaborative, and we'll see that here in just a few minutes.

The enhancements to Vendor Risk have been many over the past couple of versions. First of all, Vendor Risk started out as just the vendor assessment. The first primary and major enhancement was the addition of the internal tiering assessment and the SIG integrations, which started a couple of years ago and allowed the Standardized Information Gathering spreadsheet from 2017 to be used. Every single year that the St. Louis Group puts out a new SIG, ServiceNow will put out a new integration point and allow that SIG to be used; the latest one that's coming in Paris allows for the 2019 and the 2020 versions of the SIG.

They've also, in Paris, brought about the idea of a vendor engagement. This was actually missing earlier, and it's basically the concept of the industry types, the vendors that are brought in to do specific work in, say, facilities management or security or food service or construction. You can create an engagement record for that vendor to cover their work over a span of time, and say that for this engagement we want to look at multiple vendors to work with us over this span; each one would have its own assessment, but that engagement could then allow you to compare them.

The next is the vendor hierarchy, and the concept that, just like departments, companies may have sub-departments which you would want to have a relationship with, so you might want to have all the levels of that company inside of ServiceNow and then be able to assess the different levels differently.

The ability to use electronic signatures has been brought into Vendor Risk, not only internally but also externally for vendors themselves, and you can require those.

And then there's the final enhancement, and that is the risk area. As we talked about last time, risk is set up and
categorized by frameworks, and those frameworks allow us to group and categorize risk and bring a higher-level perspective, almost a snapshot, of risk across the enterprise. Well, with risk area categorization you can now include the vendor risk in that higher-level snapshot.

The final enhancement to Vendor Risk is not an actual plug-in; it is probably the holy grail of GRC. I've mentioned that term a couple of different times. When we talk about GRC and its different modules (Policy and Compliance, which we'll talk about next week, Risk Management, Vendor Risk Management and Audit Management), while they are designed to work independently of each other, and they can be installed independently of each other and run independently, they work best when working together. The holy grail of GRC would be to have a complete and robust risk management framework and a complete and robust policy and compliance management framework that integrate together, so that every single risk has a correlating set of controls that mitigate that risk to the enterprise. Acknowledging that vendors bring risk, vendor risk and those assessments can be related to specific controls themselves, and what that allows us to do is look at the risk across the enterprise, internally and externally, just through business processes operationally and the relationship to a vendor, and the mitigating control sets that not only we have to use but that the vendor should be using also. So controls can be related to the internal side of the house, the servers, the assets, the applications and business processes, but they can also be related to the vendor's processes by the questions we ask them.

That's where we want to get clients to, and normally when we look at projects that is usually a wave three or four or even five. Most clients are not ready to go that far, and may never be. Building out a complete and robust risk management or policy and compliance management or vendor risk management can be a year and a half's worth of work. The initial
setup is pretty easy; it's not difficult, and there are not a lot of changes that you really want to make because of the different integration points between all of the three modules. But getting the company, getting the client, to the point where they are able to manage this and start gathering the data over time, becoming comfortable with each of the three modules, and then building the integration points between all three with all of the data relationships, that's what takes so long, and we have to give people time to do that. There are a lot of ServiceNow account reps and sales people that I have dealt with in the past five years who will often push for Risk, Policy and Compliance and Vendor Risk all in one shot: let's do one big project and get it all up and running. While it's doable, it almost guarantees a wave two and a wave three, because wave two will be optimization of the processes within the system as they find things that they missed the first time, and wave three is going to be the integration points between them. And yes, that can take a year and a half to get there. It will take time, guarantee it.

All right, let's jump into the demo. We have demo 15 here if anybody wants to get in and take a look at the actual system. We have Vendor Risk installed completely; you'll notice that this is the Paris version. We do have both vendor and engagement level. We're going to stick with the vendor side of the house, because we're going to go back and forth between both the vendor risk administrator and the vendor contact today; we're going to go back and forth between the two.

We always start with a vendor record, and with vendor records, I'm going to pull one up here. We're going to look at Acer as a vendor. Acer provides hardware, of course. It is a valued partner with a ranked tier, and from a vendor tier we could say that it's critical or high to our business processes. We have our internal vendor manager, we can have a business owner, we can have our vendor type,
we can have a lot of different data about them, but right now we just want to do the internal side of the house. Let's look at the perspective of the vendor manager on the relationship between Acer as a vendor and our company. We're going to do that by going down to what's called a tiering assessment, and we can look at this: one tiering assessment has been created, and it's basically a record that allows us to generate a survey. We do this because over time we will generate multiple tiering assessments historically, so that we can look at them from year to year and then compare the internal perspective over time.

We have sent a questionnaire to this individual, Adam Harrow. We can look at the questionnaire here, and it is using the standard assessment engine functionality. All of GRC at the moment uses the same assessment engine that the rest of ServiceNow uses, so if you've built a survey using the assessment engine, then you can build a questionnaire for a tiering assessment. Same thing for the questionnaires sent to the vendor itself; it still uses the assessment engine. The questionnaire is basically a set of questions using the assessment engine, and if you haven't seen it, we'll look in the designer real quick, and it should become very clear how easy this is.

The questions are all around the relationship of the vendor in specific areas: what is the nature of the relationship, what is the nature of our interaction, what is the vendor's behavior, what is that relationship's impact on compliance and risk management. Each of these has a set of questions and we can go into them (it looks like things are a little slow in the instance at the moment), such as: how would you characterize our relationship, do they provide a strategic, competitive or operational advantage? If it's a prospective vendor, yeah, it could definitely be in the future, but if you've used them for a couple of years and you're being asked to compare vendors, then what is their current
operational advantage of using them? What's the complexity of switching from this vendor to an alternate? What's our nature of interaction here: do they handle or access company IP or a customer's IP, do they store, process or transmit PII, etc., etc. We're getting into the details of the relationship from multiple perspectives, security-wise, data-wise; we want to get the internal view of the risk of using this vendor.

What's going to happen is, when we look at the results when this comes in, it's going to give us a vendor tier, and this will be the risk internally of using the vendor. Let's just say that we come back with a moderate risk. What this is going to allow us to do is then decide what is the next step, and there are two points here. You can automate this process based on the vendor tier that is scored (and there is scoring behind the questions and answers); based on that vendor tier we can automatically generate a vendor risk assessment, assign questionnaires and document templates to it, and have it ready for the vendor risk manager to send it to the vendor. Most companies do not start there; they turn that automation off. They want that second set of eyes on the vendor risk assessment process; they want to build it themselves. So, having defined that this is a moderate risk for the enterprise, we're going to then go to the next step and we're going to build out an assessment for the vendor to then respond to.

So I'm going to go back to my vendor record, and we can see the assessments by going to the Assessments tab, and there's several in here. I'm going to just open one of them up, and so I have a risk assessment for the vendor Acer. It applies to the vendor, and we don't have a questionnaire or document request, and that's fine. This is part of the automatic generation of these records, and it relies on some configuration up front, so let's talk about that real quick.

First of all, I've got to have a vendor contact. Now, every vendor has a set of contacts that they deal with,
and this is where the snc_external versus snc_internal role comes from. The vendor contacts are actual user accounts. They are hidden from the user records in the user profile table, but they are user accounts. They are provided a password; they can log into ServiceNow; if you build a password reset option for them, they can reset their own password. But these individuals are users in the system that can update records, and they are record-specific to their assessment for their company. There has to be a primary contact, and that primary contact has Primary Contact set to true. They have to have an email, and ServiceNow does send them emails with here's your link, here's your ID, here's your initial password; it requires them to set their password and clear the system-generated one, and then gives them a view into ServiceNow that looks like this.

This is the Acer manager, Acer 1. He's the primary contact for Acer with our vendor assessment portal. He's in the portal right now, and he can see a lot of different things. He can see his own company and that he is the primary contact. He can see the different engagements: so Acer provides projectors, Acer provides service outsourcing, and it provides software to the company, so I can have different assessments for those individually. What the vendor can also do is create his own team, and that's why we have multiple groups or multiple users here as vendor contacts. The vendor manager, that primary vendor manager internally, is the one that should give you the primary contact at the vendor, but from there we allow the primary contact at the vendor to manage his own team, create additional users, and the system will send them the exact same email with a link and an ID and password and request them to go in and change that. We do this because some of these questionnaires are huge; I mentioned that earlier with the SIG. This allows the primary contact to delegate sections of vendor risk assessments to these other team members. So if we look at the
team, we have the primary, we have two more that have been invited; another has been invited and is already logged in, and you can tell where they are. And then you can say, show me the engagement contacts for the different projectors, and we can say, well, I want to make this one the primary contact for this one, I'm going to remove Two, and then let's go to the service outsourcing and I can say I want Three to be the primary contact and remove Four. So the delegation is pretty easy to do from a vendor manager standpoint on the vendor side.

We can go back to the assessments, and you can see that this assessment, for the hardware engagement assessment, is basically sitting there waiting, and we're looking for questionnaires and document requests. This is where the configuration comes into play on our side, and what we would want to do before we ever roll this out live. So let's take a look at that configuration before we go any further.

Let's go to the assessment configuration. We're going to go down into the assessment templates, the questionnaire templates and document request templates under the assessment setup. The assessment template is a bundle, and you can see we have several configured here, some of which reference an actual date. These are from the SIG, the Standardized Information Gathering assessment, and you can have multiple, because people may not, on their end, have gotten around to using the 2019; if they have the 2018, they can upload that into the system. So that huge spreadsheet can be uploaded directly, and then all they have to do is fill in anything that's missing.

But when we look at, say, the quality assessment template, it consists of questionnaires and document requests, and we do it this way because a document request can be something very simple that says, if you have a report or a document, upload it and you're done. If you have an ISO certification and you are a facilities group, then we want to see your ISO cert, so upload that document. If you have a SOC 1 or
SOC 2 report, upload those documents for us. Document requests are very simple: it's a simple question, the attachment feature, and that's it. The questionnaire is the actual survey. These assessment templates allow us to create specific questionnaires and document requests for specific industries. I can have an assessment template specific for physical security, one that's specific for cloud service providers, another one that is, say, janitorial. I don't need to go in and create these ad hoc; I can have them all set up, ready to go. Pick the template I want, it will add the document requests and the questionnaires, and then I can send them to the end user.

Let's go ahead and do that. I'm going to go back to Acer. We're going to say I'm going to do a new assessment, and I'm going to give it a name, and I'm going to pick the assessment template; I'm going to pick the quality assessment we had looked at earlier. You'll notice there's some automation behind the scenes to fill out data. It's going to say that the risk rating is valid for a year from this point; it's still in draft, no problem. And then we look at our schedule: I'm going to give the whole assessment process 30 days, that's cool, I'm going to give the vendor 10 days. These are the out-of-the-box numbers, and I'll tell you right now, almost every single client has changed these out-of-the-box numbers, because the vendor takes a lot longer than 10 days to get these questionnaires submitted back to them. But this is the way it is out of the box, and that's pretty easy to change as a default.

I'm going to save this, and you notice the automation has said, okay, you picked this template, the bundle, so I'm going to send this questionnaire and these two document requests. All I have to do, when I'm ready, is click Submit to Vendor, and now these assessments have been sent. You can see they are sitting there submitted, this one as well. And now if I go back home as the Acer primary, I should be able to go to my assessment and see
that right here is my quality assessment that was just submitted to me. I'm going to open that up, and I'm going to look at my different values here. Let's look at the sample sections A, B and C: standard assessment engine functionality again. If you've built a survey, you can build a vendor risk assessment. We have a couple of options, though. I can say, you know what, show me the ones where I need to follow up with the company: nothing. Show me the ones that are unanswered: pretty much everything. We'll go ahead and answer some of these, and then we'll go to the next one, and we have the different sections.

Now if I go back to this and we look at some of the document requests, I can see that this is in progress; it tells me how many I've answered, which is nice. And then I can say, you know what, let's assign this to Three and Two so that they can work on it as well. My SOC 1 report I'm going to assign to Three, and my SOC 2 report I'm going to assign to Four. Now they have the ability to come in; they will get notified; they have the ability to come in and actually do these. And again, like I said, the SOC report is pretty simple: yes, I have one, attach your document, and you're done. That's all that these reports are.

The one thing to remember as you deal with the vendor contacts: only the primary vendor contact associated with an assessment is allowed to click the button and submit back to the system, and they can do so even if things are in progress or have not been started. This is because ServiceNow has had a lot of its own vendors that it uses this with tell them that they need more help with this, and they want to set up calls or a WebEx or something and go through it with them. That's not a problem, because it's completely collaborative. I'm going to submit the assessment; it's going to say that these are incomplete, so I'm going to say on my SOC 1, no; we'll exit there. On my SOC 2,
I'm going to say no. Now I can submit. I do want to submit, and you'll see it here on this side: the responses have been updated. I'll do a quick reload, and now I can actually view the responses. I can work with the vendor and view the responses and say, okay, for your SOC 1, let's see what you said. You said you didn't have one. Okay, so I'm going to create an issue, and I'm going to add a comment for the vendor and make sure that we follow up. I'm going to say, for my own team, need to know why, and then for the vendor I'm going to say, we have to have a SOC 1 in order to proceed. Now notice that I said include this question when creating an issue. I'm going to create the issue, and it's going to tell me, yes, I've done so. Okay, and then I'm going to return this to the vendor. So I've added comments; I'm going to return it to the vendor; I said yes, I've added comments, and I'm going to give him a few days longer; let's give him three more days to do this.

All right, a lot going on in the background. Our days have been updated automatically; this says it was returned, it's 50% complete. I'm going to refresh here on the back end, and I can now see that this quality assessment has been returned and I can continue working on it. Now, as I mentioned, this is completely collaborative, so I'm going to open this up, and now I can see that he has given me his comment, and I can see that here. But I'm going to go even further: on this side we opened up an issue. I'm going to open that issue, and I'm going to include the vendor in the resolution. So let's take this; I'm going to say this is critical. I can see down here the question that was involved: they do not have a SOC 1 report. So let's address this and say the vendor has to remediate; we have to have a SOC 1. And I can assign this out. First thing I'm going to do is assign it to a group internally, and we'll just pick somebody; there's no users, that's okay. We'll move it to Analyze. Okay, now I'm going to say, you know what, let's submit this
to the vendor, and I want it visible on the portal, and I'm going to leave this open. So here I am on the vendor side of the house: yes, I know you need one, I'll get to it later. Wait a minute, what's this? I have an issue. Let's open up the issue. Oh, this is critical; they've just created it, and it's that they, okay, so they have to have, fine. Let's go attach a file. I go and I attach my SOC 1 report, and, oh, it shows up over here. Complete collaboration: presence is honored between the vendor portal and the frameset. The vendor can see that I am working on it with him; I can see that the vendor is actually looking at the issue, that he's updating it, and I can say, here's my report, and automatically I see this here. This is designed to get people off the phone and out of email and get them to collaboratively work on the issues in real time together. I've seen multiple clients ask ServiceNow for this exact functionality internally, so that a control attestation or a risk assessment or a change risk assessment or a resolution survey for an incident can have this type of functionality, where you can be gathering the data or submitting data from the end-user standpoint and collaboratively work with them to make sure that the right data is input, or that anything is addressed that needs to be, at that final point in time.

So we've addressed this. I'm going to resolve the issue; the issue automatically goes to Review. We'll reload the form, and I'm going to back out of this, and now, as the vendor manager, I can review: yes, here's his SOC 1 report, we're good, we can close this out. So now I'm back to my vendor assessment. I've addressed my issue; it's closed complete. My vendor risk area has been defined for me: this is a security risk because of the nature of the questionnaires that we have sent, and right now, because of what we've gotten back, this is a high-risk vendor. There are other issues we need to address with them: we have to get the vendor to respond to the SOC 2, we have to
get the vendor to complete the rest of the assessment. A lot of clients have told me that if this were to come back, they would not even proceed with the rest of this. If the vendor does not want to take the time to finish the assessment, they won't even consider them. It's basically the idea of asking for the SIG in a spreadsheet, and the vendor waits two weeks and says, oh, I'm working on it, I'm working on it, and you never get it. They will basically kill the entire assessment and just cancel it: we're not dealing with this anymore. What that allows you to do, however, is keep the history of the interactions with the vendor. Oh, two years later, somebody says, hey, this is a great vendor, we want to deal with them. You can go back and look and say, well, you might want to rethink that, because our past experience is that they're not that great to work with; they have problems coming up with documentation, they are not timely in their responses, etc., etc.

Having gone through all of this, there is one more layer of automation that can be put into play, and it is the idea of repeating this assessment on a regular basis. Now, I can say if there is any incorrect answer, create an issue for me; when I go to generating observations, it will automatically do that. But the idea of saying I want to redo a vendor assessment every year is a completely separate record. The repeating assessment record basically allows me to define the time frame that the next assessment should take place, and the repeating assessment is basically for the vendor: we want to do the next assessment nine months from the completion of the first one, and that one should end three months later. Now, the results are only good for one year. These are the out-of-the-box values. I've seen a lot of clients say, well, no, we're going to do one every three years, so the next assessment creation should be in 32 months, the next assessment end date should be 36, the results should be valid for 1092 days. Once you set this up and you
apply it to the vendor risk assessment, simply applying it here and completing the assessment and closing it will start the trigger, and the system will start watching. Every day it will say: is there a repeating assessment? There is. Is it related to a vendor risk assessment that has been closed for that proper time frame? And if it sees one that matches those parameters, it will automatically generate a brand new vendor risk assessment. It will be in draft, and it will allow you to simply say, yes, this is still the right vendor contact, these are still the right questionnaires, send it on.

The one big miss, and this is the final piece of Vendor Risk, is basically the concept of reporting: it's very difficult to get a perspective of what's pending for repeating assessments. There's lots of information on where vendors sit in real time: my vendor classifications, my open issues, my vendors by risk rating, upcoming vendor risk assessments that are simply set to work going forward. But the system seeing the repeating assessments, there's no out-of-the-box report to do that. I've worked with a couple of clients trying to do that; it's kind of difficult because of the joins you'd have to do between the repeating assessment and the actual assessment. But reporting is pretty robust from both a vendor and an engagement standpoint, of everything that is going on and where our vendors sit, both by tier, by industry, by type, by risk rating, by open issues, and these are out of the box.

All right, as always, if you do come up with a question, feel free to send me an email. Thank you everyone for your time today, and hope you have a great week.
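The repeating-assessment trigger the talk describes (a daily job that finds closed vendor risk assessments whose renewal date has arrived and creates a draft successor) and the "what's pending for repeating assessments" report the speaker says has no out-of-the-box equivalent, modeled here in plain JavaScript as an added example. This is not ServiceNow's code and not the speaker's demo: the record shapes, field names (`repeating`, `parent`, `closedAt`), the in-memory record arrays and the 30-day-month approximation are illustrative assumptions, and the sample records are constructed. The offsets are the values quoted in the talk (create at 9 months, end at 12, valid 1 year; or create at 32 months, end at 36, valid 1092 days).

```javascript
// Added example, not code from the talk or from ServiceNow: a plain-JavaScript
// model of the repeating-assessment trigger and of the "pending repeating
// assessments" report the speaker says is missing out of the box.
// Record shapes and field names below are illustrative assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

function addDays(date, days) {
  return new Date(date.getTime() + days * DAY_MS);
}

function daysBetween(later, earlier) {
  return Math.round((later.getTime() - earlier.getTime()) / DAY_MS);
}

// Out-of-the-box values quoted in the talk: create the next assessment 9 months
// after the last one closes, end it 3 months later, results valid 1 year.
// Months are approximated as 30-day blocks (assumption); the platform itself
// uses calendar arithmetic.
const DEFAULT_SCHEDULE = { createAfterDays: 270, endAfterDays: 360, validDays: 365 };
// The three-year cycle the speaker mentions: create at 32 months, end at 36
// months, results valid 1092 days.
const THREE_YEAR_SCHEDULE = { createAfterDays: 960, endAfterDays: 1080, validDays: 1092 };

// Constructed sample records standing in for the vendor risk assessment table.
// `repeating` names the repeating-assessment record applied to the assessment;
// `parent` links a generated assessment back to the one it renews.
const ASSESSMENTS = [
  { id: 'VRA0001', vendor: 'Acer',     state: 'closed',      closedAt: new Date('2020-01-15'), repeating: 'REP_ANNUAL', parent: null },
  { id: 'VRA0002', vendor: 'Vendor B', state: 'closed',      closedAt: new Date('2020-06-01'), repeating: 'REP_ANNUAL', parent: null },
  { id: 'VRA0003', vendor: 'Vendor C', state: 'in_progress', closedAt: null,                   repeating: 'REP_ANNUAL', parent: null },
  { id: 'VRA0004', vendor: 'Vendor D', state: 'closed',      closedAt: new Date('2019-03-01'), repeating: null,         parent: null },
];
const REPEATING = { REP_ANNUAL: DEFAULT_SCHEDULE, REP_3YR: THREE_YEAR_SCHEDULE };

// Closed assessments with a repeating schedule that have not yet spawned a
// successor. This is the join the speaker says is awkward to express in reporting.
function dueForRenewal(all, schedules) {
  return all.filter(a =>
    a.state === 'closed' && a.repeating && schedules[a.repeating] &&
    !all.some(b => b.parent === a.id));
}

// One run of the daily job. Returns the draft assessments it creates; running
// it again on `all.concat(result)` creates nothing, which is the idempotence a
// scheduled job needs so a missed or doubled run never duplicates work.
function runDailyJob(all, schedules, today) {
  const created = [];
  for (const a of dueForRenewal(all, schedules)) {
    const s = schedules[a.repeating];
    if (today < addDays(a.closedAt, s.createAfterDays)) continue;
    created.push({
      id: a.id + '-R', vendor: a.vendor, state: 'draft', closedAt: null,
      repeating: a.repeating, parent: a.id,
      dueDate: addDays(a.closedAt, s.endAfterDays),
      // the renewed assessment's results stop being valid on this date
      priorResultsValidUntil: addDays(a.closedAt, s.validDays),
    });
  }
  return created;
}

// The pending-repeats report: every open repeating schedule joined to the
// closed assessment it hangs off, with the dates a vendor risk manager wants.
// `coverageGapDays` > 0 means the renewal window ends after the prior results
// expire, so the vendor would sit unassessed for that many days.
function pendingRepeatingReport(all, schedules, today) {
  return dueForRenewal(all, schedules).map(a => {
    const s = schedules[a.repeating];
    const nextCreate = addDays(a.closedAt, s.createAfterDays);
    const nextEnd = addDays(a.closedAt, s.endAfterDays);
    const validUntil = addDays(a.closedAt, s.validDays);
    return {
      assessment: a.id, vendor: a.vendor,
      nextCreate, nextEnd, validUntil,
      daysUntilCreate: daysBetween(nextCreate, today),
      overdue: today >= nextCreate,
      coverageGapDays: Math.max(0, daysBetween(nextEnd, validUntil)),
    };
  }).sort((x, y) => x.nextCreate - y.nextCreate);
}

if (typeof require !== 'undefined' && require.main === module) {
  const today = new Date('2020-11-01');
  console.table(pendingRepeatingReport(ASSESSMENTS, REPEATING, today));
  console.log(runDailyJob(ASSESSMENTS, REPEATING, today));
}
```

Run with `node` to see the report and the single draft the job would create on 2020-11-01 (VRA0001 closed on 2020-01-15 is 270 days old by 2020-10-11, VRA0002 is not due until 2021-02-26). Two design points carry over to a real implementation: the successor link (`parent`) is what makes the daily job safe to re-run, and the `coverageGapDays` check is worth adding whenever a client stretches the cycle, since a window that ends after the prior results expire leaves the vendor with no valid rating.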
https://www.youtube.com/watch?v=qqqTU_sz69s