Mitigating Third-Party Privacy Risks with ServiceNow®
Okay, welcome everyone, and thank you for joining us today. We're going to be talking about third-party data privacy risk: what it is, why it's important, and then we'll demo how you can assess, monitor and mitigate that risk using ServiceNow. My name is Mike D'Andrea, and I'm the GRC advisory solution architect here at Provesto. I specialize in helping our customers understand how they can leverage their investment in ServiceNow to comply with various privacy laws and regulations. I'm joined today by my colleague Eric Smith, our integrated risk management pre-sales lead and ServiceNow platform solution consultant. We are also joined by Theresa Law, director of product marketing management at ServiceNow. Eric, would you please introduce yourself and Theresa?

Absolutely, thanks Mike. So as Mike said, I run pre-sales at Cavastic. I've been working on ServiceNow for about 11 years now, most of that time as a solution architect and a business process consultant, and most of that time helping my clients with governance, risk and compliance. It's been an exciting time, you know, watching the GRC capabilities of ServiceNow grow. Initially it was, you know, good tasking and some good risk definition, and now they're in a really good spot on Gartner and Forrester's reports, and the capability set is amazing. I'm happy that you guys were able to join us today as we walk through some of it. Theresa, if you would give us a little more of an introduction for yourself?

Absolutely, thanks Eric. Hi, my name is Theresa Long, the director of product marketing at ServiceNow. As Mike mentioned, I've been with ServiceNow about three years, with GRC actually three and a half years, with GRC the entire time, and we've seen it just skyrocket as the market has changed and grown and as the customers' needs have changed and grown, and this pandemic in particular has really put a focus on GRC.

Theresa, thank you for the intro, and thanks for joining us today. I understand you have a little bit more you want to
share with us about ServiceNow.

Absolutely. I want to talk about my most favorite topic: ServiceNow risk and compliance. We're really proud of the growth and the recognition that ServiceNow GRC, or integrated risk management, has seen in the market. We've been the focus of multiple leading analyst reports across Forrester and Gartner, and actually many analyst reports worldwide. Risk and compliance is not one thing; as you can see, we've actually taken leadership positions in the vendor risk management Magic Quadrant and in the IT risk Magic Quadrant. As I mentioned, integrated risk management, or GRC, is not just one domain. ServiceNow's integrated portfolio of applications spans policy and compliance, risk, operational risk, soon to be privacy, audit, and of course vendor risk management, which is what we're here to talk about. It's all built on a common platform, and I know Eric and Mike are going to be going into this a little bit more in detail, but I did want to point out the fact that all of these products work together and they share the common data model, and that's very important. As we see here, unique to ServiceNow, we're actually born in the front line, so our vendor risk management connects and contextualizes third-party risk with those first-line users, the business users, the executive users. Then through the vendor portal we connect to the comprehensive risk capabilities that we have with third-party engagements, our risk exchange. That's all built on and connects to that common data, so we can share data across the enterprise. And then, as you saw earlier, that connects to the policies and the risks to be able to identify operational risk, business continuity challenges, policy violations, and all of that is extremely important to be able to build resilience. As we've seen in the case of this pandemic, building resilience is vitally important, especially as we're seeing in this pandemic, and
operational resilience is really about being able to continue to serve your customers in the face of disruption. So for vendors, that's being able to follow this four-stage life cycle: using your assessments to be able to anticipate whether or not you need to find an alternate vendor, because you don't want that supply chain disruption; you want to be able to assess the fact that your vendors are not going to be able to provide you with your materials if you're in a situation where they're quarantined, for example; prevent any disruptions; then respond very quickly; and, most importantly, be able to adapt. So perhaps you need to ask additional questions to assess your vendors more accurately, maybe you need to put more controls in place, but the whole idea is to be able to build that supplier resilience across your customers, your products and your workflows. So with that, I want to turn it back over to Eric and Mike to be able to tell you a little bit more about third-party risk management.

Thanks Theresa. So Mike, let's dive into it.

Okay, thank you Eric. As Theresa pointed out, a comprehensive vendor risk program is indeed a critical element of operational resiliency, so let's talk about vendor risk. As we all know, in today's highly competitive, global and digital economy, businesses must rely on a network of vendors to provide the products and services they need to generate revenues, to reduce costs, and basically to help them achieve and maintain a competitive advantage. Even moderately sized businesses rely on hundreds, if not thousands, of third-party vendors, and one of the most common types of third-party vendors that businesses rely on are data processing firms. Now, last year 90% of businesses relied on vendors to process data on their behalf: all kinds of vendors, vendors like payment processors, order processors, credit card processors and so on. So while relying on these vendors is essential to a business, it also introduces a significant amount of risk.
Last year 21% of data breaches were confirmed to be caused by vendors, and the average cost of a data breach in general was 4.29 million dollars, and this went up by nearly 10 percent whenever a vendor was involved. So businesses are well aware of this risk: two-thirds of them reported seeing a growing number of third-party incidents, and nearly half acknowledged that managing third-party risk is indeed a priority for them, but only a little over a third reported having sufficient resources to deal with that risk. So as a result, 50 percent of businesses reported really not having a clear understanding of the full scope and nature of their third-party relationships, and nearly that many, 43 percent, said they lack knowledge of the vendors' contractual terms and conditions, and 41% reported that they don't even monitor vendor risk. So this situation exposes these businesses to significant risk, and this risk is greatly magnified when personal data is being processed. Now, personal data is any information relating to an identifiable individual. It's also called personal information, or PI, or personally identifiable information, PII, and by similar terms, and while different laws define it differently, it really includes things like age, marital status, social security numbers, bank account numbers, but it also includes things like purchasing preferences and even your internet browsing habits. This information has value not only to your business but also to hackers and other nefarious actors, so any misuse or unauthorized disclosure of this personal information exposes your customers to what the FTC has referred to as an unwarranted invasion of privacy, and this can result in things like identity theft, financial loss, reputational damage and other harms to the individual. So to protect people from these types of harms, governments around the globe have enacted stringent data privacy laws that make businesses that collect and process personal data accountable for safeguarding
that data no matter who does the processing. This means your company can be held legally liable for the failure of businesses to adequately protect the data they process on your behalf. Now, several of these laws are listed here. You're probably familiar with the EU's General Data Protection Regulation; it really sets the standard for privacy worldwide, but if you do business in many of these other jurisdictions, I'm sure you're familiar with these requirements as well. Here in the United States, things are a little different. There's really no comprehensive federal data privacy law at all. While there are industry-specific federal laws like HIPAA, which protects the privacy of personal health care information, PHI, personal data protection in general is largely left to the states, and California led the way in this area by passing the California Consumer Privacy Act, or the CCPA, and that law went into effect January 1st of 2020. Other states like Nevada and Maine have followed suit in enacting their own laws, and many other states have data privacy bills that are currently working their way through their respective state legislatures. Now, Domestic has published a series of blogs on the CCPA as well as on the state of privacy laws across the country, and these are available on our website and can be accessed directly from the link shown here. So what do all these different privacy laws have in common? Well, actually they have a lot of things in common, but one is that they impose very hefty fines, including both civil and criminal fines, for violations, and if that violation is willful, enforcement agencies like the Department of Justice here in the United States can get involved and file criminal charges. Also, many of these laws, like CCPA and HIPAA, grant individuals the right to bring private rights of action, or lawsuits, and these can be private lawsuits or they can be class action lawsuits against businesses that fail to protect their personal
data. In addition, significant or repeated violations can attract the attention of government agencies like the FTC, who can then launch investigations into your company's business and your data protection practices. So the consequences of non-compliance can be very significant. So what do you do about it? How can you protect your organization from third-party induced privacy risk? Well, the key is to adopt a trust-but-verify approach. You start by contractually obligating your vendors to comply with your data privacy and security provisions. Then you continually assess your vendors, especially your critical vendors, to evaluate how well they are complying with their obligations. Then best practice is to periodically audit them to gain that additional layer of assurance and confidence. But last year, while 94% of businesses reported that they trusted vendors, only 59% actually assessed their vendors, and fewer yet, only 25%, audited their vendors.

Yeah, and Mike, it kind of strikes me, I mean there's an obvious risk hole here, you know, based on the potential regulatory fines and harm to the company, harm to the customer, that you've outlined. That 41% of businesses that aren't assessing their vendors at all, you know, it strikes me there's a huge missed opportunity here. The 25% of businesses conducting periodic audits, so that goes against the trust but verify, but also I think those businesses, those 75 percent of businesses, are missing a massive continual improvement opportunity. They're not going back and seeing, you know, how we've asked vendors questions, what kind of responses we get, maybe how we can ask fewer questions, better questions, basically improve that assessment process.

Right, and validating those responses. So that's a good point, and that's absolutely the situation, and we saw earlier that the lack of resources makes vendor risk management extremely challenging, and a common refrain that you and I have both heard often is "so many
vendors, so little time." Therefore anything that can be done to enhance the efficiency of the overall vendor risk assessment process is a really good thing, and this is where ServiceNow comes in and where ServiceNow really excels. So Eric, let me turn this over to you so you can tell us about ServiceNow IRM and how it can be leveraged to mitigate third-party vendor risk.

Absolutely, and it's one of my favorite topics. You know, the ServiceNow suite, governance, risk, compliance, now becoming known as IRM, integrated risk management, has become very capable, and it's not just third-party risk; it can help your business in several other ways. You see here the application and its components. So policy and compliance, that's been around for a long time, and that's the blocking and tackling, if you will. It's the external frameworks, regulations that you have to comply with, understanding how those break down into individual citations, understanding how they break down into individual controls, which can then be applied, or scoped if you will, to your business. So how do those external things apply to our lines of business, the services we offer, our locations, individual servers, individual databases, bring it down to that level. It's also helping the company monitor and manage their policies, so not just making those policies public, but breaking them down to the controls and scoping them to the business so we can do continual compliance. Sometimes that's a manual process, sometimes it's really automated, and ServiceNow can help gather actual data points using indicators and make sure that those external frameworks are being complied with, that policies are in place. It can also help you, you know, monitor and report and respond when things break down. Then, you know, risk management. It started off kind of as just IT risk management, but really it's become more closely aligned with the
business as well, and you're going to be able to relate all the risk not just to IT but to the business, understand their likelihood of occurring, understand the potential cost that they carry, and also, you know, mitigate those risks. What do we do if a risk is here and now it's an issue and we have to deal with it? Well, ServiceNow can help with the tasking of that, the assignment, and it can also relate to the security operations capabilities in ServiceNow and understand if there's vulnerabilities that we're exposed to as a business, if there's threats that could come into being, what are the risks to the business and how much could they cost us. It really helps you make good business decisions. As one of my clients said to me, you know, "I'm not going to spend two million dollars to mitigate a risk that might cost us 100,000 if it comes into being." Well, that business couldn't make those decisions without some really good application support from an application like ServiceNow. Audit: I love the way audit has grown, and it's not just managing your audits in ServiceNow (they're called engagements). What I like about it is there's an accelerator built in. If you've run audits in the past and they have their specific task steps and the specific types of evidence they need to gather, well, you can leverage those again for the next audit. And speaking of evidence, ServiceNow makes it really easy to gather evidence, not just from the business, you know, "hey, give me the spreadsheet, give me this data," but also using automated collection of evidence and gathering it in one place for an audit. And that kind of strikes at one of the things that I really love about ServiceNow: it's just one big happy relational database that plays nicely with others. So if you're using other applications in ServiceNow, IT service management, IT operations management, customer service management, or if there's a platform outside of ServiceNow that you're using that's already entrenched and
adopted, ServiceNow can leverage that data, help you, you know, get about your day a little quicker when it comes to IRM. Then that brings us to vendor risk. I'm not going to belabor this one too much because we're going to see it in the demo, but, you know, it's kind of one of the new kids on the block, if you will, ServiceNow GRC-wise, that helps you get ahead of the third-party risk that vendors are bringing to your company.

And Eric, you know, the nice thing about this, you got it right there very well, is you can take those vendors and the information for those vendors and you can use that policy and compliance application and create controls, so you can see non-compliance within the platform, you can see risks for vendors within the platform, so you can build that holistic view of risk across your entire extended enterprise, which includes your vendors. It all works together beautifully.

Thank you. So we see here the vendor risk assessment process, and I just wanted to take a moment to walk you through this because, you know, Mike, Theresa and I know that this isn't complex, that it is intended to be so easy that the business can do it, if you will, or, you know, the chief risk officer or his folks. It's made to be easy to work with, but if you're seeing something for the first time, you can kind of imagine complexity where it doesn't really exist. So the main thing you need to understand is that vendor risk assessments are built, as you see here, from the bottom up. Typically you start by creating a library of questionnaire and document templates, so the questions we're going to ask vendors, the proof, the documentation we're going to ask from them, and then you'll have different types of questionnaires for different types of vendors. So you have one questionnaire for, let's say, a hardware vendor, another type for a software vendor, or yet another for a data processing vendor, which, as Mike clarified, can be very important. Then
you draw from these templates and you create different types of assessment templates, so that's stored potential. Now you can relate those assessment templates to those different types of vendors, and it's not just, you know, are they hardware, software, data, etc. In our example it's, you know, are they a strategic partner, is this somebody that's a critical part of the business, or is it just a, you know, just-in-time product vendor, a supplier we're just working with once. You can associate those assessment templates with these different types of vendors. Now once you've created this library, if you want to assess a particular vendor, then you just grab one of those templates and assign it to that vendor. We find that the best time to do some of this is when you're onboarding a vendor: make sure up front you're understanding the types of risks they're exposing you to and the type of rigor they have on their side. But also you can do it as needed, you can have it automatically triggered by a triggering event, or you can do it periodically, let's say monthly, quarterly, annually. Now once that assessment template is assigned to a vendor, now you have a live vendor risk assessment, and we're going to be working through a couple for an imaginary vendor called Data Now in the demo itself. Now another workflow I wanted to show you, and this one I'm not going to walk through at all, it's really just to make a point that, you know, once you submit that assessment to the vendor, or there's an issue you have them working with you on, or you task the vendor, everything they do happens in a vendor portal that you're going to see that's very intuitive and simple, and that's where all that back and forth happens. So, you know, the assessor can flag an assessment that comes in for follow-up, the vendor interacts with it in their portal, they can return questions or comments to the vendor and the vendor goes to the portal to see that, and if issues are created, that's where the vendor works with it. All the
back and forth communication with the vendor happens in the vendor portal, in real time or near real time, and that completely untethers your team from depending on phone calls, email and ad-hoc tasking. It significantly accelerates the process.

Yeah, Eric, I think it's worth it to point out at this point that, you know, we can do these assessments at the vendor level, but you can get really granular. You can get down to the engagement, to the project that they're working on, you can do it by region, so you can see what your risk is like for your data centers in EMEA versus North America. So you can really get a sense for the risk and where that risk is coming from for your vendors.

Outstanding. Well, let's see what it looks like, so we're going to go ahead and pivot to a demo. All right, so we see here a ServiceNow instance. Now today we're going to be following around Wilhelf Tarkin. He works for a company we're just going to call Empire LLC. He is a vendor manager, so while he is highly focused on vendor risk and dealing with that, mitigating it, etc., and that's a big part of his day, he's also got some responsibilities for onboarding new vendors. So we're going to kind of see, you know, at a glance some of the features that can help him with vendor performance, if you will, another capability of ServiceNow. So as he logs into ServiceNow, he sees his favorite dashboard. This is the vendor risk dashboard, and at a glance he can see: is he having a good day or a bad day, vendor-wise? So Moff can see, you know, he has 196 vendors here, two of them have a critical risk rating, two of them have a high risk rating, and I don't have a moderate risk rating, etc. You can see the tiering right up front, and all this is click-through capable, so if he wants to look at just those with a high risk rating, it's there to click through. There's also some different graphs that can help him understand his vendor posture at a glance, so here we see all of our vendors and they're stacked by the risk rate,
sorry, here we see all of our vendors and this graph is by their risk rating, but it's also stacked by the type of vendor. So I mentioned that, you know, you might respond differently to somebody who's a strategic partner versus somebody who's just a valued partner (still love them) versus somebody who's a tactical supplier, just kind of a just-in-time or as-needed. Speaking of that, we can also see our vendors by that rank, and there are pre-built assessments to help vendor performance managers with this tiering. So there are questions that you can ask the vendor, or you can ask them yourself, to understand which one of those tiers that vendor falls into. We also see a crossover of our risk tier and risk rating for all the vendors. He can also manage all of his vendor issues. So in ServiceNow, vendor issues can be created manually, but typically they're going to be created by an assessment: we send an assessment out to a vendor and we get a response back that we didn't expect or we didn't like, it can automatically trigger an issue, and there are different rules for that, so you can accelerate routing, you can accelerate tiering, if you will. But here we see all of our issues by priority, by state. So at a glance we can see that, you know, there's the vendors of moderate risk, there's a few assessments out there that are still being finalized with the vendor, as an example. Here we can also see open issues by priority, by vendor, and there's one that's critical, Work Faster, and there's a couple out there for Data Now as well that are high priority. We're going to be seeing a little bit more about those today. We see all the active issues by vendor, and also some aging, so we can make sure that the football is being moved forward. Now as Moff clicks into Data Now, he sees there's two active issues right now. One has already been submitted to the vendor; there's a workflow process in the background, and we're going to see a little more about this in a moment, but
it's already been assigned to one of his colleagues on, you know, the Empire LLC side, if you will, to take a look at this issue and understand what needs to happen next to get more information, to address it, to mitigate it, and it's also already been assigned to the vendor for the vendor to work through. Then there's another one that's still in a state of Analyze, so this one just came in; it was an auto-generated issue by one of the data privacy assessments that we sent that vendor. We can also see at a glance how vendor assessments are going overall, so we see a little bit of a chart here that there's some declining volume back in December, you know, we had a few more assessments going out, we're expecting a little bit more of our vendors, and we can also see that there's 77 total assessments out there, and we see them broken down by who they went out to. And then this tab is kind of where vendor risk management and vendor performance management cross over a bit, so of all the vendors we can see their classification as for risk, and we can also see their scoring. These are third-party vendors where we've done a little bit more introspection to understand how they're doing on the services they're offering on our behalf. We can also see their risk assessment and their security scores. Now, if Moff is a little bit more action-oriented this day and he doesn't just need to see a dashboard, there's also a workspace built by ServiceNow just for the process of managing vendors, and you see here Moff's three vendors that he's responsible for. Now he can look at all of them, and this can be permissions-based, so if you want certain vendor managers to see certain vendors and not others, that's all within ServiceNow's capability set. So for a particular vendor, we're going to look at Cloud MSP for just a moment. There's quite a bit of data available, so we see Cloud MSP is a valued partner, we see their vendor manager is Vicki Jonas, so if Moff has
any questions that he's asked, you know, about that vendor, how they're being onboarded, how they're doing, he can also work with an internal colleague; you can have communication and tasking support within ServiceNow. Their overall score is 36 percent, room for improvement, and the average performance of their service offerings is 60. Now, they haven't been with us long enough for a vendor satisfaction score, but there are automated assessments within ServiceNow that can go out to customers, that can go out to internal folks who rely on that vendor, and they can say, you know, basically on a scale of one to five, unhappy face to exceedingly happy face, how did that vendor do, and as all those assessments come back it percolates up into a vendor score. We can also see what services this vendor offers on our behalf and how they're doing individually. We can see any assets that that vendor is responsible for, you know, databases, servers, what have you. We can see the contracts that apply to this vendor; in this case we see a little bit of total cost, who the contract administrator is, some information about expiration. Now I mentioned that that vendor had some room for improvement. Well, there can be improvement initiatives, and these have their own workflow life cycle, if you will, as well. If there's something, let's say SLA performance or customer satisfaction, that a vendor needs to work on, you can launch an improvement initiative. It doesn't just have to be one particular vendor; it can be "all of our software vendors need to get better about this one thing." We can also see the service level agreements that apply to the vendor. But let's go back to the one we're a little worried about today. Data Now is being onboarded right now, so we haven't quite tiered them yet, we haven't quite scored them risk-wise, we've just sent a few assessments to them, and as we're going to see, there's a few assessments awaiting their attention. So we see that there's a risk scoring rule applied to this.
This is an IT vendor, and this strikes at what I mentioned: if it's a hardware vendor, software vendor, if they touch, you know, PHI if you're in healthcare, if they have this element, they have that element, if they're in this location or that location, you can apply different rules that will help you not only ask the right assessments to get a good score but also calculate those scores. We're going to dismiss all those notifications. So some of the vendor-based scoring hasn't happened yet because we're still onboarding this vendor, but we can click in here and see their risk rating details, how they're doing at a glance. So how does all this come together? Well, let's go back to our ServiceNow instance. Moff has a few favorites that he works with every day. Now Theresa mentioned that this can cross over into actually managing individual controls. I want to show you a little bit about how that can happen. So this is an authority document. Authority documents in ServiceNow GRC are the external frameworks, the regulations, the policies, the individual policy elements that govern how we do business, and they can have their citations, so the verbiage, and they can have their controls and control objectives, the action, and these things have a life of their own. These controls can be related, scoped if you will, to locations, to services, to things, and all of these, as they perform and as they're assessed, either in an automated fashion or via tasking, they're going to receive... sorry guys, I thought I had my Zoom closed, let me kill it with fire. So as these authority documents are related to control objectives and controls, these things are going to have a life of their own. So as non-compliance is noted, as non-compliance is reported, as compliance, etc., all of that is going to be noted in a compliance score percentage, again kind of a good day or a bad day for that control, that one element of an external framework or a policy relating to something about your business,
and we see over here some compliance score percentages, and all that's going to roll up into an overall compliance score percentage just for that authority document. In this case this applies to the vendors, so this is going to drive some of our behavior in the background with assessments and how they get scored.

And you'll find, Eric, you know, as you know, just about every privacy authority document, regulation, initiative, framework, it includes citations for vendors. Vendors are actually key to maintaining a good, strong privacy policy and program.

Absolutely, and, you know, I love that you mentioned policy and program there. Policies are your friend in this world. Policies are a great aggregator within ServiceNow, so if you want to look across multiple regulation regimes and just say "our change management controls," you can have a policy around change management, and it helps you grab all those and see how we're doing, compliance-score-wise, and also related to vendors. So we see here our assessment metric types. We mentioned this in the presentation; this is where the actual vendor risk assessment starts to come into being, and there's quite a few here, you know, business resiliency, compliance. Some of these are going to be performance-related, financial viability as an example, but we begin to see some things related specifically to vendors: the data privacy, or, you know, how are you protecting your customers', our customers', private data. You also see SIG, so Standardized Information Gathering; there are several different flavors of that, and I'm not going to dive into these because we're going to kind of see in a real-world fashion what these assessments look like. I'm going to show it to you from the vendor perspective, but I do want to stop for a moment and say this is not something you should be daunted by at all. These assessment templates are relatively easy to work with, and there are several other accelerators to make it even easier.
so you can import from excel uh there's a template this can provide to help guide you along with that as i mentioned there's the the sig questionnaires which are available in the servicenow store so you can start with those uh all the way from the full to the light and then also there is an assessment designer and it's all drag and drop so if there's booleans that's just a boop drag drop if there's a choice um you know it's drag drop if there is a question that only needs to be asked based on the response to another question so if this is a yes then ask this question easy peasy and then also you can have stored potential as far as questions uh so it's actually better if i show it show you here because it's categorized you can also pull from categorized uh lists of questions a question bank if you will so i don't want demographic questions i just want data privacy questions does your organization haven't maintained an inventory of all etc yes i want that one drag drop so you can begin to see how you can build out additional assessments for yourself so let's get back on track with uh you know the issues that might have been coming in you see here a list of vendor risk issues now there's you know you can read the titles and understand what these issues you know what has prompted them uh missing background checks um you know they have insufficient session timeout period set these can be triggered by automated uh these can be triggered by automated indicators within servicenow so if you know that this data point isn't what you expected then trigger an issue as far as vendors typically what's going to happen is that they responded in the assessment in a way you didn't expect so let's just look at the issues particularly the data now so we see that there's two issues that are currently active and they were both auto-generated um how easy was that uh so in this case um there was a question that was was a no when it should have been a yes if you will and it was 
automatically generated and assigned to that vendor's manager for triage as we go into that issue we can begin to see that life cycle so it starts off life in the analyzed state as adam worked through it and said okay this needs to go back to the vendor for you know some addressing here's the priority then it can be submitted to vendor via click just one click if the vendor works with it on the vendor portal they do what they're asked and then they they submit it all that back and forth happens in the vendor portal now in this case uh you know just having an issue out there probably wasn't going to be enough so in this case we generated a task now for this it was gather all the details of this recent data breach that you just notified us about in this assessment and we've even added the steps uh make sure breach is contained um you know assess what what happened there you know how bad was it uh make sure that you notify the customers etc step by step now this one was created manually but i do want to point out that these can be automated if there are tasks that need to happen for a particular type of failure you can have that automatically happen if you want to templatize uh if the these steps uh in order you know are always the same well you can have that um the world is kind of your oyster here as the vendor works with this particular task on this issue it has its own life cycle as well so what do we know about data nowadays well on the vendor record we're going to see quite a bit of data so i'm not going to spend a lot of time on the uh the up top part um you know we we know they're uh we know they're in it services we know we're still on boarding them uh but we can see some financial information etc where they're locating all that but the really interesting stuff is down here in the related lists so this happens to be the vendor manager view i'm going to show you the risk manager view in just a moment but we can see the assets the contracts the slas uh any 
particular catalog items they support for for our employees uh who the stakeholders are vendor categories uh etc and we can also create a vendor improvement initiative from here so if we wanted to see what that looks like from a vendor risk perspective a completely different set of data and you can set these different views up you saw there at a glance there's several of them based on the role of the person who's viewing it so for the vendor risk manager they see what agreements we have with via now they see what business services they support uh what contracts are in place how many assessments are currently out there in flight uh what issues we have and then we get to the real meat of it what risks this vendor's associated with and what controls this vendor is associated with so this begins to help you make sure that vendors are compliant not just what you're asking them to do but the frameworks and regulations that you have to comply with the policies that you've established and you can see at a glance are we having a good day or a bad day there all right so what does this all look like from the vendor's perspective you know i've i've showed you the way that uh the vendor managers or you know vendor risk managers if that's the specific role can work with all those data and service now i've pointed out there's quite a few accelerators to make it a little bit easier for your business but how easy how easy is it for the vendors themselves well here's the vendor assessment portal uh in this case i have it pulled up in my chrome browser but i do want to point out this is also you know it can be mobile enabled uh so if they if that vendor is always on their iphone or their ipad or you know they're out in the field they can get a look and feel that's very similar to this and just as intuitive to work with so currently i'm eric smith hi uh i work for data now and um all i know about this moth tarkin guys he keeps sending me assessments and uh recently he sent me an issue 
and then all of a sudden he tasked me what do i do about all that well as i click into my company record i'm going to begin to have quite a few options we'll see that there's two assessments out there uh one of them we already we already completed we already kicked it back to uh you know empire llc but man they just sent us this new one so let's see what that one's all about okay well there's you know different questions they're going to ask me and then there's uh you know they're going to want to see elements of my sock one or four i don't think i'm the right guy for that i think that i should go ahead and say that that's my andre so you can see that you know at a click on the vendor side they can use servicenow to help with their task so that they can get it to the right individual they can triage on their side so they can get you the information you need on your vendors back as rapidly as possible let's go into the questionnaire we can begin to see uh what's this is just an example this is just an example i'm going to get something for you that's a little bit more specific to data privacy but this sample shows you what some of the questions can look like so you can have booleans you can have click boxes you saw this is a dependent question so i clicked yes so you know you can have ones that pop up additionally based on previous response uh you can say that certain questions are required that's what that red asterisk was indicating and once i clicked it turned gray uh you can also have attachments they can click on the paperclip easy peasy drop the evidence that you need uh and they can also drag and drop onto this one uh they also have options as they're working through it so if there's 50 questions and they know 10 of them they can go and do the 10 they know save it not submit sign up to the individual who assign it to the other individual who does know so i'm just going to go and discard my changes let's get to examples of something that might be a little more 
germane to you so data privacy risk quick assessment this was already submitted and we've already responded to it to the best of our ability and this prompted an issue so we have a few view options in that example where i'm going to answer 10 and one of my colleagues is going to answer the next 40. we can just show unanswered questions just let's just see what work is left to be done and we'll see here some of the examples of privacy related questions we can ask do you have a data privacy officer or chief privacy officer etc do you incorporate privacy by design uh do you have dii this one has your organization suffered a breach within the past two years yes we have wow we would like to know more about that so on questions like this you can ask those additional questions right off the bat but on something this weighty a data breach you can have servicenow automatically create an issue which is what happened in this case noted right here that's an issue so now let's look at how the vendor can work with that issue so i go to my issues drop down and i see there's just one gear so as i click into that issue there's there's a back and forth communication that can happen right here so mike d'andrea my colleague on my side of data now created this without his knowing by that response to the data breach question that's how the issue came into being that is noted here but this has already been back to my vendor manager at empire llc uh grand moff tarkin and he's already added a task so let's look at that task gather details of recent data breach with supporting documents okay easy enough let me click into that uh and then moff has given me some steps i need to contain the breach etc i can go ahead and start progress let him know that i'm working on it and it shows up on his side real time oh they're working on that issue good when i have this documentation of these actions all these actions and i have it ready i can attach it right here save the company sees it immediately 
now when i'm ready to resolve it you know i think i've followed all these steps resolved task again shows up automatically so eric i think this is probably one of the most powerful things um that we've got in the vendor portal is this it's just real time and i don't know if people actually really understand the fact that this is real time if somebody we saw that other screen the issue screen that had that notes comments tab if you clicked into that you would have seen this exact same correspondence back and forth the same workflow it is happening time and i think to be able to get questions answered that quickly to move things along that's what really drives the efficiency for vendors to be able to return those assessments quickly and have companies organizations be able to process them more quickly and that's saving people just tons of time but it's this real time chat capability that helps to drive that and i think it's it's something people don't always notice um because it's sort of lying there but it is so very powerful 100 and and and teresa you and i are kind of focusing at the you know the person who has to manage all of it what about executives you know if executives if something's percolated up to that level and they want visibility how are we doing with that vendor issue they can add themselves to the watch list or be added and they would they could be notified of these notes as well so they can see real time in real time that's kind of the secret you know it's not three weeks from now it's in real time absolutely so we've talked a lot about easy well how do we make it easy for the vendors well they've already got a pretty good portal uh but there's also you know there could be a frequently asked question page so you see here some stock things but as your vendors work with your version of the portal uh if things come up issues come up you know with them just getting into the portal or using it uh you can have frequently asked questions here to address it 
so that's our vendor risk management demo uh we've also seen some of the vendor performance issues uh we've seen how all of this can be used all the way down to your vendors so to sum up regulators have made it very clear that when it comes to privacy uh you're responsible for all the data you collect you cannot contract away your responsibility or accountability and a vendor breach equals your breach so make sure that you have something in place hopefully like what we showed you today uh to make sure you're responding appropriately just sum up some of the things we saw today um the five key components how you assemble a vendor portfolio we saw a little about how you onboard your vendors uh we learned a little bit about vendor assessments uh we also learned how those assessments come into being we also saw the vendor portal itself and how the vendors can interact with not just your assessments but issues if they happen we also saw a little bit about how you can begin to remediate those issues and respond to them and we touched on the grc slash irm integration with all of this process i do want to say there that we skimmed the surface there uh we didn't really show you much of how audit can be brought into this uh or you know the external frameworks we showed you the control there's more to share there so i just want to say that if you want to hear more about that please contact us or service now and ask for a more detailed demo so with that uh thanks for joining us first i hope you enjoyed that but uh we did have a few questions come in uh so let's go and take a look at that see how we can help you out um all right i think this one might be for mike maybe theresa if you have something to add here the question was we often contract with the same vendor to provide different products or services can we assess the risk for each product rather than assessing the overall vendor risk yes um hey that's a really good question yes and that's exactly how it works as teresa 
mentioned earlier in the demo in servicenow the different products or services are referred to as vendor engagements for example take the microsoft aws would be a different engagement than say microsoft office 360. and so servicenow allows you to assess the risk for each of those engagements separately and optionally you can roll those up into an overall assessment risk or for uh for the for the vendor in this case microsoft so yes that's exactly how it works yeah and it actually goes a little further than that even i mean because you mike is exactly right you know it assesses the engagements but you can have a hierarchy so you might have child vendors that are or subsidiaries below your your vendors you can actually get that risk score for each level of the hierarchy and then as mike said each engagement with a project or a service or a location and that rolls all the way up to the top so you know we were talking about earlier you can really get as granular as you want and pinpoint that risk to security risk or privacy risk or financial risk or you know whatever you're seeing out there so you can really really get a feel for where that risk is coming from with your vendors outstanding we had we have another question um let's see we might start with michael in this one and let's see where it goes question is you mentioned that you can relate questions in the questionnaire to your internal controls uh if a vendor answers a question wrong what happens with the corresponding control status yeah that's another really good question and uh let me think about that a second okay so here's how it works uh when the question is answered wrong uh the associated control flips from compliance and non-compliant and a vendor issue a vendor risk issue is generated now once you have that issue you can handle it in various ways for example you can simply accept the risk but regardless of how you handle it that control status stays at it let's say let me put this one that control 
status doesn't change until the vendor is reassessed and found and that control was found to be compliant all right we had another question can we manage vendor contracts with respect to renewal and explorations yes and you can do this in multiple ways and service now another good question okay so one way you can do it is when you you know if you want to uh continually monitor your vendor to see how well uh they're complying with their contractual obligations um as you pointed out in as you pointed out in the demo area uh you can set up these vendor agreements as authority documents in servicenow in the servicenow policy and compliance application and when you set it up in policy and compliance servicenow will ask you to specify a valid to date and then once you set that date as that date approaches servicenow will notify you and then actually 30 days before that date service now will trigger a workflow automatically that will route the agreement for review and approval which allows you to at that point either renewed or determinate as designed it's a very efficient process i'm standing yeah and mike and it it occurs to me that there's there's even more there um servicenow also has a contracts management application it's kind of outside the grc purview but it can relate to it if you need to manage that renewal expiration extension with the financial aspects of it servicenow can get into that level that's a that's a great topic for another conversation for your procurement folks but it can do even more yes everything you just mentioned but it can do more yeah absolutely and i think the uh i think the the thing that we overlook sometimes is it's the power of the platform you know all of these applications are residing on a single platform so we're able to to easily share this data about the the dates that you're first talking to that vendor or the the dates that they're up for renewal or the information you're getting back from that that contracts application um it 
really is the fact that we have a single common platform underneath everything that that allows us to do all of this outstanding and thank you everybody for joining us today teresa thank you for joining us mike great working with you as always uh hopefully you enjoyed this uh make sure that you check out more on demand webinars the url is here go to servicenow.com search for events and on-demand webinars thank everyone for your time today
https://www.youtube.com/watch?v=Vq1QC-niDl8