Lunch 'n Learn

Streamlining Vendor Risk Management

Protecting your business in the era of SaaS compliance

November 17, 2020 12:00 PM

These days, you have more vendors that handle critical customer data and more opportunity for data breaches than ever before. This makes vendor risk management a critical activity for any compliance team. The problem is, properly assessing vendor risk is a messy, manual process that involves reviewing vendors, distributing vendor security assessments, tracking responses, and collecting evidence across teams through a mishmash of spreadsheets, email, calendar invites, and multiple discrete tools.

Aptible Comply now comes with vendor risk management capabilities which solve all of these pains. Watch our on-demand webinar where we’ll demonstrate how Aptible Comply can help you:

  • Automate the distribution and review of vendor security assessments
  • Effortlessly manage and track vendor-management-related activities through integrations and automatic tickets
  • Continuously monitor your vendor risk program


Presented by

Rob deJuana-Matthews
Marketing
Kyle Taylor
Product Management

Transcript

Rebecca (00:04):

Hello, everyone. Good afternoon or good evening, depending on where you are in the world right now and where you're viewing this from. My name is Rebecca. I run demand generation marketing at Aptible, and I'm just going to start with a couple of housekeeping items. You're all in listen-only mode, so if you do have a question, feel free to type it into the Q and A box and we'll keep an eye on that throughout the presentation and make sure that we're answering those as we go, if it makes sense.

Rebecca (00:35):

We'll try to leave some time at the end as well, to answer any of your questions. If you're having any sort of technical issues, feel free to just use the chat and you can send that directly to me as well. I have Kyle and Rob here from the Aptible team, and they're going to be talking today about putting vendor management on autopilot, how you can protect your business in the era of SaaS Sprawl. They'll start with a brief PowerPoint intro and then go into some live demos. With that, thank you all so much for joining, and I'm going to hand it over to Rob.

Rob (01:06):

Thanks, Rebecca. As Rebecca said, we are here today to talk to you about protecting your business in the era of SaaS Sprawl and putting vendor management on autopilot. I'd like to welcome you all and get started with some introductions. As Rebecca said, I am Rob deJuana-Matthews, Senior Product Marketing Manager here at Aptible and I'm joined by my colleague, Kyle Taylor, who is Product Manager for vendor management and all things customer trust.

Rob (01:34):

You're in really great hands today. Kyle is awesome at this. Once again, welcome to the webinar and thanks for taking the time out of your day to join us. Kyle?

Kyle (01:46):

Thanks, Rob. Yeah, I'm super excited to talk about vendor management. Like Rob mentioned, I'm focused on the relationship between vendors and their customers or prospects. And so, obviously, this is a big portion of that, and I'm excited to jump in and talk about what it means to create a successful vendor risk management process and program, and talk about some of the learnings we've had just as we've talked to people in the industry.

Rob (02:16):

Yeah. As we get started, I think it's important for us to bring up that what we've found over the years as we've gone on this journey to build trust on the internet and engender customer trust, is that it's now much more difficult to evaluate your vendors and to trust them. It's important, and we'll talk about why. I mean, to be perfectly honest, the reason you're here is that you know that it's important.

Rob (02:46):

But we've tried to come up with some ways that we've found that help companies be more efficient at this and also be stronger, because one of the things about vendor risk management is that it's a complex thing and complexity breeds both an extended amount of time that you need to spend addressing it and also the potential for error. And so, we're trying to deal with that complexity in a good way.

Rob (03:14):

But before we get into much more, a little bit of extra housekeeping. We're not going to just talk to you for 45 minutes. At different points of the presentation, we're going to have some polls and we'll use the poll feature to capture your feedback, because we want to know how you're dealing with the challenges of vendor management and how much time you're spending. It's really for us to get a sense of where you are and how you're dealing with these things.

Rob (03:40):

We'll also have about 10 minutes for Q and A at the end, as Rebecca said. Go ahead and put any questions you have in the Q and A tool. If we run long and don't get to them live, we'll go ahead and respond to them via email. For an agenda, just a quick shot, we're going to go over the challenges of vendor management. Most of you already know this, but just humor us. We're going to go over protecting your business in the era of SaaS Sprawl.

Rob (04:05):

We will talk about what SaaS Sprawl is, how we're making it easier to manage vendors in this era with compliance vendor management. We'll show you a demo, which we are really excited about what we've built, and then we'll get to Q and A at the end.

Kyle (04:22):

Awesome. Thanks, Rob. Let's start it off a little bit interactive, like Rob said. We don't want to be talking to you all webinar long. So we're going to start off with our first poll question. We'll use these responses to inform the topics we talk about throughout the webinar. Rebecca's going to launch the poll, but we're curious to hear how much time per month does your team spend on managing vendors. Rob, I don't know about you. I know for me, as I've been talking to customers across the spectrum, it can vary widely depending on the size of the company, how many vendors you have, but also what tools you're using to automate and the size of your security team and your procurement team. Does that-

Rob (05:13):

For sure.

Kyle (05:14):

What have you found when doing some research in the industry?

Rob (05:17):

It's the same thing. It varies widely. Some people are front-loaded so there's a lot more during the assessment period. And then some people spent a lot of time on vendor review. Sometimes, and we'll talk about this later, it's compressed right before an audit. But the truth is that the amount of time is really dependent on where you are as a company, and how many vendors you're bringing on, and what your team size is.

Rob (05:46):

It can look like a little bit of a weird bell curve because as you go up in the number of vendors that you're dealing with, but not necessarily team size, it starts becoming a real slog. And then it starts to get a little bit easier. Although the amount of time that you spend is always growing.

Kyle (06:05):

Well, thanks for answering that. We've got some responses here and that'll help us down the line in our presentation.

Rob (06:13):

Actually, let's go into that really quickly. Before we start on SaaS Sprawl, 67% of you said that you spend between 11 and 20 hours a month managing vendors, and depending on your team size, that's quite hefty. That's pretty interesting. And then, the rest of you were at six to 10, so that's cool. We have some numbers that we'll talk about a little later, and actually that jibes with them. So I'm glad you're here.

Rob (06:46):

But one of the reasons why you're probably here is not to just give us information on how long it takes you to do these things. It's because vendor management has become a chore, and that's because of SaaS Sprawl. What that means, aside from the buzzy words, is that it's the result of a cloud-based delivery model. We're all in SaaS tech. We know how this has progressed. It used to be that everything was on prem. So the security of your vendor who was selling you software that you installed in your network didn't really matter to you.

Rob (07:27):

Unless they were putting malware in it, you installed it and the security of your network was all that you needed to know, and you were fine. As time went on, we moved into a hybrid model where your most sensitive data was still in your network and your customer data was still in your network, and you were shopping out things and putting things in other people's environments that weren't necessarily business critical. So they weren't critical vendors.

Rob (07:54):

You were willing to just take some things at face value. You said, "What do you do around this? How's your physical security? Where is it hosted?" And it was an easier conversation. But today, none of that is the case. Critical data is in someone else's system. You really aren't controlling it via your own network. And so, what has happened is your compliance, to a certain extent, is dependent on your vendor's ability to protect data and to be secure, and in a sense, their compliance.

Rob (08:33):

That makes it a lot harder for you to just sign off and say, "Yeah, I'm going to accept this risk." What you want to do is find out, okay, how serious are you? How do you respond to incidents? What are you doing in very specific situations so that you have a bit more confidence in their ability and confidence that the data that they are processing is safe? It's important to know how much risk you're being exposed to by hiring a vendor.

Rob (09:06):

The ways that people start negotiating these conversations is interesting. Kyle, do you want to talk about how people are trying to start this or kickstart this conversation?

Kyle (09:17):

Yeah. With everything going into the cloud, you see more and more companies, your vendors, and probably most of your companies, trying to be a little more proactive about letting people know about their security posture and making sure that there's a high degree of trust between them and their customers. And so, what a lot of companies have done, and I'm sure you've seen these around the internet, is build out these security and trust pages on their marketing websites.

Kyle (09:49):

These are great. These are really helpful. It's a great way to get an overview of the security program at a company, and to see which compliance frameworks that they're using and to make sure that what they're using is the ones that you'd like to see in your vendors. And so, it's a great way to get a snapshot. But as we all know, these in and of themselves usually aren't enough.

Kyle (10:19):

Maybe for some vendors that are housing little to no information, you might do a cursory overview and look at these pages and sign off on them. But for the majority of your vendors, it's a little bit more of an investigative process.

Rob (10:36):

Wait, Kyle, I just want to say something. You're telling me that people aren't going to say on their marketing websites, "Hey, we had an outage and it took a little while to get solved and customers were not happy"?

Kyle (10:49):

Yes, these are on marketing websites. That means a lot of the information you're interested in when you're reviewing a vendor is not going to be promoted on these websites because these are meant to really show people in their best light. But if you're doing vendor management right, you want to make sure you know what happens with your vendor when things go wrong, and that's where the investigation comes in. And so, you might dig a little deeper.

Kyle (11:18):

You might say, "Yeah, I need to see a copy of your latest SOC 2 report." You'll probably start collecting some of these documents that we show here on the slide and reviewing those. These help you get a clear sense of how mature the security program is at this company that you're reviewing, and help answer some of those questions you might have after you just look at their security or trust page.

Kyle (11:47):

And so, after you review these documents, a lot of times for vendors that aren't critical and have lower risk, you might be satisfied with what you find. But there are several vendors, if they house important data for your customers, or if they have access to important systems or databases, of course just reviewing the documentation isn't enough. And that's really where the vendor assessment comes in.

Rob (12:15):

Oh, everybody's favorite part, the vendor assessment. Look, we all issue them and we all have at one point or another had to deal with them. Look, we know the whole entire process is a pain. But in order to truly understand the vendor's security posture, you have to send a vendor assessment. Some companies will use pre-made assessments like SIG Lite or VSAQ. Others will create their own bespoke assessments or they'll put together some edit things and put in new questions.

Rob (12:49):

But the reality is that the overall process is pretty much the same. You either pick an assessment to send if you have multiples, or you'll customize the assessment. If you really have to, you'll write a whole new one. Then you'll send it and do a bunch of follow-up with the vendor. This is where it starts getting sloggy because you'll have people on your team, whether it's procurement or whoever's requesting that this vendor be reviewed, saying, "Hey, for metrics reasons, or because we need to get some work done, we really want to onboard this vendor within the next couple of days. Can you get through this process?"

Rob (13:30):

And you're like, "Well, it's not really something I can control, but I'll try." You try to get the vendor to move a little quicker. Then when it comes back, you've got to review all of those responses and you have to make sure that they're okay. The reason why you've potentially given them an assessment is because you saw something in the documentation that you asked for that flagged something for you. And you're like, "Okay, I need more information on that."

Rob (13:54):

And so, now, in this questionnaire, you're going to find the same things. You're going to say, "Hey, I need some clarification on that," or, "Could you tell me more about how you deal with this?" And so, you send it back and then there's the back and forth again. Then when you get your responses to those flagged questions back, you have to review them and then say, yes, this is okay or not. You have to make a determination about whether you're going to approve the vendor, reject the vendor, or do something in the middle where you're mitigating.

Rob (14:20):

That's a lot of time spent. And so, what happens here is we all come to the realization that this doesn't scale. If you have three to five vendors that you're reviewing every month, this might be a solution that you could cobble together. But as it grows and your team doesn't necessarily grow along with it, this gets really rough. The biggest problems that you have out of this are that the assessment process is slowing down procurement.

Rob (14:55):

You're not able to get the vendors through the process and get them approved and get them onboarded quickly enough to meet the needs of the business, and that while you're doing all of that, you're just dumping resources into it. It's a time sink for your team and you're really in this situation where you're not focusing on the things that matter. You're just focusing on all of the little tasks and activities and follow-up that you need to do in order to get these vendors on board.

Rob (15:29):

And so, we're going to do a bit of a call-out here on some stats that we've seen. What we're seeing here is on average, but we're seeing companies and numbers all across the spectrum, as we've said before. It's important to note that some people are going to say, "Hey, these numbers look great. I'd love to have these numbers." And other people will say, "Oh boy, these numbers look really bad." That's just the nature of it because you're going to be spending time doing different things, depending on whether or not you have some tools already, or whether or not you have processes in place.

Rob (16:08):

But what we've been seeing is akin to what's on the screen right now. I'm not going to spend too much time going into it because, like we've said, it's really more about where you are and where your business is. But I think, Kyle, there's something to be taken away from the numbers that we're showing on the screen right now, right?

Kyle (16:31):

Definitely. I mean, the big takeaway is, yes, there's time savings to be had if you can improve your vendor management process. But aside from the time savings, I think a lot about just the complexity. You talked about the back and forth and the email threads and keeping track of where vendors are and which vendors have what risks. A lot can be lost in that, and really that's the biggest issue, is, yes, a better process saves you a lot of time. But also, a better process prevents you from making a critical mistake with your data or your customer's data. That's why vendor management is so important.

Rob (17:18):

There's one other thing that I want to call out real quick. As part of an effort to get a better sense of how much time in the market is being spent on vendor management, and to give people a benchmark against which they can evaluate how their team is doing and how they want to be doing, we're putting together a report, not just on vendor management, on the state of compliance in general for 2020.

Rob (17:45):

As part of the follow-up to this webinar, you'll receive a link to the recording, but you'll also receive a link to our state of compliance 2020 report. If you take the survey and participate in the report, we'll send you the aggregated data so that you'll get a chance to see not only what other people like you are doing, but also how this is affecting compliance as a whole, is affecting the entire market.

Rob (18:14):

I think that that's really important because we'd like your feedback for this, but not just because we'd love to see the numbers, I just like seeing those kinds of numbers, but because this tells us where the pain is in the market and not just for us, but for you as well. You can see like, "Okay, we are spending a ton of time doing this, and maybe we can think about changing our process and making it a little bit better."

Rob (18:42):

But speaking of questions, it's time for another poll. How many assessments on average does your team send per month? Kyle, what are you seeing when you talk to people about this?

Kyle (18:55):

Yeah, it really depends on maturity, but I'm seeing a lot of companies doing anywhere from five to 10 and upwards to 20. Some companies, some large companies, are doing more than that. But that's typically more enterprise level companies. And so, it's that like five to 20 sweet spot that I'm seeing. But like I said, it's all across the board and it really depends on size of the company and how quickly you're growing and how many employees you have.

Kyle (19:39):

That often determines the size of departments and the tools that those departments need and the amount of vendors needed to review increases. And so, this is a problem that never goes away. In fact, it's a problem that just gets worse and worse and worse as your company grows.

Rob (19:56):

I do want to also put in context that, as we think about the numbers that we talked about previously, there were 150 assessments a year on that list, and that's 12 a month, just over 12 a month. I mean, when you think about it, and when we talk about the polls, the polls are now closed, 25% of you are in that world, 11 to 15 assessments a month. Another 25% of you are sending about five to 10. And then, 50% of you are saying that you send less than five, which is actually pretty good.

Rob (20:32):

You're in a good spot to be thinking about how to make vendor management more efficient, because as you start to grow, you won't see the amount of time being spent on it when you do hit that 11 to 15 a month. And so, to talk about how to do that and protecting your business in the era of SaaS Sprawl, how we can make this better and more efficient, and you can really protect yourself and your business.

Kyle (21:06):

Yeah. We talked about vendor assessments. I mean, obviously, those are a huge portion of the vendor review process or an important piece, at least. While you can never fully automate vendor assessments, there always needs to be some oversight and review. At the same time, there's a lot of process that can be automated. It's usually, let's pull that out of email threads and let's surface that in a record that's tied directly to your vendor in the system that you're using, because when I think of the vendor assessment process back and forth, a lot of times I think of, "Okay, who have I sent an assessment out to? How long ago did I send those assessments out?"

Kyle (21:58):

If I haven't heard from someone in a while, I should probably follow up with them to make sure that the ball is still moving forward. Am I waiting on them or are they waiting on me? After I review their assessment, there might be some questions I have on some of their answers. So I'll send those back over to them. But I need to make sure that they actually answer all of those and not just some of those. And so, there's a lot of points in this process where stuff can fall through the gaps on being able to mark answers, which answers pose the highest risk of flagging answers that don't give you enough information.

Kyle (22:38):

And so, being able to take some of that automating, automation in the communication process, but also in the reviewing the assessment process and the weighting and coming up with a risk score, a lot of that can be automated. As you do that, you'll find not only will it save you time, but it reduces the complexity and mitigates a lot of the risk that's inherent in the process because you want to get it right.

Rob (23:08):

Yeah. One of the things that I think is important to touch on is that as you automate, you're removing, as Kyle said, the ability for error, and human error is a thing that we all have to deal with. But it also is making things move much quicker, because if you were to take your assessments and hand them off to a human being and say, "Hey, just do the follow-up. Make sure it gets filled out." You have that problem of someone will try to work on it at the end of the day on Friday to your vendor, and then they'll send it back.

Rob (23:45):

It hits at someone's desk at like 5:01 on a Friday. I mean, now we're all always home, but normally, it used to be that at 5:01 on a Friday, that person was logged off and halfway to their car. And so, you didn't get anything back till Monday. When you automate this, everything moves just that much quicker. As soon as that vendor hits submit, it is in your inbox and you have a notification saying, "Hey, you're ready." So you can move at the speed that you want to move, as opposed to the speed that everyone is moving.

Kyle (24:24):

Yeah. Thank you. Another thing is, if you have a serious vendor management program and process, if you're doing it right, I should say, you have controls in place to make sure that you're continuously monitoring those vendors that you onboard, and that you're always aware of that risk and monitoring that risk. I know I've seen a lot of companies that I've talked to, they do do periodic reviews of vendors. But a lot of times it's compressed in the few weeks before an audit comes due.

Kyle (25:03):

First of all, that's just super stressful. If you've ever talked to someone on a security team close to audit time, you know their life probably feels a lot like an accountant's around April 15th. It's just a very stressful time. But also compressing all of those and doing them at one time isn't really in the spirit of what you're trying to accomplish with vendor management and continuously monitoring risk. If you bring on a vendor and you've got a control that says that you need to review them every six months, if they're a critical vendor, you want to make sure you're doing that every six months, not whenever the SOC 2 report or audit comes up.

Kyle (25:43):

And so, making sure you have controls in place to automate that review process is important. Continually monitoring vendor risk goes... We've bucketed into three categories. Integrations are important with whatever tool you're using. Those can help you populate your inventory by bringing in vendors from other systems of record. Automations are really important. These are those repetitive tasks that you know you need to be doing, but you always forget.

Kyle (26:16):

These are tasks and tickets and items that need to come up without fail like clockwork. And they need to be done within a reasonable amount of time. So automating that ticket creation and generation and follow-up is really important. And then intelligence and evidence gathering. So making sure whatever system you're using is continuously building the picture of your security program and your security posture, so that when that audit does come around, you know exactly where to go to show how you've been interacting with all your vendors over time.

Rob (26:55):

Yep. Time for our final poll. How many people on your team are involved in managing vendors? I think while we wait for that to come through, something that you said, Kyle, was really, really big for me, that these are repetitive tasks that you need to do, but that sometimes you forget to do. I feel like that is the common thread throughout all vendor management. Every part of it, even as we're breaking it up into these pillars, it's all just repetitive task, repetitive task, repetitive task. That's spread across a lot of people, isn't it? How many people do you normally see involved in vendor management?

Kyle (27:45):

Yeah. It seems to me like teams of three to five are being asked to do a lot, even if it's a big company. I guess what surprised me the most is some larger companies that I've seen are really having just a few people tackle this problem and making sure. They're not just in procurement. They're on the security team and they're wearing multiple hats. They're doing vendor management today, and then they're doing some more GRC-focused stuff tomorrow.

Kyle (28:27):

And so, it's an interesting dynamic where it seems like a lot of people in this space are being asked to wear a lot of different hats instead of just focusing solely on this problem of procurement or vendor management.

Rob (28:43):

Yeah. To that point, our poll questions have been answered, split three ways. 33% said that there are six to eight people involved in vendor management. Another 33% said two to five. We talked about that three to five person team. And then 33% said one. Oh, there are Rambos out there. Oh boy.

Kyle (29:12):

Well, and that's what I'm talking about. You've got teams where it's one person and they're having to do it all, and that can be stressful, to make sure everything is taken care of. That's where a really good process comes into play.

Rob (29:27):

Yeah. Speaking of a good process, we've talked about continuous monitoring. We've talked about automating your assessments. But what we're talking about doing to make life better is not just addressing these small pieces, because you can do that, and there are people, maybe some of you, who do this. You have a strong process in one area, and then you have a tool that's working okay for you in another area. And then the other two areas are just putting pieces together.

Rob (30:03):

But the truth is that what you're looking at here is your entire vendor life cycle. There are activities, manual activities, all along the way, no matter what you're doing, even if you have tools, from screening your vendors, to onboarding them, to doing your monitoring, which depending on what your process is, as Kyle said, could be happening just around audit time, and then terminating your vendors, which a lot of companies do part way.

Rob (30:38):

But we talk about automating it. We're talking about keeping track of all of the work associated with the vendor management process, and that's difficult. It doesn't scale because it's hard to know where each vendor is in the process, and then within those small processes along the way. If you had a vendor for a while, you know that you don't have to screen them again. But you do know that you have to make sure that you're following up, making sure you're getting any of their new documentation, that you have to review them consistently and make sure that they are still as trustworthy as they were when you first started working with them.

Rob (31:20):

We all do this. We have to terminate vendors because we moved on. We found something that works better for us. And so, you have to make sure that your team is properly taking care of that. So any shared Slack channels, you've got to get rid of those, any email addresses that they might have been using, if they had access to some other tool or some data that was coming through. So you have to make sure that you're keeping up with all of the vendor issues, all the periodic reviews.

Rob (31:49):

That's a full-time job, making sure that from the minute you start engaging with them to the minute that you need to review them again, or that you're leaving, takes a lot of time from, as you've seen, either a number of people or just one. Getting that automated and brought together so it's cohesive and you don't have to worry about it as much is a huge part because you'll know at any given time when an auditor or a customer asks for a customer audit or even internal audits, you can say, "Oh, that vendor, yeah, I know. I've got it."

Rob (32:27):

That leads into the last part, which is consolidating your activity data and tasks. Now everyone talks about this. They say single source of truth. They talk about having a centralized place. The reason everyone talks about it is because it's the ideal for everyone. There are a lot of solutions out there that will link to all the different places you have. They'll link to your different sources of truth. So your spreadsheet, they'll link to Box where you're collecting your evidence.

Rob (33:01):

They'll link to Jira and maybe Asana, and they'll link to your risk register. But it's not all collapsed. What we've been talking about is getting rid of the inefficiencies of multiple spreadsheets, multiple tools, ticketing systems that make it hard to keep track of all the work that you're doing and just bring it all into one place. You can say, "You know what, what's going on with Slack?" Bring it up and you have your initial review.

Rob (33:28):

You have all the comments on that. You have the initial assessment, any things that need to be remediated there, you have ongoing reviews. You have any evidence, new documentation they released about an updated SOC 2, or continuing operations letter, or even documentation that they've signed with you or that you've signed with them. And so, now, if you can bring all of that together, you have an easily accessible, easily auditable trail that's in one place.

Rob (34:01):

And so, we've talked about it and we've teased you enough really. What we've been doing, when we came up with these, is we said these are the four things that we really need to solve. They're the biggest problems, and if we could solve them, we'd make people's lives a little bit easier. I know, I'm a product marketing guy. I'm supposed to be excited about this. But I am, and the reason I am is because this makes it better. I've done this before. In a previous life, I ran a product line. I had to issue VSAs and I had to answer them.

Rob (34:37):

Boy, security questionnaires are awful. Now we've made it better. And so, Kyle, I'm going to turn it over to you to show what we've done.

Kyle (34:51):

Awesome. Yeah. Let me jump in here. Let's talk about what we're doing to help put these processes into a software that will help you build out a scalable and efficient vendor management system. Here's a vendor inventory. I'm sure it looks familiar to a lot of you. It's overwhelming. We've got a list of all our vendors here, but what we've done is we've made it easily sortable by risk, filterable by any vendor attributes that you might want to filter it on.

Kyle (35:36):

Most importantly, we've built in a lot of these hooks all along the way. Rob laid out the process of a vendor, where you review them, you onboard them, you re-review and monitor them, and then you off-board them. Whenever you add a vendor in our system, it can kick off a series of workflows, and those can be determined by you. Although we have some out of the box of things that need to be done as soon as a vendor is onboarded.

Kyle (36:10):

Likewise, when you archive a vendor, you can kick off a series of workflows that need to be done every time a vendor's offboarded. And so, those are a few ways, through our tickets and our ticketing system, that we are helping you automate this process. But before I jump into that too in depth, let's talk about the inventory, but let's also talk about the single source of truth.

Kyle (36:38):

If I click into one of these vendors, I see some of these properties I saw on the table. But then I start seeing lots of interesting things, like all the tickets over time that have been associated with this vendor, any evidence that's been collected that maps to this vendor and maps to the frameworks that I am interested in and going to be audited on. It tracks every single thing that's ever been done in regards to that vendor over the course of time.

Kyle (37:09):

So when edits were made, what changes were made when people added documents or removed documents? Speaking of documents, that's another thing that we track all along the way. So whether this is the compliance documents that you've collected during the review process, or whether this is the sales contract, or maybe the NDA that you've signed, all of that can be housed here in one place.

Kyle (37:34):

And so, really what we're trying to paint is like a historical picture over time. Anytime you interact with this vendor, we collect that data and we store it here in the inventory and on the vendor details page. You can also open up reviews on vendors, on a vendor. Let's say the marketing department has a new tool they want you to review. I've already fired up a review here. I'll just jump into it.

Kyle (38:01):

This review right here is for Atlassian. You can see that I've provided some information on what type of a vendor this is, the description, who requested it, which department it's going to be used for. But here's where a lot of the magic happens in the review process. You're able to pull in tasks and you're able to assign those tasks out to different members of your team, depending on who would be best suited to fulfill those tasks.

Kyle (38:34):

As soon as those tasks are completed, those tickets are completed, they're marked off and you can see the progress of the review as it goes along. But one thing we've heard time and time again is like, "Great. Here's a tool I can use for vendor management or GRC and vendor management." But a lot of the people I'm interacting with when it comes to procurement or vendor management are members of the team who won't have access to this tool. And I don't want to give them yet another login to sign into and manage. So how do these tasks come into play?

Kyle (39:11):

Well, the truth of it is you can assign these tasks, whether they are a member of your Comply accounts, your Aptible Comply account or not. If they're not, we've integrated with Slack, we've integrated with Jira, and we've integrated with email, or some of the integrations we have where it can then connect to that system and be assigned out in that system. And then they can complete the task in Jira with comments and notes. Once they do, it will show up in this system as having been completed with all the necessary attachments or notes that you might need for these different tasks.

Kyle (39:51):

Same thing with Slack and email. It'll send them a notification in Slack. They can complete the task there. Once they do, it'll be marked off. And so that's an important aspect as we talk about these automatic tickets that get created throughout the onboarding process, during the review process here, and then also during the off-boarding process. Those can be tracked in whatever system that your team is best suited to utilize.

Kyle (40:23):

You can see here there's a common thread. This is a great place to just throw notes after you have calls with vendors, to make notes of things you may need to follow up on or other things, and they always stay within this record of a review. And finally you can send out assessments. We have some default assessments that we build into the product, but you can also upload custom assessments that your company uses. You can either use ours or yours. It doesn't matter. We've made it as customizable as possible.

Kyle (41:01):

I've already opened up a security questionnaire, and it got sent off. As you can see, I can change the email, point of contact email. When I send the assessment off, it hits my inbox and it looks like this. Of course, when you log into Comply, all of this is white labeled for your company. So you'll be able to see your logo and branding here anytime you send an assessment out to one of your vendors. And then they can jump in and start reviewing it.

Kyle (41:33):

They don't need an account. It's at a unique URL, a secure URL that they have access to. But they can hit that URL, make changes that are auto saved. Then they can leave and come back. I know, Rob, you mentioned you've been on the receiving end of a lot of these assessments.

Rob (41:55):

Oh God, yes.

Kyle (41:56):

I know sometimes I've been in a system and it requires me to essentially fill out the whole thing in one sitting, and that's just not doable. And so, I leave the tab open, and then inevitably a day later, I forget and close the tab and all is lost. So we want to make sure we protect against that. But they can come through, and I've just created some sample dummy answers here. They can come through and fill out this questionnaire. When they're done, they'll submit the assessment.

Kyle (42:27):

Of course, I get a warning because I've only done eight of the questions. But I'll just go ahead and confirm and submit that. They get a notification that it's been submitted. And then if I jump over here to the other side, to the customer side, and I refresh, I can see that their answers come in. I can review all these answers. But I can do a few things. I can set a risk level on one of these answers. Let's come down here to some of these more meaty questions.

Kyle (43:00):

I might say, "You know what? This particular thing, this poses a high risk based on their response here." I can even flag a question for edits. And so, I can say, "We're going to need more info here." Obviously, I'd probably give them a little bit more detail than that. But you can see, when I create that flag, it creates it in the UI and I can approve questions that are sufficient, have answers that are just fine, and come here and approve. You can see my progress here on the side as I'm working my way through it.

Kyle (43:40):

I see I've approved four questions so far, documented one risk. I've flagged a question. After I've gone through and reviewed and flagged any questions that need some additional response, I can go ahead and send the assessment back to the vendor. So I can reopen the assessment and let them go edit it again. They'll receive an email, and when they hit that link again, I'll just refresh in this case, they'll come through and they'll see, oh, looks like they flagged this question. They need a little more information. Let me revise my answer. They can go through and do all that.

Kyle (44:18):

Once it's submitted, of course, that is updated here, and I can approve it on my side. Once I accept it and unlock it, and this particular assessment is checked off and it's ready to go. And so, when I revisit the review, I might have other remaining tasks in the process, but I see after I've accepted, this is checked off. I can see if there are any flags or risks in the status here.

Kyle (44:52):

And so, this is the process that we've created, and there are a lot of fun things on our roadmap as well, that we're building in to make this better and better every day. But the key is, all along the way, you want to create these tasks and these automations that make your life easier. The tool does all the heavy lifting of the back and forth communicating. It lets them know when assessment has been submitted or lets you know when an assessment has been submitted, and lets your customer know when you flagged answers and need additional responses.

Kyle (45:28):

It keeps track of where everything's at and reminds people to follow up on things. And that's something that's really important. Then, of course, the onboarding and the offboarding automation to make sure you're always kicking off those tasks that you need to do during those events. We can also automate the review process. You can set periodic tasks and tickets up that run you or members of your team through that yearly review of your vendors and make sure it's done on time and in a timely manner and efficiently and effectively.

Kyle (46:05):

Thanks for letting me jump in and geek out a little bit on this, Rob, and showing you what we've been working on. It's really exciting. Like I said, it's something that we're trying to improve all day, each day.

Rob (46:32):

All right. Thanks, Kyle. I hope that that showed you everything that you needed to know. But if it didn't, please let us know in the Q and A. If you have questions, we're happy to answer them. If you want to see more, we're happy to get you a demo and you can definitely talk to our sales team who is absolutely great at answering all these questions. We do have a couple of questions, and the Q and A is still open if you have any more.

Rob (47:03):

But, Kyle, this one's for you. We're currently using an assessment vendor that requires us to use their assessments, which has not always suited our needs. Is it possible to customize your assessments?

Kyle (47:20):

Good question. Yeah. And I touched on it briefly. We do provide what we call a baseline assessment. It's a great assessment that covers all the important parts of vendor security and data security. But we do allow for you to upload your custom assessments. We know a lot of companies prefer to use something out of the box and that's why we provided these default assessments.

Kyle (47:53):

But a lot of companies also have their own process and their own questionnaire and their own assessment. For them, it's important to make sure that their assessment's the one that's getting sent out. So you can customize it. Like I said, it's all white labeled and the experience is really slick.

Rob (48:10):

Cool. Thank you. We have another one here. Does Comply flag risks on its own based on the vendors' responses?

Kyle (48:20):

Great question. Currently, that is part of the review process when you're looking through an assessment. And so, you are going through and flagging those questions and creating more tailored follow-up. In the future, we're looking at automating that even further, where maybe they have a few different choices to respond to an answer. And if they select a particular one, it could automatically follow up, or it could ask follow-up questions.

Kyle (48:52):

But as far as the question flagging goes today, that's when you go through and you're reviewing and something maybe catches your eye that doesn't quite jibe with you, or you need more follow-up on. You can flag that and go ahead and send that over to the vendor.

Rob (49:10):

Cool. We have one more here. Actually, we have a couple more. Do your recurring tickets integrate with other ticketing or workflow management systems? Our procurement team uses Asana and our engineers use Jira. Would people still be able to use them or would they need to log in to Comply?

Kyle (49:29):

Yeah, so we have an out of the box Jira integration, and that allows you to hook up Comply to Jira, and then push to Jira. But also when things are checked off in Jira, to record that in Comply. And so, it's a bi-directional integration that you can use to have your team fulfill all of these tickets and requests in their own project management software. Like I said, we also have a Slack integration and an email integration, where these can be pushed out to, and just responding in Slack or replying to an email can help you check off these tasks and document anything that's required or asked for in those tickets. Great question.

Rob (50:23):

Thank you. There's another one about integration. Do you integrate with systems like Oracle to import vendor payment details into the supplier table?

Kyle (50:34):

Great question. We currently have out of the box integrations for different services that help us import vendors and SaaS systems into your inventory. Currently, that's Okta and JumpCloud. These are access control providers. So if anyone on your team is accessing these systems, we can pull those in directly. We do not integrate with Oracle, but this is the feedback we're looking for. We know there are a number of systems, either in spend management, ERPs, where you're tracking accounts payable or just your vendors in general. And we want to be able to work with those systems. And so, we're continuously building out those integrations.

Rob (51:29):

Cool. A couple more here. We take a risk-led approach to vendor management. Does your tool have a way of servicing or prioritizing vendors that expose us to more risk?

Kyle (51:40):

Yeah. Great question. The vendor inventory is easily sortable by risk. I know a lot of times reporting with the executive team is a lot of the reason why people ask this question, is like, "I just need to have a quick view of where we stand on vendor risk. I want to see who our most critical vendors are and what risks they pose to our business so I can present that to the executive team and make sure that we're all on the same page." So, yes, we've created the ability to assign risk to vendors and then sort and filter by those risks and track it that way. Great question.

Rob (52:21):

Okay. One more. Can we integrate your product or service with our multi-factor authentication controls?

Kyle (52:28):

Yes, absolutely. We're a security company at heart, and so this is really important to us. We probably built it into the product a lot sooner than other companies would have. But it's because we've got our own compliance controls in place that require us to have multi-factor authentication on critical vendors and important vendors. So, yes, you can integrate with multi-factor authentication through Comply.

Rob (52:59):

Cool. I believe this may be our last one. We've used a solution that provided automatic risk scoring, but we stopped using it because we didn't have visibility into how the risk scores were determined. Does your tool allow us to set rules for how risk scores will be determined?

Kyle (53:16):

Yeah. This goes back to the comment earlier in the webinar where vendor management really is an investigative process. And so, what we did, with reviewing these assessments, is we allowed you the ability to flag risks on a question by question basis if you wanted to. This rolls that up and so that you can really assess at the end of the day, okay, what's the total amount of risk or liability I'm taking on?

Kyle (53:46):

A lot of times, you see a lot of products that assign risk scores, but it's hard to know how they got to that number. We didn't find that to be super useful. We do think that there is something to be said for standardizing and automating your risk scoring. And so, in our near-term roadmap, what we're building out is the ability to weight and create almost like a rubric, a scoring rubric for these questionnaires.

Kyle (54:19):

And so, as questions are answered in various ways, they automatically get assigned risk in a way that you and your company want to assign it, instead of just making you use an out of box assessment that assigns a score that you don't really know how they got there. We let you tell us which questions are more or less important to you. And then we'll be assigning the risk score based on that. So that's something we're actively working on.

Rob (54:49):

Awesome. Well, I think that is it for the questions. I want to say to all of you who took the time out today, thank you very much for taking the time to be with us today. Also, for anyone who's watching on demand, thank you for taking the time to watch this through. Kyle, Rebecca, thank you both for being here today.

Kyle (55:13):

Thanks, Rob. It's been a lot of fun.

Rebecca (55:15):

Thanks everyone.
