Managing third-party risk doesn’t have to be complex. Join this short, practical session to see how Origami Risk helps organizations bring clarity and efficiency to vendor management. You’ll discover proven best practices and get a look at how Origami’s TPRM solution centralizes vendor information, automates due diligence and assessments, and continuously monitors key risk indicators — all on a single platform. Whether your focus is compliance, performance, or overall risk visibility, this webinar will show how Origami Risk enables your team to work smarter, reduce manual tasks, and proactively manage third-party relationships with confidence.
Good morning and welcome everyone. Thank you for joining us today for today’s solution showcase covering Origami Risk’s third party risk management solution. I’m Raina Hawthorne and I’ll be guiding you through today’s session. I’m joined by my colleague, Josh Newsome, who will walk us through today’s demo. Over the next twenty minutes or so, we’re going to set the stage by discussing challenges organizations face when managing third party risks. We’re going to introduce, of course, Origami Risk’s third party risk management solution and our partnership with Argos Risk. Then we’ll head into the centerpiece, a demo that shows how Origami helps you simplify due diligence, automate assessments, and gain unprecedented clarity across your vendor ecosystem. Finally, we’ll wrap up with some key takeaways and open the floor for your questions. Josh, let’s start by kind of jumping into the problem.
Yeah. Thanks, Raina. So listen, if you’re responsible for assessing or monitoring third party risk, you already know by now that the landscape is, you know, it’s changing dramatically right in front of our eyes, right? Through conversations that myself and my colleagues have with Origami Risk clients, we really see three consistent pain points that come up repeatedly. The first is really the fragmented vendor data.
What we see is that there’s vendor contracts, security questionnaires, things like certificates of insurance, or even risk scoring. Today, these are really scattered across multiple things like spreadsheets, inboxes, shared drives, or different systems that are maintained internally. That really makes it impossible to get a unified view of risk. Second, just inconsistent or incomplete assessment. So as we think about our clients today, you know, teams are often relying on manual questionnaires, inconsistent criteria, or even outdated information. What this leads to is both a continuity and consistent data across these questionnaires, but it really opens the door for blind spots, especially in complex supply chains or new vendors onboarded quickly. The idea here ultimately is to be able to evaluate vendors apples to apples or with the appropriate set of questions that are in alignment with the industry or the vertical or the services or goods or products that they provide to an organization. And third, we really talk about this, you know, monitoring gap. Even organizations that perform strong initial vetting, where they struggle is how do they continuously monitor the cyber posture, the financial stability, or even the compliance status of each of those vendors on an ongoing basis? Without ongoing visibility, issues tend to surface after they’ve already become incidents. So what’s the result? Right? Risk teams spend more time chasing information than they do actually managing the risk. It becomes an administrative burden to identify what information do they need to collect from the vendors, what risks does that represent, instead of actually focusing more on what is the risk, how do we mitigate it, and do we want to continue to execute business with a given organization. And that’s where Origami’s third party risk management solution comes in, and is ultimately aimed at changing that.
I love that, Josh. Thank you.
As we said, Origami Risk’s third party risk management solution helps you move from reactive to proactive vendor oversight, all in a single integrated platform. You can centralize every vendor record. So your contracts, your certificates of insurance, questionnaires, financial and cyber ratings, anything that you want to gather or document about your vendors or your third parties can put all of that into one place. You can automate onboarding and due diligence using standard SIG or SIG Lite questionnaires, or you can create your own custom questionnaires like Josh pointed out. You could have it based on the third party’s industry or the services that they’re providing to your organization and have different assessments for different situations. It helps you to score vendors consistently with auto calculated scoring across security, financial, operational compliance, and ESG domains and more. You can link vendors to enterprise risks. So going beyond just tracking vendor management, you can actually expand that to what does this mean for our enterprise risk, those controls and obligations. It really helps connect this piece of your program to the bigger GRC picture. And then you can strengthen monitoring with our Argos Risk integration, giving you kind of that intelligence you need on financial posture and cyber indicators without additional manual effort. And here’s the important part. Origami Risk doesn’t just collect data, it connects it. It gives you the ability to see your vendor risk in context. It helps you prioritize action and hold vendors and third parties accountable to your standards. To bring this to life, Josh is gonna walk us through a demo.
Excellent. Thanks, Raina. So over the course of the next, say, eight or nine minutes, we’ll try to cover the solution really quickly. And here’s the game plan, right? We’ll start with what’s the information that I see when I log into a tool like Origami Risk for third party risk management.
And then we look at the key pillars. What are all the inputs into that process? One being, how do we onboard or initiate a request for new vendors? What does the portfolio of vendors ultimately look like? And then finally, what’s that process for engaging with and evaluating that vendor to come up with a risk profile that then ultimately leads to ongoing monitoring? So to get us started, we’ve landed on a dashboard. And so a dashboard’s intended as a third party risk manager to give you whatever metrics or insights that you need around that particular program. Some examples that you’ll see on the screen here are, you know, how many vendors do we currently manage today? We’ve got certain vendors that have open action plans or tasks or even ones that have aged out. Right? So we know that maybe we put a rule in that says that we must review vendors at some sort of frequency or cadence. So which ones are past due on being reviewed? If we’d like some insights into how many vendors are currently, you know, going through that vendor request process or even our most recently reviewed vendors, this is information that could show up on the dashboard. You also get to see a GIS map here. This is really great because GIS maps represent the opportunity to overlay information from Origami over top of those vendors. So maybe there’s business continuity related information, so there could be weather events that could cause third party supply chain disruptions, or maybe you’ve had incidents that occur that represent some level of risk. These are things that you could plot on a map to tell you that type of insight. As I scroll down, I might also be interested in looking at where we are in what’s the status of evaluating certain vendors. And then if I need to look at pie charts, bar charts, the breakdowns on where are they by risk rating, by tier, or somewhere in that workflow, this gives me that type of information. But let’s fast forward to how do we initiate this process. Right? 
So this usually begins with a vendor request. So as you can see on the screen here, I’ve got several vendors that have already been approved as part of that request process. Really, I always say there’s two launching points to starting a vendor request, though. So one is, of course, as an administrator of the application, I can come in, we’ll initiate the vendor request process. And what occurs here is I’m asked to supply the information related to that vendor as I know it, and at a point in time. So the basic attributes, who is it that’s doing the requesting? And then you have gated or flagged type of questions. Right? Are we going to be asking for PII type of data? Are they going to be accessing our networks? This information helps us when it comes to the review process on which questionnaires does that particular vendor ultimately get, and then obviously, contact related information. Now it also might be that you ask your vendors to self register or do a vendor registration through a link or through a portal, we’re asking them to provide this information. So it also could be that I provide a URL to that particular organization, and they can initiate this process from their end. So from this portal, then they can log all this information, submit it, and then it enters into a workflow to ultimately initiate that vendor review process. So whether you choose to enter in this information yourself or supply a link to a portal to your vendors, more than one way to get to that same result. But let’s jump ahead. Once we’ve gone through the request process, of course, now we’ve got a list of all the vendors which we’re currently managing. So in this scenario, I might see, you know, common inputs such as what’s the name of the vendor, what’s their status. If we have already evaluated them, some sort of risk level is going to be presented.
And then if we’re pulling data from any third party sources, in this case, such as Argos Risk, what is that information telling us? So in this case, let’s go ahead and drill into an individual vendor. And so what I see right out of the gate for this individual vendor is what’s the status? Does this vendor have any current open assignments? So in this case, there is a security questionnaire in some format that is waiting to be evaluated by that particular vendor. And as we scroll down the screen, obviously, we have the ability to see, you know, the attributes of that vendor, and then all of the ratings or classifications or review timelines around this particular vendor. But then we really get into the interconnectivity of this particular vendor, which means from this view, it’s my hub on what are the assessments that are performed for this particular vendor. And then it goes much deeper than that. If we need to track information such as any child or subsidiary companies, if we’re tracking things like certificates of insurance, or if this particular vendor provides us any certain goods or products or services, we have the ability to track those for reporting purposes. And so for example, if I needed to come into Origami and say, show me anybody that provides network security or cleaning solutions or some other type of maintenance, I would be able to pull all the vendors that align with those types of classifications. If this vendor’s run through the vendor engagement request process or even the contracts documented or contract requirements aligned with a particular vendor, I can track the information. So maybe, for example, in addition to the security assessments that we run, on an ongoing basis, we’ve got certain SLA requirements and even documents that we need to collect from that particular vendor. Things like certifications or SOC 2 reports, which might be collected annually or on some recurring frequency.
And then ultimately, we get into the ability to link the stage to other elements of Origami. So maybe I have an action plan that says that I need to collect our action plans around our SOC 2 bridge letters. Or if we’ve stored contracts in Origami, we would have that type of capability. And then if we go back to what Raina mentioned, it might even be that I’d link this back to maybe certain regulatory obligations or compliance standards or even risks that could be managed by enterprise or operational risk teams. As I scroll back to the top of the screen and try to close out our time, then we’ll also think about the security questionnaire. So whether you align with the SIG or SIG Lite or if you’ve got some sort of hybrid or homegrown questionnaire, managing that in Origami ensures that your vendors are asking the questions in the format and in alignment with the goods, services, or risk posture that they ultimately present to the business. So you may ask things around, you know, risk or a certain, you know, nth party management type of questions or information assurance. You have the ability to design these questionnaires or modify them from the standards, and then even evaluate these questions in different formats. So maybe it’s yes, no. It could be drop down. These could be even conditional. If a client doesn’t answer a question in the affirmative, I may ask for more questions or even ask them to attach evidence or documentation supporting the way that they arrived at that answer. Ultimately, the results of these questionnaires feed into the risk rating, which we track at the vendor level, and these are completely configurable. Certainly, understanding that clients have different methodologies for how vendors score answers, and those translate into some sort of risk rating or tier. And then finally, as we close out our time, I mentioned that we could bring in this data from external sources as well.
So not only might we perform our security reviews through SIG assessments or your custom assessments, we may vet that against things from sources like Argos Risk or any of the other vendors in the space that provide third party type of ratings. So in this scenario, you know, we could look at the health score of the financial terms or the business health index, or maybe you choose to bring in cybersecurity ratings related to that vendor, that information has the ability to come in at the timeline that is in alignment with your rules for given vendors. And Raina, with that, I’ll turn it back over to you.
Awesome. Thank you so much, Josh. This was an excellent overview of the key things that our third party risk management solution does. But I think as you alluded to, it does a lot more than what we’re able to cover in eight minutes. But just to highlight kind of the big takeaways from what you just saw in the demo and reinforce some of the key points that we’re talking about today. Our solution is gonna give you one place for everything. So every vendor record, every assessment, every risk score, it’s all centralized in that one place for complete visibility and to help drive consistent decision making. You get standardization without losing flexibility with the SIG or SIG Lite questionnaires or completely configurable questionnaires with automatic scores that help eliminate guesswork and reduce variability as Josh said earlier, comparing apples to apples across your third party network. You can move from static assessments to continuous monitoring with third party integrations such as Argos Risk to gain visibility into more vendor data such as financial and cyber to help you identify emerging issues early. And most importantly, third party risk management doesn’t live in a silo in Origami Risk. Because it’s all on one platform, you can connect these to your action plans.
You can connect them to your enterprise risks, compliance obligations, regulatory obligations, continuity plans, whatever you want. And this is what integrated GRC looks like in action. So if you would like to explore more on how Origami can help support your program or integrate with your existing GRC workflows, we’d love to connect with you. You can reach out to anyone here at Origami Risk and we’ll arrange a deeper dive into your needs. And with that, let’s open it up for Q and A. So if you haven’t already, please drop any questions into the box and we’ll get to as many as we can. All right, let me pull this up here. Okay, great. It looks like our first question, this one’s from Carlos. Thank you, Carlos. He asks, what does Origami or how does Origami ensure that vendors are evaluated consistently? Josh, you wanna take that one?
Yeah. Absolutely, Raina. And this is a great question, Carlos. So, you know, ultimately, Origami uses configurable auto calculated scoring models. So you saw a version of the questionnaire earlier. And so, ultimately, based off of the way that I answered those questions, you have the autonomy to define what is the outcome or the output of those responses. How do those translate into certain ratings or tiers or criticalities directly in the system? So ultimately, every vendor is evaluated against the same criteria, whether that’s things like security controls, financial stability, regulatory alignment, or, frankly, just even using your own custom domains. Ultimately, this ensures that there’s objectivity and fairness across all of the assessments. Now, what we’re also mindful of is that those assessments can actually be applied in different formats based off of the type of vendor that we’re looking at, but that we applied the same methodology so that we’re looking at the ratings. We can utilize that information to compare it against each other or benchmark it across all of our other vendors.
Great, great answer there. Yeah.
Our next one is, can we use our own questionnaires or do we have to use SIG?
Yeah. That’s a great question. And so really, you could do both. And so Origami supports utilizing the SIG or the SIG Lite directly out of the box, but you can also build fully custom questionnaires. You can map them to controls and even tailor the scoring to your specific program. Ultimately, it’s all configurable. What I’d say is that based off of your maturity level and the way that you do it today, it may be something where you have your own homegrown assessment, and we can utilize that and deploy that right out of the gate. It also could be that if you’re on the lower end of the maturity scale and you’re looking to use some pre built standards, Origami can support your organization with the SIG or SIG Lite, and you can ultimately scale or grow into a version of that as you take a broader look at your vendor program.
Yeah, fully configurable. That’s the key thing we like to talk about here at Origami Risk. Right. Looks like we’ve got another question. This person is asking, how does the Argos Risk integration help strengthen monitoring?
Yeah, I love this question, Raina. And so Argos, you know, it provides the external intelligence that really complements your internal assessment. So it includes things like financial health indicators, the cyber posture insights, and beyond. By pulling this data directly onto the vendor record, really what it’s doing is you’re gaining early warning signals without those extra manual steps, and can automate follow-up workflows as that information comes in. So when we think about a standard security assessment, maybe that’s something that we’re doing annually or biannually or at some frequency that is obviously, you know, that there’s large intervals in a period of time. Using this external intelligence, you know a lot more about your vendors on a near real time basis.
So as information changes, then Origami is updated, and then that can trigger workflows that allow you to take action quicker and limit potentially the risk to your organization by having, you know, greater visibility and then ultimately being able to get ahead or even triage based off of what those effects might mean to your business.
Absolutely. Yeah. The value of that being one step ahead, I don’t think we can undersell that. All right. I think we have time for one last question. Looks like they’re asking how often should we be reassessing vendors?
Yeah. That’s a good question and a little loaded too, because we see varying approaches based off of the clients that we work with. But really, you know, I think Origami recommends, you know, tying that assessment to the criticality of each of the third party’s relationship with you. Now, I would say if you look at from a schedule standpoint, most commonly, you know, we’re seeing, you know, for high risk type of vendors, that they’re tied to at least an annual assessment, and then for moderate or low risk, you might find them every two years. But with that said, there’s other clients that prefer to do this, you know, where they have requirements with their vendors to engage at more frequent basis. So potentially high risk vendors could be done quarterly or biannually, and then you move it to a minimum of an annual review. I think a lot of this depends on what is your security posture, you know, internally? What types of vendors do you work with? You know, in some cases, certain risk from some vendors, the effect it has on the business can be less. If I work with cyber partners where some sort of breach or downtime materially affects my business, that might be a case where I can’t rely on only looking at that vendor once a year. It definitely needs to be more frequent than that, even regardless of the risk posture level that they represent to our business.
Going back to the Argos Risk integration, you know, if that score changes, that’s a really great time to do kind of an ad hoc assessment or have a conversation with them about what’s going on. That brings us to the end of our time today. Thank you all again so much for joining us. On behalf of the entire Origami Risk team, we hope you found this session valuable and we hope you have a wonderful rest of your day. Thank you everybody. Thanks for joining. Take care, bye.