Presentation deck from an RSA-Iceberg seminar on October 19, 2016. Our panel discusses a roll-out of RSA Archer to support a supplier risk management program in the health care sector. More info at http://icebergnetworks.com/srm/
RSA-Iceberg Seminar: Building an effective supplier risk management program
1. WEBINAR • OCTOBER 19, 2016
BUILDING AN EFFECTIVE SUPPLIER RISK MANAGEMENT PROGRAM
Presented By
Jessica Hooten, HCA Healthcare
Chris Gabel, HCA Healthcare
John Heuer, Iceberg
3. “How Do You Know?”
Who are your suppliers?
Who are your supplier’s suppliers?
Which suppliers are most critical to your business?
How quickly can you assess a new supplier for risk?
Do you trust your supplier risk information?
What opportunities can your vendors help you achieve?
4. Volume & Complexity
Financial Counterparties
Consultants
Maintenance Companies
Raw Material Suppliers
Software Providers
Couriers
Law Firms
Hardware Providers
Landlords / Lessors
Parts Suppliers
Insurers
Employment Agencies
ISPs
SaaS Providers
Credit Bureaus
Utility & Telecom Companies
Marketing Companies
Security Guards
Accountants
Medical Business Associates
Property Managers
Partners/Ventures
Integrators
Third-Party Sellers
Identity Protection Providers
How many third party suppliers are in your organization’s inventory population?
Less than 10,000: 73%
10,000-29,999: 21%
30,000-49,999: 6%
*Source: Shifting Toward Maturity, EY, June 2016
5. Areas of Risk
Financial Wherewithal
Strategic Risk – “Concentrating eggs in one basket” / Failure to execute
Credit, Liquidity
Operational (incl. Geopolitical)
Regulatory Compliance
Information Security
Business Resiliency
Errors & Fraud
Privacy
Non-performance / Poor Quality
Reputation Risk
Inadequate 4th Party / Supply Chain Governance
6. About HCA
• Founded in 1968, headquartered in Nashville, TN
• World’s largest private operator of healthcare facilities
• 250+ hospitals and freestanding surgery centers located in 28 states and the UK
• 26+ million patient encounters and 8.1 million emergency room visits each year
• Ranked #63 in Fortune 500
• 233,000 employees; 37,000 active physicians; 79,000 nurses
#11 Best Places to Work in IT (Computerworld)
World’s Most Ethical Company, 7th consecutive year (Ethisphere)
7. Overall Challenge and Goals
Challenges
• Decentralized vendor governance processes (e.g., tracking findings)
• Spreadsheets currently used to gather data and used for reporting
• Ask vendors the same questions over and over
• Limited visibility of vendor inventory
8. Overall Challenge and Goals
Goals
• Centralize vendor functions and processes across the enterprise
• Ensure that process ownership, roles, and responsibilities are clearly defined and develop efficient, repeatable processes
• Enable “ask once, use many” approach to gathering data
• Monitor and assess new/potential vendors and ongoing monitoring of existing vendors
• Provide reporting of vendor security risk to management
9. Why Archer?
• Currently use Archer for Risk Management, Incident Management, Issue Management, Policy Management
• Assess compliance with company standards using NIST Cybersecurity Framework
• Ability to aggregate all vendor data throughout the enterprise (corporate, divisions, facilities)
• Effectively use the “Ask once, use many” strategy
• Associate existing questionnaires
11. Supplier risk management success
1. Effectively manage large number of vendors via automation
2. Get the entire organization on the same page – break down silos!
3. Confidence that you can meet growing regulatory requirements
4. Greater certainty in an environment of increasing volume and sophistication of cyber threats
5. Gain agility to respond more quickly to changing environments and emerging markets.
14. Regulator Focus - Top 5
1. Enterprise-critical third parties
2. Oversight & governance
3. Information security & business continuity assessments
4. Onboarding activities
5. Consumer protection
15. Quotable
…We find the smaller vendors are where our greatest risk can be. You can’t overlook any of them. The due diligence required is not just one time at on-boarding a vendor but ongoing monitoring must be a key aspect of any risk management program.
Senior Information Security Analyst at a Major Canadian Financial Institution