Episode: 566 |
Craig Callé:
Third Party Risk Management and Cyber Security:


Craig Callé

Third Party Risk Management and Cyber Security

Show Notes

Craig Callé talks about third party risk management (TPRM), with an emphasis on cybersecurity. TPRM is a subset of Governance Risk and Compliance (GRC), which aims to help organizations achieve their objectives, address uncertainties, and act with integrity. TPRM is crucial as over half of all data breaches occur through insecure third parties. Companies need to understand their third party relationships and monitor them more carefully, which requires a variety of tools and processes. Craig explains that TPRM can cover a variety of risks, including cybersecurity, but also financial viability, compliance with privacy, sanctions and other regulations, reputation management, supply chain issues, and alignment of ESG and sustainability objectives.


Defining GRC and Third Parties

Craig explains that GRC is a broad category that includes TPRM, but also enterprise risk management (ERM), business continuity or operational resilience, policy management, controls compliance, privacy and ESG. ERM typically includes a risk register, which compiles all the potential threats that can affect a company, and it is crucial to building a more predictable and measurable system to achieve its objectives at the lowest possible risk. He mentions that the term “third parties” should include not just vendors and suppliers, but also often overlooked entities such as outsourced service providers, software as a service (SaaS) apps, cloud hosts, contractors, ecosystem partners, technology partners, and financial counterparties.


GRC Frameworks

He mentions that a lot of the governance aspect of GRC work involves picking a suitable framework and building a program around it. For example, in cybersecurity, a popular standards body would be NIST, and he mentions a few others that give leaders a roadmap apropos to achieving high standards of operation.


Organizational Relationships

The head of GRC is responsible for ensuring that the organization operates within its control frameworks. For example, in a Fortune 500 company, the executive responsible for GRC might report to a Chief Risk Officer, if there is one, with a dotted line to the board audit and risk committee. Since many TPRM programs have an exclusive focus of cybersecurity risk, the head of TPRM often reports to the Chief Information Security Officer (CISO).


Third Party Risk Management Responsibilities

The head of third party risk management is responsible for several processes, such as onboarding new third parties, periodic audits, ongoing real-time monitoring, reporting functions, and investigating and dealing with incidents and responses. However, the responsibilities depend on the organization’s level of maturity and the complexity of the process. Craig offers a few examples to clarify the complexities that have to be taken into consideration, including the fact that risk management processes can be seen as blockers, and additionally, offers a tip on how to overcome this issue.


Software for Third Party Risk Management

Craig talks about the importance of selecting the right software for clients, highlighting the pros and cons of a best of breed approach versus a multi-module suite. Craig mentions examples of TPRM workflow automation platforms, including ProcessUnity, MetricStream, ServiceNow, LogicGate, BitSight, and many others. These platforms facilitate questionnaires and other assessments issuance, response review, routing of issues to specific people or groups within an organization, risk scoring and reporting to stakeholders. Cyber risk ratings, which have been around for over 10 years, are now a natural complement to workflow platforms. Ratings provide objective data that help triage the community of third parties by quantifying vulnerability to data breaches. They provide easy-to-digest results that don’t require an IT certification to understand, based on FICO-like scores or letter grades. He explains that companies may want to share data across modules, although some organizations can be siloed and don’t realize opportunities to collaborate. For example, if a company has both privacy management and TPRM software, there is a natural logic to connect the data map required by privacy regulations to the third parties that might hold customer data. He also emphasizes the need for an advisor to understand the customers’ problems and inherited solutions, as well as the timeframe and budget constraints. Ripping and replacing existing solutions is rarely feasible and desirable. AI has become an important tool for parsing through voluminous data to identify critical facts, although human involvement remains an essential element in the process.


Predicting Improvements in TPRM

Craig believes that over the next decade, the focus of third party risk management will involve high-level orchestration across CISOs, risk officers, and procurement people, perhaps led by what he calls a Chief Third Party Officer, or CTPO, leading to a more comprehensive view of not just risk, but also third party performance. He thinks third parties deserve the same level of scrutiny that a Chief HR Officer would apply to employees and job candidates.



05:15 Third-party risk management and GRC

11:57 GRC roles and responsibilities in a Fortune 500 company

16:10 Third-party risk management processes and responsibilities

21:59 Third-party risk management software and techniques

27:26 Third-party risk management and platform automation

32:21 GRC and third-party risk management



Company Website: https://sourcecalle.com/

LinkedIn: https://www.linkedin.com/in/craigcalle/


One weekly email with bonus materials and summaries of each new episode:


  1. Craig Callé Unleashed


Craig Callé, Will Bachman


Will Bachman  00:02

Hello, and welcome to Unleashed. I’m your host will Bachman. And I’m excited to be here today with Craig Callé Calais, who is a independent consultant running a firm source Calais, and he is an expert on third party risk management, and cybersecurity and privacy categories. Craig, welcome to the show.


Craig Callé  00:24

It’s great to be here. Thanks for having me.


Will Bachman  00:26

So Craig, let’s start with definitions. What is third party risk management.


Craig Callé  00:35

Third party risk management is considered a subset of GRC, or governance risk and compliance. And so in at the highest level, you think of GRC as a set of activities that helps an organization achieve its objectives, address uncertainties, and act with integrity. And frankly, we could have a long conversation just about that. But third party risk management or T PRM is a very important subject all by itself, because for a lot of reasons, particularly because from a cybersecurity standpoint, more than half of all data breaches, are through insecure third parties. And companies need to do a much better job understanding just what kinds of relationships they have throughout their organization and monitor them much more carefully. And so that’s not an area that you can solve with one technology tool, it frankly, takes a village of tools as well as processes. And that’s where we come


Will Bachman  01:43

  1. Okay. And within within third party risk management, I suppose a big element of that, but not the only one is cybersecurity stuff, right. But there could be others. And before we delve into it, like super deep, what would some of those add other categories be? I imagine, like one might be, oh, reputation management, or supply chain issues, like you don’t want to have your supplier offshore be using child labor, or something like that. So because that would be reputational damage, and maybe legal damage and so forth. And so beyond just cybersecurity, what’s the list of other types of risk categories that we might be worried about?


Craig Callé  02:31

Right? Well, you certainly gave some really good examples of other types of risks than just cybersecurity. I got involved in the third party risk management business firsthand, in maybe 20 years ago, when I was at Gateway computer, and we had one of our Asian suppliers go bankrupt. And that kept us from getting all the product we wanted out to, to the retail channels at a very critical point in our turnaround. So I found myself, you know, next day and meeting with our CEO and our head of ops and supply chain, agreeing on a plan to make sure that sort of thing didn’t happen, we didn’t get bitten by the risk of financial viability. And so cybersecurity has become really the gravitational pole because of the number of issues there. But privacy is an important risk, there are all kinds of regulations, be it GDPR, in Europe, or in California, CCPA. And there are many others across the US and around the world, to ensure that companies have a firm grip on the data of its of consumers, and how they’re handling it. And so these regulations give authorities give consumers the rights to have their data deleted, Butan, right to be forgotten and other other rights like that. And you can’t follow through or comply with regulation, privacy regulations, unless you’re able to follow that data to third parties. Another area of scrutiny involves ESG and sustainability. So lots of companies today have very elaborate programs that map out objectives at their own company level. But you just as well need to be meet need to ensure that your third parties are aligned with those same same goals and objectives. You touched on some things that typically fall in the sanctions category. And there are all kinds of laws relating to that around the world. And so, you know, reputation is one area that you mentioned is certainly important. You know, child labor, I think you mentioned as well. You know, anti money laundering is an important objective of such regulation and bribery, you know, the Foreign Corrupt Practices Is act here in the US. So lots of different sanctions regimes all around the world that you have to be attentive to, not just for your own company, but as it relates to the third parties you work with.


Will Bachman  05:15

How is third party risk management different from enterprise third party risk management? Is that just a fancier term to give someone a bigger title? Or is I mean, I imagine that enterprise third party risk management logically would probably be a subset of third party risk management. So what specifically does enterprise third party risk management mean, when someone says that term? Yeah,


Craig Callé  05:41

that I think you might be referring to etrm, or enterprise risk management is opposed to third party risk management, these are all sub components of GRC. And so in?


Will Bachman  05:52

Actually, I am, I actually had a client who was like the head of enterprise third party risk management. So maybe that’s what they call it when you’re doing it for the whole company, like a big corporation.


Craig Callé  06:06

Yeah. I mean, I think other other, you’re talking about sort of title, titles in the lightning was certainly group or global or enterprise that all connote a sense of broader responsibility. But, you know, for for the work I do, with, you know, the largest enterprises in the world as well, as, you know, smaller firms, like private equity firms, when you think about this category tend to just refer to third party risk management. Okay. That’s not to say that we can’t, you know, have deeper conversations that are already exist within companies. And I think your your question about other types of risks are an important component of that. At the same time, I think just defining what we mean by a third party is an area for investigation. So typically, and maybe in a synonymous manner, people might refer to 30 PRM, as vendor risk management, or VRM, those are somewhat synonymous. Third party is meant to be a broader description, because it should, it should include, you know, other parties, like outsource providers, Software as a Service, or SaaS apps and cloud hosts like AWS, Azure, blue, Google Cloud, and the like. Contractors, ecosystem partners, be it you know, a technology partner or, or a channel partner in in finance circles, you refer to counterparties. And they’re the risk is typically, you know, based on gaining an understanding of short term liquidity, you know, can is my counterparty going to be good for the swap at the end of the closeout, of swap at the end of the month, that sort of thing. But you also want to make sure that your counterparties are cyber secure, and here to other forms of risk that we’ve already described. So it’s, it’s, like so many parts of technology, you can get lost in the alphabet soup, if you will. But I think those clients of yours that we’re talking about enterprise third party risk management or just looking to do this work, you know, across the company, as opposed to say, a division or a business unit. I


Will Bachman  08:27

think that must have been I think each business unit had a third party Risk Management Director, and then this was the person across all business units. So could you talk just a minute, before we dive further into third party risk management? You mentioned it’s a category of GRC. If you know if, for the head of GRC, the person responsible for that. Beyond third party risk management, what are the other like, units or things that make up GRC? Beyond third party risk management, just so I have the broader view? Sure.


Craig Callé  09:08

It would include, as I mentioned, enterprise risk management and you know, along with that body of work, you would typically find a risk register, as it’s called, and that’s a compilation of all the things that can bite you. And I suppose, one can be cynical and say that no risk register is ever complete, I mean, who who had COVID on their risk register in 2019, I suppose. But, you know, you have to you have to try and you have to, you know, keep thinking through the issues in order to build a more predictable measurable system to ensure that the company achieves its objectives at the lowest possible risk. So, there are other aspects of of ers. That’s, that’s an important one. Business continuity or operational resilience, you know, is it typically a body of work, you’ll find under GRC. And that’s, you know, a set of controls, and risks that you have in place in order to both understand where you are in the journey, but also, you know, bounce back, when, when bad things happen. And so it’s becoming a very growing area of GRC, you know, with certain sort of cataclysmic cataclysmic events, perhaps attributable to global warming, or climate change. And so, you know, significant weather disruptions in the like, and so, so that’s an important area, I think, a lot of GRC work inevitably revolves around picking a framework of some kind and building a program around it. So in cybersecurity circles, you know, probably the most popular standards body would be NIST and I St. There are other ones like COBIT, and Sans, and a couple others as well, that have been well vetted. And, and, and widely implemented, that give leaders a roadmap as to the sorts of controls that are appropriate to achieving, you know, high standards of operation, and enable teams to call out areas of strength and weakness usually expressed in you know, heat maps and, and in traffic lights, you know, red, yellow,


Will Bachman  11:48

green, that’s in addition to enterprise risk management, third party risk management, business continuity, resilience, what would the other areas under GRC? Be? I mean, we didn’t talk about compliance yet. So imagine just like internal compliance, is that usually a category?


Craig Callé  12:03

Yeah, it’s the compliance aspect, you know, inevitably, you know, create a methodology for ongoing monitoring of your operations, ensuring that you’re complying with with, you know, an ever growing list of rules and regulations around the world. So. So you can see, it’s a very far ranging set of activities.


Will Bachman  12:30

And what’s the what’s the governance piece? What’s the governance piece referred to? I mean, I think of governance, I think of boards of directors and so forth. But mean, I suppose governance goes all the way down, but when, in the context of GRC, in terms of systems, and like, what would the director of governance be, you know, if they’re reporting to the head of GRC? And there’s a four or five directors or VPS? What’s the head of governance mean?


Craig Callé  12:56

Yeah, well, I’m not sure if you’re thinking that there’s, you know, within GRC, that you’ll naturally find someone with a title, you know, of governance separately, risk separately, compliance separately, you know, these are usually teams, you know, within the general GRC umbrella. But, you know, when I think of the governance aspects, it’s, it ties back to those kinds of frameworks that I mentioned, that set forth the controls, within which you, you’re expecting your organization to operate so that you can call out, you know, the risks of, of falling outside of those controls, you know, sort of, you know, being in the red zone, if you will, and figuring out how to get it to the, to the green zone, and under what what kind of timeframe. And so, so it’s really the governance aspects, you know, is embodied in the roadmap that you set forth for yourself, inevitably guided by, you know, a framework, I’ve talked about it, but there can be other other areas as well.


Will Bachman  13:59

Just talk to me a bit about organizations. So, in a fortune 500 company, let’s say, what would the title of the person be who’s responsible for GRC? And who do they report to? Do they report to the Z the CFO, or, or something like what would their title typically be?


Craig Callé  14:16

Yeah, I mean, CEO CFO is not a is certainly a popular C level executive for this to roll up into, but in a fortune 500 company, you know, GRC is important enough for it to report to head of risk a Chief Risk Officer or CRO there may be a solid line to the CRO and a dotted line to the board audit and risk committee for example. But if there’s any Fortune 500 company, I don’t have hard statistics, but you’re likely to see somebody with a title director or VP GRC in and they would they would tree up usually into a CRO certainly could could go to a CFO. Okay. Typically those were maybe finance risk is is a greater concern than some of the other risks like cyber, for example. So


Will Bachman  15:13

we have the chief risk officer reporting to that person is, let’s call it a vice president of GRC. And then reporting to the Vice President GRC. What’s the name? What’s the title of the person who’s responsible for third party risk management?


Craig Callé  15:28

Well, increasingly, you’re finding someone with that title, say, Director of third party risk management. And I think maybe I highlight a deficiency that I see today that I’d like to help correct over time, but you find that when a company has set about establishing a third party risk management program, it’s it’s centered in in cybersecurity, so a seaso would tip a chief information security officer would would own that process. And, you know, a firm like mine can come along and point out some of these other risks that need to be monitored and managed. And, you know, frankly, I think, you know, there’s a bit of siloing out there, it’s, it’s, it’s not natural, you know, for for someone to sit down and put all these risks, you know, under one umbrella, I think they should, there’s certainly good arguments for that, that we’ve touched on here. But you know, the gravitational pull, you know, is cybersecurity. And so the answer your question would be, if there was a director, reporter, or heavy influencer to the process, it would be the chief information security officer and their team, who’s looking who’s tasked to look out for those third parties. And, and then, and then the effort becomes one of, you know, how many does is the team able to assess under what timeframe and so there’s a natural tearing that goes on to focus on those more critical vendors, or third parties in the community. But as I said, before you go in, when I first got into this business 20 years ago, by happenstance, frankly, it was with a financial risk. And so I happen to be a corporate treasurer, as well as CFO of two of the three divisions. It was sort of my second shift, starting at 7pm, with calls to Asia, wasn’t in the original job description, but actually enjoyed it.


Will Bachman  17:43

So let’s talk about what the director of third party risk management actually does in terms of the types of processes that they would do. And I, I’m imagining, it might be something like the following, I’m going to kind of take a guess. And I’d like you to correct me or I imagine that there’s one piece of this is onboarding of new third parties, like a sort of a initial, odd initial sort of, have the person fill out some form signup form and review it, and maybe you’ll give it more scrutiny if it’s very sensitive, or whatever. But there’s certainly some onboarding process number one, number two, there’s probably some sort of periodic audit that happens, either randomly or scheduled. And then three, there might be in some categories of things like cybersecurity, some ongoing real time monitoring, perhaps. And maybe there’s also a reporting function, and maybe there’s five is investigating and dealing with incidents and response. I don’t know. So that’s like, my guess framework. But so that’s kind of the nature of the answer I’m looking for, but but correct, that update that edit that to realize not just my guess?


Craig Callé  18:58

Well, I think that the answer is, you know, it really depends on the organization, their level of maturity. And, you know, getting back to that sort of siloed notion that I raised previously. You know, for example, you can have a procurement department, taking on some of these roles, certainly, onboarding, is is is one of those. And, you know, as I as I point out to the people I work with, usually in the CISOs department, you know, how many I asked him, How many vendors did you take on, but only get to address once they become suppliers? And the answer, sadly, is too many. You know, they, especially given how third party risk people can be perceived as blockers you know, taking too long to You get through their assessments? And so you’re always should be focused on, you know, how do I how do I, how do I provide this service, you know, to the ultimate relationship owner, you know, in a fast yet thorough manner manner, so that I have that ability to opine on the risks that we’re taking on by bringing them in as a third party. So onboarding, frankly, is a bit of a touchy subject, because TRM professionals aren’t always positioned to have that first look, and you’ll you’ll never have, of course, you’ll never have as much influence on a potential third party than you would before you’ve actually signed them up in a contract, your next chance is going to be, you know, on contract renewal that can be a year or more later. But certainly there once once they’re in the community, through one means or another, then yeah, as you as you point out, there is an ongoing monitoring capability, an ongoing monitoring requirement. But the first step usually involves some form of questionnaire, an organization called Shared assessments, tried to solve the problem of, of, of people coming up with into individual assessments, maybe 20 years ago, when they first introduced their, their, their standardized assessment. And there are, of course, varying types of those today, in varying lengths, depending on how deep you need to get.


Will Bachman  21:43

I have not seen that shared, I’ve not seen that shared assessment, but I’ve filled out plenty of these onboarding forms. Some of them are much more annoying than others.


Craig Callé  21:51

Yeah. And I would say some of them can be as long as 1000 questions. And I


Will Bachman  21:57

have seen one of those. Well, maybe that 1000, but it was in the hundreds, it was in the hundreds.


Craig Callé  22:03

And I think I have to say, we should spend some time in this conversation, you know, talking about how things could get better. I said, there are times when I feel like the industry is more wrapped up with coming up with the perfect 999th question than then in perhaps, you know, losing the forest, for the trees, if you will, then in achieving some of the other aspects that can make CPRM, you know, more effective and influential within an organization. So there’s, there’s the questionnaire. And then, maybe 2011, you saw the emergence of a category called cyber risk ratings. This was a category pioneered by BitSight. There are other names in the industry, like security scorecard risk recon, maybe two or three others. And, you know, what they do is monitor in organization, you know, and, and track all of the risk factors that are visible from the outside. So they’re there, they’re non invasive, they’re objective. And the goal is to try to quantify the vulnerability to a data breach breach based solely on what you can see from the outside. So it’s, it’s certainly not a comprehensive assessment, never never purported to be one, but it’s certainly more than a smoke detector. And But importantly, you know, in a sea of third parties that TPR and professional has to sort through it’s a, it’s a way to triage the group and pay more attention. So you can pay more attention to your third parties are in need of more attention. And some of these risk factors can include, you know, their ability to patch software quickly in what we call patching cadence. It determines whether certificates so called SSL certificates are, are valid, haven’t expired, that is, and that they’re configured correctly. And, you know, whether ports that should be closed or open, I mean, those are just three of maybe 24 different risk factors that cyberse ratings firm will continuously monitor. And that also gives the TPR professional an opportunity to compare the responses that they’re getting on these lengthy questionnaires with the objective data that would map to the control elements in the questionnaire itself. You know, maybe maybe, more often than not it’s incompatible response, you know, is merely a result of oversight. Sometimes it could be intentionally be misrepresented. And so it’s a good chance to use ratings to cross check these responses and, and have a deeper or objective discussion with with the, with the respondent. So those are some of the elements you mentioned reporting, certainly, you know, getting getting this communicated up, you know, to the to the relationship owner is all part of, you know, making this an ever more complete process. And, you know, certainly when there are noticeable deficiencies in the security posture, or in the RISK COMPLIANCE, don’t want to harp just on, on cyber, you can call that out and take corrective action. So, so it’s, you know, there’s a lot, a lot of work involved a lot, a lot of, you know, in depth analysis, I forgot to point out with certain of your most critical third parties, you’re going to maybe take even more invasive steps, like a penetration test, and that sort of thing on site inspection, you know, good old shoe leather. It’s, you know, as much as we tried to automate a lot of this, and, you know, AI has become, not surprisingly, an ever more popular tactic to parse through voluminous data to call out, you know, the central facts. You know, having having, you know, human involvement in the processes has been, I think, always will be an important element despite opportunities to, to automate things through AI and other means.


Will Bachman  26:45

All right. Could you talk through the different I know, you’re very, you pay a lot of attention to the different types of software within the world of third party risk management, and one of the things you do is help clients, you know, select the right software. Could you talk through the categories of software within the third party risk management universe?


Craig Callé  27:10

Yeah, sure, there are, as I said, before, there’s a there’s not one silver bullet, but rather a collection of tools that one might use to get their arms around, you know, the third party risk management process. So typically starts with a workflow automation platform. These platforms can come from names like process, unity, metric stream, ServiceNow, logic gate, Archer, Ven, minder, Dilijan, nav x one trust BitSight, the length, the list is long, you know, some are pure play TPR RM platforms, and some treat T PRM as one of several modules usually within a broader GRC or procurement suite. But those are the essential platforms that have facilitated the issuance of assessments in questionnaires and other assessments and have workflows for review of those responses, you know, routing to particular people or groups within an organization to clarify or seek other information, that sort of thing. And, as I mentioned, you know, maybe 10 plus years ago, you started to see the emergence of cyber risk ratings. And so I’d say, I follow that category from literally concept to business to industry, you know, where they’re, you know, to two firms that represent over half the market share. And they’re now a natural complement to those work for flow platforms so that you can triage the community of third parties. And, and then and then importantly, continuously monitor with those tools and with results that are easy to digest, you know, don’t require an IT certification to understand something a board member could follow. It’s not a doesn’t have a cyber background, for example, you know, 250 to 900 point scale, so reminiscent of FICO scores, and the like or letter grades, like like your report card would have had eight F that sort of thing.


Will Bachman  29:40

I’d love to hear a little bit Craig, about your practice. So tell us a little about your firm.


Craig Callé  29:45

My firm is eight years old at this point. It is focused around serving as a channel partner to about 20 best of breed technology then partners, we take pride in, in finding novel yet proven firms that aren’t obvious to, to the rest of the world and importantly, serve as evangelists for those that we think will go on to define a category. And when there’s a Gartner Magic Quadrant, or Forrester Wave or some other research report, you know, they’ll they’ll, they’ll be in the upper right, you know, maybe two or three years down the road. So we’ve had a pretty good track record of finding those, those emerging companies that come on to, to, to dominate a particular category. And so it’s it’s, you know, part reselling party advisory, you know, there we start, of course, trying to understand what what the customer’s problems are, and what, what are the best ways to sell them, you know, perhaps it’s, it’s just a technology tool. But inevitably, there’s a process element to it as well, that we can help people think through. Before starting my firm, I was at a firm called Shi, that’s the second largest value added reseller in North America and the largest reseller of Microsoft, among other things, probably the biggest difference between what I was doing there as Chief Strategy Officer, among other responsibilities is that, you know, we’re going a mile deep in a relatively few number of vendors, whereas that big firm, which is, I think, probably over 12 billion in revenue, now, sometimes called the largest IT services company, and no one’s ever heard of, frankly, but a great place, they tend to be more a mile wide and an inch deep, except in some of the, the large vendors like Microsoft, Cisco, Dell, Lenovo, that sort of thing. So that’s, that’s, that’s the way we differentiate ourselves in a crowded market, you know, picking, picking what I like to call the the large growing at still remarkably under test set of vulnerabilities out of the out there. And I think, third party risk for all that we’ve covered in the last, you know, 10 plus years as an industry, you know, there’s still more still much more to do. And that’s, that’s what gets me up in the morning.


Will Bachman  32:06

All right, you said earlier, some thoughts you have about how third party risk management can be improved? What are some of the common opportunities, you see, you see, to improve that function?


Craig Callé  32:21

Well, as they say, don’t get me started. But say that just I just did. Yeah, I want to thank you, and happy to happy to respond to you, because I find myself as much as I spent, you know, eight years reselling tools of the trade. I, you know, I’m just as likely to point out some of the shortcomings so that, you know, so some of those issues might involve the fact that, you know, T PRM, I think is a is a field, you know, is become something of a cul de sac, within GRC I think it is a practice it, it can tend to rest too low in the organization, I think it suffers from the kind of senior level sponsorship that I think it deserves. You know, I think I imagine the day when, you know, this body of work is not so much a part of GRC. But rather, it’s thought of as a separate body of work, that might cause someone I’ll call a chief third party officer or CTO to to orchestrate the activity across these different risk areas, and throughout the full definition of third parties, and scrutinize those third parties. Just as intensively as the chief HR officer would scrutinize employees and job candidates. So it’s we’ve gotten to that point now where, you know, after say, it’s been 100 years since we celebrated the Ford Motor Company, River Rouge complex, you know, that almost completely vertically integrated organization, to, you know, a world that has a decidedly horizontal bias. You know, think of Thomas Friedman in the world is flat, and how we are so dependent upon third parties for so many of the things that we do today, yet, you know, we’re just scratching the surface when it comes to the risk aspects of those third parties. But just as important, we need to focus ever more so on the performance aspects. So so that’s what that’s why I see over the next 10 years you’re gonna see this work evolved from a risk focus within GRC to its own high elevated level, one of orchestration across CISOs risk officers or GRC officers, procurement people and you have taken more comprehensive view looking not just at risk, but also performance. So that’s a, that’s a fairly loaded, partial answer your question, I could tick off a couple other things if you like. But let me give you a chance to respond to that, since there’s some fairly loaded response, I think


Will Bachman  35:17

that’s helpful. Maybe you could walk us through an example, a case study of how your firm has worked with clients to, you know, select the right software for them. You know, feel free to sanitize it, of course, you don’t need to name the client, but just kind of the describe the general situation?


Craig Callé  35:37

Well, I think the response is really similar to a lot of situations where you’re seeing an organization, even some large, seemingly sophisticated ones, still try to track all this work on spreadsheets. So so whenever somebody tells me, you know, for my different partners, who are their competitors, I always say excel in Excel is a wonderful aspect of the Microsoft Office Suite, of course, but you know, when you consider you know, how lengthy these any assessment can be, how many you have to send the need to respond to impartial or inaccurate responses, you know, route internally, you know, have an audit trail and all that you quickly start seeing the value of a platform. I think that there are certainly pros and cons of taking a best of breed approach, versus a multi module suite and GRC oriented suite. I think there’s certainly arguments for sharing data across modules. I think, in practice, there are some limitations to that. But but there’s, I see, there’s just as much opportunity. So for example, if someone has bought a module to focus on privacy, and then they want to attack, vendor risk, I think there’s a certainly a natural logic to connect your data map, a requirement of privacy of complying with privacy regulations, to the third parties that might also pull data that you need to be aware of. But I think, again, from for most law, even large, sophisticated companies making, making those connections across, say, a group and privacy that might tree up to legal, with a third party program that is more likely than not to be handled by the Chief Information Security Officer. It’s just a it’s a different, it can be a different silo. And you have to take extra effort to, to cross over and share, share information across platforms. But you know, a lot of you walk into any company, and then they inevitably have some solution mean, the notion of ripping and replacing is largely resisted. And so you sort of have to both understand the problem, but also the inherited solutions that are already there. And sometimes you’re having to shoehorn in maybe a near fix, as opposed to, you know, my dream, of course, which would be to take a clean sheet approach to every client. That’s unfortunately, rarely the case. So the answer your question, again, is sort of really depends on where they are, what they, what they want to accomplish, under what timeframe and with what budget. And I spend a lot of my time thinking about those different elements as we try to create solutions.


Will Bachman  38:40

Fantastic, Craig, where can listeners find you online if they want to follow up and get in touch and see more about your work?


Craig Callé  38:47

Well, our website, www dot source kelleigh.com. So that’s so you are CE ca ll e.com. And I’m also on LinkedIn. So Craig Callay. And yeah, those are probably the two the two best ways to reach me. And fantastic.


Will Bachman  39:10

Craig, this was a great intro. Thank you for being so patient with my very novice questions about the world of GRC. And thank you for joining today.


Craig Callé  39:19

Well, they’re no novice questions in this field, believe me, and I appreciate the interest and really, really, thank you for for making time for me

Related Episodes


Automating Tax Accounting for Solopreneurs

Ran Harpaz


Integrating AI into a 100-year-old Media Business

Salah Zalatimo


Author of Second Act, on The Secrets of Late Bloomers

Henry Oliver


Third Party Risk Management and Cyber Security

Craig Callé