Project Report on
2023
➢ ISO/IEC 2700
▪ The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.
Market Research/ Analysis of TPRM
❖ TPRM RISK Addressing
➢ Despite increased awareness of and focus on TPRM, many organizations have no formal mechanism to assess or prioritize TPRM risk across the extended enterprise, and do not trust the internal/external data available to them.
➢ Growing awareness of TPRM is consistent across industry segments. It is highest in Energy, Resources & Industrials, followed by Financial Services, and comparatively lower in Government & Public Sector.
➢ ASSESSMENTS
▪ Most industries believe they currently have a low level of organizational capacity, resulting in an ad hoc approach to assessing and prioritizing TPRM dimensions.
▪ Some believe that assessment and prioritization of TPRM risk dimensions is based on judgmental evaluation using expert input or other mechanisms rather than a formal quantitative process.
▪ Very few companies have established quantitative scoring methods to assess risk dimensions.
➢ TPRM-related data problems stem mainly from two factors: first, the unavailability of data, and second, a lack of awareness of which data should be relied on and how to translate it into actionable intelligence.
❖ Managing Third-Party Resilience
➢ Organizations recognize the need to improve supply chain resilience; this need is particularly strong in relation to their critical third parties and the lower-tier third-party ecosystem (i.e., beyond those with direct contractual relationships).
➢ Organizations from the EMEA region claim that resilience and business continuity management is a strength in their organization compared to the Americas & APAC.
➢ In periodic reviews of third-party business continuity plans, they identified the need to "scenario stress test" existing third-party relationships and their business continuity plans. This helps to ascertain the point at which the tolerance threshold is broken.
➢ To better understand the ecosystem of material third-party relationships, 34% apply technology solutions and 35% use tools to monitor resilience and trends in real time.
➢ 73% have a moderate/high level of dependence on CSPs. This is expected to increase to 88%, requiring them to consider third-party provider resilience even more seriously.
❖ Despite the projection of more comprehensive end-to-end managed service solutions in the future, most organizations currently outsource only specific aspects of their TPRM models.
➢ In the report, most companies stated that third-party data breaches and security incidents were the top drivers behind increased involvement in third-party risk management.
➢ Nearly half of companies continue to use spreadsheets. According to the report, a "disappointing trend" continues in 2023, as a growing number of organizations (48%) use spreadsheets to assess third parties. This is up from 2022 and 2021, when 45 percent and 42 percent of companies, respectively, said they were using spreadsheets.
➢ There is a huge gap between tracking and remediating risks across the lifecycle, and on average 20 percent of companies are doing nothing. Not surprisingly, the offboarding and termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47 percent) and remediating (38 percent) risks, and the highest percentage of companies doing nothing at all (39 percent).
MARKET DYNAMICS
RISK ANALYSIS
• Despite inflation and fears of recession, businesses across the globe are expected to do better in 2023.
• In 2023, market players might incur losses due to large currency translation gaps, followed by contracting revenues, shrinking profit margins, and cost pressure on logistics and supply chains.
• Interest rates in the U.S. may be less volatile in 2023 than in 2022; a sigh of relief for businesses.
• Increased spending in European and major Asian economies, including India, China and Japan, is expected to soften the impact on global demand.
• IBM recently signed an agreement with Siam Commercial Bank, a Thailand-based bank, to improve the security of the countless digital transactions on its platform and to provide better services to its customers.
• The Third-Party Risk Management process has emerged as a platform ideally suited to enhancing due diligence throughout the M&A process.
o https://www.corporatecomplianceinsights.com/wp-content/uploads/2020/04/SA_BP_UsingTPRMInMA.pdf
COMPETITOR ANALYSIS
Probable competitors of Crossbow Labs in the field of vendor risk management software
PROCESS UNITY
• Automates vendor onboarding, due diligence and ongoing monitoring.
• The price of the software starts from $15,000.
• Questions are asked or framed based on the vendor's previous responses.
• They surface specific risk-domain expertise, such as cybersecurity ratings and the Financial Hub score, in the final dashboard.
• Clients can customize and build their own dashboards as required.
➢ ProcessUnity has 130 employees and has raised total funding of $24.88 million.
❖ Market Strategy
➢ ProcessUnity's market strategy includes key partnerships with managed service providers for assessment-as-a-service and assurance services on third parties.
➢ The vendor hopes to target the midmarket with a bundled pricing model with built-in services and cybersecurity ratings.
❖ Some Important Notes and Observations
➢ ProcessUnity has strong native capability, appealing mostly to FinServ and healthcare.
➢ The 2021 acquisition by Marlin Equity Partners brought some changes and enabled "hands-free automation", which puts ProcessUnity in a position to make major inroads.
➢ Its nine-module SaaS platform helps to overcome the people and data fatigue associated with TPRM.
➢ The above-average cost of implementation services has historically limited ProcessUnity's appeal to financial services, healthcare, and big tech firms.
➢ ProcessUnity demonstrates product maturity with scoring that allows decimals, controls-based scoping, and support for multiple risk domains such as financial, geographic concentration, and physical security.
➢ The vendor portal supports dialogue between customers and third-party vendors, and vendors can delegate to internal resources at the assessment, section, or question level.
➢ Reference customers appreciate the ability to automate existing processes without compromising to fit system limitations, but hope for better report visualization and a multiselect drop-down option in questionnaires for prioritization on the product roadmap.
❖ Market Research
➢ 65% of its client base is in North America, 25% in Central Europe and 10% in Asia Pacific.
➢ It targets existing ServiceNow cloud platform customers as well as midmarket commercial to very large businesses.
➢ It currently serves the following primary markets: retail, manufacturing, banking and investment services, communications and media, and healthcare providers.
➢ The current offering's strengths are flexible risk scoring and correlation capability, and robust workflow.
❖ Some Important Notes and Observations
➢ ServiceNow continues to make headway due to its ability to connect the third-party risk
process with other business functions while garnering executive support and C-suite
visibility.
➢ The platform has a FedRAMP High (high-impact level) designation, a common data model, and supports on-prem deployment for federal customers.
➢ The vendor has made some big strategic moves including a robust app store featuring
600-plus integrations and an aggressive product release schedule.
➢ The commercial model that has an annual minimum with additional fees for content,
analytics, and partner-led implementation makes ServiceNow cost-prohibitive for many.
➢ According to reference customers, the highly customizable vendor portal needs to be
more intuitive, upgrading to new versions invariably creates permissions issues, and
admins with developer skills are required for some of the complex configuration.
➢ ServiceNow remains a good fit for firms not bound by budget and those where TPRM is
part of a broader strategy with ServiceNow’s other products.
❖ Software Features
➢ Fourth-party supply chain management to auto-detect and auto-assess the sub-processors used by the vendors.
➢ Built-in standardized assessment frameworks in multiple languages from the Cloud Security Alliance (CSA CAIQ), VSA, Shared Assessments SIG and SIG-Lite, and Google VSAQ, as well as the ability to tailor and create custom assessments.
➢ Contract and Data Processing Agreement (DPA) management to track and report on key contractual clauses such as data breach notification terms.
➢ It monitors third-party risk over time and triggers reassessments when changes occur.
➢ The frameworks used by this software are mainly CSA CCM, CAIQ and the GDPR Code of Conduct.
❖ Market Research
➢ It is also placed as a Leader in Third-Party Risk Management by the Gartner report, along with ServiceNow and ProcessUnity.
➢ OneTrust holds 35.5% of the market share for data privacy management software.
➢ The goal of OneTrust is to bring siloed third-party risk management together to make it easier to share data in areas like ethics, ESG, privacy, security, and resilience.
➢ OneTrust has three pricing models for different-sized clients, with specific pricing for clients with fewer than 1,000 staff, and it has different support tiers.
❖ Some Important Notes and Observations
➢ The company differentiates itself with broad jump-start features and its infosec vendor exchange.
➢ Since expanding from privacy to third-party risk in 2018, this vendor has built the largest third-party risk exchange, raised $920 million in funding, and boasts 2,000-plus customers.
➢ The company achieved this with an ambitious growth strategy, a freemium offer for third-party vendors to claim and build their profile, and a clear vision to "make trust a competitive advantage"; it even rebranded its platform as "Trust Management Cloud."
➢ OneTrust decided to support the SIG questionnaire natively only within the vendor exchange, which leaves the door open for competitors offering a variety of content.
➢ Recent innovations such as autocomplete and advanced cell detection using natural language processing (NLP) pull data from third parties' completed questionnaires to respond to new ones, and a confidence score shows the sufficiency of the response.
➢ OneTrust focuses the vast majority of its features on compliance and lags behind others in risk mitigation and corrective action, and in risk scoring and analytics.
➢ Reference customers stated the desire to see more native integrations with commonly used systems and continuous monitoring of third parties.
➢ OneTrust is best for customers replacing spreadsheets and those seeking to leverage the third-party risk exchange.
❖ Software Features
➢ Capture and store supplemental documents such as SSAE 16 reports, financial statements, and PCI assessments, and monitor when refreshed documents are due.
➢ Capture declared critical fourth-party relationships and understand the quality of governance the third party applies to its own third-party relationships.
➢ Assessments from all vendors can be viewed in a single dashboard via the vendor portal.
➢ Self-service provisioning of third-party accounts, and reporting on overall third-party risk profiles, individual issues, and remediations.
➢ It can evaluate the resilience of third parties across five resilience pillars: Cyber, IT, Facilities, People and Suppliers.
❖ Market Research
➢ Archer has the biggest market presence among all the competitors listed above.
➢ It is categorized as a Strong Performer, with an average current offering and a good market strategy, by many of the reports.
➢ Archer's current offering strengths include a superior fourth-party risk capability that includes discovery of fourth parties through integration with RiskRecon and support for continuous controls monitoring through integration with Panaseer.
➢ Archer is a good fit for large teams with dedicated and certified admins, firms open to using services to manage the platform, or those already using other Archer products.
➢ It focuses on medium-sized to large businesses, particularly those in sectors with greater maturity in risk management and/or significant regulatory compliance requirements.
➢ It currently serves the following primary markets: pharmaceuticals, biotechnology and life sciences, healthcare providers, government, information technology, and manufacturing.
❖ Some Important Notes and Observations
➢ Archer offers TPRM "workflow with purpose" if you have its other GRC modules, which may be seen as a weak point; a strategy/model can be built that has an advantage over this.
➢ With Symphony Technology Group's acquisition of RSA Security in 2020, Archer has emerged as an independent brand with a new CEO and a renewed focus on its GRC roots.
➢ Archer has a differentiated vision to help customers make "decisions, not dashboards" and views TPRM as the connective tissue between business and risk stakeholders. But execution relies heavily on existing customers that leverage other GRC modules, and on the large community of Archer-certified administrators, to land and expand its TPRM product.
➢ To make headway in the TPRM market, Archer will need to overcome being late to SaaS (which the vendor launched in late 2019 and which currently serves only 30% of customers) and the lack of supporting products or services that do not come with an additional cost.
➢ Archer will also need to attract third-party risk buyers who don't want to invest in a full GRC suite, already have GRC platforms, or have had bad Archer experiences previously.
➢ Despite an aggressive product roadmap, Archer still struggles with a weak UI and limited out-of-the-box metrics and reporting.
➢ Reference customers describe the UI as "clicky" and the solution as difficult to implement overall, and say that it takes a long time to fix an issue.
Product demo video: "Watch the demo to see how RSA Archer Suite can help you take command of third-party risk"
Product Snapshot
• Enhance third-party consolidation, rationalization, and visibility across businesses, spend, and
risk exposure.
• Control third-party risk exposure and accelerate responses to risk events with risk alerts from
multiple data feeds.
❖ Software Features
➢ Leverage the intuitive portal to search for third-party profile information, including products or services provided, financial details, ongoing assessments, contracts, location issues, certifications, due diligence status, risk rating, and associated business units.
➢ AI-powered risk score recommendations, and real-time visibility into exceptions in third parties' SOC 2 and SOC 3 reports.
➢ Pre-defined questionnaires to assess third-party risks in the areas of finance, sustainability, compliance, legal, IT, anti-bribery and corruption, and business continuity.
➢ Conduct ad hoc assessments based on risk intelligence from external sources, incidents, performance failures, or business insights.
➢ Automatically validate third-party information and identify "red flags" based on globally sourced content covering cybersecurity, finance, sustainability, regulations, disaster and hazard, corruption, reputation, sanctions lists, Politically Exposed Persons (PEPs), Special Interest Persons (SIPs), state-owned enterprises, and adverse media listings.
➢ Leverage the NLP-based chatbot to view status updates and follow-up actions. Leverage AI/ML to quickly identify related issues and recommend issue classification.
➢ Manage risk incidents and losses across multiple organizations in compliance with regulations such as the Basel Accords.
❖ Market Research
➢ According to 6sense, MetricStream has a 0.25% market share in the governance, risk, and compliance category.
➢ MetricStream has most of its customers in the United Kingdom, the USA and India.
➢ MetricStream is good for firms looking to leverage the product's native capabilities or those with the budget and resources to support customization.
❖ Some Important Notes and Observations
➢ MetricStream wants customers to embrace and thrive on risk, and approaches TPRM as a building block for enterprise risk management. But the vendor's product strategy focuses on innovation and building "cool" features that are out of sync with the 60% to 70% of TPRM customers who are at a low stage of maturity by MetricStream's own model.
➢ The vendor goes to market with industry-specific, role-based messaging and notable partnerships, but will need to ramp up native content and integration with threat intelligence tools to successfully execute on its expansion into Asia Pacific.
➢ MetricStream's scores are better than average, with high marks for advanced analytics such as an AI-powered recommendation engine that classifies issues by category and recommends remediation, and a built-in collaboration capability including a chat feature. However, the product is not easily configurable and requires customers to license external content.
➢ Reference customers reveal that they use only the out-of-the-box reporting and
artifacts history to avoid the extra cost and want to see more and better integration
options.
Product Snapshot
❖ Software features
➢ It tracks essential third-party data in a central location, including audit findings from site visits, real-time financial data feeds and service level agreements.
➢ Automates collaboration across all departments, connecting data from existing tools to develop insights.
➢ Compares the risk presented by all vendors in an easy-to-use matrix.
➢ It also prioritizes remediation of areas of concern and reduces the potential for costly security breaches or non-compliance penalties.
➢ This tool provides customizable reporting to give leadership teams the insights they need to make critical business decisions.
❖ Market Research
➢ 64% of Diligent's customers are in the United States.
➢ 53% of Diligent's clients are mid-sized companies in terms of employees, and 39% are small in terms of revenue.
➢ Of all the companies this vendor serves, 9% are in financial services and 15% are in mining and metals. (Source: Data Bridge Market Research)
➢ Financial services, manufacturing, government, healthcare, and technology are among its primary industries of interest for midsize and enterprise customers.
➢ It currently serves the following primary markets: insurance, manufacturing, banking and investment services, government (including education), healthcare providers (including pharmaceuticals, biotechnology, and life sciences), and high technology.
❖ Some Important Notes and Observations
➢ This tool was formerly known by the company name Galvanize.
➢ This vendor, based in Vancouver, Canada, was acquired in April 2021 by Diligent.
➢ HighBond remains the vendor's primary platform, but the product's capability for TPRM has undergone changes.
➢ Diligent HighBond is an enterprise governance software platform developed by Diligent. It can be used for audit management, compliance management, enterprise risk management, continuous monitoring, third-party risk management and ESG programs.
➢ Diligent has decided to discontinue the highly configurable and complex TPRM solution it purchased from Rsam in 2019 and instead launch a simpler, pre-installed version with improved reporting and visualization but no support for even the most fundamental configuration changes.
➢ Diligent has included some Rsam capabilities in future HighBond releases as part of its roadmap, but the overall impact on TPRM has been minimal. This is beneficial for startups, but discouraging for established users and more seasoned buyers.
➢ HighBond has powerful risk analytics, and its native Storyboards are among the best visualizations in the market.
➢ HighBond does not support custom questionnaires or the ability to easily edit preconfigured workflows. The standard scoring model can only be modified at the scripting level by professional users with a licensed access level.
➢ Reference clients reveal that capabilities and modules are not completely integrated within the platform.
Product demo video: no exact product video was found, but there is a video explaining one of the vendor's similar VRM tools: Galvanize Demo ControlsBond - part 1
Product Snapshots
❖ Software Features
➢ Every action in Aravo is time- and role-stamped with visualized audit trails across all
workflows and full reporting capabilities.
➢ Scopeable assessments, conditional logic and support for multiple respondents.
➢ Business impact assessments, performance management, request for proposal/information (RFP/RFI) and sourcing activity, and third-party feedback.
➢ Authorized users can change and create new workflows with simple, visual, drag-and-
drop configuration.
➢ Aravo’s Evaluate scoring engine calculates and aggregates risk scores for a
comprehensive view of the third-party relationship and can drill down to the individual
questions that comprise the scores.
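The quantitative scoring that the market research above says few organizations have (see ASSESSMENTS), the decimal, multi-domain scoring credited to ProcessUnity, and the aggregate-and-drill-down behaviour of the Evaluate engine described here all rest on one mechanism: weighted aggregation of answer severities by risk domain. The Python below is an added illustration written for this report; it is not Aravo's, ProcessUnity's or any other vendor's code, and the questionnaire, answer-to-severity mappings, domain weights and tier cut-offs are constructed assumptions rather than content from any product. Two practitioner details are built in: an unanswered or unrecognised answer is scored as worst case, so a vendor cannot lower its score by leaving questions blank, and a reassessment trigger fires when the overall score moves by at least a threshold or changes tier.

```python
"""Weighted third-party risk scoring with drill-down and a reassessment trigger.

Added example for this report, not any vendor's implementation. All questions,
weights, severities and tier cut-offs below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Question:
    qid: str
    domain: str
    text: str
    weight: float               # relative importance within its domain (> 0)
    severity: Dict[str, float]  # answer -> severity in [0.0, 1.0]; 0.0 = no risk


@dataclass
class AssessmentResult:
    overall: float                     # 0.0 - 100.0, one decimal place
    tier: str                          # low / medium / high / critical
    domain_scores: Dict[str, float]    # domain -> 0.0 - 100.0
    drivers: List[Tuple[str, float]]   # (qid, points contributed to overall), descending


# Constructed sample questionnaire (assumption, not a vendor content library).
QUESTIONNAIRE: List[Question] = [
    Question("C1", "cyber", "Is MFA enforced for all remote access?", 3.0,
             {"yes": 0.0, "partial": 0.5, "no": 1.0}),
    Question("C2", "cyber", "Is customer data encrypted at rest?", 2.0,
             {"yes": 0.0, "no": 1.0}),
    Question("C3", "cyber", "Was the incident response plan tested in the last 12 months?", 1.0,
             {"yes": 0.0, "untested": 0.5, "no": 1.0}),
    Question("F1", "financial", "Positive net income in each of the last two years?", 2.0,
             {"yes": 0.0, "no": 1.0}),
    Question("F2", "financial", "More than 25% of revenue from a single customer?", 1.0,
             {"no": 0.0, "yes": 1.0}),
    Question("R1", "resilience", "Is there a tested BCP covering the services provided?", 2.0,
             {"yes": 0.0, "untested": 0.5, "no": 1.0}),
    Question("R2", "resilience", "Are critical sub-processors (fourth parties) declared?", 1.0,
             {"yes": 0.0, "no": 1.0}),
]
# Constructed domain weights (assumption); they are normalised, so any positive scale works.
DOMAIN_WEIGHTS: Dict[str, float] = {"cyber": 0.5, "financial": 0.2, "resilience": 0.3}
# Constructed tier cut-offs on the 0-100 scale (assumption); at or above the last is critical.
TIER_CUTOFFS: List[Tuple[float, str]] = [(25.0, "low"), (50.0, "medium"), (75.0, "high")]
# Constructed vendor responses; R2 is deliberately left unanswered.
SAMPLE_ANSWERS: Dict[str, str] = {
    "C1": "partial", "C2": "yes", "C3": "no", "F1": "yes", "F2": "yes", "R1": "untested",
}


def tier_for(score: float) -> str:
    for cutoff, name in TIER_CUTOFFS:
        if score < cutoff:
            return name
    return "critical"


def score_assessment(questions: List[Question], answers: Dict[str, str],
                     domain_weights: Dict[str, float]) -> AssessmentResult:
    """Each question adds weight * severity / (sum of weights in its domain) to its domain;
    each domain adds its normalised weight share to the overall score. Missing or
    unrecognised answers are scored as severity 1.0 (worst case)."""
    by_domain: Dict[str, List[Question]] = {}
    for q in questions:
        by_domain.setdefault(q.domain, []).append(q)
    total_dw = sum(domain_weights.get(d, 0.0) for d in by_domain)
    if total_dw <= 0:
        raise ValueError("no positive domain weights for the questionnaire's domains")

    raw_domain: Dict[str, float] = {}
    drivers: List[Tuple[str, float]] = []
    for domain, qs in by_domain.items():
        dw = domain_weights.get(domain, 0.0) / total_dw
        total_w = sum(q.weight for q in qs)
        if total_w <= 0:
            raise ValueError(f"domain {domain!r} has no positive question weights")
        raw = 0.0
        for q in qs:
            sev = q.severity.get(answers.get(q.qid, ""), 1.0)  # blank/unknown => worst case
            part = q.weight * sev / total_w
            raw += part
            if part > 0:   # drill-down: which questions are driving the overall score
                drivers.append((q.qid, round(part * dw * 100, 2)))
        raw_domain[domain] = raw

    overall = sum(v * domain_weights.get(d, 0.0) / total_dw for d, v in raw_domain.items())
    drivers.sort(key=lambda item: item[1], reverse=True)
    return AssessmentResult(overall=round(overall * 100, 1), tier=tier_for(overall * 100),
                            domain_scores={d: round(v * 100, 1) for d, v in raw_domain.items()},
                            drivers=drivers)


def needs_reassessment(previous: AssessmentResult, current: AssessmentResult,
                       delta_threshold: float = 10.0) -> bool:
    """Trigger a reassessment when the tier changes or the score moves by >= threshold."""
    return (previous.tier != current.tier
            or abs(previous.overall - current.overall) >= delta_threshold)


if __name__ == "__main__":
    result = score_assessment(QUESTIONNAIRE, SAMPLE_ANSWERS, DOMAIN_WEIGHTS)
    print(f"overall {result.overall} ({result.tier}); domains {result.domain_scores}")
    for qid, points in result.drivers[:3]:
        print(f"  driver {qid}: {points} points")
    remediated = score_assessment(QUESTIONNAIRE, {**SAMPLE_ANSWERS, "C1": "yes"}, DOMAIN_WEIGHTS)
    print("reassess after MFA remediation:", needs_reassessment(result, remediated))
```

On the constructed answers the vendor scores 47.5 (medium), and the top driver is the partial MFA answer, which is exactly the question a reviewer would open first; remediating it to "yes" drops the score to 35.0 and the 12.5-point move crosses the 10-point threshold, so the reassessment trigger fires. Scoring blank answers as worst case is the important design choice: a questionnaire that silently treats "no answer" as "no risk" rewards non-responsive vendors.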
- Aravo has also demonstrated its capabilities for addressing a broad range of 3PRM-relevant
tasks, typically through dedicated, specialized modules, further contributing to its high scores
for market penetration and business model.
- Aravo has also demonstrated a lot of thought leadership in the 3PRM field by providing research
and discussion on a consistent basis through white papers, events, and webinars.
- Aravo's efforts in TPRM are being diluted by its category expansion journey, which shifts its
strategic focus and roadmap to business resilience and other adjacent areas.
- Aravo, known as a TPRM specialist, targets buyers from procurement, security, GRC, and operations with a multitenant SaaS platform and solutions packaged in three tiers (express, standard, and advanced) aligned to customer maturity.
- Aravo has a strong customer community, supports self-paced e-learning, and provides an
innovation exchange where customers can vote in support of or against new product features.
- It struggles to deliver additional value-add that doesn't require additional cost or rely on partnerships with consulting firms. Its five-tier pricing model is based on revenue or assets under management for an annual subscription.
- Its vendor portal replicates the branding of its customers, allows users to submit ideas for improvement and innovation, and integrates with ticketing systems to automatically generate tickets whenever vendors report an issue or incident.
- Clients cited ease of use for business users, lack of flexibility, and difficulties with new product rollouts as areas needing improvement.
Documents/Reports: Chartis-GRC-VA-report-2021_g_ARAVO.pdf
Product Demo Video with Webinar: the product demo is within this webinar, starting at 33:36.
Software Features
- Its features include adding users with specific roles and access levels, modifying data structures, modifying workflows, changing screen layouts, and adding notifications.
- It automates repetitive vendor onboarding and reassessments by leveraging tools the company already uses, like Jira, Slack, and Microsoft 365.
- It helps the company add even more context by aggregating third-party risk intelligence from Black Kite or SecurityScorecard and due diligence data from providers like Vital4 alongside the assessment findings.
- Automatically send assessments and questionnaires to any third party based on custom logic, then invite vendors to access and complete questionnaires inside Risk Cloud with secure, one-time passcodes.
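The "secure, one-time passcodes" in the last feature above deserve a closer look, because the vendor portal is where an outsider authenticates in order to upload answers about their own controls, and a weak passcode scheme undermines every score built on those answers. The Python below is an added illustration for this report, not LogicGate's implementation or Risk Cloud's API. It assumes a server-side store keyed by invitation id, an 8-digit numeric code, a 15-minute lifetime and a 5-attempt limit (all assumed values); it stores only a salted hash of the code, compares in constant time, counts every failed guess, and burns the code on first successful use so a replayed passcode is rejected.

```python
"""One-time passcode issuance and redemption for a vendor-portal invitation.

Added example for this report, not any vendor's implementation. Store layout,
code length, lifetime and attempt limit are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

PASSCODE_DIGITS = 8                 # assumption: 10^8 possible codes
PASSCODE_TTL_SECONDS = 15 * 60      # assumption: a code expires 15 minutes after issue
MAX_ATTEMPTS = 5                    # assumption: the invite locks after 5 failed attempts


@dataclass
class InviteRecord:
    """Server-side state; the passcode itself is never stored, only its salted hash."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(salt: bytes, passcode: str) -> bytes:
    return hashlib.sha256(salt + passcode.encode("utf-8")).digest()


def issue_passcode(store: Dict[str, InviteRecord], invite_id: str, now: float,
                   ttl_seconds: int = PASSCODE_TTL_SECONDS) -> str:
    """Create a fresh passcode for an invitation; the caller delivers it out of band.

    Re-issuing for the same invite replaces the old record, so only the newest code works.
    """
    code = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_DIGITS))
    salt = secrets.token_bytes(16)
    store[invite_id] = InviteRecord(salt=salt, digest=_digest(salt, code),
                                    expires_at=now + ttl_seconds)
    return code


def redeem_passcode(store: Dict[str, InviteRecord], invite_id: str,
                    presented: str, now: float) -> bool:
    """Return True exactly once per issued code; False for unknown, expired, used,
    locked or wrong. Every rejected guess counts against the limit and the hash
    comparison is constant time, so neither timing nor unlimited guessing helps an
    attacker who knows the invite id."""
    rec = store.get(invite_id)
    if rec is None or rec.used or now > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
        return False
    rec.attempts += 1
    if not hmac.compare_digest(rec.digest, _digest(rec.salt, presented)):
        return False
    rec.used = True          # burn the code: a replayed passcode is rejected
    return True


if __name__ == "__main__":
    store: Dict[str, InviteRecord] = {}
    code = issue_passcode(store, "invite-42", now=0.0)   # constructed invite id
    print("first redemption:", redeem_passcode(store, "invite-42", code, now=60.0))
    print("replay:", redeem_passcode(store, "invite-42", code, now=61.0))
```

With these assumed parameters an attacker who knows an invitation id gets at most five guesses against 10^8 codes before the invite locks, and a leaked copy of the store yields only salted hashes. When evaluating a vendor portal, these are the properties to ask about: is the code single-use, does it expire, is guessing rate-limited per invite, and is the code stored in the clear.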
Market Research
- According to g2.com, 50% of LogicGate's customers are in the Enterprise segment and 41% in the Mid-Market segment.
- The features most valued by users of this platform are its API, reporting analytics, third-party integration, activity dashboard, and reporting & statistics.
- It's a GRC platform that is good at most things but lacks differentiation.
- The pricing model is transparent, with five packages ranging from basic to professional, and bundles the number of modules, users, success plan, and core integrations for a set price.
- This vendor's vision to elevate risk and compliance to a strategic advantage is supported by a graph database and the Risk Cloud Exchange.
- Continuous monitoring, risk contextualization, and prioritization features are prioritized in the robust roadmap; additionally, the vendor's pricing strategy is one of the clearest and most straightforward.
- The vision of LogicGate is largely predicated on finding solutions to current problems and offers little insight into the market's future.
- The in-house content development team, the capacity to consume financial impact scores through its integration with Black Kite, and the adaptability of questionnaire customization are LogicGate's strengths.
- LogicGate lags in more sophisticated functionality such as performance analysis and multilevel assessment, and has a predominant focus on infosec.
- Reference customers echo the need for maturity, especially in reports and analytics, and want to see better version control of workflows and audit trails. They also request more integration options, Active Directory integration, and autofill functionality among enhancements to prioritize.
- Lean teams with few FTEs who don't mind sacrificing platform configurability and control will find LogicGate to be a good fit.
Product Demo Video: Third-Party Risk Management with LogicGate Risk Cloud®️
Software Features
Market Research
- Prevalent anticipates that organizations will look to outsource more, use more data sources, and
gain better insight into the life of third-party relationships as the complexity and scope of third-
party risk programs grow.
- It focuses on large SMBs and global businesses that fall under North American and EMEA regulatory programs.
- Organizations that are reducing supply chain security threats, do not yet have a program, or are replacing manual efforts are additional targets for this company.
- It currently serves the following primary markets: insurance, manufacturing, pharmaceuticals,
biotechnology and life sciences, banking and investment services, and healthcare providers.
- Prevalent’s pricing model is structured by tiers based on the number of vendors and on three
service options: self-service (risk workflow management), managed service (outsourcing) and
network (risk exchange).
- Prevalent recognizes that TPRM requires more time and resources than most firms have
available and so goes to market with a software-plus-managed-services model.
- While Prevalent targets similar buyers as its competitors, its services-forward message
resonates best when prospects have had bad experiences using other TPRM solutions or failed
to get the other vendor products off the ground during implementation.
- There are three licensing options for the multitenant SaaS platform: self-service of just the
software solution; managed services, where the vendor manages the TPRM lifecycle with its
resources; or network services, which includes the solution plus Prevalent’s exchange network
of completed questionnaires.
- Prevalent has an intuitive vendor portal with date and time localization that supports
communication and collaboration between customers and third-party vendors and upload of
previous survey responses from Excel or a preconfigured response library.
- The connector marketplace streamlines integration, and Prevalent supports a rich content
library integration that can be cross mapped against multiple regulations/frameworks.
- However, the scoring is basic, and questionnaire customization or changes to reporting or visualization are limited at best.
- Reference customers (taken from customer reviews) describe the UI as clunky and the workflow as rigid.
Product Demo Video: https://vimeo.com/438339775 or Go to this webpage to view the product demo
video: https://www.prevalent.net/content-library/prevalent-third-party-marketplace-overview/
➢ NAVEX targets first-time TPRM buyers in highly regulated industries with its highly configurable platform, but offers limited out-of-the-box capabilities and little prescriptive guidance for beginners.
➢ Reference customers appreciate the ability to scale and the agility to modify areas to meet changing requirements; they also highlighted limitations such as questionnaires that can only be assigned to one email address and the lack of offline questionnaire completion capability.
❖ COUPA TPRM
➢ Market Research
▪ Coupa’s vision is to have all critical information about IT suppliers in the context
of spend-related transactions providing the ability to onboard or update
supplier information from various sources and trigger additional activities for
visibility and control.
▪ The main markets it currently serves are: banking and investment services,
including insurance, pharmaceuticals (including biotechnology and life sciences),
retail, manufacturing, and high tech.
▪ AI-based recommendations on how to shift spend to a recommended alternate
provider.
▪ Coupa is a subscription model with a range of packages based on the number of
users and suppliers.
▪ Coupa has an implementation model that is partner-led and supported by
Coupa.
➢ Notes and Observations
▪ Coupa has not fully integrated the Hiperos platform with its Business Spend Management (BSM) platform in the three years since it acquired that third-party risk vendor.
▪ Coupa also offers procurement, payment, and contracting products, which are
ideal for integrating spend and contract-related risks with third-party risk.
▪ This vision is attractive in theory, but it offers a homogeneous partner
ecosystem and has fewer nonfinancial risk management capabilities than others
in this evaluation.
▪ The combination of platform rigidity, a hefty price tag, and recent changes in the product team, which customers have noted in their reviews, has adversely affected the product roadmap.
▪ Additionally, its limited success in attracting TPRM buyers in security and risk
versus procurement is explained by a value proposition based on synergies
among its entire product line.
▪ As a differentiator, Coupa offers publicly supported benchmark data and
insights on supplier risk, performance, and spend.
▪ An engaged community, FedRAMP "moderate-impact" authorization, and the
capacity to integrate with its own products, such as CLM, as well as with payment
systems that can support third-party risk processes, are some of the company's
strengths.
developing, maintaining and stress-testing comprehensive continuity and exit strategies and
plans for material (critical) third-party arrangements.
➢ In the financial services sector, regulation with an explicit focus on operational resilience is
forcing organizations to identify the third parties that underpin important business services (IBS)
and to establish plans that keep disruptions within agreed tolerance levels. The use of technology
will be a critical component in predicting and addressing such what-if scenarios with a more
integrated and holistic approach, as reiterated in respondents' priorities.
➢ Identify systemically important third parties and drive consistent resilience standards through
sectoral or geographic communities, rather than doing so individually.
➢ Integrated & holistic third-party management
o Expanding the focus, moving from the narrow spotlight on cost savings to thinking more
broadly about profitable growth delivered with a customer-centric approach.
o Becoming more proactive: passive demand forecasting is no longer enough, and
organizations seek to actively improve the supply response.
o Making it easier for organizations to better understand segments, distribution channels,
price points, product differentiation, selling propositions and value chain configurations,
such as linkages between activities and processes that occur within and outside the
company.
➢ Organizations are rapidly replacing traditional fixed-term, fixed-scope partnerships (often
associated with sunk cost) with the more flexible consumption- and unit- or volume-based
constructs that managed services platforms provide.
➢ Organizations continue to focus strictly on cost reduction, while also looking for self-funding
models in which savings are achieved via external expertise.
SUGGESTIONS
1. Payment Integration
a. We can integrate our software with the payments application, so that clients can
automatically stop vendor payments in the case of elevated risk.
2. Package Identification
a. We can include a column in the software that identifies the packages the
company is using and the risks associated with them. For example, for a supply
chain related package used mostly by the vendors or the company (e.g., logy), our
software can assess it and analyze any risk associated with it.
3. Pitching Point for the Indian Market
a. For the Indian market, we can explain to our clients that our tool is going to assess
whether their vendors comply with RBI, SEBI and Government rules. For this we can
especially target banks and financial services, because they need to comply with all
the guidelines of the country.
4. Target for Marketing
a. If we build our software this year, our target would be to sponsor or give a
presentation at the 7th Third Party Risk Management Survey, May 2024. With the
help of this we can increase our outreach and also promote ourselves as a
company with a diverse portfolio and strong client trust that is entering Third-
Party Risk Management.
5. Additional Assessments
a. In our tool we can feature more assessments, such as 4th-party risk assessment,
geographical security, analysis of ethical risk and geopolitical risk, and peer-to-peer
group distribution over ratings.
6. Machine Learning for Scoring
a. We can implement machine learning algorithms to analyze historical vendor
data and identify the patterns that correlate with high-risk vendors. The machine
learning tool can predict patterns based on the assessments we are doing
and show them in charts.
7. It would be a plus point for our tool if we integrated it with cybersecurity ratings, financial
health scores and external expert content, because companies are shifting towards cloud-
based services and may therefore be concerned about cybersecurity.