There is no such thing as an enterprise that functions without suppliers, and there is no such thing as an enterprise that doesn’t assess risk. The difference between a successful organization and one that is not, is how they govern and manage risk, and in today’s environment, suppliers are a key aspect of any risk profile. There are countless standards, documents, bodies of knowledge and methods in our industry that have their own twist on handing 3rd party risk, but many don’t realize that there is a framework that encompasses all of these into a single framework. That framework is COBIT.
During this presentation we will explore the dynamic world of managing risk, in particular, managing 3rd party risk using COBIT as a framework integrator to the multitude of standards and frameworks out there, as well as dive deep into practices and activities that should be core ingredients to your risk process by using real world examples.
- Understand the application of COBIT risk practices and activities and how they are being used today with respect to 3rd parties
- Select and prioritize scenarios to create a risk register that can be used in multiple enterprise environments
- Link the vendor risk process to industry standards and frameworks to create appropriate and applicable controls
- Recognize good practices to mitigate 3rd party risk
Mark Thomas, CGEIT, CRISC, Certified COBIT Assessor
Mark is an internationally known Governance, Risk and Compliance expert specializing in information assurance, IT risk, IT strategy, service management and digital transformation. Mark has a wide array of industry experience including government, health care, finance/banking, manufacturing, and technology services. He has held roles spanning from CIO to IT consulting and is considered a thought leader in frameworks such as COBIT, NIST, ITIL and multiple ISO standards.
Mark routinely speaks at US and international conferences and earned the ISACA John Kuyers award twice for Best Speaker/Conference contributor of the year. Mark also holds the CGEIT (Certified in the Governance of Enterprise IT) and CRISC (Certified in Risk and Information Systems Control) certifications.