AI and ESG Capabilities for Third-Party Risk Management (TPRM): Interview with Alastair Parr, Executive Director, GRC Solutions at Mitratech
Alastair Parr is a key member of the founding team behind Mitratech’s Prevalent TPRM solution. With a deep background in governance, risk, and compliance (GRC), Alastair has extensive experience in addressing the challenges of modern risk management. His role focuses on ensuring that Mitratech’s solutions evolve innovatively to meet market demands, particularly within the Prevalent platform and the broader Mitratech GRC ecosystem. Prior to joining Mitratech, Alastair served as an operations director at InteliSecure and worked as an auditor, further honing his expertise in building and implementing effective risk management strategies.
In this interview with TechBullion, Alastair shares some insights into Mitratech’s latest advancements in AI and ESG capabilities, the impact of these innovations on third-party risk management, and the company’s vision for the future of GRC and risk technology.
Please tell us more about yourself and what you do at Mitratech.
My name is Alastair Parr and I was part of the founding team that started what became Mitratech’s Prevalent TPRM solution. I am responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent solution and our Mitratech GRC platform overall. With a background in governance, risk, and compliance, I have extensive experience developing and implementing solutions to meet the challenges of the increasingly complex risk management space. Previously, I served as an operations director for the global managed service provider InteliSecure and worked as an auditor.
Mitratech has recently introduced AI and ESG enhancements to its recently acquired third-party risk management platform, Prevalent. Could you elaborate on how these capabilities differentiate Mitratech’s platform from others in the market?
It’s important to note that the latest enhancements are exactly that – enhancements to existing capabilities. We have taken a long-term perspective on the TPRM market, so as the market evolves, we evolve with it.
We first introduced our ESG capabilities in 2020. Since then, we have added deeper scope 1, 2, and 3 emissions tracking, overall ESG score enrichment, and ESG controversy tracking to our library of ESG questionnaires so that organizations can keep pace with the ever-changing ESG regulatory landscape. As supply chains grow and become more complex, it’s essential that organizations centrally track all of their supply chain risks – from cyber disruptions to operational, ESG, and reputational challenges. Our view is that our solution should become the single source of truth for all third-party vendor and supplier risks, which feeds into the overall GRC solution to manage enterprise risks.
With AI, we have steadily expanded our AI capabilities from ML-based reporting to more sophisticated automations such as automatic assessment completion, document/evidence scanning for suitability, and an AI risk advisor to help interpret risks and provide guidance on suggested remediations. The goal with our AI capabilities is to simplify the user’s experience, add consistency to assessments and analytics, and improve the visibility of risk advice.
AI-driven risk assessments are becoming more common. Can you explain how Mitratech’s AI-powered automatic questionnaire completion works and the impact this will have on organizations trying to streamline their third-party risk assessments?
Our AI auto assessment completion capability enables users to take a previously completed spreadsheet questionnaire or supporting PDF documentation, upload those artifacts, and have our AI automatically extract answers and relevant details to populate a new third-party risk assessment.
This capability benefits responders who have multiple documents, such as internal policies and audit reports, which could satisfy question requirements but have no way to efficiently extract that information without hours of manual documentation review. Using document details to populate new risk assessments radically reduces the time required to manage the third-party risk assessment process.
As ESG compliance gains momentum among regulators and investors, how does Mitratech’s new ESG monitoring feature assist companies in maintaining sustainability standards across their supply chains?
Environmental, social, and governance (ESG) criteria, such as measuring greenhouse gas (GHG) emissions, have surely emerged as a key priority among companies, investors, and government regulators. Measuring GHG emissions involves focusing on direct emissions and extending attention to indirect emissions throughout the supply chain, where scope 1, 2, and 3 emissions come into play. As more governments legislate ESG and sustainability regulations, companies must sift through mountains of ESG reporting data to meet supply chain compliance requirements.
The Prevalent solution includes new capabilities that enhance ESG and sustainability monitoring and correlate with the results of questionnaire-based ESG risk assessments to standardize and simplify global ESG compliance reporting across your supply chain.
The latest release includes:
- Globally sourced, standards-based data from a recognized leader in ESG and sustainability reporting.
- Advanced sustainability ratings and scores, including scope 1, 2, and 3 emissions and equivalent value in cash (EVIC) intensity, for each supplier to compare over time and against industry averages.
- Analyst-curated emissions scores, negative news and controversies to deliver visibility into potential reputational concerns.
- A comprehensive library of global sustainability questionnaires with built-in remediation guidance to benchmark reporting.
- A centralized risk register of assessment results and sustainability data for investigation, triage, and task and event management.
By comprehensively understanding and managing Scope 1, 2, and 3 emissions, companies can mitigate supply chain and reputational risks, meet stakeholder expectations, improve operational efficiency, and gain a competitive edge.
With the solution, procurement and supply chain teams can improve supply chain visibility and consistency and save time by providing one-stop access to thousands of ESG scores, intelligence, and controversies fully aligned with other enterprise risks.
The introduction of Technology Tags is a notable addition to your platform. How does this new feature enhance visibility into software supply chain risks, and what kind of proactive measures can organizations take as a result?
To assist in understanding which vendors have particular technologies deployed, the Prevalent TPRM solution now includes Technology tags, which provide access to publicly disclosed technologies that can be applied to all entities in the solution based on the technologies the entity uses.
In the event of an incident, built-in ActiveRules automations can trigger actions based on Technology tags including:
- Reporting on impacted third parties.
- Informing internal users of the technology association by issuing email notifications.
- Triggering tasks.
- Distributing an incident response survey to a key contact to understand how they have been impacted, and what remediation efforts are taking place.
- Generating risk items for ongoing management.
This enhancement is invaluable when news of a vulnerability or data breach impacts a specific technology and there is a need to quickly identify which organizations in a vendor ecosystem may be leveraging it. It improves proactivity through visibility and automation.
With this capability, organizations can quickly identify and communicate with vendors potentially at risk of a software supply chain disruption, reducing risk and speeding up time to resolution.
Given recent high-profile supply chain incidents like the July 2024 CrowdStrike outage, what lessons did Mitratech draw in developing these new risk management tools?
The widespread July 2024 CrowdStrike outage was a wake-up call for organizations to better understand the technologies deployed in their vendor ecosystems. Knowing which third parties utilize a particular technology helps to speed up incident response in the case of a critical outage. And that starts with discovery – building a central inventory of the technologies that third parties utilize. The Prevalent solution already included the ability to track technologies, but the latest enhancement pre-loads options to add to the vendor profile, simplifying tracking and speeding up incident response.
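The Technology Tags workflow described above (a central inventory of technology tags per vendor, and incident-driven rules that report, notify, create tasks, send a survey, and raise risk items) is illustrated here as an added example. This is not Prevalent or Mitratech code; the Vendor/Incident classes, the rule function, the vendor names, contacts and technology names are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    contact: str                                    # key contact who receives the incident survey
    technologies: set = field(default_factory=set)  # technology tags on the vendor profile


@dataclass
class Incident:
    title: str
    technology: str    # the technology tag the incident concerns
    severity: str


def _norm(tag: str) -> str:
    # Compare tags case- and whitespace-insensitively so profile entries match reliably.
    return " ".join(tag.lower().split())


def impacted_vendors(inventory, incident):
    """Return vendors whose profile carries the incident's technology tag."""
    wanted = _norm(incident.technology)
    return sorted((v for v in inventory if wanted in {_norm(t) for t in v.technologies}),
                  key=lambda v: v.name)


def run_active_rules(inventory, incident):
    """Emit the five action types a rule can trigger: report, notify, task, survey, risk item."""
    hits = impacted_vendors(inventory, incident)
    actions = [{"type": "report", "incident": incident.title, "vendors": [v.name for v in hits]}]
    for v in hits:
        actions.append({"type": "notify", "vendor": v.name, "to": "tprm-team@example.invalid"})
        actions.append({"type": "task", "vendor": v.name,
                        "summary": f"Confirm exposure to {incident.technology}"})
        actions.append({"type": "survey", "vendor": v.name, "to": v.contact,
                        "questions": ["Were you impacted?", "What remediation is underway?"]})
        actions.append({"type": "risk_item", "vendor": v.name,
                        "severity": incident.severity, "status": "open"})
    return actions


# Constructed sample inventory and incident (hypothetical vendors and product names).
INVENTORY = [
    Vendor("Acme Payroll", "risk@acme.invalid", {"Endpoint Agent X", "Cloud Suite Y"}),
    Vendor("Bolt Logistics", "it@bolt.invalid", {"endpoint agent x"}),
    Vendor("Cobalt Analytics", "sec@cobalt.invalid", {"Cloud Suite Y"}),
]
INCIDENT = Incident("Vendor-wide outage of Endpoint Agent X", "Endpoint Agent X", "high")
```

Running `run_active_rules(INVENTORY, INCIDENT)` yields one report plus four actions for each of the two tagged vendors; the untagged vendor is left untouched.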
With AI transforming various industries, some organizations express concerns about its potential risks. How does Mitratech ensure that its AI-powered tools are transparent, ethical, and aligned with regulatory compliance?
We have implemented several controls to mitigate the risks of bias and hallucination and to ensure security.
- The LLM that we have incorporated into our solution has been trained on events and leverages our 20 years of experience.
- There is human governance over the model to ensure that results are realistic and represent actual recommendations.
- We anonymized all data and only set the risk and/or event name – no other context.
Sustainability and ESG have become critical metrics for evaluating vendor relationships. Can you share any insights into the specific ESG criteria that Mitratech’s platform uses to assess and score suppliers?
The Prevalent solution provides insights into several ESG metrics.
- Globally sourced, standards-based data from a recognized leader in ESG and sustainability reporting.
- Advanced sustainability ratings and scores, including scope 1, 2, and 3 emissions and equivalent value in cash (EVIC) intensity, for each supplier to compare over time and against industry averages.
- Analyst-curated emissions scores, negative news and controversies to deliver visibility into potential reputational concerns.
Data is presented over time, and with it, users can compare suppliers against:
- Industry averages
- Their peers
- Other suppliers in the same region
In light of these recent updates, how do you see the role of technology evolving in the context of third-party risk management, especially when it comes to adapting to emerging regulatory requirements?
Technology and process automation should be at the center of third-party risk management. Two of the most significant challenges involved in assessing a third party are completing assessments and gathering external data to formulate a risk score which then informs how the third party should be treated going forward. TPRM solutions address both of those challenges directly by automating questionnaire management, completion, and scoring, and by centralizing external vendor insights across multiple risk domains. Technology then enables the correlation of the questionnaire responses to external data to validate answers, scoring, and automated remediation management and reporting. Without technology, organizations are left with manual, spreadsheet-driven processes or disjointed risk scoring that limits visibility.
Looking ahead, what are the key areas of innovation that Mitratech is focusing on to continue leading in the GRC and third-party risk management space?
Mitratech will continue to innovate in areas such as continuous monitoring enhancements, AI translation and automations, natural language reporting, as well as providing new insights into geographic and firmographic data and analytics.