
Search Results


  • Evaluating Third Party Relationships

    From the National Credit Union Administration

  • Third-Party Relationships: Interagency Guidance on Risk Management

    From the Office of the Comptroller of the Currency (OCC)

  • Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

    Ransomware Guidance from the National Institute of Standards and Technology (NIST) | National Cybersecurity Center of Excellence

  • Why Validate Certificates of Insurance (COIs)?

    By Heather Kadavy, CERP, CBVM CFSSP (Ret.)

    Today, organizations rely on the expertise of TPRM leaders, risk subject matter experts and business lines (otherwise known as the TPRM team) to understand the insurance coverage carried by the third parties they engage, in order to prepare for transferring loss as warranted. Certificates of Insurance (COIs) provide first-level evidence of coverage and give a sense of security against accidents and lawsuits that result from the contractor’s negligence, a data breach, or a faulty product, when entering or continuing a working relationship.

    The 4 P’s of Why To Review Certificates of Insurance

    Proves Third Party’s Insurance Status. The COI is a summary of an insurance policy and serves as evidence of insurance.

    Provides Quick Access to Data. The COI constitutes a one-page express version of a larger insurance policy, which can save you hours of review work.

    Prepares Organization to Reduce Liability. By requesting and reviewing the COI, you are in fact preparing for a loss transfer (aka risk transfer) to the third party’s insurer in the event something goes wrong.

    Protects Organization When Outsourcing. Ensuring that the third party's insurance aligns with your organization’s requirements, risk tolerance, and risk appetite when it comes to protecting against incidents could help alleviate costly litigation that would ultimately affect your bottom line.

    The ACORD Form template is the most common certificate of insurance used for businesses in the U.S. and was designed to standardize historical forms. However, note that other forms may be provided, particularly for insurance purchased through a state rather than through a private insurance broker or carrier. Typically an organization will work with its insurance agent or broker when setting the organization’s “bottom line” for the insurance types, limits and endorsements it will require from the different types of third parties it works with.

    TPRM teams should focus on building and nurturing relationships with their insurance agents or brokers so that when they run into questions, they have a known expert partner to reach out to. If a third party is slow or hesitant in providing a COI, it could be an indicator that they are underinsured or not insured at all. A COI is a non-binding document and does not alter coverage. Agents and brokers do their best to ensure that the coverage shown on the COI is accurate, because they face legal ramifications for providing false information; however, just because the COI states a certain type of coverage, limit, or endorsement (e.g. additional insured, waiver of subrogation, etc.) does not mean the policy itself has that exact coverage or that the endorsement changes hands. If the TPRM team or the organization's insurance agent or broker is concerned, they can always request more detailed evidence: a copy of the third party’s insurance policy.

  • Third Party Risk Management 101: Program Planning and Oversight

    Authors: TPRA Team & Practitioner Focus Group

    The way in which organizations leverage third parties has evolved over the years, increasing the quantity and severity of the risks third parties pose to an organization. Parallel to this evolution is an increase in the regulations surrounding organizations and their relationships with third parties. To ensure third parties are operating securely and effectively, by adequately monitoring and mitigating risks related to the data and/or processes that have been outsourced, an organization must have in place an effective Third Party Risk Management (TPRM) program. At the end of the day, an organization’s ability to effectively detect, manage, and mitigate third party risk relies on the foundation on which it has built its TPRM program.

    Building the Foundation

    A TPRM program consists of six phases, which make up the TPRM Lifecycle. This article focuses on the first phase, Planning and Oversight. Program Planning and Oversight supplies an organization with a strong foundation and the requirements needed to develop and steadily support its overall TPRM program. This phase ensures the program can address third party risk at the highest level, while also ensuring governance structures are in place to run the program effectively. If implemented correctly, the Program Planning and Oversight phase will ensure key stakeholders are aware of, support, and help implement program requirements. This phase also ensures your entire organization is on board, as the TPRM program will touch every department within your organization (from Business Owners to Legal and Information Security). Let's review the activities associated with the Planning & Oversight phase.

    Executive Support

    The success of your TPRM program depends on the support you receive from your C-Suite, as well as your Board. To gain leadership support, you must first market and sell the need for your program. To assist with this, a strong Business Case should be leveraged. A good business case should include, but not be limited to, the following components:

    A description of what third-party risk management is, including definitions, to ensure the program's scope is understood.

    Essential program features, including leadership support, enterprise-wide implementation, the TPRM framework, budget considerations, the need for a risk committee, transparency and communication, and reporting mechanisms.

    Avenues for benchmarking to ensure the program leverages processes that already exist, can maintain flexibility when new risks are discovered, grows with the business, and continuously improves.

    Expected program outcomes, or the return on investment for implementing a TPRM program. Such expected outcomes may include, but not be limited to, visibility into third party risk, defining the impact third parties pose to your organization, continuous monitoring of third parties to proactively mitigate risk, a reduction in residual risk through mitigation efforts, compliance with specific regulations and policies, and operational resiliency in the event of a disruption due to a third party.

    The Third Party Risk Association (TPRA), in conjunction with Shared Assessments, created “The Business Case for Third Party Risk Management: A Starting Point for Senior Leadership” in an ongoing effort to support the global community of TPRM practitioners. The document walks through the components above in greater detail and exists for you to leverage within your own program.

    Policies and Procedures

    Once leadership is on board with the program's implementation, it is time to develop comprehensive TPRM program policies and procedures to establish consistent and effective TPRM practices across the organization. Your policies and procedures should align with current internal policies, pertinent regulations, and industry best practices. Gain and use input from key stakeholders throughout the organization to ensure the establishment of your policies and procedures is successful. Your organization should then review the policies and procedures annually and update them, if necessary, to align with best practices and respond to emerging risks.

    Note: Policies should state the terms and expectations of your TPRM program, whereas procedures should detail the actions required to implement your program.

    At a high level, policies and procedures should:

    Provide a purpose statement that notes the role TPRM will play within your organization.

    Include definitions for third party risk management terms to ensure a consistent understanding throughout your organization.

    List all job functions that play a key role in the implementation and management of your TPRM program, as well as the responsibilities of each.

    Document each stage of the TPRM lifecycle to ensure the structure and processes of your TPRM program are clear and adoptable.

    Make clear that third party due diligence requirements must be completed before a contract is executed.

    Inventory of Third Parties

    It is imperative that you develop and maintain an up-to-date inventory of your third parties to ensure your TPRM program has sufficient coverage of third party risks. Keep in mind that, based on your organization’s definition of a third party, your inventory may not simply be based on the contracts you have in place with other organizations. There are several sources you can leverage (such as Accounts Payable, software discovery tools, and Business Owner surveys) to better understand the third party relationships your organization has in place. All third parties, whether or not contracts are in place or monies are exchanged, should be noted within your inventory. You may then choose to mark certain third parties as in or out of scope once you move through the TPRM process; however, you will at least be able to evidence that you reviewed all third parties in some capacity.

    Within this activity, you may find it beneficial to establish sub-service categories for the products/services third parties provide to your organization. Categories may include, but not be limited to, Marketing Services, Professional Associations, Software Providers, Hosted Solutions, etc. This ensures you better understand how the business leverages third party products/services, and allows you to determine whether a third party should be in or out of scope for specific due diligence activities. Once you have established your third party inventory, you will want to collect and maintain certain data elements related to your third parties within a central repository. Establish a process to add, maintain, and remove third-party information from your inventory regularly to ensure it is always up to date. This will allow you to look across third parties for risk trends, as well as ensure due diligence efforts are conducted for each product/service provided.

    Organizational Risk Appetite

    Next, establish risk ratings for your TPRM program and ensure they are in line with your organization’s risk appetite (the risk your organization is or is not willing to accept). Developing an organizational risk appetite is important in that it allows leadership to make enterprise-wide, strategic decisions on how to effectively manage and mitigate risk. It also allows your TPRM program to define risk thresholds for activities and controls that must be in place to ensure your organization meets its business objectives and protects its confidential data. Risk ratings are used to identify the potential impact and likelihood of a third party risk occurring. Once an inventory of third parties is established, the next step is to run them through an inherent risk questionnaire (IRQ) to identify the risk before controls are assessed. This then drives the level of due diligence required for a third party. It also assists with tiering your third parties to ensure your program is risk-based. The risk identified after due diligence is performed (after controls are assessed) is the residual risk rating. This rating then further drives your continuous monitoring efforts and reassessment cycle times.

    Program Oversight and Governance

    Senior leadership, as well as Board support, are essential to ensuring your TPRM program is successful by setting the right “tone from the top.” Absent that support, an organization is unlikely to achieve consistent and timely adoption across all business and risk functions. Since third parties support all aspects of a company’s operations and revenue-generating activities, the scope of their risks mirrors every aspect of your organization. As a result, only enterprise-wide implementation will ensure a TPRM program covers all relevant business risks for a firm. In addition, it is important to implement program oversight activities, which may include the establishment of a Risk Committee. The committee should determine the thresholds for risk escalation and risk acceptance, as well as the frequency of reporting on third party risks to leadership (including the Board). Essentially, the oversight (or risk) committee takes the information gained from your TPRM program and uses it to drive risk-informed decisions.

    Metrics and Reporting

    Ensure you establish measurable, specific, and relevant metrics for your program. Metrics should guide the development and execution of your program, as well as inform stakeholders of the risk landscape related to your organization’s third parties. Reporting should be tailored to specific target audiences to ensure they make better, data-driven decisions after reviewing the information. Target groups that should receive regular TPRM program updates can include, but not be limited to:

    Board: receives updates on the TPRM program's overall health and the mitigation strategies for higher-risk third parties.

    Executives: receive the risk ratings for third parties assessed and updates on risk-mitigation activities for higher-risk third parties.

    Risk Committee(s): receive risk ratings for third parties assessed and updates on risk-mitigation strategies, escalations, and risks requiring acceptance.

    Business/Relationship Owners: receive updates on third party due diligence efforts and assessment outcomes.

    Other Key Stakeholders (such as Compliance Teams): receive data on specific risks posed to the organization (such as regulatory/compliance risk).

    TPRM Managers: receive updates on program maturity, resource allocation, risk mitigation efforts, process exceptions, escalations, and any risks requiring business acceptance.

    Education and Training

    Transparency and communication are key when developing, implementing, and maintaining any TPRM program. All stakeholders must be familiar with TPRM program policies and procedures, as well as their role within the program. Business owners need to understand that they own their third party’s risk and that the TPRM program’s role is to support their risk-based decisions related to said third party. Best practice is to develop a TPRM training and education program and tailor it to your specific business partners. At a minimum, organizational training should be held annually, as well as when a new relationship owner is established. Your education program should also include third parties, to ensure they are aware of your program’s due diligence activities, expectations, risk remediation and follow-up processes, and escalation procedures.

    Regulatory Compliance

    Regulatory compliance has been a stable item on many board agendas, due to the increase in regulations related to third party oversight. There are a variety of reasons behind this focus, but the main drivers are the growing complexity of the threat landscape, the momentum of digital transformation, political and social unrest, and responses to the global pandemic. The regulatory risks your third parties do not address can present both reputational and financial risk for your own firm if, should an issue arise, your organization’s name comes up as purchasing services from said third party. As a result, regulatory agencies are mandating that you understand the risks associated with doing business with your third parties. Ensuring your third party is complying with pertinent regulations may result in a reduction of regulatory fines on your organization, ensure they are operating with integrity, and actively prevent attempts at bribery, corruption, and other threats.

    Budgeting

    Establishing basic or even aspirational objectives under a TPRM framework requires a realistic alignment with available budgets to support risk operations. For example, if a TPRM framework requires diligence for all higher inherent risk third parties before and after a contract is signed, then the budget should be commensurate with the activities needed to achieve this objective. Budget considerations can include, but not be limited to:

    Resources: current and future employees and/or contractors.

    Operations: any cost associated with daily tasks and running the business.

    Maturity Model: process enhancements required and the resources needed to get to the next level of maturity.

    Travel: costs associated with onsite visits and training.

    Training: fees for conferences, training, and certifications to maintain knowledgeable and skilled professionals who are apprised of risk trends.

    Tools: budget for TPRM program tools. Consider estimating the cost savings a tool (or tools) will bring by automating certain processes.

    TPRM is a non-revenue-generating discipline; therefore, it is a good idea to also quantify your program’s value by emphasizing what could occur if the program is not established. Also, provide a financial impact questionnaire as proof of the program’s financial impact and/or savings from mitigation of risk.

    Conclusion

    Your TPRM program will touch every department within your organization. As such, it is necessary to ensure alignment and support across the enterprise. As you establish your TPRM program, it is important to thoughtfully and strategically implement the above activities to ensure your program can successfully meet its business objectives and effectively mitigate third party risk.

  • TPRM 101: Program Planning & Oversight

    Explore the foundational phase of the TPRM lifecycle, Program Planning & Oversight. This video introduces the core building blocks for establishing a sustainable, enterprise-aligned third-party risk management program. The second video in TPRA's "TPRM 101" series covers Program Planning & Oversight, the first phase of the TPRM Program Lifecycle, which supplies an organization with the requirements needed to develop and steadily support its overall TPRM program.

  • TPRM Program Effectiveness Requires You To Be Intentional

    By: Heather Kadavy, CERP, CBVM CFSSP (Ret.)

    “Individuals who execute the Third Party Risk Management process for [Enter Your Company Name] are qualified and competent, have clearly defined responsibilities, and are accountable for their actions. They understand our risk culture and appetite. They have a robust understanding and oversight of our core and ancillary activities, third party relationships and the various ecosystems leveraged by our organization to address operational and technical capacities to ensure our TPRM Program is aligned with our strategies, to appropriately balance risk-taking and rewards.”

    Every business's board of directors, shareholders or executive team probably wants to hear some variation of this solid assurance statement regarding their TPRM Program’s effectiveness. In reality, it is increasingly difficult to truly accomplish. Why?

    The Transitioning of the Workforce is Fast and Furious. Onboarding a new employee typically means they hit the ground running, with limited time on the job to acquire the depth and breadth of knowledge needed to fully understand the complexities of the organization's critical processes, services, and activities, let alone the third party relationships, contractual obligations, and internal risk, control and gap decision alignments, both internal and external, that each organization faces.

    TPRM Teams are often siloed in their view and actions, whether physically or through priorities. It takes a team of subject matter experts from each line of business, as well as the TPRM team, to fully understand the risks associated with third parties, and doing so effectively means articulating strategies and priorities; ultimately, everyone rowing in the same direction and everyone pulling their own weight.

    Employees are Re-prioritizing, Exhausted or Disengaged. Today’s workforce is either (a) focused on the immediate priorities of making or saving money (e.g. sales, processing and client satisfaction), (b) exhausted and taking shortcuts, or (c) disengaged (aka “quiet quitting”). This can lead to suboptimal oversight of third party relationships, increasing the potential for damage to your business through reputational or operational loss.

    Resources are Earmarked for Client-Facing Solutions. TPRM teams are often asked to “get by one more year” with the resources at hand in a growing and complex ecosystem.

    Third Parties, 4th and Nth Parties All Face the Same Problems. Each has an ecosystem with its own shifting workforce and its own cultural, operational and technical uniqueness to manage, so providing answers to our TPRM teams sometimes takes a back seat.

    All of these complexities make it harder to achieve the utopian idea that each TPRM team will have in-depth knowledge of each relationship while also managing risks effectively. As a result, key TPRM processes become abstract concepts that our fast-paced society, with its shortened attention spans, has to balance. Knowing this, how can TPRM programs operate effectively?

    It Starts with the Right Team. Engagement and alignment across the three lines of defense is critical to your success.

    Get Real! By acknowledging the reality of either your starting point or the areas of improvement that your TPRM Program still needs to address, you and your team will be more aligned on the direction and priorities to strategically roadmap your needs. Take a long-term view of the opportunities to incrementally enhance your TPRM Program's effectiveness. It’s a marathon, not a sprint. However, that does not mean your TPRM team shouldn't prioritize the areas of improvement needed to mature your program. Begin by breaking your strategic priorities down into incremental sprints, making the overall process less overwhelming.

    Know Your Third Parties (KYTP). Create opportunities to develop the relationship between your employees and third parties, building upon collaboration and mutual trust. Many times a third party will provide:

    A due diligence packet or answers to inherent risk questionnaires. Implement an “If they provide it, you need to review it” motto. Receiving and archiving information is NOT risk management. It is only through review that you can understand, identify, assess and prepare to mitigate risks.

    A number of interactive touch-point meetings. Leverage these meetings to incrementally address due diligence concerns and continue learning about the complex ecosystems of your third party. Be purposeful when engaging with them and remember that one size does not fit all. Schedule these discussions on a risk-based frequency and recognize that your third party is an extension of your own security program.

    A set number of free or discounted online working groups, customer forums, webinars, conferences, etc. These are a great way to network and build relationships with the third party’s personnel who have the greatest organizational, operational, and technical knowledge regarding their products, services, and ecosystem.

    When your organization is intentional about improving the effectiveness of its relationships with third parties, it will indirectly drive better collaboration, allow for the sharing of more information, protect your assets and reputation, maintain compliance with regulations, improve your third party's overall experience, and ultimately better mitigate the impact third parties pose to your organization.

  • TPRM 101: What Is Third Party Risk Management (TPRM)?

    Welcome to the Third Party Risk Association’s signature video series, "Third Party Risk Management (TPRM) 101." This series is informed by our Third Party Risk Management (TPRM) 101 Guidebook, a comprehensive guide for establishing a TPRM program, which is available for free download to all TPRM professionals. This series is meant to be used as a starting point for those who wish to establish, validate, and/or enhance their Third Party Risk Management Program. Each video will walk through one of the six phases of the TPRM Program Lifecycle, which together create a strong TPRM program. But before jumping right into the Lifecycle, it is important we first understand the foundations of third party risk management, including basic definitions, risk types, calculating and evaluating risk, and finally, the basics of addressing the risk exposure created by your third parties. "TPRM 101: What is Third Party Risk Management" is Part 1 of this series.

  • Hybrid Work in Offshore Settings

    During the COVID lockdown, the only option many offshore business process outsourcing (BPO) providers, like every other business, were left with was to send employees home to work remotely. Whether it was because their facilities could not implement the requirements for a safe working environment, or because the local government required them to disperse the workforce, it happened. Many organizations scrambled to adapt quickly so that work could continue during pandemic restrictions with minimal interruption, not only for their own organizations but also for the organizations they support. With COVID restrictions now lifted in most countries, the return to the office for Offshore Delivery Centers (ODCs) has begun in many cases. However, these BPOs face the same challenges their customers face in attracting and retaining talent post-COVID, as many workers would prefer to work either hybrid (some days in the office, some at home) or fully remote. If organizations want the best talent and service from their BPO vendors, allowing those vendors to operate in a hybrid or remote setting is going to be a requirement. Many customers are concerned with the risk of data leakage in these hybrid/remote options and are therefore requesting solutions and options that allow this to take place while also mitigating the risk to both organizations.

    Risk-based approach

    Why is offshore work considered more risky than onshore work? Many offshore resources have access to sensitive data, and yet they are not direct employees of the customer. The distance makes the risk higher because of the inability to continuously validate, on a daily basis, that work is happening securely and safely. However, not all data risk is the same, which allows organizations to take a more risk-based approach. The first step in taking a more risk-based approach is educating internal business partners on the risks of certain data sets being sent to or accessed by offshore resources. You can then discuss with business partners what controls need to be in place for each data set to lower the risk related to the data accessed. For example, development work that only interacts with lower environments, such as Development or Test, and involves no sensitive data, could be done remotely and offshore (not in an ODC), as it requires fewer controls. On the opposite end of the risk spectrum, access to credit card data or personal health information (PHI) would require additional controls and monitoring to be in place, or should never be sent outside an ODC.

    Enterprise Security for BPO

    Many customers of BPOs focus only on the security of the service the vendor provides. However, given the interconnectivity they may have with the BPO, they should review its enterprise and information security controls as well. Start with connections: dedicated connections between your organization and offshore BPOs require network devices, which present a weak link. Network device manufacturers regularly release security patches and maintenance releases, so ask the BPO how often they update their network devices. Questions you can ask include:

    What is their policy for critical security patches, and for notifying you, as their customer, when these updates and maintenance patches are to be installed? Downtime for these devices must be regularly planned and, when a critical release is required, the release installed at the earliest possible moment.

    What is the BPO's intrusion detection/prevention system, and is it adequate?

    Does the BPO use a security information and event management (SIEM) tool, and does it collect information from all critical systems within the network?

    Does the BPO have a data loss prevention (DLP) system or tool in place that would detect when an employee or intruder begins to exfiltrate data, or does it only detect a threat actor after they’ve taken gigabytes?

    Does the BPO perform cybersecurity awareness training, including an insider threat module?

    Service-Level Security for Customers of BPOs

    Once you’ve established that the BPO either has adequate enterprise-level controls in place or is remediating toward your security baseline, ask: how are they securing the service they provide to you as the customer? If the data is remotely accessed via virtual desktop infrastructure (VDI) on your own network, how have they disabled activities like copy-and-paste and right-click actions, limited access to only the URLs required to perform their work, and prevented access to personal email and chat? If the data is in a shared cloud environment with the BPO, what controls within the cloud are enabled? Is it a single-tenant or multi-tenant environment? How are access controls managed? Ensure the vendor's revocation of access rights meets your requirements. Look at the connections to ensure they do not allow deprecated versions of transport layer security (TLS).

    End-Point Security for Hybrid/Remote Workers

    One of the most important controls for remote workers is the set of security controls enabled on the endpoints, such as laptops or desktops. The level of controls found on laptops can range from the simple to the complex. At a minimum, there should be an ‘always-on’ VPN, meaning that as soon as the laptop is switched on and connects to the employee’s home network, it creates an encrypted tunnel. As the risk to the data and connection becomes greater, there should be more active controls on the endpoint, such as heuristic analysis of keystrokes, artificial intelligence software that analyzes laptop camera images, and biometric requirements for logins. All endpoints should also be connected to data loss prevention (DLP), an intrusion detection system (IDS)/intrusion prevention system (IPS), and a corporate SIEM to ensure a holistic approach to security.

    Network Devices and Remote Work

    A weak link in this remote work approach is the assumption that all home-based routers are secure. Questions you can ask the BPO include: Are employees required to regularly update their home routers, and how is this monitored? Is it a router that your corporate network would trust on its own network? If there are thousands of offshore employees working from home, then that is thousands of potential attack points that may be vulnerable. The best option is to require the BPO to issue company-supplied, configured, and controlled routers. As long as the program to issue and control these devices is well designed and run, much of the risk listed above is reduced. BPOs can also ramp up that security by only allowing employees to connect to the BPO network with approved devices, to ensure the risk isn't elevated when said employees work from or connect through the Wi-Fi of a local coffee shop or other less secure location. The middle ground would be to have a list of company-approved devices that meet minimum standards to lower the risk. The employee can register their device with the company (using the serial number, access controls, and other critical information) to allow the BPO to monitor security updates and patches, informing affected employees when their devices are at risk.

    Zero Trust for BPO

    A Zero Trust approach can greatly reduce your risk of a breach; however, it will not lower your risk level to zero, as nothing can. This section explains a Zero Trust approach you can take with your BPOs. First, investigate how the BPO approaches zero trust. Since only 22% of organizations report being fully at zero trust, it might need to be a risk-based approach, focusing on the highest-risk data and connections. Another zero-trust action your organization can take, as the customer, is to implement controls on your own network. Where the BPO connects to your network, place the connection in a bastion or demilitarized zone (DMZ) that is configured for least-privilege access. Require biometrics, multi-factor authentication (MFA), re-logins every few hours, and a privileged access management (PAM) system to ensure these accounts are better secured.

    Physical Validation of Security for Remote Work

    As the ability to travel opens back up, it is important that customers of BPOs begin to perform physical validation of their critical vendors. Previously, a visit to an offshore vendor followed a familiar script: fly to the country of location and meet with the security and operations team to get physical validation of both logical and physical controls. There was a tour of the ODC offices to ensure the expected physical controls were present on the floor: separate spaces, no recording devices (such as phones) allowed in, badges and biometrics for entry, validation of clean room policies, and similar physical checks. With remote work, these checks are not possible at every remote worker’s home. However, that doesn’t mean they can be skipped, nor does it mean they can’t be checked. For example, require the vendor to randomly check, like an audit sample, some of their employees’ home offices. Physical validation can also include having the BPO connect to a set sample of remote workers’ cameras and validate specific physical controls. If your BPO already does this, then ask: have monitoring controls caught any examples of potentially risky behavior? Ask them to show how they dealt with risky employee behavior to ensure it aligns with their policy and your expectations as their customer.

    Conclusion

    COVID changed a lot of things in the business world. It is doubtful the ‘work remote’ genie can be put back into the bottle. The best talent will want the flexibility to work remote or hybrid, which will, in turn, provide them with the ability to deliver better service. It will also allow BPOs to hire and retain talented employees. Regardless of your personal views on remote offshore work, there are ways to allow your BPOs to deliver service remotely while keeping the risk to your data and your network within the risk appetite that aligns with your organization.

  • TPRM Explained: Integrated TPRM Business Processes

    A question many Third Party Risk Management and vendor management professionals often find themselves asking is: how do we work in a cohesive, organized way to sufficiently mitigate third party risk while enabling the business to move forward with third party relationships? This video provides insight into how to integrate TPRM into the rest of the business, including common goals and challenges, tips for improving process integration with business stakeholders, and the key aspects of governance needed to make integration work, and provides a TPRM lifecycle-based framework to enable better integration. This video was made possible by Tom Rogers, CEO & Founder of VendorCentric, through his presentation at TPRA’s July 2022 Practitioner Member Meeting. TPRM Explained is an educational series that focuses on topics related to third party risk management. Topics come directly from our end-of-year survey on the pain points our practitioners are experiencing within their own programs. Remember to like and subscribe!
