STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017

Transcription

1 STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES September 2017

2 Your presenters Nancy Aubrey Partner Boston, MA Rick Shriner Principal McLean, VA 2

3 Agenda Overview of current trends affecting relationships with third-parties Third-party management lifecycle assessing risk and maintaining control Emerging regulations impacting bioscience companies European Union s new data protection standard 2 3

4 ISSUES / TRENDS

5 Industry trends impacting third-party management Heavy reliance on third parties Increased out-sourced research activity Global clinical trials Single-point-of-failure risks with CMOs Global sales and supply chains Third party data breaches Changing regulations - EU GDPR s impact on bioscience companies in the US 4 5

6 Broader third-party trends Trends noted by the CEB Audit Leadership Council in their 2017 Audit Plan Hot Spots include: 1. Decreased visibility into third-party network Decentralization in decision-making leads to poor visibility Third-parties relationships lead to fourth or even fifth parties 2. Increased third-party access to sensitive company data With organizations digitizing and relying on increasing amounts of data more information will be reaching thirdparties, both accidentally and by design Increased risk of data breaches and non-compliance with data privacy regulations 2017 Audit Plan Hot Spots CEB Audit Leadership Council 5 6

7 THIRD PARTY RELATIONSHIP MANAGEMENT (TPRM) LIFECYCLE

8 Third-Party Relationship Management (TPRM) Lifecycle 8

9 TPRM Maturity Continuum WEAK SUSTAINABLE MATURE INTEGRATED ADVANCED Ad-hoc processes Problem driven Inconsistent outcomes Rework Reactive Individual effort Basic process Processes follow a regular pattern Repeatable practices Reduced rework Processes not standardized Documented processes Standard approval processes Proactive and reactive Request driven Technology utilized Improve productivity Stable processes Proactive Accountable Effective monitoring Formal change management process Service level agreements Continuous improvement Strong business relationships Predictability Quality driven Proactive Optimizing costs and quality Agile Fully automated Complete integration Enterprise-wide knowledge Planned innovations Change management fully implemented Strategic performance metrics

10 Understanding Third-Party Requirements Planning Do not let third-parties define your requirements Establish ownership for the product or service to be provided and the supporting third-party relationships Involve all relevant stakeholders Assign a weight to each requirement Begin thinking about control requirements related to information risk early in planning Present requirements to potential third-parties and include in third-party selection and management process Assess the risks of the product or service the third-party will support Identify specific risks and include how they are mitigated in your third-party evaluations 9

11 Understanding Third-Party Risk Assess the risks of the product or service the thirdparty will support Transaction/ Operational Liquidity/ Financial Credit Reputation Planning Strategic Compliance/ Legal HR Rate/Pricing Identify specific risks and consider how they are mitigated in your third-party evaluations

12 Evaluation of third-party qualifications Existence and corporate history Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate Due Diligence Other companies using similar services from the provider that may contracted for reference Financial status, including reviews of audited financial statements Strategy and reputation Service delivery capability, status and effectiveness 12

13 Evaluation of information risk during due diligence 13

14 Capturing data security requirements 14

15 Capturing data security requirements (cont.) 15

16 Critical elements of agreement Contracting Duration Dispute resolution Indemnification Limitations of liability Termination Assignment Regulatory compliance Scope Performance standards (service-level agreements [SLAs]) Security and confidentiality Controls Audit Reports Business resumption Subcontracting Ownership and licensing 15

17 Common issues with contract clauses Contracting Contain one-sided clauses Inadequately address service levels (with penalties) Silent about regulatory requirement maintenance Multi-year auto renewal term Excessive notification lead time for opt out May require payment for disputed items May ask for payments before delivery Silent about audit rights 17

18 Third-party contract management Maintain a central repository for all agreements Assign responsibility for management and oversight Contracting Manage key dates and ongoing due diligence Periodic performance reviews Insurance Coverage Business Continuity Testing Financials Changes in Leadership Data Breaches Legal filings Notices to the third party to prevent auto renewal 18

19 Monitoring Third-Parties Ongoing Monitoring Monitor your third parties financial position Monitor the user base Stability and growth Type and size of client organizations Monitor R&D indicators Investment in development Industry trends Monitor audit reports Controls reviews Penetration testing results Business continuity test results SSAE 16 SOC 1, SOC 2 (outsourced services) Regulatory sources 19

20 Why organizations conduct Third-Party compliance audits Reactive Proactive Ongoing Monitoring Monetary obligations are nonexistent, late, or trending downward Services or products are not delivered on time Quality issues Public information and press releases are contradictory to the performance of the agreement Organization has developed a thirdparty contract compliance risk management process Fiduciary responsibility to organization stakeholders Agreement is financially material to the organization Organization is looking to restructure the agreement Agreement will be expiring soon Induce future compliance 20

21 Factors impairing ongoing monitoring Ongoing Monitoring Contracts are not centrally located and tracked Employees may not have the underlying contract and/or all corresponding amendments Intimate knowledge of third-party existence and activities are limited to comparatively few employees Nuances between similar agreements with other thirdparties are not understood Clear ownership for monitoring activities does not exist and the monitoring activities are ad-hoc and manual Lack of formal process to assess changes in the thirdparties organization Notifications of non-compliance are not identified as the issues arise 19 21

22 Managing through contract termination Eventually, contract termination is an inevitable phase in the third-party relationship lifecycle. Reasons for contract termination may include: Contract completion Breach of contract Merger or acquisition Assignment to another party Third-party goes out of business Termination Risk considerations Confidential information (e.g. trade secrets) - what happens to data Reputational risk Business continuity - disruption of operations Considerations to manage situations when termination occurs Clearly specified contract termination rights in the contract Internal transition plan (timeline, responsibilities) 23

23 Third-Party relationship compliance red flags Third parties and your agreements that exhibit at least one of the following characteristics have an increased risk of non-compliance with the terms and conditions of the contract: Complexity of agreement Multiple locations or parties involved (related and non-related parties) Changes in accounting and reporting systems Changes in third-party key personnel New products, services or expanded product lines Mergers and acquisitions Third-party reporting/financial obligations are late or cease to exist Performance provided by third-party do not correlate with market/industry trends Contract terms Monitoring efforts Third-party characteristics 23

24 BUILDING A FRAMEWORK TO ASSESS TPRM RISKS

25 Overview of Approach Step 1: 3 rd Party Prioritization Step 2: Refine the 3 rd Party Risk Assessment Framework Step 3: Deploy the 3 rd Party Risk Assessment Survey Continuous Monitoring Develop a framework for the assessment program, not just a questionnaire. Develop a workflow and process for conducting surveys, evaluating responses, weighting responses, compliance audit requirements and having the right information on which business decisions are made. These decisions include which third parties should provide additional information, those that would require an in-depth audit, or spot audit, and those where completion of the survey is satisfactory. The next step is the deployment of the surveys to the third parties in a tiered and practical approach. Risk areas to audit: Operational Performance Security (Information Privacy and Protection) Regulatory Compliance Personnel Step 4: Compliance Audit Financial Total spend analysis Tax analysis Self reporting accuracy Other financial clauses (MFN, SLAs, etc.)

26 Factors for Prioritization Third-party risk areas and third parties themselves can be prioritized based on factors such as: Third-party impact on enterprise-level risks Contract language (specificity, operational versus financial, etc) Evidence of potential errors or manipulation Operational performance including software quality, incident management, etc. Complexity of contracts (number of agreements, calculation of costs, complexity of pricing models) Strength of contract audit clause Third-party access to critical business information State of the relationship (new, ending, shortterm, long-term) Financial strength of vendor Impact to the nature of the relationship (strategic, significant, considerable, insignificant) Geographic considerations (location of Vendor, multiregional agreements) Third-party reliance on sub-contractors or other third parties Regulations

27 Building a Third-Party Risk Assessment Framework Perform the following key tasks in developing the framework for a Third-Party risk assessment: Define roles and responsibilities for project team. Define the project plan, project charter, and communication plan. Determine and agree on the questionnaire format, quantity of questions, target audience, and delivery format. DESIGN 3 RD PARTY RISK FRAMEWORK BEST PRACTICES & STANDARDS INDUSTRY FOCUS REGULATORY REQUIREMENTS BUSINESS NEEDS GEOGRAPHY Develop workflow for risk assessment Develop weighting criteria Develop decision making criteria Develop compliance audit program DESIRED RISK MITIGATION OPTIMIZED FRAMEWORK CURRENT STATE UNDERSTANDING GOVERNANCE & RISK POLICIES & PROCEDURES BUSINESS PROCESSES CRITICAL ASSETS CONTROLS CURRENT STATE

28 Contract Compliance Assessment Scorecard Example Scorecard Responses to survey questions from each selected third-party are assessed and ranked using a scoring model customized for the organization. The example scorecard shows mapping customized by agreement type. Contract Compliance Scores Risk Factors Agreement complexity 2.2 Significance of agreement to the organization 3.3 Number of third-parties involved 1.0 Changes in key third-party 1.5 personnel Changes in third-party accounting systems 4.7 Performance compared to industry/market conditions 3.0 Score Changes in agreement terms Timeliness of compliance by third-party Lack of compliance by third-party Mergers and acquisitions related to the third-party New products or activities related to the third-party agreement

29 Risk Ranking is Key The goal of the third-party risk assessment workflow is to assess the level of risk the third-party relationships present to your organization. The third-party criticality is determined from the Prioritization Data evaluation. The control state is determined from the questionnaire scorecards. These two data points contribute to the combined third-party risk rating, which drives the level of focus and attention the third-party needs to be given.

30 TPRM: Key Recommendations Be very clear about the different types of third party risk you are tracking, and who has responsibility for each Document organizational risk profile, risk tolerance and risk acceptance Involve business stakeholders in the risk acceptance process Conduct due diligence to minimize risks (including regulatory fines and reputation damage) 30

31 TPRM: Key Recommendations (cont.) Create triggers to make sure risk and compliance efforts occur throughout the third party relationship lifecycle Consider ways to open up communication with and among vendors about trends, patterns and best practices Be innovative and flexible; program and processes should allow for incorporation of changes due to business, industry and regulatory drivers 31

32 EMERGING ISSUE: OVERVIEW OF GDPR

33 What is GDPR? European Union General Data Protection Regulation EU GDPR New data protection law adopted by the EU in April 2016, intended to bolster data privacy protections for EU residents. Companies, government agencies, and non-profits interacting with EU residents have until May 2018 to comply. 33

34 Who does GDPR protect? The European Union. Consisting of 28 member states: Spain, UK, Ireland, France, Germany, Italy, and Sweden, among others Some island nations such as the Canary Islands, Azores, and others Organizations storing, transmitting or processing data for individuals residing in any of these countries 34

35 Who does GDPR apply to? To determine if GDPR affects your organization, you need to ask questions such as: Do you offer goods and services to EU residents? Do you rely on third parties that store or transmit data to/from the EU? Do you collect, transmit, or process data pertaining to EU residents? It does not matter whether the services are free It does not matter whether your company operates in the EU 35

36 Five big concepts to understand 1) Accountability 2) Consent 3) Right to be Forgotten 4) Portability 5) Breach Notification 36

37 Accountability Organizations must demonstrate privacy protection by design and by default. Must appoint Data Protection Officer (DPO) if the: Organization processes data of more than 5,000 individuals a year OR Is active in regular and systematic monitoring of individuals OR Processes data which is sensitive Sanctions (more on that later) 37

38 Consent Burden of consent now states that: Organizations must now prove genuine, explicit consent for data gathered Consent must be purpose-limited Must allow withdrawal of consent at any time In some instances, consent must be down to business process level In some instances (or countries), must gather consent for individuals as young as age 13 (through their parents) 38

39 Right to be forgotten Mandatory right to erasure organizations must give individuals the right to request erasure of their data if: Individual withdraws consent Data is no longer needed to achieve the purpose it was collected for Data in question was obtained through unlawful processing 39

40 Data portability Individuals have the right to transport all of their personal data to another organization (even a competitor): Organizations must provide individuals with their data in a machine-readable format Where feasible, the organization must facilitate electronic transfer of personal data 40

41 Breach notification Organizations are now under legal obligation to notify local authorities within 72 hours if EU resident data is lost Only exception is if the data was encrypted Organizations have to inform individuals if adverse impact is determined from the breach Service providers (data processors) now have obligations to data controllers 41

42 Penalties for non-compliance If organizations do not comply, they face a maximum fine of: 4% of their global revenue OR 20million whichever is higher 42

43 QUESTIONS AND ANSWERS

44 THANK YOU FOR YOUR TIME AND ATTENTION

45 This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP.