Strategies to Mitigate the Cost of a Risky Third-Party Relationship

Transcription

1 Strategies to Mitigate the Cost of a Risky Third-Party Relationship

2 Experts on Panel Linda Tuck Chapman President, Ontala SIG: Sourcing Resource Center Chair, Thought Leaders Council Manu Gopeendran Senior Director MetricStream RMA: Third Party Risk Management Roundtable Facilitator, Trainer, Subject Matter Expert Shared Assessments Group Advisory Board 2017 MetricStream, Inc. All Rights Reserved.

3 Linda Tuck Chapman A recognized expert in third-party lifecycle and risk management. outsourcing governance and third-party optimization Career highlights: CPO, BMO Financial Group President & CEO Education Marketplace CPO, Fifth Third Bank CPO and VP Executive Shared Services, Scotiabank Group Third Party Management Leadership Profile: Linda Tuck Chapman President, ONTALA lindatuckchapman@ontala.com Author: RMA Journal, Wall Street Risk Journal, industry publications Author: Third Party Lifecycle and Risk Management What You Should Know (will be published by RMA in late 2017) RMA: Third Party Management Specialist, Facilitator, Trainer SRC: Chair, SRC Thought Leaders Council SHARED ASSESSMENTS GROUP: Advisory Board member CORE: Lecturer 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

4 Third party management something old and something new Companies in every industry, nationally and globally, are making significant strategic and tactical investments in upgrading their third party management. Investments within their business segments, corporate functions, and risk-control specialist functions, with heightened accountability across senior management and boards of directors. The goal is to avoid or minimize the impact of third party issues and incidents that can affect Market their reputation, Trends operations, customers and bottom line. Third party management programs, people, processes and tools senior management and accountable stakeholders mean a deeper and broader understanding of an increasingly complex operating ecosystem and heightened threat landscape by: 1.Targeted, systematic rigor during screening and selection; 2. Sharper focus on third party risks and their controls; 3.Intensified, prescribed management and oversight 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

5 What s a third party? The RMA third party risk management Steering Committee developed these definitions to improve communication across the sector and with internal stakeholders. These definitions have been widely adopted. An entity, including an affiliate, that has a business relationship with the firm or its customers and is not itself a customer. Third party relationships include: Vendor third party Non-Vendor third party "Vendor" third parties are service providers that provide a product or service to the firm. These relationships are typically sourced through a sourcing/procurement process. Payment is typically transacted by Accounts Payable. "Non-vendor" third party relationships are typically acquired by a business line/segment directly, not through a sourcing/procurement function. Financial remuneration, if applicable is typically transacted outside of Accounts Payable processes. These relationships may be managed solely by a business line/segment, or managed in conjunction with a corporate risk management function. Source: RMA Third Party Risk Management Roundtable ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

6 Complementary frameworks. improve clarity and communication Operating Framework Third party management is a team sport that consumes a significant amount of resources Governance Framework Standardized, repeatable processes enable impartial assessments, conclusions and actions. Source: Linda Tuck Chapman (2017) Trying to do this manually is inefficient and ineffective, and will get in the way of predictable risk, cost and performance management of your critical third parties Ontala Performance Solutions Ltd 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

7 Some risks are common to most companies and sectors don t waste time reinventing the wheel Information and Cyber Security Business Interruption Financial Strength Performance 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

8 Business benefits should outweigh costs Third Party Management is a set of co-dependent people, policies, processes and practices.. that deliver your firm s value proposition, products and services. regardless of whether services are delivered internally or by a third party ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

9 Is task management superseding risk management? Too many relationships for similar services Activities are too frequent Unnecessary due diligence Unnecessary controls One size fits all Limited re-usability Slow response times Limited insight Third Third Party Third Party Party Third Third Party Third Party Third Party Third Party Third Party Third Party Third Party Party Thousands of relationships. Tens of thousands of man hours. How do we achieve efficiency AND effectiveness? 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

10 Third party mgmt. program are expensive to run.. typically ~ $5 and $35 million a year Cost Drivers Estimate ($$ thousands) Technology $ PRM office $ 350-5,000 Risk specialists $ 1,000-10,000 Legal services $ 700-6,000 Compliance/Ops Risk $ 900-4,000 Relationship Mgrs. $ 1,250-7,000 Accountable Execs $ Sr. Mgmt. oversight $ Board involvement $ Risk Oversight $ Issue Management $ 150-1,000 Regulatory & Reporting $ By [[user:]] - Own work, CC BY-SA 3.0, ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

11 Anything this expensive needs to add value Be careful how and which third parties you let in Select the right relationships that meet business needs within the minimum of risk Mitigate risks using proven expertise in deal structuring, educating your third parties, asking the right questions Build strong defenses: common-sense, risk-adjusted contract terms and conditions that will help control real risks Service and Operating Level Agreements: should be crisp, concise, and measure the right things in the right way Black Box thinking means acting on experience Challenge poor decisions that introduce unacceptable or unnecessary risks but you ll need courage, expertise and support from the top 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

12 Be a leader: Observe. Think. Act. Minimize work effort and cycle time Create actionable reporting Deliver thoughtful insight and recommendations Strengthen controls, as needed Analyze trends. Action the bad ones Structure deals and contracts using what you ve learned Be a Black Box thinker Collaborate across the sector Learn from other industries Don t lose your business focus / risk management balance 2016 ONTALA Performance Solutions Ltd.. Proprietary Information. Do not copy or distribute.

13 Strategies to Mitigate the Cost of a Risky Third-Party Relationship Manu Gopeendran Senior Director MetricStream

14 Evolution of Third-Party Management Managed in Siloes Limited to specific risks - Financial, legal etc. Scope Scope Convergence with Cybersecurity and BCM Align with ERM program Holistic view for overall risk exposure Cost, Relationships Unregulated By Sourcing, Procurement Of only third-parties Same approach for all third-parties Drivers Management Technology Then Now Technology Drivers Management Risk, Criticality Tightly Regulated Third and fourth parties Greater focus on most critical and risky third parties Manual (Spreadsheet Based) Siloed, Fragmented On-Premise Automated Workflows GRC Platform Based Cloud Based 2017 MetricStream, Inc. All Rights Reserved.

15 Loss Impact Due To Vendor Risk Exposure Source: MetricStream TPRM Research Report MetricStream, Inc. All Rights Reserved.

16 Understanding Risks in Third Party Relationships Which risk parameters are most important when evaluating third parties? Source: MetricStream Research *Respondents could choose more than one option 2017 MetricStream, Inc. All Rights Reserved. Data protection/privacy Financial viability Ability to maintain service levels Regulatory compliance requirements IT Security Business continuity risks Vendor s management (experience, turnover) Vendor s regulatory and legal environment Additional vendors in the vendor s supply chain Business model compatibility Vendor s employees Geopolitical environment Trustworthiness of public disclosures Architectural compatibility Currency fluctuations 5% 3% 3% 2% 9% 12% 16% 19% 33% 45% 59% 59% 57% 57% 67%

17 Measures Taken By Organizations To Prevent Future Risk Incidents After an incident, what measures have been taken to prevent future risk incidents? Collaborate with the third party 75% Re-assess the risk of the third party 50% Modify contract terms 42% Increase the frequency of assessments 25% Reduce business volume Temporarily suspend business relationship 17% 17% Terminate the business relationship 0% 0% 10% 20% 30% 40% 50% 60% 70% 80% *Respondents could choose more than one option 2017 MetricStream, Inc. All Rights Reserved.

18 Standardize Third Party Management Program with Technology Risk Intelligence Content 2017 MetricStream, Inc. All Rights Reserved.

19 Streamline and Standardize Third- part Management across Enterprise Capture and manage vendor hierarchy Sub-contractor, facility, product, services Facilitate vendor access to information Profile and certification updates Define standard process, checklists across departments Ensure all aspects are being assessed during onboarding (IT, Financial, BCM etc.) Assign risk rating, segment vendors Workflows to review and approve assessments and results Algorithms to automatically score and rate responses Screen your vendors for Sanctions lists Regulatory, law enforcement, and watch lists Adverse Media Politically-exposed persons and stateowned enterprises 2017 MetricStream, Inc. All Rights Reserved.

20 Integrate Risk Analysis & Rating by Combining Insights External Content / Alerts Internal Risk Assessments Consolidated Risk Rating, KRIs Track and Remediate Issues 2017 MetricStream, Inc. All Rights Reserved.

21 Establish closed-loop processes for risk mitigation Track risk mitigation actions Initiate actions based on red flags Ensure timely competition of risk mitigation activities with automated reminder notifications and escalations Collaborate with vendors to resolve issues View and implement actions raised for issues Create actions and assign it to action owner for implementation Improve monitoring of red flags View issue status and issues by type charts Provide reports & dashboards that allow vendors to monitor their status and performance 2017 MetricStream, Inc. All Rights Reserved.

22 Ensure Contract Compliance Contract Compliance Centralized repository for contracts and other certifications Automated alerts and reminders for expiry/renewal Manage contract termination Define performance metrics and scorecards KPIs based on contracts, policies Map scores for KPIs Define KRI for alerts based on thresholds 2017 MetricStream, Inc. All Rights Reserved.

23 Benefits of Adopting a Technology Framework Standardizes on-boarding process across enterprise Selection of vendors, usage across projects and services Provides Real-time visibility on vendor security profile and risks Comprehensive assessment capabilities, real-time monitoring through third-party tools Tracks TP performance & contract compliance risks Define contract SLAs, track vendor performance Enables integrated risk management Flexibility to adopt a federated approach to Enterprise, IT, Third Party Risk Management 2017 MetricStream, Inc. All Rights Reserved. Meets regulatory req. & standards OCC, FFIEC, PCI, etc. Predicts potential vendor risks Maps third-party relationships, co-relates data from multiple sources

24 About MetricStream Vision Integrated Governance, Risk and Compliance for Better Business Performance Solutions Risk Management IT Risk Management Business Continuity Management IT Compliance Management SOX Compliance Management Enterprise Risk Management Internal Audit Management Compliance Management Policy and Document Management Regulatory Change Management Organization Over 1,400 employees Headquarters in Palo Alto, California with offices worldwide Over 400 enterprise customers Privately held Backed by global leading VCs, Sage View Capital, Goldman Sachs Differentiators Technology - GRC Platform 9 Patents Breadth of Solutions Single Vendor for all GRC needs Cross-industry Best Practices and Domain Knowledge ComplianceOnline.com - Largest Compliance Portal on the Web 2017 MetricStream, Inc. All Rights Reserved.

25 GRC for High Performers Days Speakers Sessions Attendees MetricStream GRC Summit 2017 Date: November 6-7, 2017 Location: Lancaster London Hotel, London, UK Register now Use Discount Code WEB200 & Register Now for JUST 599

26 Q&A Linda Tuck Chapman Manu Gopeendran Thank you for joining us! A copy of this presentation will be made available to all participants in next 48 working hours. Contact Us: Website: webinar@metricstream.com 2017 MetricStream, Inc. All Rights Reserved. Phone: USA