Benchmarking Your Third Party Risk Management Program

Transcription

1 Benchmarking Your Third Party Risk Management Program October 26, 2016

2 P R E S E N T E D B Y Randy Stephens Vice President, Advisory Services NAVEX Global Michael Volkov CEO & Owner The Volkov Law Group

3 Agenda Third Party Risk Management in Your Compliance Program NAVEX Global s 2016 Third Party Risk Management Benchmark Report State of Third Party Risk Management Today Approach to Third Party Due Diligence Third Party Risk Management Program Maturity Program Performance and Satisfaction Take-Aways and Recommendations Q&A

4 In This Webinar You Will Learn How your program stacks up against 394 of your peers Top objectives and challenges for third party risk managers Trends in how organizations like yours are screening and monitoring third parties How mature programs approach third party risk management and their performance improvements How to leverage our findings to increase program effectiveness

5 How concerned are you about your third party risk management program? Survey Question

6 Agenda Third Party Risk Management in Your Compliance Program NAVEX Global s 2016 Third Party Risk Management Benchmark Report State of Third Party Risk Management Today Approach to Third Party Due Diligence Third Party Risk Management Program Maturity Program Performance and Satisfaction Take-Aways and Recommendations Q&A

7 The NAVEX Global Compliance Ecosystem NAVEX Global offers a comprehensive suite of solutions that support each element of your ethics and compliance program: Establish and Manage Policy Train and Engage Report and Resolve Assess and Monitor Expert Guidance

8 Agenda Third Party Risk Management in Your Compliance Program NAVEX Global s 2016 Third Party Risk Management Benchmark Report State of Third Party Risk Management Today Approach to Third Party Due Diligence Third Party Risk Management Program Maturity Program Performance and Satisfaction Take-Aways and Recommendations Q&A

9 2016 Third Party Risk Management Benchmark Report Facilitated by a third party research firm in August and September, respondents completed the survey Respondents represent: 21 industries 54% Senior managers and C-level 28% Management 18% Non-managers and other roles Respondents include: 40% Large organizations (5,000+ employees) 31% Medium sized organizations ( employees) 29% Small organizations (<500 employees)

10 BENCHMARKING YOUR THIRD PARTY RISK MANAGEMENT PROGRAM State of Third Party Risk Management Today

11 Survey Question What is your top third party risk management program objective?

12 Top Objective is to Protect the Organization From Risk

13 This Year, the Top Challenge is Conflicts of Interest

14 Top Internal Program Challenges Focused on Resources

15 Budgets Remaining Steady or Growing

16 An Increase in Third Party Legal Action There has been an increase in legal or external regulatory action (32% in 2016 vs. 21% in 2015), representing a 34% increase.

17 Legal and Regulatory Action Frequency Increasing

18 Slight Changes in Priorities Fear of third party failure tops fear of corruption this year. Top objectives reveal a fear that lack of control over third parties can negatively impact the organization Conflicts of interest are top of mind, bribery and corruption in the number two spot. Conflicts of interest can be an indicator of a broader set of issues Cyber security concerns are top of mind, especially in banking and healthcare Internal program concerns focus on a lack of resources and desire to create and deliver comprehensive coverage, yet budgets are not growing to match demand The frequency of legal and regulatory actions related to third parties has increased, adding urgency to program performance

19 BENCHMARKING YOUR THIRD PARTY RISK MANAGEMENT PROGRAM Approach to Third Party Due Diligence

20 How do you evaluate your third parties before you engage with them? Survey Question

21 A Drop in Risk-Based Pre-Engagement Evaluations

22 Less Than Half of Programs Screen and Monitor Well

23 In 2016, An Increase in Screening ALL Third Parties

24 But, Only 22% Monitor All of Their Third Parties

25 Multiple Sources for Discovering Red Flags

26 Approach to Due Diligence is Often Incomplete NAVEX Global strongly suggests a risk-based approach to third party risk management While more companies are screening all of their third parties, too few continuously monitor them The FCPA Resource Guide* suggests organizations should take on some form of ongoing monitoring of third party relationships To cover all your potential third party risks, best practices are to do continuous monitoring of all of your third parties Organizations deploying continuous monitoring can deal with issues immediately and appropriately. It also provides transparency and offers the most defensible position. Tools are available to optimize your third party screening and monitoring program * A Resource Guide to the U.S. Foreign Corrupt Practices Act. See references slide.

27 BENCHMARKING YOUR THIRD PARTY RISK MANAGEMENT PROGRAM Third Party Risk Management Program Automation and Maturity

28 Only 8% Use an Automated and Purpose-Built Solution

29 How do you evaluate your program s maturity? Survey Question

30 Most Programs are Maturing Maturing programs either screen all of their third parties but don t continuously monitor all of them, or screen the majority of their third parties and have some level of structured and continuous monitoring in place.

31 Automation and Maturity Often Overlap Organizations that use automated systems and those with Maturing / Advanced programs tend to have a greater number of FTEs and higher budgets assigned to manage third party risk management. Those that do not use automatic systems and those with Reactive / Basic programs also tend to have one or zero FTEs assigned to manage their third party risk.

32 Mature Programs are More Likely to Screen All Third Parties

33 Mature Programs Also Monitor More Aggressively

34 Program Automation and Maturity Both options enable better risk management Mature programs are more likely to have invested in automation, which extends program capabilities Mature programs tend to screen and monitor all of their third parties. This delivers visibility unavailable in less centralized and consistent programs

35 BENCHMARKING YOUR THIRD PARTY RISK MANAGEMENT PROGRAM Program Performance and Satisfaction

36 Automated Systems Improve Program Satisfaction

37 Mature Programs Show Even More Program Satisfaction

38 Use of Due Diligence Vendors Enhance Satisfaction

39 Use of a Due Diligence Vendor Helps Identify More Red Flags

40 Performance and Satisfaction Tied to Program Investment With an increase in legal and regulatory actions, those with mature programs are better positioned to mitigate risks Maturing programs have operationalized their efforts and are screening and monitoring most or all of their third parties Automated systems enable risk managers to focus on critical tasks rather than basic program management (aka, internal resources or Internet searches) A combination of automation and maturity leads to the best program results

41 Agenda Third Party Risk Management in Your Compliance Program NAVEX Global s 2016 Third Party Risk Management Benchmark Report State of Third Party Risk Management Today Approach to Third Party Due Diligence Third Party Risk Management Program Maturity Program Performance and Satisfaction Take-Aways and Recommendations Q&A

42 Key Take-Aways Most organizations indicate they could be doing a better job managing their risk. 58% indicate they do a good job complying with laws and regulations and less than 25% rate their overall program as Good 30% indicate they expect their organizations will increase third party engagements in the next year Less than half conduct due diligence screening on ALL their third parties 22% continuously monitor ALL their third parties One-third of organizations have faced legal or regulatory issues that involved third parties 50% of these involved average costs of $10,000 or more per incident There are strong indications that programs that screen, monitor and use automated third party management platforms see better program performance

43 Recommendations Program sophistication is the differentiator. As organizations realize the amount of work and resources required to adequately manage their third party engagements, automation can deliver clarity, program completeness, and confidence Program sophistication supersedes organization size, budget, FTEs and the number of third parties managed in terms of program performance and satisfaction Organizations of all sizes should approach third party risk management with purpose and focus: Measurement, milestones, and outcomes Program efficiency, effectiveness, structure and performance

44 Attend the NAVEX Global Virtual Conference

45 Third Party Risk Management Program Third Party Risk Management Tools and Thought Leadership: /Resources WHITEPAPER: How to Automate Third Party Due Diligence Monitoring: Ten Steps to Success WHITEPAPER: A Prescriptive Guide to Third Party Risk Management Visit Our Website to Access More Benchmarking Resources From NAVEX Global: E&C Hotline Benchmark Report E&C Training Benchmark Report E&C Policy Management Benchmark Report Consulting Solutions: Learn how our Advisory Services team can help you identify and address program gaps with risk and culture assessments, in-person training and more. Request a consultation today. Department of Justice Resource Guide

46 Thank You! Randy Stephens Vice President, Advisory Services NAVEX Global Michael Volkov Chief Executive Officer The Volkov Law Group