Advanced Third-Party Risk Issues. Now that You've Created a Vendor Management Program, How Do You Keep Vendor Oversight Effective and Ongoing?


Agenda
Due diligence
Contractual requirements
Onboarding/ongoing monitoring
Contract termination (natural term/closure or termination for cause)
When something goes wrong (breach, bankruptcy, other issues)

Due Diligence: Risk Factors
General control environment
Strength of financial condition
Turnover of management and employees
Redundancy/business continuity capability
Outsourcing/reliance on subcontractors; push-down of contract requirements
Interaction with government

Due Diligence: What to Review
Reputation
Knowledge of laws and regulations
Risk management program
Effectiveness of controls
Documentation of procedures
Training program

What Counts for Due Diligence
Assurance that a potential vendor is financially stable, ethically sound and has a strong corporate structure. Reviews should be tailored to the risk the vendor may present to your organization. Performed by the Vendor Management Office (VMO). The VMO is responsible for having a non-biased view of vendors and manages the vendor relationship.

Risks
Auditors and regulators could impose penalties, revoke licenses to practice or take legal action against your company if the vendor is not compliant with the standards. The press can also damage your company's reputation if a vendor's lack of compliance is exposed. This could negatively affect investor ratings, rating agency scores, shareholders and more.

Types of Vendors
Support (most intense review): handling of PII, compliance, legal, financial, corporate structure and stability, annual spend
Technology (depends on type of product): handling of PII, security of systems (SSAE 16 or similar audit), financial, legal, corporate structure and stability, annual spend
Non-essential: financial, legal, corporate structure and stability
Google search (news) on all

RFP
When to do one
How to review responses
Deviations
Advice in advance
Follow-through: build into the contract what was promised in the RFP and the presentation

CONTRACTS

Depends on Vendor Type: Support, Technology, Non-essential, Contractor
Location: key regional differences
Expansion of services: one-time engagement or building a relationship
Regulatory concerns

Key Provisions
Services or goods
Payment terms
Termination
Reps and warranties
Confidentiality
Exclusivity
IP
Limitation of liability
Indemnification
Security protocols
Passthrough provisions

Special Contracts
Business associate agreements
Data processing agreements
Employment

Prepare for the End
Termination at the end of the contract, or because of an issue with the relationship
Data held by the vendor
Information known by the vendor
Nonsolicitation clauses

MONITORING

External Data Sources
Watch List Lookup: the Thomson Reuters World-Check tool comprises over 300 global watchlists, including OFAC. Watchlist findings can indicate whether the vendor is working with any bad players or terrorist organizations.
PCI Lookup: if the vendor is used to electronically process, store or transmit credit or debit cardholder information, they are run through Visa's and MasterCard's global registry of organizations compliant with their security standards.
Consumer Financial Protection Bureau (CFPB) Lookup: the CFPB maintains a database of consumer complaints raised against organizations operating in the United States. Reviewing the entries in the CFPB database provides insight into public perception of a vendor, as well as their ability to properly deliver services.
Office of the Comptroller of the Currency (OCC) Lookup: a review of the data from the independent bureau within the Department of the Treasury that periodically issues consent orders against regulated entities, including cease and desist orders, monetary penalties, and general findings.
Financial Lookups: vendors receive a financial health review from several financial data sources to properly identify any bankruptcy or solvency risk.
All issues identified in the external data review are logged within the vendor risk management platform, decisioned, and tracked.

Vendor Required Updates
3rd-party Service Auditor Reports (SOC 1, SOC 2 or ISAE 3402)
Breach Notification Plan
Business Continuity/Disaster Recovery Program materials and test results
Applicable PCI Attestations of Compliance
Financial package
Proof of insurance
Policies and other program documentation
Any other client-requested documentation
All evidence collected will be reviewed and any issues will be logged.

Internal Data Sources
SLAs: have SLAs been consistently met, and/or timely credits issued where appropriate?
Deliverables: have deliverables met expectations, or had to be modified due to vendor requirements?
Relationship: how does the vendor interact with internal relationship managers?

Findings and Issues
All potential matches or indications of risk stemming from the external data review, vendor control survey and evidence review are referred to as findings. When a finding meets the appropriate level of control weakness or gap, it becomes an issue. All issues from any external data review, vendor control survey or evidence review will be logged and decisioned. Issues can be decisioned in multiple ways: mitigation, terminated vendor relationship, risk acceptance. All issues that are risk accepted are periodically reviewed to ensure that the risk is still appropriate to accept.

TERMINATION

Alternatives to Termination
Change request strategy
Limiting service (partial termination)
Compensation
Sue for breach

Termination of Vendor Contract
Normal termination: timing
Termination for cause: insolvency/trigger event; breach of contract; elimination of the business basis

Ramp Down
Often a hostile or neutral environment
Periods for handing over / ramp down + ramp up
Process of handing over
Communication with the new vendor
Motivations for the current vendor to cooperate with the new one

Transfer of documentation
Transfer of processes?
Transfer of employees?
Transfer of data + software; IP rights and NDAs
Right to withhold goods stored at the location in case of a dispute

Right to Data Portability (Art. 20 GDPR)
Data subject
Structured, commonly used and machine-readable form
Right to transfer to a third party
Directly from one controller to another

WHEN SOMETHING GOES WRONG

Reality: Things Go Wrong
Seemingly innocuous events, changes, and failures can be symptomatic of much bigger (but less obvious) third-party problems
Events can become incidents, and incidents can escalate into investigations if not handled promptly and effectively (e.g. FCPA!)
Be Prepared!
Conduct event handling and incident management scenarios
Events can become real-world opportunities to test and improve processes
Potentially highlights the need for alternate third parties to ensure continuation of critical business / services

Best Practices
Establish internal policies for employees: what to do when something goes wrong with third-party vendors
Clear instructions on who to alert or escalate to (VMO, Risk, IT, Legal?) based on the event or incident
Assess type and severity of the event, factoring in 3rd-party risk factors (country, type of service, impact on operations, value of business)
Does the event expose an unforeseen weakness that necessitates a re-assessment of the vendor's risk, or additional due diligence?
Triage and remediation processes for more serious incidents (or in higher-risk situations)

Are You Ready?
43% of incident management professionals report their organization has a formalized incident management plan. Only 9% deem their program to be very effective.
Source: Torres, A. "Incident Response: How to Fight Back: A SANS Survey." SANS Institute InfoSec Reading Room, August 2014.

Identification and Escalation
Functions (columns): VMO, Legal, Compliance, IT / IS, Risk, Finance
Event: News (reputational risk)
Event: No longer receiving services
Event: Fail in SLA
Event: Law enforcement notice
Event / Incident: Regulatory action
Event: Business changes (staff, model, owner)
Incident: Breach
Incident: Bankruptcy
Incident: Natural disaster
Legend: Alert; Escalate

Regulatory Actions
90% of reported FCPA cases involved allegations about actions taken by third parties (EY's 12th Global Fraud Survey).

Best Practices - Serious Incidents
Design a triage process for more serious incident types (e.g. 3rd-party bribery allegation)
Consider a response team that can be quickly assembled to coordinate activities related to the incident
Implement an incident management system to capture key facts, establish a timeline, and provide evidence
Establish a defensible communications trail with the third party (who, when, what, where, how, why)
Be prepared to involve independent service providers (law firm, auditors, data collection) to provide local and global support
Notification may need to include CEO, Board, PR, etc.

Incident Management Framework
During Incident: Identification; Containment; Notification; Recovery
Post Incident: Business Resumption; Remediation; Management; Post-Incident Contract Response; Recovery

Incident Management System
Fields: Incident Type; Location of Incident; Date Reported; Reported By; Date of Incident; Nature of Incident; Parties (Third Party, Customer, Internal Party); Severity
A robust incident management system should incorporate rules driven by factors such as the incident type, location, and severity to drive the workflow and ensure relevant data is captured. Tracking the parties involved in the incident helps ensure not only that the relevant people are notified, but also assists in root cause analysis and remediation.

Post Incident Management
Ending the relationship
Manage the transition within the vendor
Move to another vendor
Regulatory issues?
Contract changes
Insurance coverage

Discovering
News
No longer receiving services
Fail in SLA
Law enforcement notice
Regulatory action
Business changes: staff, model, owner

Special Wrongs
Breaches
Bankruptcy
Natural disasters

Managing
Ending the relationship
Manage the transition within the vendor
Move to another vendor
Regulatory issues?
Contract changes
Insurance coverage

QUESTIONS