VENDOR RISK MANAGEMENT FCC SERVICES


Introductions

Chris Tait, CISA, CFSA, CCSK, CCSFP, Principal, Financial Services, Baker Tilly
Russ Sommers, CPA, CISA, Senior Manager, Financial Services, Baker Tilly

Agenda

Section one: The value of vendor management. Current state and key drivers for action.
Section two: Vendor risk management (VRM) lifecycle. Key stages and activities.
Section three: Implementing a successful program. Challenges, best practices and lessons learned.

Section one: The value of vendor management. Current state and key drivers for action.

Background

Third party: any business partner that is not under the direct control of the organization that engages it. These entities may include, but are not limited to:
- Vendors or suppliers
- Providers of services (e.g., advertising / marketing, licensees, document services, administrators or processors)
- Joint venture or alliance partners

Companies use third parties in three main ways:
- To perform functions on the company's behalf (outsourcing)
- To provide products and services that the company does not originate (the company makes third-party products and services available to its customers)
- To franchise the company's attributes (the riskiest arrangement: the third party conducts business in the company's name)

Audience polling question (PollEverywhere): How mature is your organization's vendor risk management program?
A. No formal process established
B. Just getting started
C. Well defined, not consistently followed
D. It's a well-oiled machine

Third party vendor breaches

According to the Soha Systems Survey on Third Party Risk Management:
- Approximately 63 percent of all data breaches can be attributed to a third party vendor
- Only 2 percent of IT experts consider third party secure access a top priority
- Respondents believe their own organizations are secure from third party data breaches but think their competitors are vulnerable to them

In the news (slide of news clippings dated April 6, April 10 and March 27; the headlines did not survive transcription)

Audience polling question (PollEverywhere): Does your organization conduct a formal vendor risk / third party risk management assessment?
A. Yes
B. No

In the numbers

- 63% of companies do not have a fully mature method to control and track sensitive data; in fact, 19 percent don't have a method at all [4]
- 33% of companies have not commissioned a vendor risk assessment [4]
- 58% of companies use third parties to manage sensitive data, but 48 percent of them do not have a third party management program in place [4]
- 88% of executives are confident that their companies can defend against a cyberattack, yet 822 million records were compromised in 2013 [5]

Key risk factors

Potential risks include: information security and privacy; financial reporting; IT continuity; regulatory compliance; data integrity; customer service.

Outsourcing business operations or using third parties does not absolve organizations of their responsibility to manage risk!

Section two: Vendor risk management lifecycle. Key stages and activities.

Lifecycle stages: Planning; Due diligence and selection; Contract negotiation; Ongoing monitoring; Termination

Vendor risk management lifecycle: When and how does your organization conduct third-party due diligence?

Vendor risk management lifecycle: How are third parties monitored after the initial screening (due diligence)?

(Bar chart, % of respondents, adapted from the NAVEX Global benchmark report [6]. Response categories: We continuously monitor our 3P engagements ourselves; We monitor only select, high-risk 3Ps after initial screening; We get regular KPI reporting from our 3Ps; We do not monitor 3Ps after an initial screening; We use an outsourced 3P provider for continuous monitoring; Other. The percentages shown (40%, 14%, 13% and 6%) could not be reliably matched to categories in the transcription.)

Vendor risk management lifecycle: Planning

Key tasks in planning include:
- Identify the business need (requires stakeholder involvement)
- Define detailed solution requirements
- Establish top selection criteria (i.e., the vendor evaluation factors that will carry the most weight in the selection process)
- Develop an inherent risk profile based on the services to be provided
- Obtain appropriate approvals to proceed with a request for proposal (RFP)
- Understand the data flow (input, process, output)

Vendor risk management lifecycle: Due diligence and selection

Key tasks in due diligence and selection include:
- Identify vendors to solicit for proposals
- Determine proposal format / content requirements and the timeline to submit questions / proposals, then issue the RFP
- Obtain organizational information for each vendor:
  - Company history, reputation and financial standing
  - Description of key programs and policies (e.g., risk management, information security, disaster recovery / business continuity)
  - Any use of sub-contractors ("fourth-party vendors")
- Evaluate the due diligence materials and proposals, then select the provider

Vendor risk management lifecycle: Contract negotiation

Key tasks in contract negotiation include:
- Determine contract composition (e.g., which party's contract template to start with, who will complete the initial draft, etc.)
- Include language to address:
  - Roles and responsibilities
  - Scope, timing and key milestones
  - General business terms (GBTs, also T&C)
  - Fees
  - Confidentiality (e.g., NDA, handling of customer data)
  - Performance measurements
  - Internal control / audit requirements (e.g., SOC reports)
  - Termination rights
  - Ownership and return of data
- Negotiate contract language and obtain the necessary approvals on revisions
- Execute the agreement

Vendor risk management lifecycle: Ongoing monitoring

Key tasks in ongoing monitoring include:
- Develop a risk-based vendor review schedule to guide activities and track progress
- Define criteria and procedures for escalation of noncompliance
- Activities to gauge vendor performance may include:
  - Establish performance indicators (serving a similar purpose to the top selection criteria)
  - Review actual performance against the contractual SLAs
  - Leverage existing system data to generate metrics dashboards efficiently
  - Distribute customer satisfaction surveys to organizational stakeholders
- Keep monitoring simple: limit the metrics to the most important ones

Ongoing monitoring: internal control options

Potential activities to obtain assurance over a vendor's internal controls may include:
- Issue vendor questionnaires
- Perform desktop audits of key program and policy documentation
- Review third-party reports or certifications: a SOC report or equivalent (dependent on the industry and the inherent risks of the vendor's services)
- Conduct an onsite audit, by internal resources or by a third party contracted on your behalf

Ongoing monitoring: SOC reporting options

Report   Guidance   Scope                                                                 Typical report users
SOC 1    SSAE 16    Controls related to the client's financial reporting (ICFR)           Internal / external auditors
SOC 2    AT 101     Controls related to IT operations or compliance: security,            Vendor management, internal / external auditors
                    confidentiality, processing integrity, availability and / or privacy
SOC 3    AT 101     Controls related to IT operations or compliance                       General use
AUP      AT 201     Controls determined by the requesting party                           Requesting client only

Remember: the best option is subjective, and depends on the services performed and the related third party risks.

Note: the attestation standards cited in this 2017 deck (SSAE 16, AT 101, AT 201) were superseded by SSAE 18 and its AT-C sections for reports dated on or after May 1, 2017; the report types, their scopes and their intended users are unchanged, so a current report will cite SSAE 18 rather than SSAE 16.

Vendor risk management lifecycle: Termination

Key tasks in termination include:
- Evaluate the reasons for considering termination (e.g., performance issues, a wish to bring the function in-house)
- Perform a cost-benefit analysis: transition costs vs. the benefits of changing
- Review the contract language on the original contract term and termination rights
- Develop a plan for termination procedures, responsibilities and timeline
- Determine the appropriate point of contact, designate a liaison for the termination process and deliver the termination notice to the vendor
- Manage the transfer of assets, data and knowledge

Section three: Implementing a successful program. Challenges, best practices and lessons learned.

What can undermine program effectiveness?

(Bar chart, % of respondents [6]. Categories: Limited resources; Difficulty monitoring 3P relationships; Reporting on 3P issues is inconsistent; Gathering, integrating, analyzing and making use of 3P data; No central repository for documentation related to 3Ps; Poorly defined methodology for managing 3Ps; No clear ownership for the program; Lack of governance; Employees do not adhere to 3P risk management processes; Lack of internal skill set; Leaders do not support 3P risk management; Organization unwilling to ask on 3Ps if business impact; Other. The percentages shown (ranging from 4% to 51%) could not be reliably matched to categories in the transcription.)

Roles and responsibilities: Which model? Decentralized or centralized

Audience polling question (PollEverywhere): Do you have a centralized, decentralized or hybrid VRM model?
A. Centralized
B. Decentralized
C. Hybrid

Roles and responsibilities: Who? Business lead; Internal audit; Executive management; Compliance; ERM; IT; Legal; VMS

Tool sets: Which framework?
- Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook: vendor and third-party management, outsourcing technology services and supervision of technology service providers
- Office of the Comptroller of the Currency (OCC) Bulletin 2013-29 (Third-Party Relationships: Risk Management Guidance)
- Shared Assessments SIG toolset: independently built by a cross-functional industry group and updated on an annual basis

Tool sets: Which platform? Microsoft Office suite; SharePoint; vendor management software

Audience polling question (PollEverywhere): What tools does your organization use to track third party / vendor risks and conduct an analysis?
A. Microsoft Office documents
B. Shared Assessments Framework (SIG)
C. GRC toolset
D. Other tools
E. We don't track them

Limited resource solutions

BUDGET: Advocate for dedicated budgets and program resources. Improved compliance reduces the fines or penalties that could impact the bottom line.
TARGET: Tighter focus on the specific controls associated with those relationships found to pose the greatest risk, made possible through vendor stratification.
SIMPLIFY: Reduce the cost of managing vendor risk through stratification, process simplification and use of technology.
STANDARDIZE: Improved efficiency, timeliness and accuracy stemming from streamlined and standardized processes.

Create, classify and review: How to identify vendors? Follow the money! Look for contracts; meet with business units.

Create, classify and review: How many tiers, and what review frequency?

Tier 1 Critical: mission critical; significant risk. Review semi-annually.
Tier 2 Essential: minimum level of service; critical data. Review annually.
Tier 3 Operational: no critical data; minimal or no customer impact. Review biennially.

Vendor stratification
- Remove categories that don't pose risk
- Stratify third parties into risk categories
- Prioritize high risk vendors for review:
  - Higher risk: on-site reviews
  - Moderate risk: desktop reviews
  - Lower risk: vendor self-assessments
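The tiering scheme, the review cadence and the "risk-based vendor review schedule" task from the ongoing monitoring stage fit together into one small piece of tooling. The following is an added example, not code from the Baker Tilly deck or from any vendor management product: it assigns each vendor an inherent-risk tier from a few service attributes, picks the review depth for that tier (on-site, desktop, self-assessment), computes the next review due date from the last review and the tier's cadence, and flags overdue reviews. The Vendor fields, the tiering rules (mission-critical or significant-risk services are Tier 1; critical data or customer impact alone is Tier 2), the escalation of a Tier 1 vendor with no assurance report on file, and the sample inventory are all assumptions made for illustration.

```python
"""Vendor tiering and risk-based review scheduling (added example, not from the deck).

Encodes the three-tier scheme described above (Tier 1 Critical: semi-annual,
Tier 2 Essential: annual, Tier 3 Operational: biennial) and the stratified
review depth (on-site, desktop, vendor self-assessment). The Vendor fields,
tiering rules and sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Review cadence in months and review depth per tier, as on the slides.
REVIEW_INTERVAL_MONTHS = {1: 6, 2: 12, 3: 24}
REVIEW_TYPE = {1: "on-site review", 2: "desktop review", 3: "vendor self-assessment"}

# "Today" for the worked example, so the result is reproducible.
EXAMPLE_TODAY = date(2017, 9, 1)


@dataclass
class Vendor:
    name: str
    mission_critical: bool        # an outage halts a core business process
    significant_risk: bool        # e.g. the vendor conducts business in the company's name
    handles_critical_data: bool   # customer or other sensitive data is in scope
    customer_impact: bool         # a failure would be visible to customers
    last_review: Optional[date]   # None means the vendor has never been reviewed
    soc_report_on_file: bool = False


def inherent_tier(v: Vendor) -> int:
    """Tier from the inherent risk of the service, before considering the vendor's controls.

    Assumed rules: mission-critical or significant-risk services are Tier 1;
    critical data or customer impact without those is Tier 2; the rest is Tier 3.
    """
    if v.mission_critical or v.significant_risk:
        return 1
    if v.handles_critical_data or v.customer_impact:
        return 2
    return 3


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months; the day is clamped to 28 so the result is valid in any month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    return date(d.year + years, month_index + 1, min(d.day, 28))


def next_review_due(v: Vendor, tier: int) -> Optional[date]:
    """Due date of the next review; None when the vendor has never been reviewed (due now)."""
    if v.last_review is None:
        return None
    return add_months(v.last_review, REVIEW_INTERVAL_MONTHS[tier])


def build_schedule(vendors: List[Vendor], today: date) -> List[Dict]:
    """One row per vendor: tier, review type, due date and escalation flags, highest risk first."""
    rows = []
    for v in vendors:
        tier = inherent_tier(v)
        due = next_review_due(v, tier)
        flags = []
        if due is None or due < today:
            flags.append("overdue")
        # Assumption for this example: a Tier 1 vendor with no independent assurance
        # report on file is escalated regardless of where it sits in the schedule.
        if tier == 1 and not v.soc_report_on_file:
            flags.append("no-assurance-report")
        rows.append({"name": v.name, "tier": tier, "review_type": REVIEW_TYPE[tier],
                     "due": due, "flags": flags})
    # Tier 1 first; within a tier, never-reviewed vendors (due=None) come before dated ones.
    rows.sort(key=lambda r: (r["tier"], r["due"] or date.min))
    return rows


def sample_vendors() -> List[Vendor]:
    """Constructed inventory for the example; these are not real vendors."""
    return [
        Vendor("CoreBank Processing", True, False, True, True, date(2017, 1, 15)),
        Vendor("Statement Printing Co", False, False, True, False, date(2016, 10, 1), soc_report_on_file=True),
        Vendor("Office Supplies Inc", False, False, False, False, date(2016, 3, 1)),
        Vendor("Marketing Agency", False, True, False, True, None, soc_report_on_file=True),
    ]


if __name__ == "__main__":
    for row in build_schedule(sample_vendors(), EXAMPLE_TODAY):
        due_txt = str(row["due"]) if row["due"] else "now"
        print(f"Tier {row['tier']}  {row['name']:<22} {row['review_type']:<22} "
              f"due {due_txt:<10}  {' '.join(row['flags'])}")
```

Running the block prints the schedule ordered Tier 1 first, with the never-reviewed marketing agency (acting in the company's name) at the top and the core processor flagged both overdue and without an assurance report. The point of keeping the tiering rules in one function is that the inherent risk profile from the planning stage drives both the review cadence and the review depth, so a change in the scheme changes the whole schedule consistently.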

Questions to ask yourself
- Are third-party risks considered in the organization's overall approach to enterprise risk management?
- Do risk managers consider third-party risk in their risk assessments?
- Are appropriate resources allocated to address third-party risks?
- Are third-party risk management roles and responsibilities clearly defined within the organization?
- Has an inventory and ranking of third-party risks been performed?

Cited references
1. Tone at the Top, IIA, April 2014, Issue 67.
2. Here's who boardrooms are blaming for data breaches, Fortune Magazine, May 29, 2015, http://fortune.com/2015/05/29/boardroom-data-breach-blame/
3. Reputation Risk Leading Company Concern in 2015, Forbes, January 5, 2015, http://www.forbes.com/sites/tatianaserafin/2015/01/05/reputation-risk-leading-company-concern-in-2015/#7def6f184ce5
4. Trustwave, 2014 State of Risk Report, https://www2.trustwave.com/rs/trustwave/images/2014_tw_stateofriskreport.pdf
5. Nine surprising stats about vendor risk management, Evantix, http://blog.evantix.com/nine-surprising-stats-about-vendor-risk-management
6. Adapted from 2015 Ethics & Compliance Third Party Risk Management Benchmark Report, NAVEX Global, retrieved from http://www.navexglobal.com/sites/default/files/navexglobal_2015_thirdpartyrisk_benchmarkreport_web.pdf

Disclosure The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. 2017 Baker Tilly Virchow Krause, LLP