VENDOR RISK MANAGEMENT FCC SERVICES
Introductions
Chris Tait, CISA, CFSA, CCSK, CCSFP: Principal, Financial Services, Baker Tilly
Russ Sommers, CPA, CISA: Senior Manager, Financial Services, Baker Tilly

Agenda
Section one: The value of vendor management. Current state and key drivers for action
Section two: Vendor risk management (VRM) lifecycle. Key stages and activities
Section three: Implementing a successful program. Challenges, best practices and lessons learned

Section one: The value of vendor management
Current state and key drivers for action
Background
Third party: Any business partner that is not under the direct control of the organization that engages them. These entities may include but are not limited to:
- Vendors or suppliers
- Providers of service (e.g., advertising / marketing, licensees, document services, administrators or processors)
- Joint venture or alliance partners

Companies utilize third parties in three main ways:
- To perform functions on the company's behalf (outsourcing)
- To provide products and services that the company does not originate (makes third party products and services available to customers)
- To franchise the company's attributes (the most risky: third party vendors conduct business in the company's name)

Audience polling question (PollEverywhere)
How mature is your organization's vendor risk management program?
A. No formal process established
B. Just getting started
C. Well defined, not consistently followed
D. It's a well-oiled machine

Third party vendor breaches
According to the Soha Systems survey*:
- Approximately 63 percent of all data breaches can be attributed to a third party vendor
- Only 2 percent of IT experts consider third party secure access a top priority
- Respondents believe their own organizations are secure from third party data breaches but think their competitors are vulnerable to them
*Soha Systems Survey on Third Party Risk Management
In the news (slide of news clippings dated March 27, April 6 and April 10; the headlines are not recoverable from the extracted text)
Audience polling question (PollEverywhere)
Does your organization conduct a formal vendor risk / third party risk management assessment?
A. Yes
B. No

In the numbers
- 63% of companies do not have a fully mature method to control and track sensitive data. In fact, 19 percent don't have a method at all [4]
- 33% of companies have not commissioned a vendor risk assessment [4]
- 58% of companies use third parties to manage sensitive data, but 48 percent of them do not have a third party management program in place [4]
- 88% of executives are confident that their companies can defend against a cyberattack. Yet 822 million records were compromised in 2013 [5]

Key risk factors
Potential risks:
- Information security and privacy
- Financial reporting
- IT continuity
- Regulatory compliance
- Data integrity
- Customer service
Outsourcing business operations or using third parties does not absolve organizations of their responsibilities to manage risk!
Section two: Vendor risk management lifecycle
Key stages and activities:
1. Planning
2. Due diligence and selection
3. Contract negotiation
4. Ongoing monitoring
5. Termination
Vendor risk management lifecycle When and how does your organization conduct third-party due diligence?
Vendor risk management lifecycle
How are third parties monitored after the initial screening (due diligence)? (chart: % of respondents [6])
Response options:
- We continuously monitor our 3P engagements ourselves
- We monitor only select, high-risk 3Ps after initial screening
- We get regular KPI reporting from our 3Ps
- We do not monitor 3Ps after an initial screening
- We use an outsourced 3P provider for continuous monitoring
- Other
The reported values are 40%, 40%, 14%, 13%, 13% and 6%, but the extracted text does not preserve which value belongs to which option.
Vendor risk management lifecycle: Planning
Key tasks in planning include:
- Identify business need (requires stakeholder involvement)
- Define detailed solution requirements
- Establish top selection criteria (i.e., vendor evaluation factors that will hold the most weight in the selection process)
- Develop an inherent risk profile based on the services to be provided
- Obtain appropriate approvals to proceed with a request for proposal (RFP)
- Understand the data flow (input, process, output)

Vendor risk management lifecycle: Due diligence and selection
Key tasks in due diligence and selection include:
- Identify vendors to solicit for proposal
- Determine proposal format / content requirements and the timeline to submit questions / proposals, and issue the RFP
- Obtain organizational information for each vendor:
  - Company history, reputation and financial standing
  - Description of key programs and policies (e.g., risk management, information security, disaster recovery / business continuity)
  - Any use of sub-contractors ("fourth-party vendors")
- Evaluate due diligence materials and proposals, select provider

Vendor risk management lifecycle: Contract negotiation
Key tasks in contract negotiation include:
- Determine contract composition (e.g., which party's contract template to start with, who will complete the initial draft, etc.)
- Include language to address:
  - Roles and responsibilities
  - Scope, timing and key milestones
  - General business terms (GBTs, also T&C)
  - Fees
  - Confidentiality (e.g., NDA, handling of customer data)
  - Performance measurements
  - Internal control / audit requirements (e.g., SOC)
  - Termination rights
  - Ownership and return of data
- Negotiate contract language and obtain necessary approvals on revisions
- Execute agreement

Vendor risk management lifecycle: Ongoing monitoring
Key tasks in ongoing monitoring include:
- Develop a risk-based vendor review schedule to guide activities and track progress
- Define criteria and procedures for escalation in case of noncompliance
- Activities to gauge vendor performance may include:
  - Establish performance indicators (similar in purpose to the top selection criteria)
  - Review contractual SLAs against actual performance
  - Leverage existing system data to efficiently generate metrics dashboards
  - Distribute customer satisfaction surveys to organizational stakeholders
- Keep monitoring simple: minimize metrics to the most important ones

Ongoing monitoring: Internal control options
Potential activities to obtain assurance over internal controls may include:
- Issue vendor questionnaires
- Perform desktop audits of:
  - Key program and policy documentation
  - Third-party reports or certifications: SOC report or equivalent (dependent on industry and the inherent risks of the vendor's services)
- Onsite audit, by internal resources or a third party contracted on your behalf
Ongoing monitoring: SOC reporting options

SOC 1
- Guidance: SSAE 16
- Scope: Controls related to the client's financial reporting (ICFR)
- Typical report users: Internal / external auditors

SOC 2
- Guidance: AT 101
- Scope: Controls related to IT operations or compliance: security, confidentiality, processing integrity, availability and / or privacy
- Typical report users: Vendor management, internal / external auditors

SOC 3
- Guidance: AT 101
- Scope: Controls related to IT operations or compliance
- Typical report users: General use

AUP (agreed-upon procedures)
- Guidance: AT 201
- Scope: Controls determined by the requesting party
- Typical report users: Requesting client only

Remember: The best option is subjective and depends on the services performed and the related third party risks.

Vendor risk management lifecycle: Termination
Key tasks in termination include:
- Evaluate reasons for considering termination (e.g., performance issues, wish to bring in-house)
- Perform a cost-benefit analysis: transition costs vs. benefits of changing
- Review contract language on the original contract term and termination rights
- Develop a plan for termination procedures, responsibilities and timeline
- Determine the appropriate point of contact, designate a liaison for the termination process and deliver termination notice to the vendor
- Manage the transfer of assets, data and knowledge
Section three: Implementing a successful program
Challenges, best practices and lessons learned

What can undermine program effectiveness? (chart: % of respondents [6])
Response options:
- Difficulty monitoring 3P relationships
- Limited resources
- Reporting on 3P issues is inconsistent
- Gathering, integrating, analyzing, making use of 3P data
- No central repository for documentation related to 3Ps
- Poorly defined methodology for managing 3P
- No clear ownership for the program
- Lack of governance
- Employees do not adhere to 3P risk management processes
- Lack of internal skill set
- Leaders do not support 3P risk management
- Organization unwilling to ask on 3Ps if business impact
- Other
The reported values are 51%, 51%, 43%, 42%, 40%, 37%, 36%, 31%, 29%, 23%, 20%, 16% and 4%, but the extracted text does not preserve which value belongs to which option.
Roles and responsibilities: Which model?
- Decentralized
- Centralized

Audience polling question (PollEverywhere)
Do you have a centralized, decentralized or hybrid VRM model?
A. Centralized
B. Decentralized
C. Hybrid

Roles and responsibilities: Who?
- Business lead
- Internal audit
- Executive management
- Compliance
- ERM
- IT
- Legal
- VMS

Tool sets: Which framework?
- Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook: vendor and third-party management, outsourcing technology services and supervision of technology service providers
- Office of the Comptroller of the Currency (OCC): OCC Bulletin 2013-29
- Shared Assessments SIG Toolset: independently built by a cross-functional industry group and updated on an annual basis

Tool sets: Which platform?
- Microsoft Suite
- SharePoint
- Vendor management software

Audience polling question (PollEverywhere)
What tools does your organization use to track third party / vendor risks and conduct an analysis?
A. Microsoft Office Docs
B. Shared Assessments Framework (SIG)
C. GRC Toolset
D. Other tools
E. We don't track them
Limited resources
Limited resource solutions:
- BUDGET: Advocate for dedicated budgets and program resources. Improved compliance reduces any fines or penalties that could impact the bottom line.
- TARGET: Tighter focus on the specific controls associated with those relationships found to pose the greatest risk, made possible through vendor stratification.
- SIMPLIFY: Reduce the cost of managing vendor risk through stratification, process simplification and use of technology.
- STANDARDIZE: Improved efficiency, timeliness and accuracy stemming from streamlined and standardized processes.

Create, classify and review: How to identify vendors?
- Follow the money!
- Look for contracts
- Meet with business units

Create, classify and review: How many tiers and what review frequency?
- Tier 1, Critical: mission critical; significant risk. Review frequency: semi-annual
- Tier 2, Essential: minimum level of service; critical data. Review frequency: annual
- Tier 3, Operational: no critical data; minimal or no customer impact. Review frequency: biennial

Vendor stratification
- Remove categories that don't pose risk
- Stratify third parties into risk categories
- Prioritize high risk vendors for review:
  - Higher risk: on-site reviews
  - Moderate risk: desktop reviews
  - Lower risk: vendor self assessments

Questions to ask yourself
- Are third-party risks considered in the organization's overall approach to enterprise risk management?
- Do risk managers consider third-party risk in their risk assessments?
- Are appropriate resources allocated to address third-party risks?
- Are third-party risk management roles and responsibilities clearly defined within the organization?
- Has an inventory and ranking of third-party risks been performed?
Cited references
[1] Tone at the Top, IIA, April 2014, Issue 67.
[2] Here's who boardrooms are blaming for data breaches, Fortune Magazine, May 29, 2015, http://fortune.com/2015/05/29/boardroom-data-breach-blame/
[3] Reputation Risk Leading Company Concern in 2015, Forbes, January 5, 2015, http://www.forbes.com/sites/tatianaserafin/2015/01/05/reputation-risk-leading-companyconcern-in-2015/#7def6f184ce5
[4] Trustwave, 2014 State of Risk Report, https://www2.trustwave.com/rs/trustwave/images/2014_tw_stateofriskreport.pdf
[5] http://blog.evantix.com/nine-surprising-stats-about-vendor-risk-management
[6] Note: Adapted from the 2015 Ethics & Compliance Third Party Risk Management Benchmark Report by NAVEX Global, retrieved from http://www.navexglobal.com/sites/default/files/navexglobal_2015_thirdpartyrisk_benchmarkreport_web.pdf

Disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Tax information, if any, contained in this communication was not intended or written to be used by any person for the purpose of avoiding penalties, nor should such information be construed as an opinion upon which any person may rely. The intended recipients of this communication and any attachments are not subject to any limitation on the disclosure of the tax treatment or tax structure of any transaction or matter that is the subject of this communication and any attachments. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
2017 Baker Tilly Virchow Krause, LLP