Optimizing an Enterprise Wide Effective Vendor Risk Management Program. Pam Schott Head and VP Enterprise Supplier Governance

Similar documents
Customer Support Group (CSG) Invoicing and Monitoring Arrangements. April 2016

Q1 Please select the primary industry in which your company operates.

US Business Continuity Safeguarding Your Business from a Disaster

Extended Enterprise Risk Management

Ensuring Organizational & Enterprise Resiliency with Third Parties

Vendor Management Risk Mitigation:

Risk Advisory Services Developing your organisation s governance for competitive advantage

Time Topic Responsible

Third Party Risk Management ( TPRM ) Transformation

WELCOME. 1

CITIBANK N.A JORDAN. Governance and Management of Information and Related Technologies Guide

Why Is Third Party Risk Management Important?

Role of Operational Risk in the Product Lifecycle Presented By: Chris Nestore, SVP Head of Operational Risk Management, TD Bank

Real Estate Lifecycle

IT Service Delivery And Support Week Seven: SLA. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Control and testing transformation

Click to edit Master title style

Case Study Webinar: Vendor Risk Management at Global Lending Services

MANAGING RISK AT SUNCORP

Heightened standards for compliance risk management. Lines of defense compliance s role

Bank It: Optimizing the Source to Contract Process to Maximize and Lock in Savings. Cardinal Health Patrick Eckhert Head of Indirect Procurement

7 Key Trends in Enterprise Risk Management

Lessons Learned in Streamlining the Third-party Risk Assessment Process

Risk Management Policy and Framework

5. Effective controls and risk management

Optiv's Third- Party Risk Management Solution

How to Deliver Value Through The Three Lines of Defense

San Francisco Chapter. Presented by Scott Perry - Slalom Consulting

RISK AND COMPENSATION COMMITTEE TERMS OF REFERENCE

Risk management is changing. Act now.

An integrated model approach to improve the management of marketed products

Model Risk Management at FinTech organizations Considerations for bank charter applicants

Strategies to Mitigate the Cost of a Risky Third-Party Relationship

USAA's Supplier Governance Transformation that Optimizes Value and Addresses Risk

Achieve Continuous Compliance via Business Service Management (BSM)

Risk Management: Building an Integrated Program to Drive Business Value

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français.

IT Governance Overview

CGI Business Process Outsourcing. for oil and gas companies

Corporate Functions & Business Operations

Outsourcing banking processes: The question is no longer if, but how to effectively manage extended enterprises

Integrating COSO s Fraud Risk Management Guide on an Enterprise Scale

Enterprise Risk Management Survey 2011

IT Executive Programs

Effects of GDPR and NY DFS on your Third Party Risk Management Program

An Executive Guide to Third Party Management

Aligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00

Intelligent Procurement from SAP Ariba

Integrating a robust third-party risk management program with the vendor onboarding process

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Effective Vendor Risk Management. April 21, Mario A. Mosse. This Training is Brought to you by ComplianceOnline. Presenter:

Navigating the New Health Economy

Internal Audit Solutions:

Outsourcing Procurement Services Deliver Higher Performance at a Lower Cost

STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017

Risk Management Strategy

Management Excluded Job Description

Supplier risk compliance obligation or source of competitive advantage? Improve supplier reliability to lift business performance

AffirmX. New York Credit Union Association. AffirmX. Linda Bow, CUCE, CRCM Director of Compliance

Managed Governance Services

Client onboarding and Legal Entity Data Solutions from Thomson Reuters

Asset Acceptance Capital Corp.

Dig Deeper. Supply Chain

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

CORROSION MANAGEMENT MATURITY MODEL

Be a Hero in Boom Times Not Just in Bust Times

THE 8 REPORTS YOU NEED FOR EFFECTIVE AND EFFICIENT VENDOR RISK MANAGEMENT

Internal Auditors and Enterprise Risk Management (ERM) ICPAK Presentation

VENDOR RISK MANAGEMENT FCC SERVICES

Maximizing value from your lines of defense

Enterprise Risk Management Montana State Fund

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The "COMPANY") Amendments approved by the Board on 22 March 2016

Implementations Advisory Analytics. Unlocking Value in Source-to-Pay. Realize Customer Success through Transformation and Cloud Software

Building a Framework for Effective Third-Party Risk Management (TPRM)

B A L A N C I N G M O B I L I T Y O B J E C T I V E S : TA L E N T V S. B U S I N E S S N E E D S

Using data analytics and continuous auditing for effective risk management

Service Organization Controls (SOC) Reporting Discussion: Perspectives and Opportunities

Procurement Development Programs. Free Powerpoint Templates Page 1

Effective Risk Management With AML Risk Assessment. January 25, 2017

Transforming Internal Audit to Drive Business Performance. 21 June, 2011

Procurement Performance Review

Gain strategic insight into business services to help optimize IT.

Third-Party Risk Management: Driving Enterprise Value. Linda Tuck Chapman

Best Practices for Vendor Risk Profiling

Identifying and Mitigating Third Party Risk Conducting Risk-Based Anti-Corruption, Anti-bribery Due Diligence

ERM 101. Casualty Loss Reserve Seminar, Fall /5/ Practical Enterprise Risk Management (ERM) Agenda ERM 101 2

How to Measure the Value of Your Internal Audit Group

Capgemini s Comprehensive Capital Analysis and Review Services

Agile Risk Assessment Reinventing RCSAs

Governing the cloud. insights for 5executives. Drive innovation and empower your workforce through responsible adoption of the cloud

Bank of Ireland. Service Integration as a means to govern a multivendor. 11 th October 2013

LEADING WITH GRC. The Return of the ERM Extending Beyond It s Past Scope. Brenda Boultwood, SVP Industry Solutions, MetricStream

ERM for Small to Mid-sized Companies

Global Enterprise Model (GEM) for Utilities

White Paper Describing the BI journey

NASCIO 2010 Recognition Award Nomination. Title: Electronic Commerce Task Force Study and Enterprise Implementation

Navigating Changing Dynamics of First Line Risk and Control Functions

FINRA 2090/2111 Solutions & Expertise

Intelligent automation and internal audit

Ingersoll Rand. Jonathan Kamanns Leader, Supplier Relationship Management

Transcription:

Optimizing an Enterprise Wide Effective Vendor Risk Program Pam Schott Head and VP Enterprise Supplier Governance June 1, 2015

Emerging Industry Trends As Procurement organizations mature; their focus needs to be more than just cost savings; they need to be proactively involved in strategic initiatives and creatively protect their organizations Procurement and Finance Alignment Essential partnership between procurement and finance to track and record savings International Expansion Support strategic initiatives in international expansion, licensing, ecommerce growth Innovative Solutions Expand supply market research to include new innovative solutions (i.e. cloud computing, social media, etc.) Talent Develop a procurement team aligned to business needs, organization s strategic priorities and growth areas and focus on building and retaining high-performing teams Affect Revenue New Risk Domains Promote and develop the bank s customer portfolio within our supplier community and maximize value to the bank by being thoughtful about our customer/supplier relationships Extension of the Third Party Risk to manage additional risk domains beyond Information Security and Supplier Performance (e.g., Reputation, Compliance, or Geo-political Risk 4 th Party Risk Inclusion of 4 th Parties in the Risk Program, including inventory, assessment and monitoring of 4 th Parties (Supply Chain ) M&A / Divestitures Ongoing M&A and Restructuring Activities have created new sourcing leverage and necessitated new supply strategies Green Value Chains Increasingly, customers and governments are demanding firms have plans to make their operations more sustainable and from a more diverse supplier base

Proactive risk management and oversight is an imperative for most organizations Third party risk is not a risk unto itself. Rather, it is a combination of other risks with various degrees of severity based on the nature of the relationship with the third party. The potential risk exposure from doing Business with third parties goes well beyond direct financial loss and includes reputational damage, regulatory scrutiny and customer attrition. 10. Business Continuity Risk Third party is unable to continue proving products / services 1. Strategic Risk Third party is not aligned to organization s strategic objectives 2. Information Security Risk Third party is able to access information outside of defined business requirements 9. Financial Stability Risk 3. Reputation Risk Third party cannot meet contractual obligations due to financial difficulties Third Party Risk Domains Third party s issues effect company brand 8. Geo-political Risk Country-specific factors (e.g., government, climate) affect Third party performance 4. Compliance Risk Third party actions are inconsistent with legal, regulatory, or policy requirements 7. Contractual Risk Service / Product provided by the Third party is incompletely defined in the contract 6. Credit Risk Third party is unable to make payments it is obligated to 5. Transaction / Operational Risk Third party is unable to deliver products / services appropriately The Third Party Risk Domains listed above also apply to fourth parties as an extension of third party risk.

Overview: Outsourcing and Supplier Risk Function at BMO Outsourcing and Supplier Risk Our Outsourcing and Supplier Risk Program aims to proactively identify, assess, monitor and mitigate risk associated with our third party suppliers and outsourcers through defined governance practices. Tools & Processes Oversight & Governance Analytics & Reporting 1 2 3 We have controls for identifying, assessing, monitoring and managing outsourcing and supplier risk through a framework and SEMS management tool; a. Established end-to-end Outsourcing and Supplier Risk Framework b. Supplier Engagement system (SEMS) enables supplier intake and risk assessment We have developed the three lines of defense operating model, consistent with BMO s Enterprise framework and instituted a Governance Oversight Committee for the US; a. Roles of three lines of defense identified b. Governance committee in place, initial focus on US, currently expanding to enterprise We have refreshed our risk appetite statement and enhanced our reporting capabilities to monitor our risks; a. Defined risk appetite statement and associated dashboards and KRIs b. Data Analytics and Consumption in SpotFire for drill-down analytics 4

1 Tools & Processes Development of controls for identifying, assessing, monitoring and managing outsourcing and supplier risk through a framework and SEMS management tool. 1a 1b End-to-End Outsourcing and Supplier Risk Framework Supplier Engagement System (SEMS) We have implemented an Outsourcing and Supplier Risk Framework across the enterprise. The framework shows an end-to-end view of the processes, structures, controls and systems that are used to manage outsourcing and supplier risk. This framework is leveraged throughout the Supplier Lifecycle as set out in the Outsourcing and Supplier Risk Corporate Standard. Applies consistent onboarding and management methods for outsourcing and supplier arrangements. All new, renewing and amending supplier arrangements, in addition to significant changes in current agreements must be entered in to SEMS. This centralized tool assesses the associated risks per risk type and in the aggregate resulting in a risk rating that is used to inform supplier management and oversight. Outsourcing and Supplier Risk Framework Strategy Supplier Selection Due Diligence Contract Manage Renew / Terminate Preliminary Assessment Questionnaire (PAQ) Workload Planning Opportunity Strategy Market Intelligence Customer as a Supplier Assessment Supplier Diversity Supplier Engagement Questionnaire (SEQ) Stakeholder and CSA Engagement Sourcing Strategy (e.g. RfX, auction, or sole source) Conditional Award of the Business Deal Summary FirstPrinciples Operational Risk Corporate Policy, Standard, and Framework Effective Challenge Quality Assurance Identification Outsourcing & Supplier Risk (OSRM) Framework Corporate Support Area Due Diligence Program Corporate Support Area Contract Controls Contract Development Negotiation Execution Proof of Concept Execution Conduct Negotiation Post-Contract Supplier Controls Deal Summary Finalized Key Risk Indicators Risk Approval Governance Model Contract Execution and Registration Category Profile Mgmt Supplier Engagement System (SEMS) Governance Measurement Risk Definitions Risk Appetite Statement OSR Corporate Standards SPSG Operational Procedures Residual Risk Assessment (RRA) & Mitigating Residual Risk Reassessment (RRR) Termination or Renewal Strategy Assessment Assessment of Arrangement, Market and Business Requirements Termination and/or Transition Plan Supplier Engagement System (SEMS) licensed from Hiperos SEMS is the enterprise tool to identify, assess, manage and monitor outsourcing and supplier risk throughout the supplier lifecycle. Monitoring & Reporting Workflow Repository for pre-defined artefacts Notifications Track open items Reporting Analysis Change Footer goes here 5

First Principles Operational Risk Corporate Policy, Standard, and Framework Effective Challenge Quality Assurance Governance Risk Definitions Risk Appetite Statement OSR Corporate Standards SPSG Operational Procedures 1a Supplier Lifecycle Framework Key objectives of the framework include: Identification of Risks Measurement of Risk Impact and Mitigation of Risks Monitoring and Reporting of Risks Strategy Preliminary Assessment Questionnaire (PAQ) Workload Planning Opportunity Strategy Market Intelligence Customer as a Supplier Assessment Supplier Diversity Supplier Engagement Questionnaire Supplier Selection Stakeholder and CSA Engagement Sourcing Strategy (e.g. RfX, auction, or sole source) Conditional Award of the Business Deal Summary Supplier Lifecycle Due Diligence Contract Manage Corporate Support Area Due Diligence Program Corporate Supplier Area Contract Controls Contract Development Negotiation Execution Proof of Concept Execution Conduct Negotiation Deal Summary Finalized Risk Approval Contract Execution and Registration Residual Risk Assessment Residual Risk Reassessment Post-Contract Supplier Controls Key Risk Indicators Governance Model Category Profile Mgmt. Renew / Terminate Termination or Renewal Strategy Assessment Assessment of Arrangement, Market and Business Requirements Termination and/or Transition Plan Document and Supplier Engagement System (SEMS) Reporting The enterprise tool to identify, manage, and monitor outsourcing and supplier risk throughout Attestations the supplier lifecycle Workflow Repository for pre-defined artefacts Notifications Track open items Reporting Analysis Change

2a Oversight & Governance Adopt three lines of defense operating model and ensure roles and accountabilities are established across all three lines of defense. Three Lines of Defence to Manage Outsourcing & Supplier Risk First Line of Defense: LOB Supplier Manager/Accountable Executive Own and manage identified Outsourcing and Supplier Risk for their supplier arrangements Maintain overall accountability and oversight of the relationship: Set the strategic direction of the supplier relationship Make key decisions pertaining to the supplier relationship Resolve any escalated issues 1 Second Line of Defence SPSG & Outsourcing and Supplier Risk CSA Provide subject matter expertise, specialist support, and independent risk oversight of Outsourcing and Supplier Risk Quality Assurance and Effective Challenge roles in place Develop and implement the Outsourcing & Supplier Risk Managed through our SEMS tool 2 Second Line of Defence CSAs Provide inherent, residual risk assessment and due diligence for their domain of risks Assess implications of vendor risk to their risk domain Third Line of Defence Corporate Audit Provide an independent assessment of the effectiveness of the internal control environment in 1 st and 2 nd lines Provide timely independent reporting to senior management that assesses whether key control activities are operating effectively and reliably. For example, determining whether there is: Effective supplier risk identification and due diligence Appropriate contract controls Adherence to applicable regulatory guidance Appropriate ongoing supplier management and oversight An effective challenge to the first line and second line that includes escalation processes

VRC Members (Proposed Representation) Focus BMO FG Risk Committee (Cross Enterprise) Members CSAs LOB Head Chair U.S. CISO AML Corp. ERPM P&C U.S. Chicago Secretary U.S. CRO SOX Anti-Corruption Wealth Branch Chief T&O Officer U.S. ORO Corp. Bus. Continuity Capital NY Branch CPO U.S. CCO Compliance. Markets VP T&O Integration U.S. Sourcing Lead Information Outsourcing & MD Business Ops Audit 1 Security Supplier Risk Risk Coverage: Level, Appetite, Tolerance, Type, Methodology Vendor Coverage: Prioritization by Segment, Assessments Targets/Timelines, Reassessment Requirements by Risk Level, Quality Assurance Elements of the Vendor Risk Governance Program: Robust reporting tools/outputs from which VMROC: Will draw meaningful insights to help govern the program Review monthly reports on tier 3, Material, high and/or enterprise critical risk relationships 2b Oversight & Governance Institute a Vendor Risk and Operations Committee to provide oversight on supplier risk across all aspects of the Supplier Lifecycle. Key Governance Model Elements Vendor Risk and Operations Committee The Vendor Risk and Operations Committee ( VMROC ) is accountable for providing oversight and governance on supplier risks Coverage BMO FC U.S. RMC U.S. ORC U.S. VMROC (Cross Enterprise) Chair: Dante DeWitt Vendor Governance Program Reporting Operational Oversight The Enterprise Supplier Governance (ESG) team members and corporate support areas conduct regular effective challenges on the validity, quality and integrity of the data uploaded within SEMS. Hard challenges are then uploaded in to the tool to ensure we demonstrate where we have satisfied areas of concern. ESG developed the Standard Operating Framework that articulates the key components and requirements of effective post-contract governance, oversight, and monitoring of Enterprise Critical Suppliers. The Framework outlines high level responsibilities and the interaction model between Supplier teams, Enterprise Supplier Governance, and Corporate Support Areas. Quality Assurance (QA) Two Quality Assurance roles, were created to monitor and ensure completion of effective challenges by Outsourcing & Supplier Risk CSA to perform risk oversight on outsourcing and supplier risk. Their quarterly assessments are in compliance with the OSRM Corporate Standards and annual review of framework controls. Footer goes here 8

3a Analytics & Reporting Develop a risk appetite statement and enhanced reporting capabilities to allow for increased oversight and governance of the portfolio. 3a Defined Risk Appetite Statement and KRIs Strives to adhere to the letter and spirit of all regulatory obligations relating to vendor risk. We seek to have no significant instances of regulatory breach. We recognize that there is vendor risk inherent in our businesses. Based on our strategy and business practices, we are targeting a moderate* risk appetite. We will mitigate exposures that can adversely impact our critical activities, have a disruption to regular business operations, and negatively impact our customers. We will proactively and continuously improve our vendor / supplier risk framework 3b Data and Analytics We have selected SpotFire, a data visualization program, as our enterprise tool to provide risk reporting across the following dimensions: Portfolio view of risks to identify and monitor high, medium, and low risks. Ability to deep dive into engagement data and KRIs to understand risk drivers. Enhanced Risk Portfolio dashboard provides a comprehensive view on the Bank s current risk exposure across key KRI areas. The dashboards are released to VMROC members monthly and are a key input into the OSR CSA Report. Footer goes here 9

3b Analytics & Reporting This dashboard articulates how we measure risk through key performance indicators (KRIs), our risk tolerance as defined by the risk appetite and where each LOB and geography stands in relation. Vendor Risk Appetite Statement We aim to monitor KRIs across the Enterprise Framework, Engagement and Vendor processes to understand and mitigate the disruption that vendors can cause on the Bank s ability to conduct business Reporting 1 2 3 OSR KRI Dashboard 1 Effectiveness of Control 2 Residual Risk Heat Map 3 Dimensions Risk Trends How a LOB/geography is doing relative to each of the risk dimensions What proportion of a LOB s/geography s vendors are high, medium or low risk How a LOB/geography is trending over time across KRIs

On-going Supplier : Evolution of the SRM Playbook to the Standard Operating Framework Based on input from Supplier Manager Teams during the Pilot in October 2014, ESG distilled the SRM Playbook into a more outcomefocused and user-friendly Standard Operating Framework, which was published in December 2014 Guiding Principles Defined Supplier processes, roles and responsibilities, tools and templates for the post-contract management of BMO s most critical suppliers Aggregation of best practices for postcontract supplier management into specific management activities Emphasis on prescriptive practices for supplier management SRM Playbook (Published August 2014, Retired and replaced by the Standard Operating Framework December 2014) Standard Operating Framework (Published December 2014) Guiding Principles Defined Supplier processes, roles and responsibilities, tools and templates for the post-contract management of BMO s most critical suppliers Distillation of best practices for postcontract supplier management into management outcomes Emphasis on output / interaction across constituents vs prescriptive process steps

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback