Third Party Risk Management ( TPRM ) Transformation

Similar documents
Intelligent Automation and Internal Audit

Digital Labor Analytics

Extended Enterprise Risk Management

Back to School for Business Services how to get it right?

KPMG Smart Controls. Putting you in control of your controls. kpmg.co.uk

KPMG s Advisory Services for Oracle. kpmg.com

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Cyber Security. & GRC Metrics That Tell a Story! Presented by: Swarnika Mehta Manager, KPMG Cyber Security Services

Harnessing data and analytics to transform compliance

VENDOR RISK MANAGEMENT FCC SERVICES

Insights into Mining Issue 12: Unlocking the value of D&A

4/26. Analytics Strategy

Andrea ROSIGNOLI Partner KPMG

Powered by technology, our experts are unlocking the value of your audit. Dynamic Audit

Thomson Reuters SCREENING RESOLUTION SERVICE

CFO Financial Forum Webcast

Enterprise risk management Protecting and enhancing value Advisory

Data, Analytics and Your Audit

Using a balanced scorecard to help measure facilities management performance

Future-Proof Procurement - A Digital Journey

Can the public sector deliver a zero tolerance approach to corruption risk?

It s time to revisit your anti-corruption compliance program How to design an effective and defensible compliance program in response to global trends

SOLUTION BRIEF RSA ARCHER AUDIT MANAGEMENT

Welcome to the 404 Institute Webcast

Effective implementation of COSO s new anti-fraud guidance

A Strategic Approach to Bank Fraud

How to Measure the Value of Your Internal Audit Group

Working better by working together

Risk Advisory Services Developing your organisation s governance for competitive advantage

Taking ERM to a. 6 GRC Today / October 2015

Navigating the New Health Economy

RSA ARCHER MATURITY MODEL: AUDIT MANAGEMENT

Operational Risk Management (#DOpsRisk) Solutions suite

Scenario planning and uncertainty

The Case for the SIO. A guide to navigate the new challenges of Service Management. kpmg.ca

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Trust Your Suppliers, Manage Your Risk The Importance of Third-Party Supplier Visibility About Perfect Commerce

Enhancing value in a disruptive environment

The Case for Outsourcing Accounts Payable

BENEFITS OF AN EFFECTIVE OUTSOURCING STRATEGY. March 1, 2017

An Overview of the AWS Cloud Adoption Framework

Commodity & Energy Risk Management

Leveraging IT risk management to boost competitive advantage

Effective Risk Management With AML Risk Assessment. January 25, 2017

CFO meets M&A: Value creation in the digital age The Dbriefs Driving Enterprise Value series

Competing for growth. Creating a customer-centric, connected enterprise. KPMG Customer Advisory. kpmg.com/customer

Navigating change. KPMG Sustainability Services. kpmg.com/cn

CLAconnect.com/creditunions. Impact the Future of Credit Unions

A Case Study: How Effective Risk Management Drives Global Supply Chain Optimization.

Optimizing an Enterprise Wide Effective Vendor Risk Management Program. Pam Schott Head and VP Enterprise Supplier Governance

Outsourcing transparency evolution

7 Key Trends in Enterprise Risk Management

Planning to win. Deal Advisory / Australia. Driving value growth through competitive, flexible funding and supportive financing relationships.

Commodity & Energy Risk Management. kpmg.com.sg

Excellence in Third Party Risk Management (TPRM)

RegTech, the future of banking beyond IT. In collaboration with

2Q17 analysis KPMG.com

Spend visibility and shared services Strategies to address growing pains for long-term care organizations

Risk Based Approach and Enterprise Wide Risk Assessment Edwin Somers / Inneke Geyskens-Borgions 26 September 2017

Shared Services in the Financial Services Industry: An Operating Model to Reach Strategic Goals

KPMG s Dynamic Audit. Powered by Data+ Analytics. January kpmg.com

Internal Control Questionnaire and Assessment

The Value- Driven CFO. kpmg.com

The client. The challenge. CASE STUDY: From Supply Chain Insights to Value

Seeking value through Internal Audit

COSO Internal Control Integrated Framework Proposed Update

2 TRACE Inc. RISK-BASED DUE DILIGENCE

Services to Local Government

Enterprise risk management Protecting and enhancing value Advisory

Internal Control Questionnaire and Assessment

ERP IMPLEMENTATION RISK

Gaining Advantages through Joint Ventures

Extended enterprise risk management: New perspectives on a growing imperative The Dbriefs Governance, Risk, & Compliance series

PHARMACEUTICALS. Forensic Services. Helping to protect your business from fraud, misconduct and non-compliance ADVISORY

Elevate your organization. To reach the Cloud.

The compliance investment

Key risks for Internal Audit

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Extended Enterprise Risk Management

Transforming the HR function for high performance. kpmg.com

Corporate Brochure. Elevate Your Flexible Workforce Management and Services Procurement

EHR AND ERP INTEGRATION. January 25, 2018

Retail. IFRS 15 Revenue Are you good to go? May kpmg.com/ifrs KPMG IFRG Limited, a UK company limited by guarantee. All rights reserved.

2017 Oracle EBS Cloud Roadmap

Energy Trading Risk Management (ETRM) System Selection and Implementation Top Challenges

Government Procurement Strategies. May 24, 2011

MERGER & ACQUISITION INTEGRATION SERVICES EXPERTS WITH IMPACT

Navigating the Intersection of Vendor Management and Business Continuity

Solution Track 5. Managing Vendor Risk and Contingency Plans. March 26, Strategic BCP, Inc. All rights reserved. strategicbcp.

Building a Roadmap to Robust Identity and Access Management

The hidden reality of payroll & HR administration costs

Giving you clarity on your change programmes

Capital Markets: IPO Advisory

Enterprise risk management for consumer products companies

CGI Business Process Outsourcing. for oil and gas companies

Deloitte Shared Services, GBS & BPO Conference Indirect Tax: Delivering Best-in- Class Compliance in a GBS Environment

Best of Breed Automation September 2014

Comprehensive Enterprise Solution for Compliance and Risk Monitoring

September 9, 2016 kpmg.ca

Transcription:

Third Party Risk Management ( TPRM ) Transformation September 20, 2017 Internal use only

An introduction to TPRM What is a Third Party relationship? A Third Party relationship is any business arrangement between one organization and another, by contract or otherwise. What is TPRM? Although an organization may reassign a service to a Third Party, it cannot outsource the associated responsibility for managing the risks and regulatory requirements. Additionally, the act of integrating a Third Party to your organization may create additional risks (e.g., country risk, concentration risk, etc.). TPRM is the process of identifying, monitoring, and managing Third Party risks. Who? Vendors Suppliers Affiliates Joint Ventures Alliances Outsourcing Providers Contingent Workers Providing What? Products Services Processes Intellectual Properties Market Presence Goodwill Third Party Relationship How? On-shore Off-shore On-site Off-site Integrated Continuous Cloud Managed BPO 2

Use of a Third Party requires the following risks to be managed Suppler Risk And Performance Management Control spend and reduce risk through improved relationship management Supplier Risk Mitigation and Recovery Prevent loss and service disruption through strategic sourcing and financial turnaround Supply Chain Risk and Performance Management Prevent waste through design of an efficient and resilient program Why is there an increased focus on TPRM? Greater use of third parties by business and increased velocity of risk events due to use of the internet requires clarity of roles and responsibilities in the management of Third Party risks. Isn t TPRM Procurement s job? Procurement may be an integral stakeholder in TPRM but responsibility for initial and ongoing risk management must be shared throughout an organization. This way, risks are monitored by individuals with the proper expertise. What are the challenges? An effective and sustainable TPRM program requires a clear operating model and an integrated approach. This requires coordination across the three lines of defense and clear ownership and accountability at each step. Contract Management/ Compliance Prevent opaque service delivery and monitor compliance with service level agreements Risk Universe Mergers/Acquisitions Prevent overlap and ownership issues through clear due diligence Fraud, Anti-bribery & Corruption/ Sanctions Monitor and prevent improper transactions with PEPs, sanctioned entities, etc. Cyber Security Risk Prevent security incidents, such as unauthorized access or theft of PII; PHI; IP; Sensitive Data Regulatory Compliance Ensure compliance with local and federal regulations 3

KPMG s TPRM Framework to manage Third Party risk To address risk management needs and regulatory requirements, institutions should develop a riskbased program and incorporate a complimentary suite of preventative and detective controls across the three lines of defense. Third Party Identification 1 st Line KPMG s TPRM framework assists institutions with the design and implementation of such a program. KPMG customizes an institution s TPRM program based on the institution s portfolio of Third Parties and works across functions (e.g., Risk Management, Procurement, and Accounts Payable ( AP )) to tailor the controls to the needs of a particular function and business. Governance Strategy Reporting and Technology Policies and Procedures People, skills, and training Monitoring & Testing 4

Key Focus Areas for Internal Audit TPRM Governance and Program Design Operating effectiveness of TPRM Program including Integration with Procurement Exceptions, Escalations Information Security

Internal Audit Challenges IA Resources and Skills Issue Management of Third Party Related Issues Internal Affiliates Vendor specific audits Risk Stratification Credible Challenge Design vs. operating effectiveness TPRM Governance TPRM Audit Planning 6

Stages of TPRM transformation The path to an effective and sustainable TPRM operating model matures along a continuum of three stages: Effective TPRM transformation continuum Comply Integrate Automate Sustainability Comply: The organization is reactionary, addressing risk management needs in response to regulatory changes, findings, and risk events. Integrate: The TPRM framework matures and the organization develops disciplined, coordinated risk assessment and monitoring practices across the enterprise. Automate: An optimal mode, in which the organization achieves greater sustainability by leveraging advanced technology and data science to enhance management of risk at a lower cost to the organization. 7

TPRM - Signs of a lagging program Getting the grit out of the gears What are some signs of a lagging program? Lack of a strategy for the business use and risk management of Third Parties Risks Incomplete inventory of Third Parties (e.g., only medium or higher risk services) or improper risk segmentation Business Cost Reduction Decentralized and redundant risk assessment processes (Compliance Risk Assessments, Risk Control Self Assessments, New Initiatives Assessment etc.), resulting in increased burden for business personnel and increased cost for the organization 3rd LOD 2nd LOD Oversight functions Third parties Insufficient coordination, resulting in overlapping and inconsistent processes as well as unclear roles and responsibilities Lack of an integrated platform and data across risk management domains (e.g., Info. Sec., BCM etc.) to enable oversight and conduct analysis means solving for simultaneous problems 8

Sound third party risk management is good business There are many drivers for a holistic TPRM program. What good looks like is depicted below including KPMG s TPRM framework that was used to conduct the assessment Regulatory compliance Global guidance around the management of third parties and the risks they manage on behalf of the organization Increased information security and data privacy requirements Risk and compliance requirements Increased consumer protection and cost of remediation TPRM Risk management Performance Growth of top line revenue through strategic joint ventures and alliances Management of bottom line costs by outsourcing core and non-core activities Driving greater return on investments through increased margin and operating resiliency Risk management Managing reputational impacts from failures by third parties to manage risk in accordance with client s practices Increasing the quantity and quality of risk management activities by leveraging third parties for skills and resources Greater coordination amongst internal risk management parties 1. Heightened standards (OCC) and enhanced prudential standards (Fed) - Board risk reporting and oversight - 1 st Line ownership of risk - 2 nd Line credible challenge - Data aggregation and reporting 2. Operational risk and compliance risk assessments - Enhanced RCSA, KRI s and Testing 3. Cyber-security preparedness, incident management and resilience - 3 rd Party Cyber incident scenarios must be incorporated into BCP and Disaster Recovery plans to enhance response capabilities - Supplier assurance (third parties), including clear contractual requirements 4. Balanced but effective affiliate risk management - Why? OCC Definition of a Third-Party Relationship includes Affiliates 5. Increased examiner focus on Regulation W (23a and 23b) compliance programs 6. IRS (foreign tax authority) focus on transfer pricing 9

TPRM Transformation benefits The following benefits may be achieved as a result of TPRM Transformation Benefits of a mature TPRM program Clear understanding of which third parties you do business with. Services are ranked according to risk with critical services identified. Risk based approach to ongoing monitoring post contract. Clear roles and responsibilities across lines of defense and risk oversight functions. Alignment of TPRM policy and practices to procurement activities. Reduced redundancy of activities to assess third parties. Enhanced alignment of mitigation tactics with contractual language. Greater use of technology and automation to manage third parties. Greater consistency of practices across the organization with regards to treatment of third parties. Increased understanding of third party risk management activities and policy requirements across the relationship owners. Clearer understanding of the cost benefits analysis factoring in the true cost of oversight for services. Greater understanding of the dependencies your organization has on third parties and their subcontractors. Sustainable approach to Board reporting with comprehensive view of critical third parties, strategy, trends, and issues. Current state environment Target state environment Transformation 10

How KPMG can help clients along the TPRM Transformation path TPRM transformation continuum TPRM transformation continuum TPRM transformation continuum Comply Integrate Automate Effective Effective Effective Comply Integrate Automate Sustainability Comply Integrate Automate Sustainability Comply Integrate Automate Sustainability Key Attributes Minimum requirements have been established for: - On-boarding and contracting - Ongoing monitoring - Off-boarding Roles and responsibilities are established across the lines of defense with some misalignment (e.g., 2 nd line taking on 1 st line duties) Use of Excel and SharePoint-based technology with manual processes TPRM activities are incorporated into enterprise risk governance practices (e.g., RCSA and Compliance Risk Assessment) Roles and responsibilities are clearly delineated across the lines of defense (including roles for Procurement and AP) Technology is leveraged to improve cross-functional workflow (e.g., centralized issue and action items, test reporting) Technology is leveraged to extract and catalogue SLAs and key contractual elements Digital labor is integrated into Third Party oversight (e.g., monitoring and testing) Reporting (e.g., KPIs, KRIs, and executive reporting) is automated Benefits Compliance with regulatory requirements Develop basic understanding of risk portfolio Greater visibility into processes and noncompliance with the program Increased sustainability and cost reduction Focus shifts from doing to analyzing Progress toward optimal resource usage, improving both effectiveness and sustainability while reducing program costs Key KPMG Services Maturity assessment Regulatory enforcement action remediation Independent assurance (due diligence, testing) Target operating model enhancement and implementation Cost optimization (e.g., COE, leveraging Third Party tools and services) Third Party rationalization Technology enablement Contract compliance KPMG Spectrum - Contract Performance Manager 11

The KPMG advantage in TPRM Transformation KPMG has an extensive network of client contacts, diverse network of subject matter professionals, and solutions to help clients mature their TPRM programs. Client network Subject matter professionals Execution enablers and technology solutions Full service firm KPMG has performed TPRM work for many Fortune 500 companies across industries such as financial services, telecommunications, consumer products, energy, and healthcare and life sciences. Through ongoing dialogue with our clients, KPMG has a current, multifaceted view of leading industry practices. KPMG has leveraged past engagements to build a team of TPRM subject matter professionals that covers a variety of industries and risk domains. These professionals have extensive knowledge and expertise to help clients comply with regulations, innovate, and tailor TPRM solutions to their organizational needs. KPMG has a portfolio of engagement enablers and technology solutions that can be deployed to help clients transform their programs in a manner that is both effective and sustainable. KPMG offers crossfunctional support to address needs that extend beyond TPRM. - GRC - Alliance Partners - Forensics - Contract Compliance - Spectrum - Procurement 12

Greg Matthews Advisory Partner KPMG LLP 345 Park Avenue New York, NY 10154-0102 gmatthews1@kpmg.com Tel 212 954 7784 Fax 201 643 2351 Cell 201 621 1156 KPMG is a Delaware limited liability partnership. kpmg.com/socialmedia The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS 654498 The KPMG name and logo are registered trademarks or trademarks of KPMG International.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback