Building a Framework for Effective Third-Party Risk Management (TPRM)


Transcription:

Building a Framework for Effective Third-Party Risk Management (TPRM)
GARP Webcast Series, April 2016
Presenters: Brenda Boultwood and Christopher Thackray
On24 tech tips: make sure your speakers are on; hit F5 any time your console freezes; for a live event you should be hearing music now; use the Ask a Question feature to report issues. The webcast starts at the top of the hour.

Brenda Boultwood, SVP, MetricStream
Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream. Before joining MetricStream, Brenda was Senior Vice President and Chief Risk Officer for Constellation Energy, where she led risk management activities for Constellation Energy and its businesses, including defining and assessing enterprise-wide business risks and facilitating proactive decision-making to effectively manage the risks associated with each business line. Prior to joining Constellation Energy, Brenda served in a number of roles at JPMorganChase, including head of risk management for its Treasury Services business. Before that, Brenda served as head of market risk, counterparty credit risk and operational risk management at Bank One Corporation. Brenda also worked with PricewaterhouseCoopers as a senior manager in its Financial Risk Management Consulting Practice and was employed with Chemical Bank Corporation as a financial engineering associate. In addition, she spent six years teaching in the University of Maryland's Master of Business Administration program. Brenda was a member of the CFTC Technology Advisory Committee and serves on the Board of the Committee of Chief Risk Officers (CCRO). She previously served as a Board Member of the Global Association of Risk Professionals (GARP). She earned a Ph.D. in economics.

Christopher Thackray, Enterprise Risk Specialist Leader, Deloitte & Touche LLP
Chris is an Enterprise Risk Specialist Leader for Deloitte & Touche LLP, advising companies on the design, implementation and operationalization of enterprise, operational and third-party risk management programs. Combining his leadership background in strategic sourcing, supply chain risk management and operational risk management, Chris has demonstrated his ability to engage at all levels of the organization, across Europe, Asia and the US, to design and implement innovative and effective risk management programs tailored to organizational goals, international regulations and industry characteristics.

Agenda
- Who is a Third Party?
- Expanding Third-Party Ecosystem across the Enterprise
- Third Party Due-Diligence, On-Boarding & Continuous Monitoring
- Managing Third-Party Risk: Critical for an Organization
- Key Challenges in Managing Third-Party Risk
- Complying with OCC's 5 Step TPRM Framework
- RMA-MetricStream Joint Survey 2015: Key Findings
- Third Party Risk Management Framework: Key Components
- Integrating TPRM with an EGRC Framework
- Mapping Third-Party Risks to Other GRC Objects
- Third-Party Risk as an Integral Component of Enterprise Risk Management
- Third-Party Risk Intelligence
- Benefits of Adopting a Technology Framework
- Real World Use Cases

Who is a Third Party?
A third party is pretty much anybody you engage with: suppliers, vendors, customers, affiliates, third-party resellers, distributors, brokers, consultants, law firms.
"A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise." - OCC, October 2013

Expanding Third-Party Ecosystem across the Enterprise (by function)
- Sourcing: Tier-1 suppliers, fourth parties, broker agents, contractual
- Technology: software vendors, hardware vendors, infrastructure, disaster recovery
- Marketing: advertising agencies, media ads, content writers
- Human Resources: recruiting, payroll processing, employee benefits
- Facilities: office products, waste disposal, cleaning, printing
- Customer Support: call center, tech assistance
- Distribution & Sales: sales agents, distributors, partners

Third Party Due-Diligence, On-Boarding & Continuous Monitoring
On-boarding assesses the third party across regulatory risk, reputation risk, third-party financial risk, strategic risk and information technology risk, drawing on two kinds of input:
- Third-party risks from internal sources: risks from surveys, audits and self-reported events, provided by third-party self-assessments and metrics.
- Third-party risks from external sources: risks from external sources such as PEP screening, adverse media, sanctions lists, etc.

Managing Third-Party Risk: Critical for an Organization
- Engaging a third party (supplier, vendor, agent, distributor, lawyer, accountant, or consultant) comes with many risks: cybersecurity risk, business continuity risk, reputational risk, financial risk.
- Regulatory focus on third parties: OCC, FCPA, CFPB, FDIC, FRB, FFIEC.
- Significant business and cost impact.
- Ensure compliance: companies have to ensure that their third parties protect confidential IT information, comply with regulations, avoid unethical practices, maintain a safe and healthy working environment, mitigate operational risks, and more.

Key Challenges in Managing Third-Party Risk
- Increased complexity of the third-party intermediaries network: inability to manage the constant changes in the organization's third-party network; thousands of third parties to manage; fourth parties need to be assessed as well.
- Failure to manage regulatory compliance pressures: increasing scrutiny by regulators (OCC, Fed, CFPB, FDIC); varied regulations across countries (local, national, international).
- High costs of monitoring third parties: resource-intensive to manage and monitor third parties.
- Exposure to third-party risks in business operations: third-party non-compliance with contracts and SLAs; loss of profit and/or higher costs; fines, potential recalls and lawsuits; brand erosion and loss of market share.
- Lack of departmental collaboration: siloed approach to managing different third-party functions; high data redundancies.

Complying with OCC's 5 Step TPRM Framework
The five lifecycle steps, each with the supporting capability and activities shown on the slide:
1. Planning (Third Party Information Management): centralized, web-based third-party repository; create/add potential third parties; anytime, anywhere access to third parties; pre-configured data upload templates.
2. Due Diligence (Third Party Risk Assessments): assess, survey and score third-party risk; design risk assessment questionnaires and surveys; risk from external and internal sources, self-reported events; configurable risk scoring logic; holistic risk assessments; stratify third parties based on criticality and risk.
3. Contract Negotiation (Third Party Contract Management): contract drafting/uploading; centralized contract repository; contract approval; contract renewal; contract compliance review; contract termination.
4. Ongoing Monitoring (Continuous Monitoring of Third Parties): subscribe to external alerts; alerts from external content / respond to monitoring assessment; systematic and closed-loop issue management; log and manage issues.
5. Termination (Off-Boarding of Third Parties): initiate termination request for product/service; termination checklist; termination workflow; review and approve.

Sample third party risk management framework
This example framework, developed by one company, provides a basis to develop effective and extensive third party risk management programs by organizing processes and activities that manage risk across the third party lifecycle.
Business objectives: predictable funding, capital investment, cost reduction, risk and compliance management, agility.
Management and risk domains (example): contractual risk, business continuity risk, financial stability risk, transaction/operational risk, credit risk, reputation risk, compliance risk, geo-political risk, legal risk, strategic risk.
Operating model categories:
- Governance & Oversight: the organizational structure, committees, and roles & responsibilities for managing third parties.
- Policies & Standards: management expectations for the management of third parties and related risks.
- Mgmt. Processes: processes to manage risks across the third party lifecycle.
- Tools & Technology: tools and technology that support third party management processes.
- Risk Metrics & Reporting: reports identifying risks and performance across third parties.
- Risk Culture & Talent Mgmt.: tone at the top, clarity on risk appetite, appropriate training and awareness, etc. to promote a positive risk culture.
Management processes cover the third party lifecycle: Evaluate & Select, Contract & On-board, Manage & Monitor, Terminate & Off-board. The third party risk management framework provides a reusable set of key capabilities that can be applied when implementing third party risk programs to manage all types of third parties.
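The due-diligence and ongoing-monitoring steps above (score third-party risk from internal and external sources, stratify by criticality and risk, escalate on external alerts, cover fourth parties) can be made concrete in code. The following is an added example, not code from the webcast or from MetricStream; the domain names follow the sample framework, while the weights, thresholds, reassessment cadence and sample third parties are constructed assumptions.

```python
from dataclasses import dataclass, field

# Risk domains from the sample framework slide; weights are assumed and would
# normally come from the programme's configurable scoring logic.
DOMAIN_WEIGHTS = {
    "contractual": 1.0, "business_continuity": 1.5, "financial_stability": 1.5,
    "operational": 1.0, "credit": 1.0, "reputation": 1.0, "compliance": 2.0,
    "geopolitical": 1.0, "legal": 1.0, "strategic": 0.5, "information_technology": 2.0,
}
CRITICALITY_MULTIPLIER = {"low": 0.8, "medium": 1.0, "high": 1.25}  # assumed
TIERS = ["low", "medium", "high", "critical"]
REASSESS_DAYS = {"low": 365, "medium": 180, "high": 90, "critical": 30, "blocked": 0}  # assumed cadence

@dataclass
class ThirdParty:
    name: str
    criticality: str          # criticality of the product/service supplied
    domain_scores: dict       # internal sources (self-assessments, surveys, audits): 1 low .. 5 high
    external_hits: set = field(default_factory=set)     # external screening: "sanctions", "pep", "adverse_media"
    fourth_parties: list = field(default_factory=list)  # subcontractors this third party relies on

def inherent_score(tp):
    """Weighted average of internal-source domain scores, mapped from 1..5 onto 0..100.
    A domain with no response is treated as neutral (3) rather than ignored."""
    weighted = sum(w * tp.domain_scores.get(d, 3) for d, w in DOMAIN_WEIGHTS.items())
    return round(100 * (weighted / sum(DOMAIN_WEIGHTS.values()) - 1) / 4, 1)

def tier(tp):
    """Stratify by criticality and risk, then escalate on external screening results:
    a sanctions hit blocks the relationship, PEP or adverse-media hits raise the tier
    by one, and a third party inherits the tier of its riskiest fourth party."""
    if "sanctions" in tp.external_hits:
        return "blocked"
    score = inherent_score(tp) * CRITICALITY_MULTIPLIER[tp.criticality]
    idx = 0 if score < 35 else 1 if score < 55 else 2 if score < 75 else 3
    if tp.external_hits & {"pep", "adverse_media"}:
        idx = min(idx + 1, 3)
    for fp in tp.fourth_parties:
        fp_tier = tier(fp)  # a sanctioned fourth party makes the third party critical
        idx = max(idx, 3 if fp_tier == "blocked" else TIERS.index(fp_tier))
    return TIERS[idx]

def review_plan(tp):
    """What the ongoing-monitoring step needs: score, tier and reassessment cadence."""
    t = tier(tp)
    return {"third_party": tp.name, "inherent_score": inherent_score(tp), "tier": t,
            "reassess_every_days": REASSESS_DAYS[t], "external_hits": sorted(tp.external_hits)}

def apply_external_alert(tp, hit):
    """Handle an alert from an external content feed and return the updated plan."""
    tp.external_hits.add(hit)
    return review_plan(tp)

# Constructed sample third parties (names echo the mapping slide; all data is made up).
SUPPLIER_1 = ThirdParty("Supplier 1", "medium", {"information_technology": 2, "compliance": 2})
BPO_1 = ThirdParty("BPO 1", "high", {"information_technology": 4, "compliance": 4})
CONTRACTOR_1 = ThirdParty("Contractor 1", "low", {d: 2 for d in DOMAIN_WEIGHTS}, external_hits={"sanctions"})
SUPPLIER_2 = ThirdParty("Supplier 2", "low", {d: 2 for d in DOMAIN_WEIGHTS}, fourth_parties=[CONTRACTOR_1])

if __name__ == "__main__":
    for tp in (SUPPLIER_1, BPO_1, SUPPLIER_2):
        print(review_plan(tp))
```

Supplier 2 scores low on its own but is rated critical because its fourth party fails sanctions screening, which is the fourth-party gap the survey slide reports 41.3% of organizations leave uncovered.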

RMA-MetricStream Joint Survey 2015*: Key Findings
- 12.5% of the institutions surveyed have more than 2,500 vendors to manage.
- 47.6% of the participants have an internal audit function conducting independent reviews of the third-party risk management program.
- 41.3% of the organizations don't have fourth-party due diligence as a part of their third-party risk management program.
- Only 35% of the organizations surveyed rate their vendor/third-party risk management programs as fully mature.
- 55% of the institutions for which third parties have access to personal and private information have cyber liability insurance.
- 36% of the organizations are still using manual tools or home-grown applications for managing third-party risk.
- A number of institutions leverage data feeds, independent due diligence reports, and automated alerts from third-party data providers like Dow Jones, D&B, LexisNexis, Moody's, and Standard & Poor's.
* 80 financial institutions of varying asset sizes were surveyed.

Third Party Risk Management Framework: Key Components
Centralized repository; planning and process definition; security & permissions; workflows; continuous monitoring; segmentation & screening; assessments; reports & dashboards; risk mitigation; external risk alerts; qualification; alerts & notifications.

Integrating TPRM with an EGRC Framework (GRC platform architecture diagram)
- Solutions: Risk Analytics & Intelligence; horizontal solutions (Integrated GRC, Vendor Governance, etc.); vertical solutions (Banking, Financial Services, Insurance, etc.).
- Applications: Third Party Risk Management, Enterprise Risk Management, Policy and Document Mgmt., Compliance Mgmt., Audit Mgmt., IT Risk Management, Operational Risk Management, IT Compliance and other apps; Zaplet AppStore apps, GRC Intelligence, Compliance Online, 3rd-party apps, content, training, community alerts & feeds, retail content.
- GRC Platform: AppStudio (forms, data, workflow, data import templates, business configuration, reports & dashboards); GRC Foundation (third parties, risks, controls, processes, products/services, organizations, regulations, policies); cloud infrastructure (provisioning, system console, rules engine, infolets, security, event notifications, collaboration, unstructured data, relational DB, big data).

Mapping Third-Party Risks to Other GRC Objects (diagram)
- Business Objective: profitability, low costs, brand recognition
- Business Unit (BU/FU): region (Americas, EMEA), country, legal entity
- Third-Party: Supplier 1, Supplier 2, BPO 1, Contractor 1
- Risks: financial, operational, reputational, cybersecurity, geopolitical, legal, business continuity
- Controls: policies, procedures, manuals, training, surveillance and monitoring, governance committees, supervisory checklists
- Control Tests: test plan, audit, survey, self-assessment
- References: SEC, OCC, Fed, FDIC, CFPB
- Policies/Documents: Procedure 1, Document 1, Work Instruction 1
- Risk Assessments: risk-based, requirement-based, business unit-based
- Issues: action plan, implement, monitor

Third-Party Risk as an Integral Component of Enterprise Risk Management (diagram)
- GRC Libraries: third parties, process, product/service, commodity, facility, organization, geography, legal entity, objectives, risk, control, regulatory body, area of compliance, standard, requirement, question/procedure, evidence, exception, reference, metrics, KPIs.
- Operational Risk Assessments: perspective, risk assessment plan, business processes (Process 1 to Process 4), assessment factor, risk assessment, KRIs.
- Regulatory Alerts: regulatory alert, regulatory review.
- Scenario Analysis: scenario, scenario workshop, scenario response.
- Third-Party Risk: financial assessment, info sec assessment, BCM assessment.
- Issues: issue, action.
- Incidents: incident, investigation.

Third Party Risk Intelligence
Integrated external content for screening and monitoring: anti-corruption, adverse media, entities, sanction alerts, watchlists.
- TP Screening: validated potential/existing third-party information; access to global adverse media; access to global sanctions lists; access to global regulatory, law enforcement and watchlists; access to politically exposed persons and state-owned entities.
- Continuous Risk Monitoring and TP Information Management: predefined questionnaires/templates for third-party due diligence.
- Risk Mitigation: third party risk management system that automates risk alerts, continuous TP monitoring, screening and periodic due diligence.

Benefits of Adopting a Technology Framework
- Maintain a centralized repository for third parties
- Streamline end-to-end third-party risk management
- Visibility into fourth-party risks
- Comply with the latest regulatory frameworks

Real World Use Cases
International Banking and Financial Services Conglomerate
- Streamlines and automates third-party onboarding and maintenance across thousands of third parties
- Automates the generation of the Third-Party Relationship Performance Scorecard
- Improves transparency around third-party performance monitoring for corporate and senior business management
A Global Insurance Company Headquartered in Europe
- Centralizes all third-party governance and risk data in a common database for easier tracking and management of third-party risks
- Increases efficiency by replacing spreadsheet-based processes with tightly streamlined and automated workflows for third-party risk management
An Online Brokerage and Financial Services Company
- Evaluates their business partners/third parties as per the OCC (Office of the Comptroller of the Currency) guidelines
- Supports comprehensive third-party due diligence covering business continuity, contract, country, credit, customer complaints, IT, information security, insurance, and performance quality compliance risks
- Provides a central, web-based repository to document and maintain information on the complete third-party database, which includes 200+ vendors

Q & A

Creating a culture of risk awareness
Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A. +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K. +44 (0) 20 7397 9630
www.garp.org
About GARP: The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM) and the Energy Risk Professional (ERP) exams, certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org
2015 Global Association of Risk Professionals. All rights reserved.