Building a Framework for Effective Third-Party Risk Management (TPRM)
GARP Webcast Series
Presenters: Brenda Boultwood, Christopher Thackray
April 2016
Brenda Boultwood, SVP, MetricStream
Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream. Before joining MetricStream, Brenda was Senior Vice President and Chief Risk Officer for Constellation Energy, where she led risk management activities for Constellation Energy and its businesses, including defining and assessing enterprise-wide business risks and facilitating proactive decision-making to effectively manage the risks associated with each business line. Prior to joining Constellation Energy, Brenda served in a number of roles at JPMorgan Chase, including head of risk management for its Treasury Services business. Prior to that, Brenda served as head of market risk, counterparty credit risk and operational risk management at Bank One Corporation. Brenda also worked with PricewaterhouseCoopers as a senior manager in its Financial Risk Management Consulting Practice and was employed with Chemical Bank Corporation as a financial engineering associate. In addition, she spent six years teaching in the University of Maryland's Master of Business Administration program. Brenda was a member of the CFTC Technology Advisory Committee and serves on the Board of the Committee of Chief Risk Officers (CCRO). She previously served as a Board Member of the Global Association of Risk Professionals (GARP). She earned a Ph.D. in economics.
Christopher Thackray, Enterprise Risk Specialist Leader, Deloitte & Touche LLP
Chris is an Enterprise Risk Specialist Leader for Deloitte & Touche LLP, advising companies on the design, implementation and operationalization of enterprise, operational and third-party risk management programs. Combining his leadership background in strategic sourcing, supply chain risk management and operational risk management, Chris has demonstrated his ability to engage at all levels of the organization, across Europe, Asia and the US, to design and implement innovative and effective risk management programs tailored to organizational goals, international regulations and industry characteristics.
Agenda
- Who is a Third Party?
- Expanding Third-Party Ecosystem across the Enterprise
- Third Party Due Diligence, On-Boarding & Continuous Monitoring
- Managing Third-Party Risk: Critical for an Organization
- Key Challenges in Managing Third-Party Risk
- Complying with the OCC's 5-Step TPRM Framework
- RMA-MetricStream Joint Survey 2015: Key Findings
- Third Party Risk Management Framework: Key Components
- Integrating TPRM with an EGRC Framework
- Mapping Third-Party Risks to Other GRC Objects
- Third-Party Risk as an Integral Component of Enterprise Risk Management
- Third-Party Risk Intelligence
- Benefits of Adopting a Technology Framework
- Real World Use Cases
Who is a Third Party?
A Third Party is pretty much anybody you engage with:
- Suppliers
- Vendors
- Customers
- Affiliates
- Third Party Resellers
- Distributors
- Brokers
- Consultants
- Law Firms
"A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise." - OCC, October 2013
Expanding Third-Party Ecosystem across the Enterprise
- Sourcing: Tier-1 Suppliers, Fourth Parties, Broker Agents, Contractual
- Technology: Software Vendors, Hardware Vendors, Infrastructure, Disaster Recovery
- Marketing: Advertising Agencies, Media Ads, Content Writers
- Human Resources: Recruiting, Payroll Processing, Employee Benefits
- Facilities: Office Products, Waste Disposal, Cleaning, Printing
- Customer Support: Call Center, Tech Assistance
- Distribution & Sales: Sales Agents, Distributors, Partners
Third Party Due Diligence, On-Boarding & Continuous Monitoring
On-Boarding risk categories assessed for each third party:
- Regulatory Risk
- Reputation Risk
- Third Party Financial Risk
- Strategic Risk
- Information Technology Risk
Third Party Risks from Internal Sources: risks identified from surveys, audits and self-reported events; self assessments and metrics provided by the third party.
Third Party Risks from External Sources: risks identified from external sources such as PEP (politically exposed persons) lists, adverse media, sanctions lists, etc.
Managing Third-Party Risk: Critical for an Organization
- Engaging a third party (supplier, vendor, agent, distributor, lawyer, accountant, or consultant) comes with many risks: cybersecurity risk, business continuity risk, reputational risk, financial risk
- Regulatory focus on third parties: OCC, FCPA, CFPB, FDIC, FRB, FFIEC
- Significant business and cost impact
- Ensure compliance: companies have to ensure that their third parties protect confidential IT information, comply with regulations, avoid unethical practices, maintain a safe and healthy working environment, mitigate operational risks, and more
Key Challenges in Managing Third-Party Risk
- Increased complexity of the third-party intermediaries network
  - Inability to manage the constant changes in the organization's third-party network
  - Thousands of third parties to manage
  - Fourth parties need to be assessed as well
- Failure to manage regulatory compliance pressures
  - Increasing scrutiny by regulators: OCC, Fed, CFPB, FDIC
  - Varied regulations across jurisdictions (local, national, international)
- High costs of monitoring third parties
  - Resource-intensive to manage and monitor third parties
- Exposure to third-party risks in business operations
  - Third-party non-compliance with contracts and SLAs
  - Loss of profit and/or higher costs
  - Fines, potential recalls and lawsuits
  - Brand erosion and loss of market share
- Lack of departmental collaboration
  - Siloed approach to managing different third-party functions
  - High data redundancies
Complying with the OCC's 5-Step TPRM Framework
Each OCC lifecycle step is mapped to the TPRM module that supports it and the capabilities that module provides:
1. Planning - Third Party Information Management
   - Centralized, web-based third-party repository
   - Create/Add Potential Third Parties
   - Anytime, anywhere access to third parties
   - Pre-configured data upload templates
2. Due Diligence - Third Party Risk Assessments
   - Assess, Survey and Score Third-Party Risk
   - Design Risk Assessment Questionnaires, Surveys
   - Risk from External and Internal Sources, Self Reported Events
   - Configurable Risk Scoring Logic
   - Stratify Third Parties based on Criticality and Risk
3. Contract Negotiation - Third Party Contract Management
   - Contract Drafting/Uploading
   - Centralized Contract Repository
   - Contract Approval
   - Contract Renewal
   - Contract Compliance Review
   - Contract Termination
4. Ongoing Monitoring - Continuous Monitoring of Third Parties
   - Subscribe to External Alerts
   - Alerts from External Content / Respond to Monitoring Assessment
   - Holistic Risk Assessments
   - Systematic and Closed Loop Issue Management
   - Log and Manage Issues
5. Termination - Off-Boarding of Third Parties
   - Initiate Termination Request for Product/Service
   - Termination Checklist
   - Termination Workflow
   - Review and Approve
Sample Third Party Risk Management Framework
This example framework, developed by one company, provides a basis to develop effective and extensive third party risk management programs by organizing processes and activities that manage risk across the third party lifecycle.
Business Objectives: Predictable Funding, Capital Investment, Cost Reduction, Risk and Compliance Management, Agility
Management and Risk Domains (example): Contractual Risk, Business Continuity Risk, Financial Stability Risk, Transaction/Operational Risk, Credit Risk, Reputation Risk, Compliance Risk, Geo-political Risk, Legal Risk, Strategic Risk
Operating Model Categories:
- Governance & Oversight: the organizational structure, committees, and roles & responsibilities for managing third parties
- Policies & Standards: management expectations for the management of third parties and related risks
- Management Processes: processes to manage risks across the third party lifecycle
- Tools & Technology: tools and technology that support third party management processes
- Risk Metrics & Reporting: reports identifying risks and performance across third parties
- Risk Culture & Talent Management: tone at the top, clarity on risk appetite, appropriate training and awareness, etc. to promote a positive risk culture
Management processes cover the third party lifecycle: Evaluate & Select, Contract & On-board, Manage & Monitor, Terminate & Off-board.
The third party risk management framework provides a reusable set of key capabilities that can be applied when implementing third party risk programs to manage all types of third parties.
RMA-MetricStream Joint Survey 2015*: Key Findings
- 12.5% of the institutions surveyed have more than 2,500 vendors to manage
- 47.6% of the participants have an internal audit function conducting independent reviews of the third-party risk management program
- 41.3% of the organizations don't have fourth-party due diligence as a part of their third-party risk management program
- Only 35% of the organizations surveyed rate their third-party risk management programs as fully mature
- 55% of the institutions for which third parties have access to personal and private information have cyber liability insurance
- 36% of the organizations are still using manual tools or home-grown applications for managing third-party risk
- A number of institutions leverage data feeds, independent due diligence reports, and automated alerts from third-party data providers like Dow Jones, D&B, LexisNexis, Moody's, and Standard & Poor's
* 80 financial institutions of varying asset sizes were surveyed
Third Party Risk Management Framework: Key Components
- Centralized Repository
- Planning and Process Definition
- Security & Permissions
- Workflows
- Continuous Monitoring
- Segmentation & Screening
- Assessments
- Reports & Dashboards
- Risk Mitigation
- External Risk Alerts
- Qualification
- Alerts & Notifications
Integrating TPRM with an EGRC Framework
Layered architecture diagram (top to bottom):
- Solutions: Risk Analytics & Intelligence; Horizontal Solutions (Integrated GRC, Vendor Governance, etc.); Vertical Solutions (Banking, Financial Services, Insurance, etc.)
- Applications
  - Apps: Third Party Risk Management, Enterprise Risk Management, Policy and Document Mgmt., Compliance Mgmt., Audit Mgmt., IT Risk Management, Operational Risk Management, IT Compliance, [+] other Apps
  - Zaplet AppStore: GRC Intelligence, Compliance Online, 3rd-Party Apps, Content, Training, Community, Alerts & Feeds, Retail Content
- GRC Platform
  - AppStudio: Forms, Data, Workflow, Data Import Templates, Business Configuration, Reports & Dashboards
  - GRC Foundation: Third-Parties, Risks, Controls, Processes, Products/Services, Organizations, Regulations, Policies
  - Cloud Infrastructure: Provisioning, System Console, Rules Engine, Infolets, Security, Event Notifications, Collaboration
  - Data: Unstructured Data, Relational DB, Big Data
Mapping Third-Party Risks to Other GRC Objects
Relationship diagram linking the following GRC objects (left to right):
- Business Objective: Profitability, Low Costs, Brand Recognition
- Business Unit: BU/FU, Region (Americas, EMEA), Country, Legal Entity
- Third-Party: Supplier 1, Supplier 2, BPO 1, Contractor 1
- Risks: Financial, Operational, Reputational, Cybersecurity, Geopolitical, Legal, Business Continuity
- Controls: Policies, Procedures, Manuals, Training, Surveillance and Monitoring, Governance Committees, Supervisory Checklists
- Control Tests: Test Plan, Audit, Survey, Self-Assessment
Related objects:
- References: SEC, OCC, Fed, FDIC, CFPB
- Policies/Documents: Procedure 1, Document 1, Work Instruction 1
- Risk Assessments: Risk-Based, Requirement-Based, Business Unit-Based
- Issues: Action Plan, Implement, Monitor
Third-Party Risk as an Integral Component of Enterprise Risk Management
GRC Libraries: Third-Parties, Process, Product/Service, Commodity, Facility, Organization, Geography, Legal Entity, Objectives, Risk, Control, Regulatory Body, Area of Compliance, Standard, Requirement, Question/Procedure, Evidence, Exception, Reference, Metrics, KPIs
- Operational Risk Assessments: Perspective, Risk Assessment Plan, Risk Assessment, Assessment Factor, KRIs
- Business Processes: Process 1, Process 2, Process 3, Process 4
- Regulatory Alerts: Regulatory Alert, Regulatory Review
- Scenario Analysis: Scenario, Scenario Workshop, Scenario Response
- Third-Party Risk: Financial Assessment, Info Sec Assessment, BCM Assessment
- Issues: Issue, Action
- Incidents: Incident, Investigation
Third Party Risk Intelligence
Integrated external content for screening and monitoring: Anti-Corruption, Adverse Media, Entities, Sanction Alert, Watchlist
Third-party screening, continuous risk monitoring and third-party information management draw on this content for risk mitigation:
- Validated potential/existing third party information
- Access to global adverse media
- Access to global sanctions lists
- Access to global regulatory, law enforcement, and watch lists
- Access to politically exposed persons and state-owned entities
- Predefined questionnaires/templates for third-party due diligence
Third Party Risk Management System:
- Automated risk alerts
- Continuous third-party monitoring
- Screening
- Periodic due diligence
Benefits of Adopting a Technology Framework
- Maintain a centralized repository for third parties
- Streamline end-to-end third-party risk management
- Visibility into fourth-party risks
- Comply with the latest regulatory frameworks
Real World Use Cases
International Banking and Financial Services Conglomerate
- Streamlines and automates third-party onboarding and maintenance across thousands of third parties
- Automates the generation of the Third-Party Relationship Performance Scorecard
- Improves transparency around third-party performance monitoring for corporate and senior business management
A Global Insurance Company Headquartered in Europe
- Centralizes all third-party governance and risk data in a common database for easier tracking and management of third-party risks
- Increases efficiency by replacing spreadsheet-based processes with tightly streamlined and automated workflows for third-party risk management
An Online Brokerage and Financial Services Company
- Evaluates business partners/third parties according to the OCC (Office of the Comptroller of the Currency) guidelines
- Supports comprehensive third-party due diligence covering business continuity, contract, country, credit, customer complaints, IT, information security, insurance, and performance quality compliance risks
- Provides a central, web-based repository to document and maintain information on the complete third-party database, which includes 200+ vendors
Q & A
Creating a culture of risk awareness
Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A. +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K. +44 (0) 20 7397 9630
www.garp.org
About GARP
The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM) and the Energy Risk Professional (ERP) exams, certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org
© 2015 Global Association of Risk Professionals. All rights reserved.