Case Study Webinar: Vendor Risk Management at Global Lending Services
- Al Palmer, SVP Compliance, Global Lending Services LLC (GLS)
- Melissa Brown, Compliance Manager, Global Lending Services LLC (GLS)
- John Tondreau, Senior Director of Customer Success, ProcessUnity
Hosted by Compliance Week's Assistant Director, Events, Tsvetelina Gabin
Agenda for Today's Webcast
This webcast will last for 60 minutes.
- 2:00 p.m. Introduction: Tsvetelina Gabin, Compliance Week
- 2:05 p.m. Panel Discussion. Speakers: Al Palmer, Global Lending Services LLC (GLS); Melissa Brown, Global Lending Services LLC (GLS); John Tondreau, ProcessUnity
- 2:50 p.m. Q&A
- 3:00 p.m. Closing: Tsvetelina Gabin, Compliance Week
Introduction: The Series, Schedule and Instructions
Speakers
Al Palmer is Senior Vice President, Compliance and Audit at GLS, responsible for the company's Compliance Management System, including Corporate Compliance, Compliance Monitoring & QA, Internal Audit and the Vendor Management Program. Prior to joining GLS, he worked as a regulatory remediation consultant from 2010 through 2015, assisting client banks by addressing requirements of consent orders and other formal agreements.
As Compliance Manager at Global Lending Services, Melissa Brown is responsible for Compliance Policy, Quality Assurance and Vendor Management. Melissa has over 10 years of experience in the auto finance industry. She is a Certified Consumer Compliance Professional and graduated from Strayer University with a BBA in Human Resource Management.
John Tondreau is a Senior Director on the ProcessUnity Customer Success team. He has been with ProcessUnity for 3 years and has helped more than 50 customers automate their risk and compliance programs. Prior to joining ProcessUnity, John worked in a consulting capacity with the Big 4 and stood up the Vendor Risk Management program at Citizens Bank.
About ProcessUnity
Risk & Compliance Automation: Risk & Compliance SIMPLIFIED
- Third-Party Risk Management
- Policy & Procedure Management
- Risk Management
- Compliance Management
HQ: Concord, Massachusetts
Founded: 2003
Today's Agenda
- Getting Started: What is TPRM? Why is TPRM important?
- Standing up an effective program
- TPRM in action at Global Lending Services
- Steps to mature your program
What is Third-Party Risk?
Third-Party Risk Lifecycle
- Onboarding: Establish an enterprise-wide process to introduce potential providers
- Due Diligence: Enforce objectivity within your vendor due diligence process
- Self-Assessments: Streamline the assessment process while reducing potential errors
- On-Site Control Assessments: Systematically conduct and document on-site control assessments
- Performance Reviews: Manage performance reviews in a consistent, manageable process
- Contract Reviews: Create a unified process for contract management
- SLA Monitoring: Document KPIs, monitor activity and record observations
- Issue Management: Implement a formal process for tracking vendor issues
Basic VRM Flow
A very simple VRM workflow as it is configured in ProcessUnity is shown below. This represents the skeletal (core) components that are configured and the workflow used for vendor due diligence. This is not intended to represent all aspects of a mature VRM program.
[Diagram: six numbered components]
1. Vendor Master*: Vendors (Profile Data, Ratings, Risk Tier, Other) and Vendor Services*, each with Vendor Contacts, Attachments, Facilities, Fourth Parties, SLA/Metrics, Assessments
2. Questionnaire Templates: Sections, Questions, Sub-Questions, Preferred Responses, Scoring, Reference Materials, Skip Rules, Email / Instructions
3. Assessments: Internal Due Diligence, Inherent Risk Classification, Vendor Due Diligence, Internal Performance Evaluation, FinServ Regulatory Compliance, Others; Scope, Dates, People, Status, Scores, Follow-up, Workflow*
4. Vendor Portal (External (Vendor) Access Only): Send (Resend), Provide Responses, Attach Evidence / Documents, Update Vendor Master Data, Submit
5. Remediation: Close Assessment, Internal, External, Update Profile Data / Risk Tier, Raise Issues*; upon completion: Add Findings, Deliver final report(s), Schedule Next Assessment
6. Vendor Requests*: 1. Vendor Request Form, 2. Draft Vendors / Approval, 3. Externally Managed
*Subscription agreement determines which features are enabled.
ProcessUnity, Inc. All Rights Reserved.
Why is TPRM Important?
Program Maturity
[Chart: maturity (vertical axis) over time (horizontal axis), in four stages]
- Informal: Compliant but at a high cost to business; manual control; ad hoc approach; no best practices
- Reactive: Risks are documented; manual risk assessment and reporting; tactical approach; after-the-fact reporting
- Proactive: Policies are enforced; automated process; unified, standardized & strategic approach; regulator ready
- Optimized: Analyze and trend; automated risk mitigation / predictive risk assessments; objectives embedded throughout the organization
How do you get from here to here?
TPRM Building Blocks
- Vendor Identification
- Service Identification
- Inherent Risk Methodology
Inherent Risk Questions
- Will this vendor provide products or services essential to the operation of the company?
- Will this vendor have access to non-public personal information (NPI)?
- Will this vendor provide customer/borrower-facing services/products?
- Will this vendor require exchange of information outside of Company network?
- Will this vendor host our information on their system?
- Will this vendor have access to employee data, customer/borrower data or Company affiliate data?
- How difficult would it be to replace this vendor with an alternative vendor?
Risk-Based Assessment Approach
Focus more resources on higher-risk vendors.
[Chart: resources versus risk posed]
Defining Your Assessment Content
- Identity
- Fourth-Party
- Information Security
- Reputation
- Geographic
- Compliance
- Financial
- Business Continuity
- Conflict of Interest
Content Integration
Assessment Scoping: HIGH RISK VENDORS, MEDIUM RISK VENDORS, LOW RISK VENDORS
Questionnaire Without Automation
Questionnaire with Automation
Questionnaire Scoring with Automation
Automated Due Diligence
Rationalized Response - Residual Risk
Inherent Risk + Last Assessment Rating = Residual Risk | Review Frequency
High   + Satisfactory    = Medium | Biennial
High   + Needs Attention = High   | Annual
High   + Unsatisfactory  = High   | Annual
High   + None Prior      = High   | ASAP
Medium + Satisfactory    = Low    | Triennial
Medium + Needs Attention = Low    | Biennial
Medium + Unsatisfactory  = Medium | Biennial
Medium + None Prior      = Medium | ASAP
Low    + Not Required    = Low    | Triennial Review
Vendor Risk Management at Global Lending Services Building an Effective and Efficient Program Through Automation
Introductions
- Al Palmer, SVP Compliance: Corporate Compliance, Internal Audit, Quality Assurance and Centralized Vendor Management Coordination
- Melissa Brown, Compliance Manager: Compliance Policy, Quality Assurance and Vendor Management
About Global Lending Services
- Global Lending Services LLC founded in 2012
- Indirect Auto Finance Company, Subprime Focus
- Headquartered in Atlanta, with Operations in Greenville SC and Phoenix AZ
- Purchase Retail Installment Sales Contracts from Auto Dealerships in 47 States
- Service approximately 45,000 contracts totaling $730 million
- Vendor Utilization Profile (100 Vendors): Core System Providers, Telephony Providers, External Call Centers, Statement and Letter Servicers, Repo Forwarders & Agents (4th Party), Remarketing Servicers, Recovery Agents, Consumer Reporting Agencies
The GLS Team
The Team:
- 6 Team Members Covering: Compliance, Compliance Monitoring & Independent QA, Internal Audit, and Vendor Management Coordination
- Vendor Management Coordination is Centralized: the Vendor Management Specialist works with assigned Vendor Managers in the business (Operations, IT, Analytics etc.) as well as our Legal team to manage and report activities.
Team Goals:
- Ensure that up-front risk assessments and appropriate due diligence are performed prior to contracting with new vendors / partners.
- Have consistent monitoring and oversight processes that are based on the risk profile of the Third Party.
- Create greater visibility into our third-party service providers and the activities to oversee them and manage related risks.
Our Challenges (Pre-Automation)
- Increasing Regulatory Expectations and Requirements
- Maintaining a current List of Third Party Service Providers
- Contracts were not fully centralized
- Risk Assessments were accurate but not standardized
- Risk Management and Oversight approaches varied across the organization
- Relied exclusively on Spreadsheets and Word Documents
- Vendor Management efforts were not visible
Moving to Automation
Our selection committee consisted of individuals from across the organization.
Key Features / Requirements:
- Support Initial Vendor Due Diligence & Ongoing Oversight
- Customizable Risk Assessments and Questionnaires
- Vendor Communications (Portal feature)
- Tracks Actions, Issues and Due Dates
- Flexible Reporting Capabilities
- Supports VM Processes that meet Regulatory Expectations
We invited four different companies to present demos. They ranged from simple software to full managed-service options that would essentially take the vendor management and risk assessments out of our hands. ProcessUnity was recommended by one of the other solution providers.
The Implementation Process
Implementation process took roughly 6 weeks from contract to the first assessment questionnaires going out.
Pre-Implementation Prep:
- Final Inventory of Vendors including key contact information
- Consolidating Contracts and documentation
- Determining Risk Levels
Implementation:
- Worked with assigned ProcessUnity implementation specialist
- Received admin and user training
- Finalized Risk Assessment Questionnaires: a combination of our existing questionnaires with ProcessUnity's Vendor Cloud Standard Questionnaire
- Provided other required information, which was uploaded into the system
- No issues with the implementation: stress free
Consistent Program Improvements
2016:
- Risk Assessments and Vendor Questionnaires Completed for existing Vendors
- On-site assessments continued for highest risk Vendors
- Implemented formal due diligence process for potential new relationships
- Tracked identified issues for resolution
- Regular Reporting to Enterprise Risk Committee and BOD
2017:
- Annual Risk Assessment updates aligned with Contract Renewals
- Further Refinement of Vendor Questionnaires
- Expanded on-site assessments to additional vendors
- Increase in new vendors; pre-contract due diligence is commonplace
- Discontinued services with existing vendors that failed to address issues
Measurable Results
- Consistent practices for managing and overseeing Vendors
- Documentation that fully supports our risk assessments and monitoring activities
- Streamlined due-diligence process for new Vendors
  - Partnership with Legal Department involved early in the process
- More Collaborative risk discussions, issues and viable solutions
- Greater focus on spend during the contract renewal process
- Greater visibility
Global Lending Services Vendor Risk Dashboard
What's Next?
- Continue to refine risk assessments and vendor questionnaires
- Build in SLA metrics and tracking
- Consider external data sources that provide more frequent or continuous risk indicators
Automate Third-Party Risk
1. Less Busy Work: Automated emails, notifications, electronic questionnaires and scoring reduce tedious, manual tasks.
2. Streamlined Vendor Assessments: Automatically determine questionnaire scope and complete assessments for more vendors in less time.
3. Better Reporting: Interactive reports and dashboards provide real-time access to the state of third-party risk.
4. Integration with Other Tools: Connect external news feeds and enterprise systems for full visibility into vendor risk.
Third-Party Risk Management: Pre-Assessment, Assessment, Ongoing Monitoring
[Screenshot labels: FINDINGS, ASSESSMENT STATUS, ISSUES, DASHBOARDS]
Schedule Your Deep-Dive Demonstration: www.processunity.com/contact
Speakers
- Al Palmer, SVP Compliance, Global Lending Services LLC (GLS)
- Melissa Brown, Compliance Manager, Global Lending Services LLC (GLS)
- John Tondreau, Senior Director of Customer Success, ProcessUnity
Moderator: Tsvetelina Gabin, Assistant Director, Events, Compliance Week
You can submit questions using the Ask a Question button on the left side of your screen.
Thank You for Joining Us
CPE Credit Information
The CPE test will appear in a separate window at the conclusion of the webcast. If you have trouble accessing the test, please email us at info@complianceweek.com. Please note that a passing score of 80% or higher is needed to receive CPE credit. Be sure to disable your pop-up blockers to access the automatic CPE exam presented at the conclusion of the webcast. CPE certificates will be emailed to you separately following completion of the exam.
Visit Compliance Week's website for more information on upcoming webcasts: www.complianceweek.com/webcast
Please send feedback to info@complianceweek.com