Lessons Learned in Streamlining the Third-party Risk Assessment Process


Agenda
- Welcome & Introductions
- Overview of the Third Party Risk Management Lifecycle
- Three Unique Perspectives on:
  - Third Party Inventories
  - Due Diligence & Ongoing Monitoring
  - How the HITRUST Assurance Program Helps
- Third Parties (Service Provider) Perspective
- Q&A & Wrap-up

Introductions
- Aaron Shapiro, PwC, Director, Cybersecurity & Privacy
- Jeff Martin, Anthem, Senior Manager, Information Security
- Debbie Hutchinson, Availity, Senior Manager, Audit and Third Party Assurance

Overview of the Third Party Risk Management Lifecycle

A robust Third Party Risk Management (TPRM) program is based on adoption of key building blocks and on successfully linking the program strategy, policies and processes together. TPRM is focused on understanding and managing the risks associated with vendors and other third parties with which the company does business and/or shares data.

The PwC Third Party Risk Management Program Framework
- Third parties: Vendors, Suppliers, Joint Ventures, Business Channels, Marketing Partners, Affiliates, Subsidiaries, Regulated Entities
- Lifecycle: Pre-contract lifecycle activities; Post-contract lifecycle activities
- TPRM Program Components: Governance Framework, Policy & Procedures, Inventory, Stratification, Issues Management
- Risk Considerations: Reputational, Operational, Credit/Financial, Business Continuity and Resiliency, Strategic/Country, Subcontractor, Technology, Info Security & Privacy, Compliance

PwC. Not for further distribution without the prior written permission of PwC. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

PwC THREE UNIQUE PERSPECTIVES

Three Unique Perspectives - PwC: Third party inventory, stratification, due diligence & on-going assessment model

The inventory, risk rating and on-going testing model enables a focus on efforts to establish the third party inventory and oversee services with higher levels of inherent risk.

Lifecycle stages: Establish, On-board, Oversee, Refine, Govern.
Model elements: Existing Third Party Inventory; New Third Parties; Inherent risk assessment; Pre-contract due diligence & residual risk; Nature, timing and extent & On-going due diligence; Residual risk rating; Refresh & Re-rank; Metrics & Reporting; Third Party Scorecards; Program Dashboards.

Residual risk maturity ranking (standard risk definition):
1 - Controls do not exist/are not in place
2 - Controls are in place but are not documented appropriately or currently are not reviewed/tested; controls are not consistently followed
3 - Controls are in place and are documented and reviewed; manual or partial automation
4 - Controls are in place, are documented appropriately, are reviewed on a periodic basis, have continuous control monitoring and are fully automated if available

Nature, timing and extent of on-going assessment by inherent risk segment (rows) and residual risk maturity 1-4 (columns). Timing is annual or given in months.

Inherent risk rating      | Maturity 1              | Maturity 2              | Maturity 3               | Maturity 4
Segment 1 - Critical      | Onsite, Annual, Testing | Onsite, Annual, Testing | Onsite, 12-16, Testing   | Onsite, 18, Testing
Segment 2 - High Risk     | Onsite, Annual, Testing | Onsite, 12-16, Testing  | Onsite, 18, Testing      | Onsite, 24, Testing
Segment 3 - Moderate Risk | Onsite, Annual, Testing | Remote, 18, Inquiry     | Remote, 18, Inquiry      | Remote, 24, Inquiry
Segment 4 - Low Risk      | Remote, 24, Inquiry     | Remote, 36, Inquiry     | Self-Assess, 36, Inquiry | Self-Assess, 48, Inquiry

Three Unique Perspectives - PwC: Third party inventory

This framework will assist the TPRM Program in focusing the inventory list by analyzing multiple sources in a rapid manner and identifying the third parties that need to be included as part of the program and rated by inherent risk.

Inventory process:
1. Total Third Party Inventory from multiple data sources: begin with A/P Spend and LOB files and remove categories that don't pose risk.
2. Identify unique third parties and validate services against existing invoices/data sources. Remove categories that don't pose risk.
3. Perform cleansing and enhancement of third party data.
4. In-scope third party inventory for risk segmentation.
5. Inherent risk assessment and Inherent Risk Rating.

Starting with commodity categories, we use a process to focus on those products/services that do and do not pose inherent risk and thus are to be included as part of the program. We then clean and enhance the existing third party data to be put into the inventory repository.

Common Third Party Inventory Data Attributes:
- Third Party Name
- Third Party Parent Name/Associated Third Parties
- Product/Service
- Third Party Type (Business Process Outsourcing, Partnership, Technology etc.)
- Spend
- Business Lines/Processes Supported by the Third Party
- Country/Region where Third Party is Based
- Contract Date (Engagement Date)
- Results of Third Party Risk Classification
- Results of Assessments (e.g., Third Party Information Security Assessments)

Three Unique Perspectives - PwC: Due Diligence, Ongoing Monitoring & HITRUST Assurance

Results of the inherent risk assessment should drive the nature, timing and extent of activities used to monitor, oversee, and re-assess third party relationships. Because more in-depth assessment activities cost more, a risk-based approach should be used so that higher risk relationships receive more active risk management than lower risk relationships.

Depth of due diligence activities by inherent risk rating:
- Very Low (40-50%): None
- Low (20-30%): Request and review third party report (e.g., HITRUST certification, SOC 1/2/3, ISO 27001 certification, etc.)
- Moderate (10-15%): Require the completion and evaluation of a due diligence questionnaire; request and review third party report (e.g., HITRUST certification, SOC 1/2/3, ISO 27001 certification, etc.)
- High (3-5%): Perform on-site assessments (1-5 days); require the completion and evaluation of a due diligence questionnaire; request and review third party report (e.g., HITRUST certification, SOC 1/2/3, ISO 27001 certification, etc.)

Anthem THREE UNIQUE PERSPECTIVES

Third Party Inventories - Anthem
- Follow the data, not the spend.
- Requires strong internal partnerships.
- Risk tiering can be more difficult in a highly regulated space.
- In-scope inventories can tend to balloon.

Due Diligence and Ongoing Monitoring - Anthem
- Inefficient pre-contract due diligence processes can impede timely procurement processes.
- Again, strong internal partnerships are necessary, especially for larger organizations.
- Change is constant. Assessments are a point-in-time measurement.
- Additional pressures for enhancing ongoing monitoring: new regulations, new technologies, global marketplace, maturing client base.

How the HITRUST Assurance Program Helps - Anthem
- Risk assurance activity can create exponential volumes of work.
- Leveraging the HITRUST Assurance Program helps to ensure a consistent and efficient approach.
- Anthem Information Security is requiring vendor Business Associates to achieve HITRUST certification on the environment that supports Anthem.
- Anthem Business Associates can leverage their HITRUST certification across the HITRUST Alliance partners.

Availity THREE UNIQUE PERSPECTIVES

Third Party Inventories - Availity
- Conduct a complete inventory of all third parties' activities, ranked by risk factors.
- Include all types of third party relationships, which can include business associates, trading partners, service partners, subcontractors, etc.
- Evaluate the relationships to have a comprehensive understanding of who your third parties are, what services/functions they provide and what level of access they have to your organization's data/systems.

Due Diligence and Ongoing Monitoring - Availity
- Conduct due diligence assessments to identify any potential gaps that could create risks or compliance issues prior to contract.
- Third parties who have completed a HITRUST validated assessment may submit their certification letter as part of their due diligence.
- Continue to monitor relationships to proactively account for any changes that can occur throughout the relationship cycle.
- Organizations need to move beyond the initial due diligence and annual reviews to proactively address the bigger challenge of monitoring and assessing third-party risks on an ongoing basis.

How the HITRUST Assurance Program Helps - Availity
- A HITRUST assessment can help to evaluate your third party assurance program.
- Accepting the HITRUST certification can help due diligence by reducing time and effort.
- Leveraging the CSF enables a single assessment to be accepted by many organizations across the industry.
- Focusing on third party risk management and consistent requirements of our third parties can help drive industry efficiencies.

Third Parties (Service Provider) Perspective
- Ability to respond effectively varies drastically.
- Customer assessments come in all shapes and sizes, and it can be very frustrating and difficult for third parties to respond in a timely manner.
- Alignment to a recognized security/privacy framework (e.g., HITRUST CSF) helps organizations respond quickly, with less effort, and with positive results.
- HITRUST certification and SOC 2s can relieve much of the headache associated with responding to customer requests.

Q&A