STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017


Your presenters
- Nancy Aubrey, Partner, Boston, MA, Nancy.aubrey@rsmus.com
- Rick Shriner, Principal, McLean, VA, Rick.shriner@rsmus.com

Agenda
- Overview of current trends affecting relationships with third-parties
- Third-party management lifecycle: assessing risk and maintaining control
- Emerging regulations impacting bioscience companies: the European Union's new data protection standard

ISSUES / TRENDS

Industry trends impacting third-party management
- Heavy reliance on third parties
- Increased out-sourced research activity
- Global clinical trials
- Single-point-of-failure risks with CMOs
- Global sales and supply chains
- Third party data breaches
- Changing regulations: EU GDPR's impact on bioscience companies in the US

Broader third-party trends
Trends noted by the CEB Audit Leadership Council in their 2017 Audit Plan Hot Spots include:
1. Decreased visibility into the third-party network
   - Decentralization in decision-making leads to poor visibility
   - Third-party relationships lead to fourth or even fifth parties
2. Increased third-party access to sensitive company data
   - With organizations digitizing and relying on increasing amounts of data, more information will be reaching third-parties, both accidentally and by design
   - Increased risk of data breaches and non-compliance with data privacy regulations
Source: 2017 Audit Plan Hot Spots, CEB Audit Leadership Council

THIRD PARTY RELATIONSHIP MANAGEMENT (TPRM) LIFECYCLE

Third-Party Relationship Management (TPRM) Lifecycle

TPRM Maturity Continuum
Stages, from least to most mature: Weak, Sustainable, Mature, Integrated, Advanced.
Characteristics along the continuum, in order of increasing maturity:
- Ad-hoc processes; problem driven; inconsistent outcomes; rework; reactive; individual effort
- Basic process; processes follow a regular pattern; repeatable practices; reduced rework; processes not standardized
- Documented processes; standard approval processes; proactive and reactive; request driven; technology utilized; improved productivity
- Stable processes; proactive; accountable; effective monitoring; formal change management process; service level agreements; continuous improvement; strong business relationships
- Predictability; quality driven; proactive; optimizing costs and quality; agile; fully automated; complete integration; enterprise-wide knowledge; planned innovations; change management fully implemented; strategic performance metrics

Understanding Third-Party Requirements (Planning)
- Do not let third-parties define your requirements
- Establish ownership for the product or service to be provided and the supporting third-party relationships
- Involve all relevant stakeholders
- Assign a weight to each requirement
- Begin thinking about control requirements related to information risk early in planning
- Present requirements to potential third-parties and include them in the third-party selection and management process
- Assess the risks of the product or service the third-party will support
- Identify specific risks and include how they are mitigated in your third-party evaluations

Understanding Third-Party Risk (Planning)
Assess the risks of the product or service the third-party will support:
- Transaction/Operational
- Liquidity/Financial
- Credit
- Reputation
- Strategic
- Compliance/Legal
- HR
- Rate/Pricing
Identify specific risks and consider how they are mitigated in your third-party evaluations.

Evaluation of third-party qualifications (Due Diligence)
- Existence and corporate history
- Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate
- Other companies using similar services from the provider that may be contacted for reference
- Financial status, including reviews of audited financial statements
- Strategy and reputation
- Service delivery capability, status and effectiveness

Evaluation of information risk during due diligence

Capturing data security requirements

Capturing data security requirements (cont.)

Critical elements of agreement (Contracting)
- Duration
- Dispute resolution
- Indemnification
- Limitations of liability
- Termination
- Assignment
- Regulatory compliance
- Scope
- Performance standards (service-level agreements [SLAs])
- Security and confidentiality
- Controls
- Audit
- Reports
- Business resumption
- Subcontracting
- Ownership and licensing

Common issues with contract clauses (Contracting)
- Contain one-sided clauses
- Inadequately address service levels (with penalties)
- Silent about regulatory requirement maintenance
- Multi-year auto renewal term
- Excessive notification lead time for opt out
- May require payment for disputed items
- May ask for payments before delivery
- Silent about audit rights

Third-party contract management (Contracting)
- Maintain a central repository for all agreements
- Assign responsibility for management and oversight
- Manage key dates and ongoing due diligence:
  - Periodic performance reviews
  - Insurance coverage
  - Business continuity testing
  - Financials
  - Changes in leadership
  - Data breaches
  - Legal filings
  - Notices to the third party to prevent auto renewal

Monitoring Third-Parties (Ongoing Monitoring)
- Monitor your third parties' financial position
- Monitor the user base:
  - Stability and growth
  - Type and size of client organizations
- Monitor R&D indicators:
  - Investment in development
  - Industry trends
- Monitor audit reports:
  - Controls reviews
  - Penetration testing results
  - Business continuity test results
  - SSAE 16 SOC 1, SOC 2 (outsourced services)
  - Regulatory sources

Why organizations conduct Third-Party compliance audits (Ongoing Monitoring)
Reactive:
- Monetary obligations are nonexistent, late, or trending downward
- Services or products are not delivered on time
- Quality issues
- Public information and press releases are contradictory to the performance of the agreement
Proactive:
- Organization has developed a third-party contract compliance risk management process
- Fiduciary responsibility to organization stakeholders
- Agreement is financially material to the organization
- Organization is looking to restructure the agreement
- Agreement will be expiring soon
- Induce future compliance

Factors impairing ongoing monitoring (Ongoing Monitoring)
- Contracts are not centrally located and tracked
- Employees may not have the underlying contract and/or all corresponding amendments
- Intimate knowledge of third-party existence and activities is limited to comparatively few employees
- Nuances between similar agreements with other third-parties are not understood
- Clear ownership for monitoring activities does not exist, and the monitoring activities are ad-hoc and manual
- Lack of a formal process to assess changes in the third-parties' organization
- Notifications of non-compliance are not identified as the issues arise

Managing through contract termination (Termination)
Eventually, contract termination is an inevitable phase in the third-party relationship lifecycle. Reasons for contract termination may include:
- Contract completion
- Breach of contract
- Merger or acquisition
- Assignment to another party
- Third-party goes out of business
Risk considerations:
- Confidential information (e.g. trade secrets): what happens to the data
- Reputational risk
- Business continuity: disruption of operations
Considerations to manage situations when termination occurs:
- Clearly specified contract termination rights in the contract
- Internal transition plan (timeline, responsibilities)

Third-Party relationship compliance red flags
Third parties and your agreements that exhibit at least one of the following characteristics have an increased risk of non-compliance with the terms and conditions of the contract:
- Complexity of agreement
- Multiple locations or parties involved (related and non-related parties)
- Changes in accounting and reporting systems
- Changes in third-party key personnel
- New products, services or expanded product lines
- Mergers and acquisitions
- Third-party reporting/financial obligations are late or cease to exist
- Performance provided by the third-party does not correlate with market/industry trends
These red flags fall under three categories: contract terms, monitoring efforts, and third-party characteristics.

BUILDING A FRAMEWORK TO ASSESS TPRM RISKS

Overview of Approach
- Step 1: 3rd Party Prioritization
- Step 2: Refine the 3rd Party Risk Assessment Framework
- Step 3: Deploy the 3rd Party Risk Assessment Survey
- Step 4: Compliance Audit
- Continuous Monitoring throughout
Develop a framework for the assessment program, not just a questionnaire. Develop a workflow and process for conducting surveys, evaluating responses, weighting responses, compliance audit requirements and having the right information on which business decisions are made. These decisions include which third parties should provide additional information, those that would require an in-depth audit or spot audit, and those where completion of the survey is satisfactory. The next step is the deployment of the surveys to the third parties in a tiered and practical approach.
Risk areas to audit:
- Operational Performance
- Security (Information Privacy and Protection)
- Regulatory Compliance
- Personnel
- Financial:
  - Total spend analysis
  - Tax analysis
  - Self reporting accuracy
  - Other financial clauses (MFN, SLAs, etc.)

Factors for Prioritization
Third-party risk areas and third parties themselves can be prioritized based on factors such as:
- Third-party impact on enterprise-level risks
- Contract language (specificity, operational versus financial, etc.)
- Evidence of potential errors or manipulation
- Operational performance, including software quality, incident management, etc.
- Complexity of contracts (number of agreements, calculation of costs, complexity of pricing models)
- Strength of contract audit clause
- Third-party access to critical business information
- State of the relationship (new, ending, short-term, long-term)
- Financial strength of vendor
- Impact to the nature of the relationship (strategic, significant, considerable, insignificant)
- Geographic considerations (location of vendor, multiregional agreements)
- Third-party reliance on sub-contractors or other third parties
- Regulations

Building a Third-Party Risk Assessment Framework
Perform the following key tasks in developing the framework for a Third-Party risk assessment:
- Define roles and responsibilities for the project team.
- Define the project plan, project charter, and communication plan.
- Determine and agree on the questionnaire format, quantity of questions, target audience, and delivery format.
- Develop the workflow for risk assessment
- Develop weighting criteria
- Develop decision making criteria
- Develop the compliance audit program
Framework design inputs (from the slide diagram):
- Design 3rd party risk framework, informed by: best practices & standards, industry focus, regulatory requirements, business needs, geography
- Current state understanding: governance & risk, policies & procedures, business processes, critical assets, controls
- Outputs: desired risk mitigation, optimized framework

Contract Compliance Assessment Scorecard (Example Scorecard)
Responses to survey questions from each selected third-party are assessed and ranked using a scoring model customized for the organization. The example scorecard shows mapping customized by agreement type. Each risk factor is scored on a 0 to 5 scale.

Contract Compliance Scores
Risk factor                                                      Score (0-5)
Agreement complexity                                             2.2
Significance of agreement to the organization                    3.3
Number of third-parties involved                                 1.0
Changes in key third-party personnel                             1.5
Changes in third-party accounting systems                        4.7
Performance compared to industry/market conditions               3.0
Changes in agreement terms                                       3.2
Timeliness of compliance by third-party                          2.7
Lack of compliance by third-party                                2.0
Mergers and acquisitions related to the third-party              1.0
New products or activities related to the third-party agreement  3.0

Risk Ranking is Key The goal of the third-party risk assessment workflow is to assess the level of risk the third-party relationships present to your organization. The third-party criticality is determined from the Prioritization Data evaluation. The control state is determined from the questionnaire scorecards. These two data points contribute to the combined third-party risk rating, which drives the level of focus and attention the third-party needs to be given.

TPRM: Key Recommendations
- Be very clear about the different types of third party risk you are tracking, and who has responsibility for each
- Document the organizational risk profile, risk tolerance and risk acceptance
- Involve business stakeholders in the risk acceptance process
- Conduct due diligence to minimize risks (including regulatory fines and reputation damage)

TPRM: Key Recommendations (cont.)
- Create triggers to make sure risk and compliance efforts occur throughout the third party relationship lifecycle
- Consider ways to open up communication with and among vendors about trends, patterns and best practices
- Be innovative and flexible; the program and processes should allow for incorporation of changes due to business, industry and regulatory drivers

EMERGING ISSUE: OVERVIEW OF GDPR

What is GDPR?
European Union General Data Protection Regulation (EU GDPR): a new data protection law adopted by the EU in April 2016, intended to bolster data privacy protections for EU residents. Companies, government agencies, and non-profits interacting with EU residents have until May 2018 to comply.

Who does GDPR protect?
- The European Union, consisting of 28 member states: Spain, UK, Ireland, France, Germany, Italy, and Sweden, among others
- Some island nations such as the Canary Islands, Azores, and others
- Organizations storing, transmitting or processing data for individuals residing in any of these countries

Who does GDPR apply to?
To determine if GDPR affects your organization, you need to ask questions such as:
- Do you offer goods and services to EU residents?
- Do you rely on third parties that store or transmit data to/from the EU?
- Do you collect, transmit, or process data pertaining to EU residents?
It does not matter whether the services are free. It does not matter whether your company operates in the EU.

Five big concepts to understand
1) Accountability
2) Consent
3) Right to be Forgotten
4) Portability
5) Breach Notification

Accountability
- Organizations must demonstrate privacy protection by design and by default.
- Must appoint a Data Protection Officer (DPO) if the organization:
  - Processes data of more than 5,000 individuals a year, OR
  - Is active in regular and systematic monitoring of individuals, OR
  - Processes data which is sensitive
- Sanctions (more on that later)

Consent
The burden of consent now states that:
- Organizations must now prove genuine, explicit consent for data gathered
- Consent must be purpose-limited
- Must allow withdrawal of consent at any time
- In some instances, consent must be down to the business process level
- In some instances (or countries), must gather consent for individuals as young as age 13 (through their parents)

Right to be forgotten
Mandatory right to erasure: organizations must give individuals the right to request erasure of their data if:
- The individual withdraws consent
- The data is no longer needed to achieve the purpose it was collected for
- The data in question was obtained through unlawful processing

Data portability
Individuals have the right to transport all of their personal data to another organization (even a competitor):
- Organizations must provide individuals with their data in a machine-readable format
- Where feasible, the organization must facilitate electronic transfer of personal data

Breach notification
- Organizations are now under a legal obligation to notify local authorities within 72 hours if EU resident data is lost
- The only exception is if the data was encrypted
- Organizations have to inform individuals if adverse impact is determined from the breach
- Service providers (data processors) now have obligations to data controllers

Penalties for non-compliance
If organizations do not comply, they face a maximum fine of:
- 4% of their global revenue, OR
- €20 million,
whichever is higher.

QUESTIONS AND ANSWERS

THANK YOU FOR YOUR TIME AND ATTENTION

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP.