Using Metrics to Improve Your Third-Party Risk Management Program Presented by Randy Stephens & Michael Volkov Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 0
Agenda NAVEX Global s 2017 Third-Party Risk Management Benchmark Report Key Findings Using Metrics to Improve your Third-Party Risk Management Program Key Takeaways & Recommendations Q&A + Additional Resources Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 1
The 2017 Third Party Risk Management Benchmark Report Statistical Snapshot Conducted by an independent research company, collected anonymously 427 respondents across more than 22 industries, Including: Job Level: 8% C-Suite & Senior Executives 42% Senior Managers & Directors 28% Other Management 16% Non-Management Job Function: 25% Ethics & compliance 20% Legal 15% Risk Management Company Size: 38% Large Organizations (5,000+ employees) 34% Medium Organizations (500 5000 employees) 28% Small Organizations (<500 employees) Regions Where Respondents Manage Third Parties: 78% United States 54% Europe 50% Asia 42% Latin America 41% Canada 33% Middle East 32% Australia / New Zealand / Pacific Islands 28% Africa 21% Caribbean Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 2
Key Findings Using Metrics to Improve Your Third-Party Risk Management Program Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 3
Key Findings Risk-Based Programs are Evolving Top program concerns this year have shifted from previous years Budget security has improved Mature programs are aligning with evolving regulatory requirements Automation delivers program sophistication and performance Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 4
Survey Question How concerned are you about your third party risk management program? Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 5
Top Issue: Cyber Security and Data Protection A continual shift over the last three years Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 6
Top Objectives Align to Risk Protection Legal concerns top program objectives for the third consecutive year Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 7
A Shift in Issues in 2017 A shift in issues does not likely alter long term trends Cyber security and data protection is a universal market concern Risk management essentials remain the focus of third party risk programs Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 8
Budget Trends Look Positive Consistent challenges for program stakeholders Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 9
Significant Organizational Risk Lies with Third Parties The third party landscape continues to grow Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 10
Budget Improvements Indicate Increasing Understanding & Maturity A realization of the level and nature of risk Increases in anticipated budgets allow for strategic planning and program consistency Understanding your risk factors helps to define program requirements Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 11
At what maturity level do you believe your program currently resides? Survey Question Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 12
We See an Increase in Program Maturity Risk-based program requirements drive program sophistication Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 13
Improvements in the Approach to Risk Management A risk-based approach drives risk mitigation Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 14
Screening and Monitoring Practices Tied to Program Maturity Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 15
Regulatory Alignment Structures Strong Programs Multiple global regulatory agencies are aligning on program best practice recommendations Mature third party risk management programs tend to align to those recommendations, processes and structure Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 16
Survey Question Do you use a purpose-built automated solution to manage your third party risk management? (i.e., not an office management solution) Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 17
Automated Systems Are a Requirement for Program Success Making the commitment to automated third party risk management is obvious Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 18
Automated Systems Are a Requirement for Program Success Automated solutions allow for more complete risk management Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 19
Program Assessment Defined by Maturity Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 20
Automated Systems Are a Requirement for Program Success Automated systems improve program performance Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 21
Mature Programs See Exceptional Performance Those respondents with advanced programs rate their ability to do the following: Implement a risk-based program: 87% Comply with laws and regulations: 87% Conduct deeper dives where needed: 82% Defensibility of program with enforcement agencies: 83% Accurately define risk: 84% Determine the ROI of the program: 50% Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 22
Mature Programs See Exceptional Performance Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 23
Program Maturity as a Performance Driver Those with reactive and basic programs put themselves at risk Those with maturing and advanced programs are most likely to see better results When seeking a third-party risk management program ROI, keep in mind that automated programs typically deliver measurable results upon which you can build additional program elements Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 24
Using Metrics to Improve Your Third-Party Risk Management Program Using Metrics to Improve Your Third-Party Risk Management Program Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 25
Metrics to Know The point at which managing third parties appears to become more challenging is when the number of third parties reaches 100 57% of all respondents indicate that they pursue a risk-based program that corresponds to the nature and level of risk 38% of respondents update their third party due diligence policy once a year In 2016, 25% of respondents identified none of their third parties as high risk. In 2017, only 3% identified none of their third parties as high risk. Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 26
Metrics to Know 69% of respondents identified or discovered red flags or other negative third-party information through their due diligence processes Among those who use third-party due diligence providers to facilitate their programs, those systems typically return: adverse media reports (64%) government investigations or conviction (59%) connections to government officials (55%) adverse financial information (54%) politically exposed persons (52%) individuals or entities on a government or sanctions watch list (51%). Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 27
Key Takeaways and Recommendations Using Metrics to Improve Your Third-Party Risk Management Program Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 28
Key Takeaways Demonstrating third-party risk management program value Benchmarking your program is critical; identify points of improvement Secure an annual budget and executive support Understand where your program lies on the the maturity index strive for improvement Consider how you will measure program effectiveness Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 29
Additional Third Party Risk Management Assets Third Party Risk Management Thought Leadership: http:// White Paper: How to go from Manual to Automated Third Party Due Diligence Monitoring: Ten Steps to Success White Paper: Anti-Bribery & Corruption Risk Assessment Checklist White Paper: What to Ask: Assessing Third Party Risk Management Solutions Guide: A Prescriptive Guide to Third Party Risk Management Guide: Definitive Guide to Third Party Risk Management More Benchmarking Resources From NAVEX Global: o o o 2017 Hotline Benchmark Report & Toolkit 2017 Policy Management Benchmark Report 2017 Ethics & Compliance Training Benchmark Report Become a member of our community-driven resource library: ComplianceNext.com Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 30
Questions Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 31
Thank You Copyright 2017 NAVEX Global, Inc. All Rights Reserved. Page 32