Building a Framework for Effective Third-Party Risk Management (TPRM)
TRANSCRIPT
GARP Webcast Series
Brenda Boultwood, Christopher Thackray, April 2016
Building a Framework for Effective Third-Party Risk Management (TPRM)
Brenda Boultwood, SVP, MetricStream
Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream. Before joining MetricStream, Brenda was Senior Vice President and Chief Risk Officer for Constellation Energy, where she led risk management activities for Constellation Energy and its businesses, including defining and assessing enterprise-wide business risks and facilitating proactive decision-making to effectively manage the risks associated with each business line.
Prior to joining Constellation Energy, Brenda served in a number of roles at JPMorganChase, including serving as head of risk management for their Treasury Services business. Prior to that, Brenda served as head of market risk, counterparty credit risk and operational risk management at Bank One Corporation. Brenda also worked with PricewaterhouseCoopers as a senior manager in its Financial Risk Management Consulting Practice and was employed with Chemical Bank Corporation as a financial engineering associate. In addition, she spent six years teaching in the University of Maryland’s Master of Business Administration program.
Brenda was a member of the CFTC Technology Advisory Committee, and serves on the Boards of Committee of Chief Risk Officers (CCRO). She previously served as Board Member of Global Association of Risk Professionals (GARP). She earned a Ph.D. in economics.
Christopher Thackray, Enterprise Risk Specialist Leader, Deloitte & Touche LLP
Chris is an Enterprise Risk Specialist Leader for Deloitte & Touche LLP, advising companies on the design, implementation and operationalization of enterprise, operational and third party risk management programs.
Combining his leadership background in strategic sourcing, supply chain risk management and operational risk management, Chris has demonstrated his ability to engage at all levels of the organization - across Europe, Asia and the US - to design and implement innovative and effective risk management programs tailored to organizational goals, international regulations and industry characteristics.
Agenda
• Who is a Third Party?
• Expanding Third-Party Ecosystem across the Enterprise
• Third Party Due-Diligence – On-Boarding & Continuous Monitoring
• Managing Third-Party Risk – Critical for an Organization
• Key Challenges in Managing Third-Party Risk
• Complying with OCC’s 5 Step TPRM Framework
• RMA-MetricStream Joint Survey 2015 – Key Findings
• Third Party Risk Management Framework – Key Components
• Integrating TPRM with an EGRC Framework
• Mapping Third-Party Risks to Other GRC Objects
• Third-Party Risk as an Integral Component of Enterprise Risk Management
• Third-Party Risk Intelligence
• Benefits of Adopting a Technology Framework
• Real World Use Cases
Who is a Third Party?
A Third Party is pretty much anybody you engage with:
• Suppliers
• Customers
• Resellers
• Brokers
• Affiliates
• Vendors
• Law Firms
• Distributors
• Consultants
“A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.”
- OCC, October 2013
Expanding Third-Party Ecosystem across the Enterprise
• Sourcing: Tier-1 suppliers, fourth parties, broker agents, contractual
• Technology: software vendors, hardware vendors, infrastructure, disaster recovery
• Marketing: advertising agencies, media ads, content writers
• Human Resources: recruiting, payroll processing, employee benefits
• Facilities: office products, waste disposal, cleaning, printing
• Customer Support: call center, tech assistance
• Distribution & Sales: sales agents, distributors, partners
Third Party Due-Diligence – On-Boarding & Continuous Monitoring
Risk categories assessed at on-boarding: financial risk, strategic risk, information technology risk, reputation risk, regulatory risk.
• Third-party risks from internal sources: risks from surveys, audits, self-reported events
• Third-party risks from external sources: PEP, adverse media, sanctions, lists, etc.
• Provided by the third party: self-assessments, metrics
Managing Third-Party Risk – Critical for an Organization
Engaging a third party - supplier, vendor, agent, distributor, lawyer, accountant, or consultant - comes with many risks: cybersecurity risk, business continuity risk, reputational risk, financial risk.
Regulatory Focus on Third Parties
– OCC, FCPA, CFPB, FDIC, FRB, FFIEC
– Significant business and cost impact
Ensure Compliance - Companies have to ensure that their third parties protect confidential IT information, comply with regulations, avoid unethical practices, maintain a safe and healthy working environment, mitigate operational risks, and more.
Key Challenges in Managing Third-Party Risk
Increased complexity of the third-party intermediaries network
• Inability to manage the constant changes in the organization’s third-party network
• Thousands of third parties to manage
• Fourth parties need to be assessed as well
Failure to manage regulatory compliance pressures
• Increasing scrutiny by regulators – OCC, Fed, CFPB, FDIC
• Varied regulations of countries (local, national, international)
High costs of monitoring third parties
• Resource-intensive to manage and monitor third parties
• Exposure to third-party risks in business operations
Third-party non-compliance with contracts and SLAs
• Loss of profit and/or higher costs
• Fines, potential recalls and lawsuits
• Brand erosion and loss of market share
Lack of departmental collaboration
• Siloed approach to managing different third-party functions
• High data redundancies
Complying with OCC’s 5 Step TPRM Framework
OCC lifecycle stages: Planning → Due Diligence → Contract Negotiation → Ongoing Monitoring → Termination
Third Party Information Management
• Centralized, web-based third-party repository
• Request for product/service
• Create/add potential third parties
• Anytime, anywhere access to third parties
• Pre-configured data upload templates
Third Party Risk Assessments
• Assess, survey and score third-party risk
• Design risk assessment questionnaires and surveys
• Risk from external and internal sources, self-reported events
• Configurable risk scoring logic
• Stratify third parties based on criticality and risk
Continuous Monitoring of Third Parties
• Subscribe to external alerts
• Review alerts from external content / respond to monitoring assessment
• Holistic risk assessments
• Systematic and closed-loop issue management
Third Party Contract Management
• Contract drafting/uploading
• Centralized contract repository
• Contract approval
• Contract renewal
• Contract compliance
• Contract termination
Off-Boarding of Third Parties
• Initiate termination
• Termination checklist
• Termination workflow
• Log and manage issues
• Review and approve
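The assessment, scoring, stratification and alert-driven monitoring steps above, as an added worked example (not MetricStream's product logic and not the presenters' code): a small Python engine that turns questionnaire answers into an inherent score using configurable domain weights, scales it by the criticality of the outsourced service, adds penalties from external screening alerts (sanctions, PEP, adverse media), stratifies the result into tiers, and derives a review cadence per tier. Every weight, multiplier, penalty, threshold and the sample portfolio is an assumption constructed for this illustration; an organization would tune them to its own risk appetite. Two edge cases the slides imply are handled explicitly: an unanswered questionnaire domain scores as the worst case so that gaps raise rather than hide risk, and a sanctions hit forces the top tier regardless of score.

```python
"""Added example (not the product's own logic): configurable third-party risk
scoring and stratification. Weights, penalties, thresholds and sample data are
assumptions constructed for this illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Tier(str, Enum):
    CRITICAL = "critical"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


# Questionnaire domains with weights summing to 1.0 (assumed values).
# Answers are 1..5, where 5 is the weakest posture.
DOMAIN_WEIGHTS = {
    "information_security": 0.30,
    "business_continuity": 0.20,
    "financial_stability": 0.20,
    "regulatory_compliance": 0.15,
    "reputation": 0.15,
}
# Criticality of the outsourced service scales the inherent score (assumed).
CRITICALITY_MULTIPLIER = {"critical": 1.5, "important": 1.2, "standard": 1.0}
# Points added per external screening alert type (assumed).
ALERT_PENALTY = {"sanctions_hit": 40.0, "pep_match": 15.0, "adverse_media": 10.0}
# Tier thresholds on the 0..100 residual score, checked top down (assumed).
TIER_THRESHOLDS = [(75.0, Tier.CRITICAL), (50.0, Tier.HIGH), (25.0, Tier.MEDIUM)]
# Re-assessment cadence per tier, in days (assumed).
REVIEW_CADENCE_DAYS = {Tier.CRITICAL: 90, Tier.HIGH: 180, Tier.MEDIUM: 365, Tier.LOW: 730}


@dataclass
class ThirdParty:
    name: str
    criticality: str                  # key of CRITICALITY_MULTIPLIER
    answers: dict                     # domain -> 1..5 self-assessment answer
    alerts: list = field(default_factory=list)  # external alert types received


@dataclass
class Assessment:
    name: str
    inherent: float
    residual: float
    tier: Tier
    review_days: int
    findings: list


def inherent_score(answers: dict) -> float:
    """Weighted questionnaire score on a 0..100 scale. An unanswered domain
    counts as the worst case (5), so gaps in a self-assessment raise the risk."""
    total = 0.0
    for domain, weight in DOMAIN_WEIGHTS.items():
        raw = answers.get(domain, 5)
        if not 1 <= raw <= 5:
            raise ValueError(f"{domain}: answer {raw} outside 1..5")
        total += weight * (raw - 1) / 4      # map 1..5 onto 0..1
    return round(total * 100, 2)


def residual_score(inherent: float, criticality: str, alerts: list) -> float:
    """Scale by business criticality, add external alert penalties, cap at 100."""
    if criticality not in CRITICALITY_MULTIPLIER:
        raise ValueError(f"unknown criticality {criticality!r}")
    unknown = [a for a in alerts if a not in ALERT_PENALTY]
    if unknown:
        raise ValueError(f"unknown alert types {unknown}")
    penalty = sum(ALERT_PENALTY[a] for a in alerts)
    return round(min(100.0, inherent * CRITICALITY_MULTIPLIER[criticality] + penalty), 2)


def tier_for(score: float, alerts: list) -> Tier:
    """Stratify by residual score; a sanctions hit always forces the top tier."""
    if "sanctions_hit" in alerts:
        return Tier.CRITICAL
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return Tier.LOW


def assess(tp: ThirdParty) -> Assessment:
    """Run the full scoring pipeline for one third party."""
    inherent = inherent_score(tp.answers)
    residual = residual_score(inherent, tp.criticality, tp.alerts)
    tier = tier_for(residual, tp.alerts)
    findings = [f"unanswered: {d}" for d in DOMAIN_WEIGHTS if d not in tp.answers]
    findings += [f"alert: {a}" for a in tp.alerts]
    return Assessment(tp.name, inherent, residual, tier, REVIEW_CADENCE_DAYS[tier], findings)


def stratify(portfolio: list) -> dict:
    """Group assessments by tier, e.g. to drive the continuous-monitoring schedule."""
    buckets = {tier: [] for tier in Tier}
    for tp in portfolio:
        result = assess(tp)
        buckets[result.tier].append(result)
    return buckets


# Constructed sample portfolio; names, answers and alerts are made up.
SAMPLE_PORTFOLIO = [
    ThirdParty("Payroll Processor A", "critical",
               {"information_security": 3, "business_continuity": 3,
                "financial_stability": 2, "regulatory_compliance": 2, "reputation": 2}),
    ThirdParty("Cleaning Services B", "standard",
               {"information_security": 2, "business_continuity": 3,
                "financial_stability": 2, "regulatory_compliance": 2, "reputation": 2}),
    ThirdParty("Offshore Call Center C", "important",
               {"information_security": 3, "business_continuity": 3,
                "financial_stability": 2},           # two domains left unanswered
               alerts=["adverse_media"]),
    ThirdParty("Sales Agent D", "standard",
               {d: 1 for d in DOMAIN_WEIGHTS},        # clean questionnaire ...
               alerts=["sanctions_hit"]),             # ... but a screening hit
]


if __name__ == "__main__":
    for tier, results in stratify(SAMPLE_PORTFOLIO).items():
        for r in results:
            print(f"{tier.value:9}{r.name:24} inherent={r.inherent:6.2f} "
                  f"residual={r.residual:6.2f} review every {r.review_days:3d}d  {r.findings}")
```

Running the block prints one line per third party grouped by tier. In the sample, the call center lands in the critical tier mostly because two domains were never answered, and the sales agent lands there despite a spotless questionnaire because a sanctions screening hit overrides the score; both illustrate why the stratification step has to consume external content and assessment gaps, not just self-reported answers.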
Sample third party risk management framework
This example framework, developed by one company, provides a basis to develop effective and extensive third party risk management programs by organizing processes and activities that manage risk across the third party lifecycle.
The third party risk management framework provides a reusable set of key capabilities that can be applied when implementing third party risk programs to manage all types of third parties.
Framework components:
• Governance & Oversight: the organizational structure, committees, and roles & responsibilities for managing third parties
• Policies & Standards: management expectations for the management of third parties and related risks
• Risk Culture & Talent Mgmt.: tone at the top, clarity on risk appetite, appropriate training and awareness, etc. to promote a positive risk culture
• Risk Metrics & Reporting: reports identifying risks and performance across third parties
• Mgmt. Processes: processes to manage risks across the third party lifecycle
• Tools & Technology: tools and technology that support third party management processes
Third Party Risk Management Framework – Management and Risk Domains (example)
• Business objectives: agility, predictable funding, cost reduction, capital investment, risk and compliance management
• Operating model categories (management processes cover the third party lifecycle): Evaluate & Select; Contract & On-board; Manage & Monitor; Terminate & Off-board
• Risk domains: credit risk, contractual risk, financial stability risk, compliance risk, reputation risk, business continuity risk, transaction/operational risk, geo-political risk, legal risk, strategic risk
of the organizations surveyed rate their ‘vendor’ third-party risk management
programs as fully mature
41.3%
12.5% of the institutions surveyed
have more than 2500 vendors to manage
36%
Only 35%
of the organizations don’t have fourth party due diligence as a part of their
third-party risk management program
of the organizations are still using manual tools or home grown applications for
managing third-party risk
RMA MetricStream Joint Survey 2015* – Key Findings
* 80 Financial Institutions of varying asset sizes were surveyed
of the participants have an internal audit function
conducting independent reviews of the third-party risk management program
47.6%
A number of institutions leverage data feeds, independent due diligence reports, and automated alerts from third-party data providers like Dow Jones, D&B, LexisNexis, Moody’s, and Standard & Poor’s.
55% of the institutions for which third parties have access to personal and private information have cyber liability insurance.
Third Party Risk Management Framework - Key Components
• Platform capabilities: security & permissions, workflows, reports & dashboards, alerts & notifications
• TPRM process components: planning and process definition; segmentation & screening; assessments; external risk alerts; qualification; risk mitigation; continuous monitoring; centralized repository
Integrating TPRM with an EGRC Framework
• GRC Platform: cloud infrastructure; relational DB, big data, unstructured data; GRC foundation (risks, controls, processes, products/services, organizations, regulations); event notifications, security, reports & dashboards, infolets; AppStudio, workflow, forms, data templates; data import, rules engine, business configuration, provisioning, collaboration, policies, system console; risk analytics & intelligence
• Applications: Third Party Risk Management, Enterprise Risk Management, Policy and Document Mgmt., Compliance Mgmt., Audit Mgmt., IT Compliance, IT Risk Management, Operational Risk Management, [+] other Apps
• Solutions: horizontal solutions (Integrated GRC, Vendor Governance, etc.); vertical solutions (Banking, Financial Services, Insurance, etc.)
• Zaplet AppStore / Community: 3rd-party apps, content, alerts & feeds, GRC intelligence, third parties, compliance online training, retail content
Mapping Third-Party Risks to Other GRC Objects
• Risks: financial, operational, reputational, cybersecurity, geopolitical, legal, business continuity
• Controls: policies, procedures, manuals, training, surveillance and monitoring, governance committees, supervisory checklists
• BU/FU: region (Americas, EMEA), country, legal entity, business unit
• Third-Party: Supplier 1, Supplier 2, BPO 1, Contractor 1
• Control Tests: test plan, audit, survey, self-assessment, ...
• Risk Assessments: risk-based, requirement-based, business unit-based
• Issues: action plan, implement, monitor
• Business Objective: profitability, low costs, brand recognition
• References: SEC, OCC, Fed, FDIC, CFPB
• Policies/Documents: Procedure 1, Document 1, Work Instruction 1, ...
Third-Party Risk as an Integral Component of Enterprise Risk Management
• GRC Libraries: organization, risk, control, area of compliance, requirement, standard, regulatory body, objectives, third-parties, geography, question/procedure, reference, process, product/service, commodity, facility, evidence, exception
• Operational Risk Assessments: risk assessment plan, risk assessment, assessment factor, perspective
• Issues: issue, action
• Incidents: incident, investigation
• Regulatory Alerts: regulatory review, regulatory alert
• Metrics: KPIs, KRIs
• Third-Party Risk: financial assessment, info sec assessment
• Business Processes: Process 1, Process 2, Process 3, Process 4
• Scenario Analysis: scenario workshop, scenario, scenario response
• BCM Assessment
• Legal Entity
Third Party Risk Intelligence
Workflow: TP screening → TP information management → continuous risk monitoring → risk mitigation
External content feeding the workflow: anti-corruption, adverse media entities, sanction alert, watchlist
Integrated External Content for Screening and Monitoring
• Access to Global Adverse Media
• Access to Global sanctions lists
• Access to Global regulatory, law enforcement, and watch
• Access to Politically-exposed persons and state-owned
• Predefined questionnaires/templates for third-party due-diligence
Benefits of Adopting a Technology Framework
• Maintain a centralized repository for third parties
• Comply with the latest regulatory frameworks
• Visibility for fourth-party risks
• Streamline end-to-end third-party risk management
Real World Use Cases
A Global Insurance Company Headquartered in Europe
• Helps in centralizing all third-party governance and risk data in a common database for easier tracking and management of third-party risks
• Increases efficiency by replacing spreadsheet-based processes with tightly streamlined and automated workflows for third-party risk management
International Banking and Financial Services Conglomerate
• Streamlines and automates third-party onboarding and maintenance across thousands of third parties
• Automates the generation of the Third-Party Relationship Performance Scorecard
• Improves transparency around third-party performance monitoring to corporate and senior business management
An Online Brokerage and Financial Services Company
• Helps to evaluate their business partners/third parties as per the OCC (Office of the Comptroller of the Currency) guidelines
• Helps in comprehensive third-party due-diligence including business continuity, contract, country, credit, customer complaints, IT, information security, insurance, and performance quality compliance risks
• Provides a central, web-based repository to document and maintain information on the complete third-party database, which includes 200+ vendors
Q & A
Creating a culture of risk awareness®
Global Association of Risk Professionals
111 Town Square Place, 14th Floor, Jersey City, New Jersey 07310, U.S.A. +1 201.719.7210
2nd Floor, Bengal Wing, 9A Devonshire Square, London, EC2M 4YN, U.K. +44 (0) 20 7397 9630
www.garp.org
© 2015 Global Association of Risk Professionals. All rights reserved.
About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk Manager (FRM®) and the Energy Risk Professional (ERP®) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of risk management via comprehensive professional education and training for professionals of all levels. www.garp.org