Excellence in Third Party Risk Management (TPRM)
www.pwc.ch
FINMA Circular 2018/3 “Outsourcing – banks and insurers”
Key changes
• The revised circular applies to banks and insurers
• What can be outsourced is now principle-based and under the responsibility of each company
• Additional reporting requirements, such as an inventory of outsourced services and concentration risks
• Data must be accessible in Switzerland in case of restructuring, resolution and liquidation
• Companies must perform an assessment of the opportunities and risks before outsourcing
The general trend within the financial services industry is to outsource services to third party providers in order to focus more on core business, increase efficiency and quality, and lower costs.
Along with these potential benefits, higher risks in different areas such as compliance, legal, reputational, operational and information security risk need to be managed. As a consequence, regulators have significantly strengthened the respective laws and guidelines. A growing need for an end-to-end TPRM Framework (Fig. 1) can therefore be observed in the market, especially focusing on regulatory compliance, operational efficiency and a digital solution.
Regulatory Compliance
TPRM is a highly regulated topic with specific requirements and guidelines across different countries (Fig. 2). Being regulatory compliant is crucial and is in general a challenge for financial institutions. In addition, it is important to identify upcoming regulations to ensure timely implementation, e.g. in Switzerland the FINMA Circular 2018/3 “Outsourcing – banks and insurers” and FINMA Circular 2017/1 “Corporate governance”.
In a complex regulatory environment, operational efficiency forms the cornerstone of a holistic TPRM solution.
Fig 1: TPRM framework. Labels: On boarding & Due Diligence; Termination & Off boarding; Monitoring & Reporting; Vendor Lifecycle; Excellence in TPRM; Risk Strategy; Governance / Management; Third Party Risk Management Tool; Risk Staff.
Operational Efficiency
An efficient TPRM framework is required because TPRM is a complex, long and cost-intensive process. This is mainly due to:
• increasingly complex regulatory environment resulting in additional governance, processes and controls
• high number of involved stakeholders (e.g. business, vendors and vendor management) in different locations
• broad variety of third parties and provided services which need a tailored risk assessment
Therefore, a TPRM framework requires clear governance and processes around the third parties’ life cycle. The current trends are to standardise risk assessments and centralise operational tasks in a Centre of Competence (CoC) to reduce costs and gain efficiency (Fig. 3).
The gains in operational efficiency can be maximised with the help of a comprehensive and integrated digital solution.
Fig 2: Global regulation
• India / RBI: Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks (2006); Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs (2015)
• JFSA: Inspection Manual and Oversight Policy on Outsourcing (2014)
• Australia / APRA: Prudential Standard CPS 231; Outsourcing (2017)
• Switzerland / FINMA: Circular 2018/3 Outsourcing – banks and insurers (2017)
• EU / EBA: Guidelines on Outsourcing (2006); Draft Guidelines on Outsourcing, Consultation Paper (2018)
• Singapore / MAS: Guidelines on Outsourcing (2016)
• Hong Kong / HKMA: Supervisory Policy Manual SA-2; Outsourcing (2001)
• US / FRB: SR 13-19 / CA 13-21: Guidance on Managing Outsourcing Risk (2013); OCC Bulletin 2013-29: Third-Party Relationships Risk Management Guidance (2013)
• UK / PRA & FCA: SYSC 8.1 General outsourcing requirements (2018)
Fig 3: Centralised operating model options
• Option 1: Bank-internal centralisation
• Option 2: Bank-external centralisation
• Labels: 1. LoD: Business / SVM; 2. LoD: Legal & Compliance, IT, etc.; 3. LoD: Audit; Bank; External; CoC; C1, C2, C3; Centralised, Risk based, Standardised; Centralised, Outsourced
Digital Solution
Based on PwC's latest experience, most companies in the financial services industry use simple manual office solutions, which result in highly manual and non-aligned procedures. A digital TPRM solution offers streamlined workflows with clear roles and responsibilities, including basic functionalities such as:
• Risk assessment of individual suppliers
• Reporting of status and risk on individual and portfolio level
• Ongoing monitoring of relationships
Therefore, an integrated end-to-end solution combines all required capabilities (Fig. 4).
Fig 4: Proposed solution capabilities (TPRM Solution: On boarding & Due Diligence; Monitoring & Reporting; Termination & Off boarding)
• Due diligence questionnaires tailored to the needs of your organisation
• Option to extend for multiple roles; e.g. procurement, compliance, etc.
• Improved governance: Roles & responsibilities embedded in the workflow
• Eliminates the need for email communication
• Standard monitoring of red flags
• Option to tailor red flags to reflect your organisation’s policies and risk appetite
• Examples of reports: Concentration risk, team progress etc.
• Dashboard with integrated KPIs/KRIs/SLAs
• Pipeline management, including expected workload covered
• All termination scenarios covered. Option to extend based on your organisation’s processes
• Archiving functionality: All terminations archived for 10 years (default retention period)
How we can support you in achieving your targets
Our Swiss and global PwC TPRM team has extensive experience from multiple projects with similar companies and in other industries and is ready and able to support your organisation. PwC always seeks to find the best solution for clients. The following exemplary services can be adjusted to your specific situation and needs.
Regulatory Compliance
• Regulatory Health Check on the current situation within TPRM and impact assessment of upcoming regulations
• Establish consistent regulatory change governance including radaring to ensure ongoing compliance
Operational Efficiency
• Operational Efficiency Health Check to benchmark current level of efficiency and identify options to lower costs
• Design and implement a simplified operating model including:
  - Centralised and risk-based approach
  - Standardised operation
  - Consideration of shoring and sourcing options
Digital Solutions
• Identify repetitive, high-volume manual tasks to consider automation opportunities
• Evaluate the appropriate TPRM software solution (int. vs. ext.)
• Project and change management support
Michael Kuss, Partner Assurance, +41 58 792 15 [email protected]
Dr. Manuel Plattner, Director Advisory, +41 58 792 14 [email protected]
Dr. Thomas Busch, Leader TPRM PwC Switzerland, +41 58 792 24 [email protected]
Patrick Akiki, Partner Advisory, +41 58 792 25 [email protected]
Dr. Marcel Tschanz, Partner Advisory, +41 58 792 20 [email protected]
© 2018 PwC. All rights reserved. “PwC” refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.