
Page 1: Third Party Management in Action - SIG Council_Third... · 2017. 8. 2.

SIG Working Council

Third Party Risk Management

Bernard TruongSenior Director, Third Party Risk ManagementNational Bank of Canada

Linda Tuck Chapman PresidentONTALA

In Action

27 July 2017

Page 2

Bernard Truong, National Bank

[email protected]

• NBC is an integrated provider of financial services to retail, commercial, corporate & institutional clients;
• 6th largest bank in Canada with over $230B in assets;
• Leading bank in Quebec and partner of choice for small & medium size enterprises;
• Head office in Montreal, Quebec (Canada) and listed on the TSX with $16.2B market capitalization;
• More than 21,770 employees across Canada, U.S., Asia and Europe.

Page 3

Linda Tuck Chapman

President & CEO, Ontala

416.452.4635 | [email protected]

Recognized expert in third-party lifecycle and risk management, outsourcing governance and third-party optimization.

Career highlights:
• SVP & CPO, BMO Financial Group (twice)
• President & CEO, Education Marketplace
• SVP & CPO, Fifth Third Bank
• CPO & Executive Services, Scotiabank
• Banker and member of senior management

Leadership profile:
• Author: RMA Journal, Wall Street Risk Journal, industry publications; “Third Party Lifecycle and Risk Management – What You Should Know”, published by RMA fall 2017
• RMA: Subject Matter Expert - Third Party Management, Facilitator, Trainer
• SRC: Chair, SRC Thought Leaders Council
• SHARED ASSESSMENTS GROUP: Advisory Board member
• CORE: Lecturer

Linda Tuck Chapman, ONTALA

Page 4

Focus of today’s discussion

How to build a strong network:

What is the best way to build a reliable network of new and experienced third-party and vendor risk management professionals within SIG?

What would you like to get out of the Working Group webinars and meetings?

How would you like to participate?

What’s Top of Mind:

Taking a business-centric approach

A two-pronged approach to managing risk

Three Lines of Defense

Page 5

Polling Question #1

Which industry are you in?

1. Financial services (banks, insurance, FMUs, etc.)

2. Health care/sciences

3. Energy

4. Technology

5. Manufacturing

6. Consumer Packaged Goods

7. Food Services

8. Other

Page 6

Frameworks help with communication

Critical relationships should be managed and monitored throughout their lifecycle

Good governance relies on business owners, risk specialists, pragmatic processes, flexible tools, actionable visibility and senior-level oversight

Figure: Lifecycle, Management Governance Framework, Operating Framework

© 2017 Linda Tuck Chapman & Ontala Performance Solutions Ltd.

Page 7

Polling Question #2

What is the maturity level of your program?

1. Exploring ideas, not implemented

2. Getting started

3. Processes designed, implementation underway

4. Fully implemented, will be mature in 12 months

5. Will be mature in 24 – 36 months

Page 8

Take a “business-centric” approach

© 2017 Linda Tuck Chapman & Ontala Performance Solutions Ltd.

Page 9

Polling Question #3

Does your program have a way to assess both criticality and risk?

1. Yes

2. No

3. Not sure

4. Not there yet

Page 10

Manage risk with a two-pronged approach

Source: McKinsey & Company: “Top-down ERM: A Pragmatic Approach to Managing Risk from the C-Suite ”

Top-down

Objective: Enable management to make better decisions based on risk / return

Benefits:
1. Highlights the risks most likely to affect performance or achievement of objectives (Top 3 - 5 third party risks, in order of priority)
2. A current and accurate view of its control environment allows effective monitoring of the residual risks most likely to affect performance and achievement of objectives
3. Support strategic and business decisions
4. Promote dialogue on current and emerging 3rd party risks between managers in different sectors.

Bottom-up

Objective: Ensure rigorous 3rd party risk management throughout the organization in its day-to-day operations

Benefits:
1. Continuous comprehensive 3rd party risk identification
2. Well trained employees who make the right risk/return compromises during daily operations
3. Processes and procedures are in place to enable timely management, monitoring and escalation of 3rd party risks
4. Strong risk culture deployed throughout the organization.

Page 11

Polling Question #4

How well does your program satisfy the needs of senior management and the third-party relationship owners in the business?

1. Fully satisfies both stakeholder groups

2. Somewhat satisfies both stakeholder groups

3. Still working on it

Page 12

Figure: profiling third-party risk top-down and bottom-up across processes and Business Units

Top-down: Risk profile by Business Unit (L3 / L4); Risk profile by process; Profile risks by process and Business Unit

Bottom-up: Follow-up on KRIs; Analysis of operational events (internal / external incl. 3rd parties); Operational loss reporting (internal / external incl. 3rd parties)

Business Units / risk domains shown: WM, P&C, OPS, IT, RM, HR, IT F&T, Market Risk

Processes shown: Mortgage Financing (Branch), Wholesale Securities Processing (NBCN), Fixed Income, Interest Rate Derivatives

Source: McKinsey & Company: “Top-down ERM: A Pragmatic Approach to Managing Risk from the C-Suite”

Page 13

Polling Question #5

Does your company have a consistent risk culture, and are employees consciously aware of their role in managing third-party risk as a part of their day-to-day responsibilities?

1. Yes

2. Not exactly

3. We still have a lot of work to do

Page 14

Three Lines of Defense Framework

Source: IIA Position Paper on the Three Lines of Defense in Effective Risk Management and Control (January 2013);

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 15

Polling Question #6

Has your company implemented a “three lines of defense” framework for managing operational risk?

1. Yes

2. No

3. Not sure

4. This is a new concept for me

Page 16

3 Lines of defense

First line of defense: LOB Relationship Manager / Accountable Executive & Senior Risk Manager

Own and proactively manage risks

▪ Own and manage identified 3rd party risks for the business unit arrangements;
▪ Monitor performance and risks to efficiently address gaps with standards;
▪ Escalate risks to the proper level for prioritization of action plan;
▪ Maintain overall accountability and oversight of the relationship:
o Set the strategic direction of 3rd party relationship
o Make key decisions pertaining to 3rd party relationship
o Resolve any escalated issues.

Second line of defense: 3PRM / Enterprise Wide Risk (EWR) / Corporate functions

Establish risk related policies, provide oversight and challenge

▪ Develop, implement and monitor 3PRM framework;
▪ Provide subject matter expertise, support, and independent risk oversight of 3rd party risks;
▪ Quality assurance and effective challenge;
▪ Analytics and reporting;
▪ Perform enterprise wide oversight through SIM tool.

Corporate functions:
▪ Provide inherent, residual risks assessment and due diligence;
▪ Assess implications of 3rd party risk to their risk domains.

Third line of defense: Internal Audit

Assess/Audit program design and operating effectiveness

▪ Provide independent assessment on effectiveness of internal control environment by 1st and 2nd lines;
▪ Provide timely independent reporting to senior management that assesses reliability and operating effectiveness of key control activities, such as:
o Effective 3rd party risk identification and due diligence
o Appropriate contract controls
o Adherence to applicable regulatory guidance
o Appropriate on-going 3rd party management and oversight
o Effective challenge to 1st/2nd lines that includes escalation process

Page 17

Polling Question #7

Are roles and responsibilities clearly defined for each key stakeholder group in your company’s 3 Lines of Defense?

1. Yes

2. No

3. Still working on this

4. We haven’t implemented a 3 Lines of Defense Framework

Page 18

What does your RASCI look like?

RASCI: Responsible, Accountable, Support, Consult, Inform

© 2017 Linda Tuck Chapman & Ontala Performance Solutions Ltd.

Page 19

Polling Question #8

Who is responsible for designing your third-party risk management program?

1. Procurement

2. IT

3. Operational / Enterprise Risk

4. Compliance

5. Each Line of Business has their own program

6. Other

Page 20

Polling Question #9

Does your company have risk specialists in a centralized function(s)?

1. Yes

2. No

3. Not sure

4. Just setting them up

Page 21

Bernard Truong: Lessons Learned

• Get support from the senior executives of your organization
• Focus efforts on building criteria that examine true risks to achievement of business objectives, customer experience and 3rd parties’ limitations;
• Governance structure must be designed to eliminate blocks in information flow from the bottom up and from the top down;
• Critical to this framework is a robust 3PRM group.

Page 22

Linda Tuck Chapman

• Creating visual frameworks helps with communication and adoption
• Everyone needs to know about third-party management
• It’s not all about risk and compliance. It’s about driving performance, quality and best value for the lowest costs and risk.
• Different industries have different strengths. This is a team sport.
• Few, if any, companies truly have mature third-party management programs. This is new, rigorous and a long way from being efficient and effective

Page 23

Send us your ideas for future webinars

• Monitoring
• Key risk drivers
• Working collaboratively with the 2nd Line of Defense
• KRIs – which risks to measure, and why
• KPIs – how to measure the health of your program
• Governance tools:
o Independent Challenge
o Escalation
o Exception Management
• Reporting: who, what, why, when

Page 24

Future 3PRM Webinars

• Monitoring
• Key risk drivers
• Working collaboratively with the 2nd Line of Defense
• KRIs – which risks to measure, and why
• KPIs – how to measure the health of your program
• Governance tools:
o Independent Challenge
o Escalation
o Exception Management
• Reporting: who, what, why, when
• Lessons Learned

Page 25

Contact Information

Bernard Truong

Senior Director

Third Party Risk Management

Enterprise Wide Risk

National Bank

[email protected]

514.394.6469

Linda Tuck Chapman

President & CEO

Ontala

[email protected]

416.452.4635 | 917.831.2923

Page 26

SIG Working Council: Third Party Risk Management

Bernard Truong

Senior Director, Third Party Risk

National Bank of Canada

Linda Tuck Chapman

President & CEO

Ontala

Matt Shocklee

SIG Global Ambassador

Snehal Sindhvad

SIG Member Services

Bob Wilkinson

SIG Ambassador

BFSI/Cybersecurity