TRANSCRIPT
SIG Working Council
Third Party Risk Management In Action
Bernard Truong, Senior Director, Third Party Risk Management, National Bank of Canada
Linda Tuck Chapman, President, ONTALA
27 July 2017
Bernard Truong, National Bank
NBC is an integrated provider of financial services to retail, commercial, corporate & institutional clients;
6th largest Bank in Canada with over $230B in assets;
Leading bank in Quebec and partner of choice for the small & medium size enterprises;
Head office in Montreal, Quebec (Canada) and listed on the TSX with 16.2B Market Capitalization;
More than 21,770 employees across Canada, U.S., Asia and Europe.
Linda Tuck Chapman
President & CEO, Ontala
416.452.4635 | [email protected]
Recognized expert in third-party lifecycle and risk management, outsourcing governance and third-party optimization.
Career highlights:
• SVP & CPO, BMO Financial Group (twice)
• President & CEO, Education Marketplace
• SVP & CPO, Fifth Third Bank
• CPO & Executive Services, Scotiabank
• Banker and member of senior management
Leadership profile:
• Author: RMA Journal, Wall Street Risk Journal, industry publications; “Third Party Lifecycle and Risk Management – What You Should Know”, published by RMA fall 2017
• RMA: Subject Matter Expert - Third Party Management, Facilitator, Trainer
• SRC: Chair, SRC Thought Leaders Council
• SHARED ASSESSMENTS GROUP: Advisory Board member
• CORE: Lecturer
Linda Tuck Chapman, ONTALA
Focus of today’s discussion
How to build a strong network:
What is the best way to build a reliable network of new and experienced third-party and vendor risk management professionals within SIG?
What would you like to get out of the Working Group webinars and meetings?
How would you like to participate?
What’s Top of Mind:
Taking a business-centric approach
A two-pronged approach to managing risk
Three Lines of Defense
Polling Question #1
Which industry are you in?
1. Financial services (banks, insurance, FMUs, etc.)
2. Health care/sciences
3. Energy
4. Technology
5. Manufacturing
6. Consumer Package Goods
7. Food Services
8. Other
Frameworks help with communication
Critical relationships should be managed and monitored throughout their lifecycle
Good governance relies on business owners, risk specialists, pragmatic processes, flexible tools, actionable visibility and senior-level oversight
© 2017 Linda Tuck Chapman & Ontala Performance Solutions Ltd.
Figure: Lifecycle Management / Governance Framework / Operating Framework
Polling Question #2
What is the maturity level of your program?
1. Exploring ideas, not implemented
2. Getting started
3. Processes designed, implementation underway
4. Fully implemented, will be mature in 12 months
5. Will be mature in 24 – 36 months
Take a “business-centric” approach
Polling Question #3
Does your program have a way to assess both criticality and risk?
1. Yes
2. No
3. Not sure
4. Not there yet
Manage risk with a two-pronged approach
Source: McKinsey & Company: “Top-down ERM: A Pragmatic Approach to Managing Risk from the C-Suite”

Top-down
Objective: Enable management to make better decisions based on risk / return
Benefits:
1. Highlights the risks most likely to affect performance or achievement of objectives (Top 3 - 5 third party risks, in order of priority)
2. A current and accurate view of its control environment allows effective monitoring of the residual risks most likely to affect performance and achievement of objectives
3. Support strategic and business decisions
4. Promote dialogue on current and emerging 3rd party risks between managers in different sectors.

Bottom-up
Objective: Ensure rigorous 3rd party risk management throughout the organization in its day-to-day operations
Benefits:
1. Continuous comprehensive 3rd party risk identification
2. Well trained employees who make the right risk/return compromises during daily operations
3. Processes and procedures are in place to enable timely management, monitoring and escalation of 3rd party risks
4. Strong risk culture deployed throughout the organization.
Polling Question #4
How well does your program satisfy the needs of senior management and the third-party relationship owners in the business?
1. Fully satisfies both stakeholder groups
2. Somewhat satisfies both stakeholder groups
3. Still working on it
Figure: risk profiling by process and business unit, top-down and bottom-up
Source: McKinsey & Company: “Top-down ERM: A Pragmatic Approach to Managing Risk from the C-Suite”
Labels recovered from the diagram: Risk profile by Business Unit (L3 / L4); Risk profile by process; Profile risks by process and Business Unit; Follow-up on KRIs; Analysis of operational events (internal / external incl. 3rd parties); Operational loss reporting (internal / external incl. 3rd parties); Market Risk; business units / functions: IT, F&T, WM, P&C, OPS, RM, HR; example processes: Mortgage Financing (Branch), Wholesale Securities Processing (NBCN), Fixed Income, Interest Rate Derivatives.
Polling Question #5
Does your company have a consistent risk culture, and are employees consciously aware of their role in managing third-party risk as a part of their day-to-day responsibilities?
1. Yes
2. Not exactly
3. We still have a lot of work to do
Three Lines of Defense Framework
Source: IIA Position Paper on the Three Lines of Defense in Effective Risk Management and Control (January 2013);
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
Polling Question #6
Has your company implemented a “three lines of defense” framework for managing operational risk?
1. Yes
2. No
3. Not sure
4. This is a new concept for me
First line of defense: LOB Relationship Manager / Accountable Executive & Senior Risk Manager
Own and proactively manage risks
▪ Own and manage identified 3rd party risks for the business unit arrangements;
▪ Monitor performance and risks to efficiently address gaps with standards;
▪ Escalate risks to the proper level for prioritization of action plan;
▪ Maintain overall accountability and oversight of the relationship:
o Set the strategic direction of 3rd party relationship
o Make key decisions pertaining to 3rd party relationship
o Resolve any escalated issues.
Second line of defense: 3PRM / Enterprise Wide Risk (EWR) / Corporate functions
Establish risk related policies, provide oversight and challenge
▪ Develop, implement and monitor 3PRM framework;
▪ Provide subject matter expertise, support, and independent risk oversight of 3rd party risks;
▪ Quality assurance and effective challenge;
▪ Analytics and reporting;
▪ Perform enterprise wide oversight through SIM tool.
Corporate functions:
▪ Provide inherent, residual risks assessment and due diligence;
▪ Assess implications of 3rd party risk to their risk domains.
Third line of defense: Internal Audit
Assess/Audit program design and operating effectiveness
▪ Provide independent assessment on effectiveness of internal control environment by 1st and 2nd lines;
▪ Provide timely independent reporting to senior management that assesses reliability and operating effectiveness of key control activities, such as:
o Effective 3rd party risk identification and due diligence
o Appropriate contract controls
o Adherence to applicable regulatory guidance
o Appropriate on-going 3rd party management and oversight
o Effective challenge to 1st/2nd lines that includes escalation process
Polling Question #7
Are roles and responsibilities clearly defined for each key stakeholder group in your company’s 3 Lines of Defense?
1. Yes
2. No
3. Still working on this
4. We haven’t implemented a 3 Lines of Defense Framework
What does your RASCI look like?
RASCI: Responsible, Accountable, Support, Consult, Inform
Polling Question #8
Who is responsible for designing your third-party risk management program?
1. Procurement
2. IT
3. Operational /Enterprise Risk
4. Compliance
5. Each Line of Business has their own program
6. Other
Polling Question #9
Does your company have risk specialists in a centralized function(s)?
1. Yes
2. No
3. Not sure
4. Just setting them up
Bernard Truong: Lessons Learned
• Get support from the senior executives of your organization;
• Focus efforts on building criteria that examines true risks to achievement of business objectives, customer experience and 3rd parties limitations;
• Governance structure must be designed to eliminate blocks in information flow from the bottom up and from the top down;
• Critical to this framework is a robust 3PRM group.
Linda Tuck Chapman
• Creating visual frameworks helps with communication and adoption
• Everyone needs to know about third-party management
• It’s not all about risk and compliance. It’s about driving performance, quality and best value for the lowest costs and risk.
• Different industries have different strengths. This is a team sport.
• Few, if any companies, truly have mature third-party management programs. This is new, rigorous and a long way from being efficient and effective.
Send us your ideas for future webinars
• Monitoring
• Key risk drivers
• Working collaboratively with the 2nd Line of Defense
• KRI’s – which risks to measure, and why
• KPI’s – how to measure the health of your program
• Governance tools:
• Independent Challenge
• Escalation
• Exception Management
• Reporting: who, what, why, when
Future 3PRM Webinars
• Lessons Learned
Contact Information
Bernard Truong
Senior Director
Third Party Risk Management
Enterprise Wide Risk
National Bank
514.394.6469
Linda Tuck Chapman
President & CEO
Ontala
416.452.4635 | 917.831.2923
SIG Working Council: Third Party Risk Management
Bernard Truong
Senior Director, Third Party Risk
National Bank of Canada
Linda Tuck Chapman
President & CEO
Ontala
Matt Shocklee
SIG Global Ambassador
Snehal Sindhvad
SIG Member Services
Bob Wilkinson
SIG Ambassador
BFSI/Cybersecurity