Third Party Risk Management
Tolga Aksoy, CIA, CFSA, CPA
GLC Berlin, 12 May 2017
Purpose
Institutions choose to establish third party relationships for a variety of
business reasons, to take advantage of the benefits such relationships can
provide. Key motivations for establishing a third party relationship can be:
a. looking for opportunities to outsource non-core activities, which can result
in cost reduction and improved return on investment, and focusing internal
resources on core business functions;
b. acquiring a short-term or highly specialized competency that an
organization does not already possess (e.g. hiring an advertising firm) to
achieve certain business objectives;
c. acquiring a utility or basic service that is common or readily available
(e.g. electric power and telecommunications) and that cannot efficiently be
provided by the organization;
Purpose (2)
d. enabling business operations in a different geographical location;
e. acquiring new or replacement IT equipment or services (e.g. laptops,
printers, servers, routers, software applications, storage capacity, network
connectivity, IT managed services, etc.) that enable workforce productivity
and other business computing needs.
Commitment to the highest level of ethics and compliance with all
applicable laws, regulations and policies is crucial. The commercial
benefits of outsourcing non-core business functions must be balanced against
the commercial and information security risks. The risks associated with
outsourcing must be managed through the imposition of suitable controls,
comprising a combination of legal, physical, logical, procedural and
managerial controls.
Scope
Third party risk assessments and appropriate due diligence controls are
completed by the relevant process and product owners for all third parties
that have been determined, under the initial screening requirement, to fall
in scope for risk-based due diligence.
The term third party relationship includes business arrangements, by contract
or otherwise, between or among affiliates, or between the company and an
external party. These include but are not limited to the following (e.g. OECD
definition):
a) agent: an individual or entity authorized to act for or on behalf of, or to
otherwise represent, the company in furtherance of its business interests.
Agents may be categorized into two types: sales agents (e.g. those needed to
win a contract) and process agents (e.g. travel agents);
Scope (2)
c) advisor and other intermediary: an individual or entity providing services
and advice by representing the company towards, or organizing its dealings
with, another person, business and/or authority (legal, tax or financial
advisor, consultant, lobbyist, etc.);
d) contractor and sub-contractor: a contractor is a non-controlled individual
or entity that provides services or goods to the entity under a contract. A
sub-contractor is an individual or entity hired by the contractor to perform a
specific task as part of an overall project. Contractors and sub-contractors
may be categorized as:
• supplier(s)/vendor(s): an individual or entity that supplies goods to
the entity;
• service provider: an individual or entity that provides services to
the entity (e.g. communications, logistics, storage, processing services, etc.).
General Considerations for Outsourcing
Ensuring uniform and effective management of the outsourcing activities
within the entity, and of the risks arising from these activities, is the
essential element of this process. However, delegating an activity shall not
imply leaving or transferring the responsibility, the control or the risk
management of that activity to the third party.
Certain services cannot be transferred to third parties; this applies to:
• core business competencies such as corporate planning, organization,
management and control;
• a delegation that may lead to a loss in core business activity;
• a delegation that may undermine the supervision capabilities of
mandatory regulators;
• a delegation that may cause disturbances with respect to the relationships
and obligations of the entity with customers.
TPRM framework (figure): a cycle of five phases
1. Selection
2. Due diligence and risk assessment
3. Contracting
4. Monitoring and auditing
5. Termination
Below matrix can be used to demonstrate the decision framework to select
the right risk intensity level of TP selection. Its axes are business impact
(low to high) and standardization of service offering (low to high); each
cell names the sourcing route and example services:
BUSINESS IMPACT: HIGH
• Standardization of service offering LOW: Tender with competitive dialogue
(1. ICT outsourcing, 2. Legal support, 3. …)
• Standardization of service offering HIGH: Tender with written RFP
(1. Catering, 2. Cleaning, 3. Payroll, 4. …)
BUSINESS IMPACT: LOW
• Standardization of service offering LOW: Negotiation
(1. Turnkey projects, 2. …)
• Standardization of service offering HIGH: Tender bid
(1. Office supplies, 2. Small computer peripherals, 3. …)
Risk categories and their explanation:
• Strategic: the risk that the third party's services do not align to an
organization's strategic goals, objectives, or risk appetite.
• Concentration: the risk created by a lack of diversification within the
third party base.
• Country: the risk of doing business in a specific country, including legal /
regulatory, geo-political and socio-economic considerations.
• Contractual: the risk that the services agreed in the third party contract
are not delivered according to plan.
• Reputation: the impact to an organization's reputation should an event
occur at the third party.
• Performance: the risk that a third party fails to meet your needs as a
company from a service delivery perspective. Common metrics include SLAs,
scalability and overall performance reviews.
• Bribery and corruption: the risk that the offering or receiving of any
services is performed to influence the actions of a third party.
• Regulatory compliance: the risk of creating misalignment with compliance
regulations as defined by external regulators.
• Business continuity: the effect of a third party failure on the continuation
of business as usual for the organization.
• Financial: the risk of financial loss due to third party failure or
non-performance.
• (and further risk categories)
Risks associated with the phases of the TPRM process:
For each phase: activity, activity objective and related risk.
a) Selection
• Activity: assess risk and develop a plan to manage the relationship.
• Objective: understand the need for third party engagement and consider the
risks and complexity associated with the potential engagement.
• Related risk: all related risks.
b) Due diligence and risk assessment
• Activity: perform due diligence on potential third parties; analyze
responses and select the third party.
• Objective: conduct a sourcing event to obtain third party proposals and
information for evaluation. Evaluate the third party's ability to meet
expectations, understand the third party's controls to manage risks posed by
the relationship, and select the appropriate third party.
• Related risk: all related risks.
c) Contracting
• Activity: complete the contract with the third party.
• Objective: negotiate contract terms that clearly define expectations and
responsibilities, help to ensure the contract's enforceability, limit the
institution's liability, and mitigate performance disputes.
• Related risk: contractual / performance / regulatory.
d) Monitoring and auditing
• Activity: perform operational, service and risk management monitoring and
auditing.
• Objective: manage and audit the performance of operations and services,
validate against contract specifications; identify and manage risks.
• Related risk: all related risks.
e) Termination
• Activity: execute termination and manage exposure, risk and continuity of
operations.
• Objective: develop a termination/contingency plan to enable the transition
or termination of activities while managing exposure, risk and continuity of
operations; execute termination of the third party.
• Related risk: performance / business continuity / financial.
TPRM process follows a continuous life cycle for relationships:
Phase 1: Selection
Making use of an integrated risk category framework and selecting the
right third parties starts with assessing the level of impact and
standardization of the supplier relationship and solutions. Following this
analysis, a decision is made on how intensive the selection process and the
related risk categories need to be.
Criteria for selecting a third party shall be defined and documented by
taking the following considerations into account:
• company’s reputation and history;
• quality of services provided to other customers;
• number and competence of staff and managers and organizational set-up
of the provider;
• financial stability of the company, audit reports and commercial record;
• quality assurance and security management standards currently
followed by the company (e.g. certified compliance with ISO 9000 and
ISO/IEC 27001);
Phase 1: Selection (2)
• existence of litigation or legal procedures against the provider;
• technologies adopted and continuity approach of the provider;
• screening of employees (e.g. background security checks performed by the
provider);
• quality of sub-contractors;
• size of the contract in relation to the size of the provider;
• country of incorporation of the provider;
• location of the servers/infrastructure;
• other factors that could affect the provider's stability (e.g. geopolitical
factors).
Required actions are also taken to protect sensitive data. Before subscribing
to the service, an assessment is made of the data protection measures
implemented by the service provider, which includes among others its
compliance with European Directive 95/46/EC.
Phase 1: Selection (3)
Initial screening shall be performed to determine “in scope” third parties; the
engaging department must assess the following in accordance with a third
party due diligence process:
a) is the third party in an industry or geographic location perceived as having
higher corruption risks;
b) will the third party perform services on behalf of the entity or be authorized
to represent the entity vis-à-vis other third parties;
c) is it reasonable to expect that the third party will come into contact with
government officials when representing the entity;
d) will the third party be in a position to influence the decisions or the conduct
of other third parties for the benefit or to the detriment of the entity;
e) will the third party have access to confidential information concerning the
entity’s business and/or customers;
f) has the third party been accused of or convicted of violating any laws
(including corruption, bribery, sanctions, money laundering or terrorism
finance) within the past five years.
Phase 2: Due Diligence and Risk Assessment
The third party risk assessment form uses key risk indicators to determine the
risk level of a third party and to identify red flags. The level of risk
ultimately determines the amount of due diligence that needs to be performed:
high-risk third parties are subject to a more detailed due diligence process
and require the approval of the compliance officer and the managing board.
The following categories of engagements shall also be considered in
evaluating the third party:
• any third party that is identified as a politically exposed person (PEP) and/or
owned and/or controlled by PEP(s);
• any third party who is or may be a relative or close associate of a present or
former PEP;
• any third party accused of or convicted of violating any laws (including
corruption, bribery, sanctions, money laundering or terrorism finance) within
the past five years.
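The initial screening questions (a to f) and the Phase 2 red flags decide whether a third party is in scope and how deep the due diligence and approval chain must go. The following is an added illustration, not code from the presentation: it encodes those questions as a checklist and derives a risk tier; the weights, tier thresholds, approval mapping and the rule that prior violations or PEP ownership force the high tier are assumptions.

```python
"""Initial screening and risk tiering of a candidate third party (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Screening:
    """Answers to the initial screening questions plus Phase 2 red flags."""
    high_corruption_risk_industry_or_country: bool  # question a)
    acts_on_behalf_of_entity: bool                  # question b)
    contacts_government_officials: bool             # question c)
    can_influence_other_third_parties: bool         # question d)
    accesses_confidential_information: bool         # question e)
    violations_in_past_five_years: bool             # question f)
    pep_owned_or_controlled: bool = False           # Phase 2 red flag (assumed field)
    pep_relative_or_associate: bool = False         # Phase 2 red flag (assumed field)


# Assumed weights: any "yes" brings the party in scope; bribery-related
# answers and PEP / violation flags weigh more than the others.
WEIGHTS: Dict[str, int] = {
    "high_corruption_risk_industry_or_country": 2,
    "acts_on_behalf_of_entity": 1,
    "contacts_government_officials": 2,
    "can_influence_other_third_parties": 1,
    "accesses_confidential_information": 1,
    "violations_in_past_five_years": 3,
    "pep_owned_or_controlled": 3,
    "pep_relative_or_associate": 2,
}


def risk_tier(score: int) -> Tuple[str, str, List[str]]:
    """Map a weighted score to (tier, due diligence depth, approvers). Thresholds assumed."""
    if score == 0:
        return "out of scope", "basic checks only", ["process/product owner"]
    if score <= 2:
        return "low", "internal third party risk assessment form", ["business unit head"]
    if score <= 4:
        return "medium", "internal and external due diligence forms", ["business unit head", "compliance officer"]
    return "high", "detailed due diligence incl. references, media and database searches", ["compliance officer", "managing board"]


def assess(s: Screening) -> Dict:
    """Return the in-scope decision, the red flags raised and the resulting tier."""
    flags = [name for name in WEIGHTS if getattr(s, name)]
    score = sum(WEIGHTS[f] for f in flags)
    tier, depth, approvers = risk_tier(score)
    # Hard red flags (assumption): a conviction/accusation in the past five years
    # or PEP ownership is treated as high risk regardless of the weighted score.
    if s.violations_in_past_five_years or s.pep_owned_or_controlled:
        tier, depth, approvers = risk_tier(99)
    return {"in_scope": score > 0, "score": score, "red_flags": flags,
            "tier": tier, "due_diligence": depth, "approvers": approvers}
```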
Phase 2: Due Diligence and Risk Assessment (2)
The objective of the data collection process is to assemble and document relevant
information about:
• the structure, ownership and operations of the third party (organization and
affiliates);
• the reputation and commitment to integrity (compliance health check);
• the suitability of the type of relationship being considered (necessity and proper
retention, expertise);
• reasonability of the compensation, fees and method of payment.
Data may be collected as part of the due diligence process through the following:
• internet, database and media searches: company websites, policies and
procedures of the third party containing information about the third party’s integrity;
• internal third party risk assessment form: to be completed by the business unit
looking to engage the third party;
• external third party due diligence form: to be completed by the candidate third
party;
• references.
Phase 2: Due Diligence and Risk Assessment (3)
Once sufficient data has been collected to complete the risk assessment and
appropriate due diligence of the proposed third party, the engagement may be
approved by the appropriate level of authority in the bank according to the
risk level. Ongoing or renewed engagements should be reviewed periodically and
monitored in a risk-based manner; any adverse finding must be reported by the
business units to a higher instance.
The risk assessment shall take account of the:
• nature of logical and physical access to the entity’s information assets and
facilities required by the outsourcer to fulfill the contract;
• sensitivity, volume and value of any information assets involved;
• commercial risks such as the possibility of the outsourcer’s business failing
completely, or failing to meet agreed service levels or providing services to
the entity’s competitors where this might create conflicts of interest;
Phase 2: Due Diligence and Risk Assessment (4)
• aggregate exposure to the provider; insurance coverage;
• potential loss of knowledge in the institution and incident reporting approach
of the provider;
• business continuity approach, organizational set-up and compliance
approach of the provider;
• whether the service provider remains contractually accountable to the entity
for any sub-contractors it may engage;
• quality of services provided; performance monitoring;
• availability, expertise and experience of sufficiently competent personnel;
• country of establishment;
• solvency, market conformity, liability and flexibility of the third party;
• duration of the agreement; contractual / legal aspects including audit
clauses, applicable law and confidentiality clauses;
• dissolution possibilities and exit strategy (including conditions of
reversibility).
Phase 3: Contracting
A formal contract between the entity and the third party shall exist to protect
both parties. The contract shall clearly define the types of information
exchanged and the purpose for doing so. If the information being exchanged is
sensitive, a binding confidentiality agreement shall be in place between the
entity and the third party, whether as part of the outsourcing contract itself
or as a separate non-disclosure agreement acceptable to the entity.
The contract shall clearly define each party's responsibilities towards the
other by specifying the parties to the contract, the effective date, the
functions or services being provided (e.g. defined service levels),
liabilities, limitations on the use of sub-contractors, other commercial/legal
matters, and the termination details normal to any contract.
Phase 3: Contracting (2)
Depending on the results of the risk assessment, various additional controls
should be embedded or referenced within the contract, such as:
• legal, regulatory and other third party obligations such as data
protection/privacy laws, money laundering etc.;
• information security policies, procedures, standards and guidelines and
information security incident management procedures including mandatory
incident reporting;
• access controls to restrict unauthorized disclosure, modification or
destruction of information, including physical and logical access controls,
procedures for granting, reviewing, updating and revoking access to systems,
data and facilities, etc.;
• copyright, patents and similar protection for any intellectual property shared
with the third party or developed in the course of the contract;
• anti-malware, anti-spam and similar controls;
Phase 3: Contracting (3)
• specification, design, development, testing, implementation, configuration,
management, maintenance, support and use of security controls within or
associated with IT systems;
• return or destruction of all information assets by the outsourcer after the
completion of the outsourced activity or whenever the asset is no longer
required to support the outsourced activity;
• the right of the entity to monitor all access to and use of the entity facilities,
networks, systems etc., and to audit the outsourcer’s compliance with the
contract, or to employ a mutually agreed independent third party auditor for
this purpose and confirmation on the background checks for the employees
of the third party;
• business continuity arrangements including crisis and incident
management, resilience, backups and IT disaster recovery and third party
management governance on strategic, technical and operational level;
• exit strategy.
Phase 4: Monitoring and Auditing
Monitoring and auditing of services and operational activities on a frequent
basis are divided into the following main categories:
a) security audits: if the entity has outsourced a business function to a third
party based at a different location, it shall have the right to appoint an
external audit company to audit the third party;
b) physical access controls:
• strongly constructed facilities;
• suitable locks with key management procedures;
• access logging through the use of automated key cards, visitor registers, etc.;
Phase 4: Monitoring and Auditing (2)
c) access controls: in order to prevent unauthorized access to the entity's
information assets by the third party or its sub-contractors, suitable security
controls are required as outlined in this section. The details depend on the
nature of the information assets and the associated risks, implying the need
to assess the risks and design a suitable controls architecture, which is also
subject to the entity's remote access and mobile device policy. Procedural
components of access controls shall be documented within procedures,
guidelines and related documents and incorporated into awareness,
training and educational activities;
d) ongoing monitoring of the activities and performance of the third party as
per the predefined criteria, in accordance with the contract and SLAs.
Phase 5: Termination
In order to mitigate the risk of unexpected termination of the third party
agreement or liquidation of the service provider, the entity retains an
appropriate level of control over the third party's activities and intervenes
with appropriate measures so as to continue its business operations without
any break in the operations of the bank and its services to customers.
Third party contracts should include a termination clause and, if deemed
necessary, a minimum period for executing a termination provision. The
contract should also specify the performance benchmarks, including default
benchmarks. If those benchmarks are not met, penalties are applied or, in the
extreme, termination of the agreement shall be considered. Upon termination of
the contract, the confidentiality arrangements shall be revised to determine
whether confidentiality has to be extended beyond the tenure of the contract.
The contract shall provide early termination/exit clauses covering failure to
meet service level agreements, changes in circumstances, and ethical breaches.
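Phase 4 monitoring against the contractual benchmarks feeds the Phase 5 consequences: penalties for missed benchmarks and, in the extreme, termination. The following is an added illustration, not code from the presentation: it walks constructed monthly service reports for an outsourced service, classifies each metric against target and default benchmarks, and recommends the contractual consequence. The benchmark values, the penalty of 2% per breached metric and the rule that three consecutive breached periods or any default escalates to "consider termination" are assumptions.

```python
"""Contract performance monitoring against agreed benchmarks (added example)."""
from typing import Dict, List

# Assumed contractual benchmarks. "target" is the agreed service level;
# "default" is the floor below which a period counts as a default, not a shortfall.
BENCHMARKS: Dict[str, Dict] = {
    "availability_pct":        {"target": 99.5, "default": 98.0, "higher_is_better": True},
    "incident_report_hours":   {"target": 24,   "default": 72,   "higher_is_better": False},
    "ticket_resolution_hours": {"target": 8,    "default": 24,   "higher_is_better": False},
}

# Constructed monthly reports as the provider would deliver them.
REPORTS: List[Dict] = [
    {"period": "2017-01", "availability_pct": 99.7, "incident_report_hours": 12, "ticket_resolution_hours": 6},
    {"period": "2017-02", "availability_pct": 99.1, "incident_report_hours": 30, "ticket_resolution_hours": 7},
    {"period": "2017-03", "availability_pct": 97.2, "incident_report_hours": 80, "ticket_resolution_hours": 9},
    {"period": "2017-04", "availability_pct": 98.9, "incident_report_hours": 26, "ticket_resolution_hours": 10},
]


def evaluate_period(report: Dict) -> Dict[str, str]:
    """Classify each metric of one period as 'met', 'shortfall' or 'default'."""
    result = {}
    for metric, b in BENCHMARKS.items():
        value = report[metric]
        if b["higher_is_better"]:
            met, defaulted = value >= b["target"], value < b["default"]
        else:
            met, defaulted = value <= b["target"], value > b["default"]
        result[metric] = "met" if met else ("default" if defaulted else "shortfall")
    return result


def monitor(reports: List[Dict], penalty_pct_per_breach: float = 2.0,
            max_consecutive: int = 3) -> List[Dict]:
    """Return one decision per period.

    Penalties accrue per breached metric (assumed 2% of the monthly fee each).
    A default on any metric, or max_consecutive periods in a row with a breach,
    escalates to 'escalate: consider termination' (assumed rule).
    """
    decisions, consecutive = [], 0
    for r in reports:
        status = evaluate_period(r)
        breached = [m for m, s in status.items() if s != "met"]
        consecutive = consecutive + 1 if breached else 0
        if not breached:
            action = "none"
        elif "default" in status.values() or consecutive >= max_consecutive:
            action = "escalate: consider termination"
        else:
            action = "apply penalty"
        decisions.append({"period": r["period"], "status": status, "breached": breached,
                          "penalty_pct": penalty_pct_per_breach * len(breached),
                          "action": action})
    return decisions
```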
Some services that can be considered as outsourcing
• Application Maintenance, Allocation in third parties (Hosting, HaaS, SaaS,
etc.), Logical security
• Management of Products/Services/Clients, Payroll Processing,
Digitalization Services, Data Validation and Recording Services, Fund
Management and Transportation, Printing and Enveloping,
Personalization and Distribution of Documents, Storage and File
Management
• Outbound Sales Campaign, Outbound Surveys (Satisfaction Surveys
etc.), Help Desk (Employees support, offices, clients), Inbound Services
(Questions, Procedures, Complaints and Customer Support)
• Recruitment Process of Sales Forces Testamentary, Trials, Acknowledge
Credentials of an Attorney (Validation of powers)
• Surveillance and Alarm Connections, Maintenance and Repairs of
Security Facilities
• Solvency Agencies, Recovery Agencies
Thank You