Page 1

Third Party Risk Management

Tolga Aksoy, CIA, CFSA, CPA

GLC Berlin, 12 May 2017


Page 2

Purpose

Institutions choose to establish third party relationships for a variety of business reasons, to take advantage of the benefits they can provide. Key motivations for establishing a third party relationship can be:

a. looking for opportunities to outsource non-core activities, which can result in a cost reduction and an improved return on investment, and focusing internal resources on core business functions;

b. acquiring a short-term or highly specialized competency that an organization does not already possess (e.g. hiring an advertising firm) to achieve certain business objectives;

c. acquiring a utility or basic service that is common or readily available (e.g. electric power and telecommunications) and that cannot efficiently be provided by the organization;

Page 3

Purpose (2)

d. enabling business operations in a different geographical location;

e. acquiring new or replacement IT equipment or services (e.g. laptops, printers, servers, routers, software applications, storage capacity, network connectivity, IT managed services, etc.) that enable workforce productivity and other business computing needs.

Commitment to the highest level of ethics and compliance with all applicable laws, regulations and policies is crucial. The commercial benefits of outsourcing non-core business functions must be balanced against the commercial and information security risks. The risks associated with outsourcing must be managed through the imposition of suitable controls, comprising a combination of legal, physical, logical, procedural and managerial controls.

Page 4

Scope

Third party risk assessments and appropriate due diligence controls are completed by the relevant process and product owners for all third parties determined to fall in scope for risk-based due diligence in accordance with the initial screening requirement.

The term third party relationship includes business arrangements, by contract or otherwise, between or among affiliates, or between the company and an external party. These include but are not limited to the following (e.g. OECD definition):

a) agent: an individual or entity authorized to act for or on behalf of, or to otherwise represent, the company in furtherance of its business interests. Agents may be categorized into two types: sales agents (e.g. those needed to win a contract) and process agents (e.g. travel agent);

Page 5

Scope (2)

c) advisor and other intermediary: an individual or entity providing services and advice by representing and organizing towards another person, business and/or authority (legal, tax, financial advisor, consultant, lobbyist, etc.);

d) contractor and sub-contractor: a contractor is a non-controlled individual or entity that provides services or goods to the entity under a contract. A sub-contractor is an individual or entity hired by the contractor to perform a specific task as part of an overall project. Contractors and sub-contractors may be categorized as:

• supplier(s)/vendor(s): an individual or entity that supplies goods to the entity;

• service provider: an individual or entity that provides services to the entity (e.g. communications, logistics, storage, processing services, etc.).

Page 6

General Considerations for Outsourcing

Ensuring uniform and effective management of the outsourcing activities within the entity, and of the risks arising from these activities, is the essential element of this process. However, this delegation shall not imply leaving or transferring the responsibility, the control or the risk management of those activities.

Certain services cannot be transferred to third parties, in the case of:

• core business competencies such as corporate planning, organization, management and control;

• a delegation that may lead to a loss in core business activity;

• a delegation that may undermine the supervision capabilities of mandatory regulators;

• a delegation that may cause disturbances with respect to the relationships and obligations of the entity with customers.

Page 7

TPRM framework

1. Selection

2. Due diligence and risk assessment

3. Contracting

4. Monitoring and auditing

5. Termination

Page 8

The matrix below can be used to demonstrate the decision framework for selecting the right risk intensity level of third party (TP) selection. Its axes are business impact (low to high) and standardization of the service offering (low to high); each quadrant maps to one selection approach:

Tender with written RFP

1. Catering

2. Cleaning

3. Payroll

4. …

Tender with competitive dialogue

1. ICT outsourcing

2. Legal support

3. …

Tender bid

1. Office supplies

2. Small computer peripheral

3. …

Negotiation

1. Turnkey projects

2. …

Page 9

Risks associated with the phases of the TPRM process:

Risk: Explanation

Strategic: the risk that the third party's services do not align to an organization's strategic goals, objectives, or risk appetite.

Concentration: this risk is created by a lack of diversification within the third party base.

Country: the risk of doing business in a specific country; includes legal / regulatory, geopolitical and socio-economic considerations.

Contractual: the risk that agreed services in the third party contract are not delivered according to plan.

Reputation: the impact to an organization's reputation should an event occur at the third party.

Performance: the risk that a third party fails to meet your needs as a company from a service delivery perspective. Common metrics include SLAs, scalability and overall performance reviews.

Bribery and corruption: the risk that the offering or receiving of any services will be performed to influence the actions of a third party.

Regulatory compliance: the risk of creating misalignment with compliance regulations as defined by external regulators.

Business continuity: third party failure affecting the continuation of business as usual for the organization.

Financial: the risk of financial loss due to third party failure or non-performance.

…

Page 10

TPRM process follows a continuous life cycle for relationships:

Phase / Activity / Activity objective / Related risk

a) Selection

Activity: assess risk and develop a plan to manage the relationship.

Objective: understand the need for third party engagement and consider the risks and complexity associated with the potential engagement.

Related risk: all related risks.

b) Due diligence and risk assessment

Activity: perform due diligence on potential third parties; analyze responses and select the third party.

Objective: conduct a sourcing event to obtain third party proposals and information for evaluation; evaluate the third party's ability to meet expectations, understand the third party's controls to manage risks posed by the relationship, and select the appropriate third party.

Related risk: all related risks.

c) Contracting

Activity: complete the contract with the third party.

Objective: negotiate contract terms that clearly define expectations and responsibilities, help to ensure the contract's enforceability, limit the institution's liability, and mitigate performance disputes.

Related risk: contractual / performance / regulatory.

d) Monitoring and auditing

Activity: perform operational, service and risk management monitoring and auditing.

Objective: manage and audit the performance of operations and services, validate against contract specifications; identify and manage risks.

Related risk: all related risks.

e) Termination

Activity: execute termination and manage exposure, risk and continuity of operations.

Objective: develop a termination/contingency plan to enable the transition or termination of activities while managing exposure, risk and continuity of operations; execute termination of the third party.

Related risk: performance / business continuity / financial.

Page 11

Phase 1: Selection

Making use of an integrated risk category framework, selecting the right third parties starts with assessing the level of impact and standardization of the supplier relationship and solutions. Following this analysis, the decision is made how intense the selection process and the related risk categories need to be.

Criteria for selecting a third party shall be defined and documented, taking the following considerations into account:

• company's reputation and history;

• quality of services provided to other customers;

• number and competence of staff and managers and organizational set-up of the provider;

• financial stability of the company, audit reports and commercial record;

• quality assurance and security management standards currently followed by the company (e.g. certified compliance with ISO 9000 and ISO/IEC 27001);

Page 12

Phase 1: Selection (2)

• existence of litigation or legal procedures against the provider;

• technologies adopted and continuity approach of the provider;

• screening of employees (e.g. background security checks performed by the provider);

• quality of sub-contractors;

• size of the contract in relation to the size of the provider;

• country of incorporation of the provider;

• location of the servers/infrastructure;

• other factors that could affect the provider's stability (e.g. geopolitical).

Required actions are also taken to protect sensitive data. An assessment of the data protection measures implemented by the service provider is made before subscribing to the service; it includes, among others, the provider's compliance with European Directive 95/46/EC.

Page 13

Phase 1: Selection (3)

Initial screening shall be performed to determine "in scope" third parties; the engaging department must assess the following in accordance with the third party due diligence process:

a) is the third party in an industry or geographic location perceived as having higher corruption risks;

b) will the third party perform services on behalf of the entity or be authorized to represent the entity vis-à-vis other third parties;

c) is it reasonable to expect that the third party will come into contact with government officials when representing the entity;

d) will the third party be in a position to influence the decisions or the conduct of other third parties for the benefit or to the detriment of the entity;

e) will the third party have access to confidential information concerning the entity's business and/or customers;

f) has the third party been accused of or convicted of violating any laws (including corruption, bribery, sanctions, money laundering or terrorism finance) within the past five years.

Page 14

Phase 2: Due Diligence and Risk Assessment

The third party risk assessment form uses key risk indicators to determine the risk rating of a third party and to identify red flags. The level of risk ultimately determines the amount of due diligence that needs to be performed: high-risk third parties are subject to a more detailed due diligence process and require the approval of the compliance officer and the managing board.

The following categories of engagements shall also be considered in evaluating the third party:

• any third party that is identified as a politically exposed person (PEP) and/or owned and/or controlled by PEP(s);

• any third party who is or may be a relative or close associate of a present or former PEP;

• any third party accused of or convicted of violating any laws (including corruption, bribery, sanctions, money laundering or terrorism finance) within the past five years.

Page 15

Phase 2: Due Diligence and Risk Assessment (2)

The objective of the data collection process is to assemble and document relevant information about:

• the structure, ownership and operations of the third party (organization and affiliates);

• the reputation and commitment to integrity (compliance health check);

• the suitability of the type of relationship being considered (necessity and proper retention, expertise);

• reasonability of the compensation, fees and method of payment.

Data may be collected as part of the due diligence process through the following:

• internet, database and media searches: company websites, policies and procedures of the third party containing information about the third party's integrity;

• internal third party risk assessment form: to be completed by the business unit looking to engage the third party;

• external third party due diligence form: to be completed by the candidate third party;

• references.

Page 16

Phase 2: Due Diligence and Risk Assessment (3)

Once sufficient data has been collected to complete the risk assessment and appropriate due diligence of the proposed third party, the engagement may be approved by the different levels of authority in the bank according to the risk level. Ongoing or renewed engagements should be reviewed periodically and monitored in a risk-based manner; any adverse finding must be reported to a higher instance by the business units.

The risk assessment shall take account of the:

• nature of logical and physical access to the entity's information assets and facilities required by the outsourcer to fulfill the contract;

• sensitivity, volume and value of any information assets involved;

• commercial risks such as the possibility of the outsourcer's business failing completely, failing to meet agreed service levels, or providing services to the entity's competitors where this might create conflicts of interest;

Page 17

Phase 2: Due Diligence and Risk Assessment (4)

• aggregate exposure to the provider; insurance coverage;

• potential loss of knowledge in the institution and incident reporting approach of the provider;

• business continuity approach, organizational set-up and compliance approach of the provider;

• whether the service provider is contractually obliged towards you in respect of any sub-contractors they may engage;

• quality of services provided; monitoring of performance;

• availability, expertise and experience of sufficiently competent personnel;

• country of establishment;

• solvency, market conformity, liability and flexibility of the third party;

• duration of the agreement; contractual / legal aspects including audit clauses, applicable law and confidentiality clauses;

• dissolving possibilities and exit strategy (including conditions of reversibility).

Page 18

Phase 3: Contracting

A formal contract between the entity and the third party shall exist to protect both parties. The contract shall clearly define the types of information exchanged and the purpose for so doing. If the information being exchanged is sensitive, a binding confidentiality agreement shall be in place between the entity and the third party, whether as part of the outsource contract itself or as a separate non-disclosure agreement acceptable to the entity.

The contract shall clearly define each party's responsibilities towards the other by defining the parties to the contract, effective date, functions or services being provided (e.g. defined service levels), liabilities, limitations on the use of sub-contractors and other commercial/legal matters, and termination details normal to any contract.

Page 19

Phase 3: Contracting (2)

Depending on the results of the risk assessment, various additional controls should be embedded or referenced within the contract, such as:

• legal, regulatory and other third party obligations such as data protection/privacy laws, money laundering etc.;

• information security policies, procedures, standards and guidelines, and information security incident management procedures including mandatory incident reporting;

• access controls to restrict unauthorized disclosure, modification or destruction of information, including physical and logical access controls, and procedures for granting, reviewing, updating and revoking access to systems, data and facilities etc.;

• copyright, patents and similar protection for any intellectual property shared with the third party or developed in the course of the contract;

• anti-malware, anti-spam and similar controls;

Page 20

Phase 3: Contracting (3)

• specification, design, development, testing, implementation, configuration, management, maintenance, support and use of security controls within or associated with IT systems;

• return or destruction of all information assets by the outsourcer after the completion of the outsourced activity or whenever the asset is no longer required to support the outsourced activity;

• the right of the entity to monitor all access to and use of the entity's facilities, networks, systems etc., and to audit the outsourcer's compliance with the contract, or to employ a mutually agreed independent third party auditor for this purpose, and confirmation of the background checks for the employees of the third party;

• business continuity arrangements including crisis and incident management, resilience, backups and IT disaster recovery, and third party management governance on strategic, technical and operational level;

• exit strategy.

Page 21

Phase 4: Monitoring and Auditing

Monitoring and auditing of services and operational activities on a frequent basis are divided into the following main categories:

a) security audits: if the entity has outsourced a business function to a third party based at a different location, it shall have the right to appoint an external audit company to audit the third party.

b) physical access controls:

• strongly-constructed facilities;

• suitable locks with key management procedures;

• access logging through the use of automated key cards, visitor registers etc.

Page 22

Phase 4: Monitoring and Auditing (2)

c) access controls: in order to prevent unauthorized access to the entity's information assets by the third party or sub-contractors, suitable security controls are required as outlined in this section. The details depend on the nature of the information assets and the associated risks, implying the need to assess the risks and design a suitable controls architecture, also subject to the entity's remote access and mobile device policy. Procedural components of access controls shall be documented within procedures, guidelines and related documents and incorporated into awareness, training and educational activities.

d) ongoing monitoring of the activities and performance of the third party as per the predefined criteria in accordance with the contract and SLAs.

Page 23

Phase 5: Termination

In order to mitigate the risk of unexpected termination of the third party agreement or liquidation of the service provider, the entity retains an appropriate level of control over the third party activities and intervenes with appropriate measures to continue its business operations without any break in the operations of the bank and its services to the customers.

In third party contracts, a termination clause and a minimum period to execute a termination provision, if deemed necessary, should be included. The contract should also specify the performance benchmarks, including default benchmarks. If those benchmarks are not met, this would result in penalties being applied or, in the extreme, termination of the agreement shall be considered. Upon termination of the contract, the confidentiality arrangements shall be revised to determine whether confidentiality has to be extended beyond the tenure of the contract. In cases of failure to meet service level agreements, changes in circumstances, and ethical breaches, the contract shall enable early termination/exit clauses.

Page 24

Some services that can be considered as outsourcing

• Application Maintenance, Allocation in third parties (Hosting, HaaS, SaaS, etc.), Logical security

• Management of Products/Services/Clients, Payroll Processing, Digitalization Services, Data Validation and Recording Services, Fund Management and Transportation, Printing and Enveloping, Personalization and Distribution of Documents, Storage and File Management

• Outbound Sales Campaign, Outbound Surveys (Satisfaction Surveys etc.), Help Desk (Employees support, offices, clients), Inbound Services (Questions, Procedures, Complaints and Customer Support)

• Recruitment Process of Sales Forces, Testamentary, Trials, Acknowledge Credentials of an Attorney (Validation of powers)

• Surveillance and Alarm Connections, Maintenance and Repairs of Security Facilities

• Solvency Agencies, Recovery Agencies

Page 25

Thank You