tprm - pov presentation final v2
TRANSCRIPT
Agenda
Executive Summary
Approach
Risk Management Lifecycle
Roles and Responsibilities
Methodology
Demonstration
Solution
2 THIRD PARTY RISK MANAGEMENT
Executive Summary
Ernst Bank lacks a third party risk management program
Classify vendors using methodology
Introduce risk scale
Custom risk assessment tool
Implement program
Solution
Risk Management Program Purpose
Federal regulation requirement
Ensure third parties’ accountability
Failure to Assess Third Party Risk
Contracted net asset values
System glitch prevented BNY Mellon’s investors from getting their valuations
Outsourced mortgage from PHH Corporation

Approach
Methodology
Introduce risk rating scale
Apply methodology & questionnaire
Establish assessment workflow & roles and responsibilities
Prioritization of Vendors
Vendor criticality
Proposed methodology

Critical Vendors
Determine criticality of vendor
Reviewed by board if vendor is critical
Establish governance
Relationship approval
Categorization of Vendors by Inherent Risk
Inherent risk rating scale:
5 – High
4 – Moderate High
3 – Moderate
2 – Moderate Low
1 – Low
Review activities:
Semiannual onsite review and completion of questionnaire
Semiannual review of inherent risk
Annual review of inherent risk
Annual completion of questionnaire
Annual onsite review and completion of questionnaire

Formally Documented Program
Avoid fines for regulatory non-compliance
Risk methodology
Risk Management Lifecycle
Planning
Due-Diligence and Third Party Selection
Contract Negotiation
Ongoing Monitoring
Termination
Oversight and accountability
Planning
Determine business needs
Make business decision
Due Diligence and Third Party Selection
Review potential third party
Understand third party’s strategy and possible risk
Choose third party using risk assessment tool
Contract Negotiation
Create contract that defines the third party’s responsibilities
Establish KPIs and third party monitoring practices
Mitigate disputes about vendors’ performance
Implement an exit strategy
Limit Ernst Bank’s liability
Ongoing Monitoring
Monitor vendor after contract has been finalized
Analyze performance
Consistently evaluate criticality of third party’s functions
Provide visibility to senior management
Perform reviews
Termination
Contract should address terminating relationship
Incorporate back-up plan in case of termination
Transition functions to another vendor, bring in-house, or discontinue

Governance
OCC requirement for financial institutions
Third Party Governance Committee within Ernst Bank
Critical Vendors and Critical Relationships
The Risk Management Committee
Roles and Responsibilities Workflow Diagram
Roles | Responsibilities
Risk Analyst | Identifies and evaluates risk of relationship with vendor using questionnaire
Relationship Manager | Manages relationship and is responsible for risk
Business Line Sr. Management | Manages relationship and is accountable for risk
Risk Management Committee | Reviews, approves and owns risk management program and oversees critical relationships
Internal Audit | Evaluates program effectiveness

Risk Assessment Process
Relationship manager evaluates inherent risk
Vendor completes questionnaire
Risk analyst interprets response and identifies findings
Relationship manager monitors and treats findings

Inherent vs. Control
Inherent Risk
Control Environment

Residual Risk
Residual Risk = Inherent Risk - Control Environment

Risk Assessment Tool

Risk Assessment Tool - Domains
Control Risk Category | Description | Example
Access Control | Controlling who has access to specific company information | Is a formal logical access policy in place to manage access requests, changes, and terminations?
Application and Development Security | Using software, hardware, and procedural methods to protect applications from external threats | Is the vendor working with a third party to develop the application?
Asset Management | Managing hardware, software, and client data | Is an asset management program in place?
Business Continuity and Disaster Recovery | Continuing to operate in the event of a disaster | In the event of a failure at the main facility, how long will it take the vendor to recover?
Human Resources Security | Protecting data by evaluating employees | Does the vendor require background checks including education, criminal, and credit and drug scores on its employees?
Incident Event and Communications Management | Implementing procedures that are used during and after emergencies | Does the organization have a formally documented incident management policy?
Network Security | Protecting data through technical control | Is antivirus software required on all workstations and servers?
Organizational Security | Requiring internal policies in order to protect the organization | Are formal contracts in place with all third parties?
Physical and Environmental | Protecting company information onsite | Are employee visitors documented and monitored while onsite?
Privacy | Protecting personal information | Do employees have access to personal information?
Risk Assessment | Analyzing overall risk | Does the organization regularly perform a risk assessment?
Security Policy | Protecting physical and informational data | Is client data encrypted at rest and in transit?

Third Party Risk and Control Assessment Questionnaire
Inherent risk review
Control review
Calculate residual risk using tool
Two main functions
Calculate overall inherent risk
Calculate the controls in place to mitigate risk
Inherent risk scale: 1-5
Control risk scale: 3-0
Residual Risk = Inherent Risk - Control Environment
Result will classify each vendor from 1-5, Low to High
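As an added worked example (not part of the deck or of Ernst Bank's own tool), the following Python models the two functions the slide describes: an inherent risk score on the 1-5 scale, a control environment score on the 3-0 scale, and Residual Risk = Inherent Risk - Control Environment mapped back onto the 1-5 Low-to-High ratings. Everything beyond those statements is an assumption made here: that 3 is the strongest control environment, that the control score is derived from the share of the twelve listed domains whose control is in place, and that a residual result below 1 is floored to 1 so every vendor lands on the 1-5 scale. The vendor name and answers are constructed sample data.

```python
"""Worked residual-risk calculation for a third party risk assessment tool.

Assumptions (not stated on the slides): control score 3 = strongest control
environment, 0 = weakest; the score is the share of questionnaire domains
with the control in place, scaled to 0..3; residual results below 1 are
floored to 1 so the result always falls on the 1-5 rating scale.
"""
from __future__ import annotations

from dataclasses import dataclass

# The twelve control risk categories from the "Risk Assessment Tool - Domains" slides.
DOMAINS = (
    "Access Control",
    "Application and Development Security",
    "Asset Management",
    "Business Continuity and Disaster Recovery",
    "Human Resources Security",
    "Incident Event and Communications Management",
    "Network Security",
    "Organizational Security",
    "Physical and Environmental",
    "Privacy",
    "Risk Assessment",
    "Security Policy",
)

# Rating labels from the "Categorization of Vendors by Inherent Risk" slide.
RATING_LABELS = {5: "High", 4: "Moderate High", 3: "Moderate", 2: "Moderate Low", 1: "Low"}


def control_environment_score(answers: dict[str, bool]) -> int:
    """Map questionnaire answers (domain -> control in place?) onto the 3-0 control scale.

    Assumed aggregation: every listed domain must be answered; the share of
    domains with the control in place is scaled to 0..3 and rounded down, so
    a vendor only earns the top score when every domain is covered.
    """
    missing = [d for d in DOMAINS if d not in answers]
    if missing:
        raise ValueError(f"questionnaire incomplete, missing domains: {missing}")
    in_place = sum(1 for d in DOMAINS if answers[d])
    return (in_place * 3) // len(DOMAINS)


def residual_risk(inherent: int, control: int) -> int:
    """Residual Risk = Inherent Risk - Control Environment, kept on the 1-5 scale."""
    if inherent not in RATING_LABELS:
        raise ValueError("inherent risk must be an integer 1-5")
    if control not in range(0, 4):
        raise ValueError("control environment score must be an integer 0-3")
    # Assumption: strong controls cannot push a vendor below the lowest rating.
    return max(1, inherent - control)


@dataclass(frozen=True)
class VendorAssessment:
    vendor: str
    inherent: int
    control: int
    residual: int
    rating: str


def assess_vendor(vendor: str, inherent: int, answers: dict[str, bool]) -> VendorAssessment:
    """Run both tool functions for one vendor and label the residual result."""
    control = control_environment_score(answers)
    residual = residual_risk(inherent, control)
    return VendorAssessment(vendor, inherent, control, residual, RATING_LABELS[residual])


if __name__ == "__main__":
    # Constructed sample: a high inherent risk vendor (5) with controls in place
    # for every domain except business continuity and incident management.
    sample = {d: True for d in DOMAINS}
    sample["Business Continuity and Disaster Recovery"] = False
    sample["Incident Event and Communications Management"] = False
    print(assess_vendor("Example Custodian Corp (constructed)", 5, sample))
    # -> control 2, residual 3, rating "Moderate"
```

The floor at 1 is the edge case worth noticing: a Moderate Low vendor (2) with a full control environment (3) would otherwise score -1, which is off the scale the deck defines, and the incomplete-questionnaire check prevents a vendor from earning a control score by leaving domains unanswered.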
Demo

The Solution
Phase I, Phase II, Phase III

Phase I: Planning
Create a third party risk assessment methodology
Allows Ernst Bank to assess vendors to determine risk
Identify issues that may arise between bank and
vendor
Phase II: Testing
One-Some-Many Approach
One: Vendor Risk Programs are tested on a single business line to see how it functions with business operations
Some: Vendor Risk Programs are tested on multiple business lines to see how the system works across different functions
Many: Vendor Risk Programs are used on the majority of business lines after ensuring the usability
Update program based on feedback
Phase III: Implementation
Implemented across all entities within the organization
Process execution

Questions?