TPRM - POV Presentation Final v2

Post on 14-Feb-2017

TRANSCRIPT

THIRD PARTY RISK MANAGEMENT

Slide 2: Agenda
- Executive Summary
- Approach
- Risk Management Lifecycle
- Roles and Responsibilities
- Methodology
- Demonstration
- Solution

Slide 3: Executive Summary
- Ernst Bank lacks a third party risk management program
- Classify vendors using methodology
- Introduce risk scale
- Custom risk assessment tool
- Implement program
- Solution

Slide 4: Risk Management Program Purpose
- Federal regulation requirement
- Ensure third parties' accountability

Slide 5: Failure to Assess Third Party Risk
- Contracted net asset values
- System glitch prevented BNY Mellon's investors from getting their valuations
- Outsourced mortgage from PHH Corporation

Slide 6: Approach

Slide 7: Methodology
- Introduce risk rating scale
- Apply methodology & questionnaire
- Establish assessment workflow & roles and responsibilities

Slide 8: Prioritization of Vendors
- Vendor criticality
- Proposed methodology

Slide 9: Critical Vendors
- Determine criticality of vendor
- Reviewed by board if vendor is critical
- Establish governance
- Relationship approval

Slide 10: Categorization of Vendors by Inherent Risk
Rating scale:
5 - High
4 - Moderate High
3 - Moderate
2 - Moderate Low
1 - Low
Review activities shown on the slide:
- Semiannual onsite review and completion of questionnaire
- Semiannual review of inherent risk
- Annual review of inherent risk
- Annual completion of questionnaire
- Annual onsite review and completion of questionnaire

Slide 11: Formally Documented Program
- Avoid fines for regulatory non-compliance
- Risk methodology

Slide 12: Risk Management Lifecycle
- Planning
- Due Diligence and Third Party Selection
- Contract Negotiation
- Ongoing Monitoring
- Termination
Oversight and accountability

Slide 13: Planning
- Determine business needs
- Make business decision

Slide 14: Due Diligence and Third Party Selection
- Review potential third party
- Understand third party's strategy and possible risk
- Choose third party using risk assessment tool

Slide 15: Contract Negotiation
- Create contract that defines the third party's responsibilities
- Establish KPIs and third party monitoring practices
- Mitigate disputes about the vendor's performance
- Implement an exit strategy
- Limit Ernst Bank's liability

Slide 16: Ongoing Monitoring
- Monitor vendor after contract has been finalized
- Analyze performance
- Consistently evaluate criticality of third party's functions
- Provide visibility to senior management
- Perform reviews

Slide 17: Termination
- Contract should address terminating the relationship
- Incorporate back-up plan in case of termination
- Transition functions to another vendor, bring in-house, or discontinue

Slide 18: Governance
- OCC requirement for financial institutions
- Third Party Governance Committee within Ernst Bank
- Critical Vendors and Critical Relationships
- The Risk Management Committee

Slide 19: Roles and Responsibilities
Risk Analyst: Identifies and evaluates risk of relationship with vendor using questionnaire
Relationship Manager: Manages relationship and is responsible for risk
Business Line Sr. Management: Manages relationship and is accountable for risk
Risk Management Committee: Reviews, approves and owns risk management program and oversees critical relationships
Internal Audit: Evaluates program effectiveness
(Roles and Responsibilities Workflow Diagram)

Slide 20: Risk Assessment Process
- Relationship manager evaluates inherent risk
- Vendor completes questionnaire
- Risk analyst interprets response and identifies findings
- Relationship manager monitors and treats findings

Slide 21: Inherent vs. Control
Inherent Risk vs. Control Environment

Slide 22: Residual Risk
Residual Risk = Inherent Risk - Control Environment

Slide 23: Risk Assessment Tool

Slide 24: Risk Assessment Tool - Domains
(Control Risk Category / Description / Example question)

Access Control
  Description: Controlling who has access to specific company information
  Example: Is a formal logical access policy in place to manage access requests, changes, and terminations?

Application and Development Security
  Description: Using software, hardware, and procedural methods to protect applications from external threats
  Example: Is the vendor working with a third party to develop the application?

Asset Management
  Description: Managing hardware, software, and client data
  Example: Is an asset management program in place?

Business Continuity and Disaster Recovery
  Description: Continuing to operate in the event of a disaster
  Example: In the event of a failure at the main facility, how long will it take the vendor to recover?

Slide 25: Risk Assessment Tool - Domains (continued)

Human Resources Security
  Description: Protecting data by evaluating employees
  Example: Does the vendor require background checks including education, criminal, and credit and drug scores on its employees?

Incident Event and Communications Management
  Description: Implementing procedures that are used during and after emergencies
  Example: Does the organization have a formally documented incident management policy?

Network Security
  Description: Protecting data through technical control
  Example: Is antivirus software required on all workstations and servers?

Organizational Security
  Description: Requiring internal policies in order to protect the organization
  Example: Are formal contracts in place with all third parties?

Slide 26: Risk Assessment Tool - Domains (continued)

Physical and Environmental
  Description: Protecting company information onsite
  Example: Are employee visitors documented and monitored while onsite?

Privacy
  Description: Protecting personal information
  Example: Do employees have access to personal information?

Risk Assessment
  Description: Analyzing overall risk
  Example: Does the organization regularly perform a risk assessment?

Security Policy
  Description: Protecting physical and informational data
  Example: Is client data encrypted at rest and in transit?

Slide 27: Third Party Risk and Control Assessment Questionnaire
- Inherent risk review
- Control review
- Calculate residual risk using tool
- Two main functions:
  - Calculate overall inherent risk
  - Calculate the controls in place to mitigate risk
- Inherent risk scale: 1-5
- Control risk scale: 3-0
- Residual Risk = Inherent Risk - Control Environment
- Result will classify each vendor from 1-5, Low to High

Slide 28: Demo

Slide 29: Demo

Slide 30: The Solution
Phase I, Phase II, Phase III

Slide 31: Phase I: Planning
- Create a third party risk assessment methodology
- Allows Ernst Bank to assess vendors to determine risk
- Identify issues that may arise between bank and vendor

Slide 32: Phase II: Testing
- One-Some-Many Approach
  - One: Vendor Risk Programs are tested on a single business line to see how it functions with business operations
  - Some: Vendor Risk Programs are tested on multiple business lines to see how the system works across different functions
  - Many: Vendor Risk Programs are used on the majority of business lines after ensuring the usability
- Update program based on feedback

Slide 33: Phase III: Implementation
- Implemented across all entities within the organization
- Process execution

Slide 34: Questions?
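The scoring rule from the Risk Assessment Tool slide (Residual Risk = Inherent Risk - Control Environment, with inherent risk on a 1-5 scale, control environment on a 3-0 scale, and the result classifying each vendor 1-5, Low to High) as an added Python example; it is not part of the deck, the vendor names and scores are constructed, and applying the rating labels of the inherent-risk scale to the residual result is an assumption. The point a practitioner needs to handle is that the raw difference can fall below 1, so the result must be floored onto the 1-5 scale.

```python
# Added example, not from the deck: the residual-risk scoring rule it defines.
INHERENT_SCALE = range(1, 6)   # inherent risk: 1 (Low) .. 5 (High)
CONTROL_SCALE = range(0, 4)    # control environment: 3 (strong) .. 0 (none)

# Rating labels from the deck's 1-5 scale (assumed to apply to the residual
# result too, since the deck says the result classifies vendors 1-5, Low to High).
RATING_LABELS = {5: "High", 4: "Moderate High", 3: "Moderate",
                 2: "Moderate Low", 1: "Low"}


def residual_risk(inherent: int, control: int) -> int:
    """Residual Risk = Inherent Risk - Control Environment, on the 1-5 scale.

    The raw difference runs from -2 (inherent 1, control 3) to 5 (inherent 5,
    control 0); values below 1 are floored to 1 so every vendor lands on 1-5.
    """
    if inherent not in INHERENT_SCALE:
        raise ValueError(f"inherent risk {inherent} is outside the 1-5 scale")
    if control not in CONTROL_SCALE:
        raise ValueError(f"control environment {control} is outside the 3-0 scale")
    return max(1, inherent - control)


def classify_vendor(name: str, inherent: int, control: int) -> dict:
    """Score one vendor and attach its rating label."""
    score = residual_risk(inherent, control)
    return {"vendor": name, "inherent": inherent, "control": control,
            "residual": score, "rating": RATING_LABELS[score]}


def rank_portfolio(vendors) -> list:
    """Classify every (name, inherent, control) tuple, highest residual risk first."""
    return sorted((classify_vendor(*v) for v in vendors),
                  key=lambda r: (-r["residual"], r["vendor"]))


# Constructed sample portfolio: (vendor, inherent 1-5, control 3-0).
SAMPLE_VENDORS = [
    ("Core banking SaaS", 5, 3),  # critical function, strong controls   -> 2
    ("Mortgage servicer", 5, 0),  # critical function, no controls shown -> 5
    ("Office catering", 1, 3),    # low inherent, strong controls: -2 floors to 1
    ("Marketing agency", 3, 1),   # -> 2
]

if __name__ == "__main__":
    for row in rank_portfolio(SAMPLE_VENDORS):
        print(f'{row["vendor"]:18} residual {row["residual"]} ({row["rating"]})')
```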