tprm - pov presentation final v2

Upload: jason-mussman

Post on 14-Feb-2017


TRANSCRIPT

Page 1: TPRM - POV Presentation Final v2
Page 2: TPRM - POV Presentation Final v2

Agenda

Executive Summary

Approach

Risk Management Lifecycle

Roles and Responsibilities

Methodology

Demonstration

Solution

2 THIRD PARTY RISK MANAGEMENT

Page 3: TPRM - POV Presentation Final v2

Executive Summary

Ernst Bank lacks a third party risk management program

Classify vendors using methodology

Introduce risk scale

Custom risk assessment tool

Implement program

Solution


Page 4: TPRM - POV Presentation Final v2

Risk Management Program Purpose

Federal regulation requirement

Ensure third parties’ accountability


Page 5: TPRM - POV Presentation Final v2

Failure to Assess Third Party Risk

Contracted net asset values

System glitch prevented BNY Mellon’s investors from getting their valuations

Outsourced mortgage from PHH Corporation

Page 6: TPRM - POV Presentation Final v2

Approach


Page 7: TPRM - POV Presentation Final v2

Methodology

Introduce risk rating scale

Apply methodology & questionnaire

Establish assessment workflow & roles and responsibilities


Page 8: TPRM - POV Presentation Final v2

Prioritization of Vendors

Vendor criticality

Proposed methodology

Page 9: TPRM - POV Presentation Final v2

Critical Vendors

Determine criticality of vendor

Reviewed by the board if the vendor is critical

Establish governance

Relationship approval


Page 10: TPRM - POV Presentation Final v2

Categorization of Vendors by Inherent Risk

Inherent risk rating scale:

5 – High

4 – Moderate High

3 – Moderate

2 – Moderate Low

1 – Low

Review cadence by rating (from most to least frequent):

Semiannual onsite review and completion of questionnaire

Semiannual review of inherent risk

Annual onsite review and completion of questionnaire

Annual completion of questionnaire

Annual review of inherent risk

Page 11: TPRM - POV Presentation Final v2

Formally Documented Program

Avoid fines for regulatory non-compliance

Risk methodology


Page 12: TPRM - POV Presentation Final v2

Risk Management Lifecycle

Planning

Due-Diligence and Third Party Selection

Contract Negotiation

Ongoing Monitoring

Termination

Oversight and accountability


Page 13: TPRM - POV Presentation Final v2

Planning

Determine business needs

Make business decision


Page 14: TPRM - POV Presentation Final v2

Due Diligence and Third Party Selection

Review potential third party

Understand third party’s strategy and possible risk

Choose third party using risk assessment tool


Page 15: TPRM - POV Presentation Final v2

Contract Negotiation

Create contract that defines the third party’s responsibilities

Establish KPIs and third party monitoring practices

Mitigate disputes about vendors’ performance

Implement an exit strategy

Limit Ernst Bank’s liability


Page 16: TPRM - POV Presentation Final v2

Ongoing Monitoring

Monitor vendor after contract has been finalized

Analyze performance

Consistently evaluate criticality of third party’s functions

Provide visibility to senior management

Perform reviews


Page 17: TPRM - POV Presentation Final v2

Termination

Contract should address terminating the relationship

Incorporate back-up plan in case of termination

Transition functions to another vendor, bring them in-house, or discontinue them

Page 18: TPRM - POV Presentation Final v2

Governance

OCC requirement for financial institutions

Third Party Governance Committee within Ernst Bank

Critical Vendors and Critical Relationships

The Risk Management Committee


Page 19: TPRM - POV Presentation Final v2

Roles and Responsibilities

Risk Analyst: Identifies and evaluates the risk of the relationship with the vendor using the questionnaire

Relationship Manager: Manages the relationship and is responsible for risk

Business Line Sr. Management: Manages the relationship and is accountable for risk

Risk Management Committee: Reviews, approves and owns the risk management program and oversees critical relationships

Internal Audit: Evaluates program effectiveness

Roles and Responsibilities Workflow Diagram

Page 20: TPRM - POV Presentation Final v2

Risk Assessment Process

1. Relationship manager evaluates inherent risk

2. Vendor completes questionnaire

3. Risk analyst interprets responses and identifies findings

4. Relationship manager monitors and treats findings

Page 21: TPRM - POV Presentation Final v2

Inherent Risk vs. Control Environment

Page 22: TPRM - POV Presentation Final v2

Residual Risk

Residual Risk = Inherent Risk - Control Environment

Page 23: TPRM - POV Presentation Final v2

Risk Assessment Tool


Page 24: TPRM - POV Presentation Final v2

Risk Assessment Tool - Domains

Control Risk Category / Description / Example question:

Access Control: Controlling who has access to specific company information. Example: Is a formal logical access policy in place to manage access requests, changes, and terminations?

Application and Development Security: Using software, hardware, and procedural methods to protect applications from external threats. Example: Is the vendor working with a third party to develop the application?

Asset Management: Managing hardware, software, and client data. Example: Is an asset management program in place?

Business Continuity and Disaster Recovery: Continuing to operate in the event of a disaster. Example: In the event of a failure at the main facility, how long will it take the vendor to recover?

Page 25: TPRM - POV Presentation Final v2

Risk Assessment Tool - Domains (continued)

Control Risk Category / Description / Example question:

Human Resources Security: Protecting data by evaluating employees. Example: Does the vendor require background checks, including education, criminal, credit, and drug screening, on its employees?

Incident Event and Communications Management: Implementing procedures that are used during and after emergencies. Example: Does the organization have a formally documented incident management policy?

Network Security: Protecting data through technical controls. Example: Is antivirus software required on all workstations and servers?

Organizational Security: Requiring internal policies in order to protect the organization. Example: Are formal contracts in place with all third parties?

Page 26: TPRM - POV Presentation Final v2

Risk Assessment Tool - Domains (continued)

Control Risk Category / Description / Example question:

Physical and Environmental: Protecting company information onsite. Example: Are employee visitors documented and monitored while onsite?

Privacy: Protecting personal information. Example: Do employees have access to personal information?

Risk Assessment: Analyzing overall risk. Example: Does the organization regularly perform a risk assessment?

Security Policy: Protecting physical and informational data. Example: Is client data encrypted at rest and in transit?

Page 27: TPRM - POV Presentation Final v2

Third Party Risk and Control Assessment Questionnaire

Inherent risk review

Control review

Calculate residual risk using tool

Two main functions of the tool:

Calculate overall inherent risk

Calculate the controls in place to mitigate risk

Inherent risk scale: 1-5

Control risk scale: 3-0

Residual Risk = Inherent Risk - Control Environment

The result classifies each vendor from 1 to 5, Low to High


Page 28: TPRM - POV Presentation Final v2

Demo


Page 30: TPRM - POV Presentation Final v2

The Solution

Phase I / Phase II / Phase III

Page 31: TPRM - POV Presentation Final v2

Phase I: Planning

Create a third party risk assessment methodology

Allows Ernst Bank to assess vendors to determine risk

Identify issues that may arise between the bank and the vendor

Page 32: TPRM - POV Presentation Final v2

Phase II: Testing

One-Some-Many Approach

One: Vendor Risk Programs are tested on a single business line to see how they function with business operations

Some: Vendor Risk Programs are tested on multiple business lines to see how the system works across different functions

Many: Vendor Risk Programs are used on the majority of business lines after ensuring their usability

Update the program based on feedback

Page 33: TPRM - POV Presentation Final v2

Phase III: Implementation

Implemented across all entities within the organization

Process execution


Page 34: TPRM - POV Presentation Final v2

Questions?