TPRM - POV Presentation Final v2

Posted on 14-Feb-2017


TRANSCRIPT

  • Agenda

    Executive Summary

    Approach

    Risk Management Lifecycle

    Roles and Responsibilities

    Methodology

    Demonstration

    Solution

    2 THIRD PARTY RISK MANAGEMENT

  • Executive Summary

    Ernst Bank lacks a third party risk management program

    Classify vendors using methodology

    Introduce risk scale

    Custom risk assessment tool

    Implement program

    Solution

  • Risk Management Program Purpose

    Federal regulation requirement

    Ensure third parties' accountability

  • Failure to Assess Third Party Risk

    Contracted net asset values

    System glitch prevented BNY Mellon's investors from getting their valuations

    Outsourced mortgage from PHH Corporation

  • Approach


  • Methodology

    Introduce risk rating scale

    Apply methodology & questionnaire

    Establish assessment workflow & roles and responsibilities


  • Prioritization of Vendors

    Vendor criticality

    Proposed methodology

  • Critical Vendors

    Determine criticality of vendor

    Reviewed by board if vendor is critical

    Establish governance

    Relationship approval


  • Categorization of Vendors by Inherent Risk

    Inherent risk scale:

    5 High

    4 Moderate High

    3 Moderate

    2 Moderate Low

    1 Low

    Review cadences by category:

    Semiannual onsite review and completion of questionnaire

    Semiannual review of inherent risk

    Annual review of inherent risk

    Annual completion of questionnaire

    Annual onsite review and completion of questionnaire

  • Formally Documented Program

    Avoid fines for regulatory non-compliance

    Risk methodology


  • Risk Management Lifecycle

    Planning

    Due-Diligence and Third Party Selection

    Contract Negotiation

    Ongoing Monitoring

    Termination

    Oversight and accountability


  • Planning

    Determine business needs

    Make business decision


  • Due Diligence and Third Party Selection

    Review potential third party

    Understand third party's strategy and possible risk

    Choose third party using risk assessment tool

  • Contract Negotiation

    Create contract that defines the third party's responsibilities

    Establish KPIs and third party monitoring practices

    Mitigate disputes about vendor's performance

    Implement an exit strategy

    Limit Ernst Bank's liability

  • Ongoing Monitoring

    Monitor vendor after contract has been finalized

    Analyze performance

    Consistently evaluate criticality of third party's functions

    Provide visibility to senior management

    Perform reviews

  • Termination

    Contract should address terminating relationship

    Incorporate back-up plan in case of termination

    Transition functions to another vendor, bring in-house, or discontinue

  • Governance

    OCC requirement for financial institutions

    Third Party Governance Committee within Ernst Bank

    Critical Vendors and Critical Relationships

    The Risk Management Committee


  • Roles and Responsibilities

    Risk Analyst: Identifies and evaluates risk of relationship with vendor using questionnaire

    Relationship Manager: Manages relationship and is responsible for risk

    Business Line Sr. Management: Manages relationship and is accountable for risk

    Risk Management Committee: Reviews, approves and owns risk management program and oversees critical relationships

    Internal Audit: Evaluates program effectiveness

    Roles and Responsibilities Workflow Diagram

  • Risk Assessment Process

    Relationship manager evaluates inherent risk

    Vendor completes questionnaire

    Risk analyst interprets response and identifies findings

    Relationship manager monitors and treats findings

  • Inherent vs. Control

    Inherent Risk

    Control Environment

  • Residual Risk

    Residual Risk = Inherent Risk - Control Environment

  • Risk Assessment Tool


  • Risk Assessment Tool - Domains

    Control Risk Category | Description | Example

    Access Control | Controlling who has access to specific company information | Is a formal logical access policy in place to manage access requests, changes, and terminations?

    Application and Development Security | Using software, hardware, and procedural methods to protect applications from external threats | Is the vendor working with a third party to develop the application?

    Asset Management | Managing hardware, software, and client data | Is an asset management program in place?

    Business Continuity and Disaster Recovery | Continuing to operate in the event of a disaster | In the event of a failure at the main facility, how long will it take the vendor to recover?

  • Risk Assessment Tool - Domains

    Control Risk Category | Description | Example

    Human Resources Security | Protecting data by evaluating employees | Does the vendor require background checks including education, criminal, and credit and drug scores on its employees?

    Incident Event and Communications Management | Implementing procedures that are used during and after emergencies | Does the organization have a formally documented incident management policy?

    Network Security | Protecting data through technical control | Is antivirus software required on all workstations and servers?

    Organizational Security | Requiring internal policies in order to protect the organization | Are formal contracts in place with all third parties?

  • Risk Assessment Tool - Domains

    Control Risk Category | Description | Example

    Physical and Environmental | Protecting company information onsite | Are employee visitors documented and monitored while onsite?

    Privacy | Protecting personal information | Do employees have access to personal information?

    Risk Assessment | Analyzing overall risk | Does the organization regularly perform a risk assessment?

    Security Policy | Protecting physical and informational data | Is client data encrypted at rest and in transit?

  • Third Party Risk and Control Assessment Questionnaire

    Inherent risk review

    Control review

    Calculate residual risk using tool

    Two main functions

    Calculate overall inherent risk

    Calculate the controls in place to mitigate risk

    Inherent risk scale: 1-5

    Control risk scale: 3-0

    Residual Risk = Inherent Risk - Control Environment

    Result will classify each vendor from 1-5, Low to High

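The questionnaire's two functions (score the control environment, then subtract it from inherent risk) worked through as an added Python example. This is not the deck's own assessment tool; it only uses the scales and domain names the slides state (inherent risk 1-5, control risk 3-0, result 1-5 Low to High). The per-domain 0-3 scoring of questionnaire answers, rounding the mean down, and clamping the result to a floor of 1 (the slides' scales allow 1 - 3 = -2 but say every vendor classifies as 1-5) are assumptions of this example; the vendor answers are constructed sample input.

```python
# Added worked example of "Residual Risk = Inherent Risk - Control Environment"
# on the deck's scales. Not the deck's tool; scoring rules below are assumptions.
import math

# Control domains named on the "Risk Assessment Tool - Domains" slides.
DOMAINS = (
    "Access Control",
    "Application and Development Security",
    "Asset Management",
    "Business Continuity and Disaster Recovery",
    "Human Resources Security",
    "Incident Event and Communications Management",
    "Network Security",
    "Organizational Security",
    "Physical and Environmental",
    "Privacy",
    "Risk Assessment",
    "Security Policy",
)

# Labels for the 1-5 scale from the "Categorization of Vendors by Inherent Risk" slide.
RISK_LABELS = {1: "Low", 2: "Moderate Low", 3: "Moderate", 4: "Moderate High", 5: "High"}


def control_environment_score(domain_scores):
    """Aggregate per-domain control scores into one 0-3 control environment score.

    Assumption: the risk analyst scores each answered domain 0 (no control) to
    3 (strong, evidenced control). The environment score is the mean rounded
    DOWN, so partial coverage is never rounded up into credit the vendor has
    not demonstrated.
    """
    if not domain_scores:
        raise ValueError("no control domains scored")
    for domain, score in domain_scores.items():
        if domain not in DOMAINS:
            raise ValueError(f"unknown control domain: {domain}")
        if not isinstance(score, int) or not 0 <= score <= 3:
            raise ValueError(f"{domain}: control score must be an integer 0-3, got {score!r}")
    return math.floor(sum(domain_scores.values()) / len(domain_scores))


def residual_risk(inherent_risk, control_environment):
    """Residual Risk = Inherent Risk - Control Environment, clamped to the 1-5 result scale.

    The deck's inputs allow 1 - 3 = -2, but the result must classify the vendor
    1-5, so a floor of 1 is applied here (assumption). Strong controls cannot
    push a vendor below the lowest rating, and the ceiling of 5 is never
    exceeded because controls only subtract.
    """
    if inherent_risk not in RISK_LABELS:
        raise ValueError(f"inherent risk must be 1-5, got {inherent_risk!r}")
    if not isinstance(control_environment, int) or not 0 <= control_environment <= 3:
        raise ValueError(f"control environment must be 0-3, got {control_environment!r}")
    return max(1, min(5, inherent_risk - control_environment))


def classify_vendor(inherent_risk, domain_scores):
    """Run both functions of the tool for one vendor and return the residual rating."""
    control = control_environment_score(domain_scores)
    residual = residual_risk(inherent_risk, control)
    return {
        "inherent": inherent_risk,
        "control_environment": control,
        "residual": residual,
        "rating": RISK_LABELS[residual],
    }


if __name__ == "__main__":
    # Constructed sample: a vendor the relationship manager rated High (5)
    # inherent risk, with questionnaire answers scored by the risk analyst.
    sample_answers = {
        "Access Control": 3,  # formal logical access policy covers requests, changes, terminations
        "Network Security": 2,  # antivirus required, no evidence it is centrally monitored
        "Privacy": 3,
        "Security Policy": 2,  # client data encrypted at rest; in transit only on some channels
        "Business Continuity and Disaster Recovery": 1,  # recovery time for main facility unknown
    }
    print(classify_vendor(5, sample_answers))  # control 2, residual 3, "Moderate"
```

With the sample answers the mean control score is 2.2, which rounds down to a control environment of 2, so a High (5) inherent-risk vendor lands at residual 3, Moderate. Note what the floor does in the other direction: a Low (1) vendor with strong controls stays at 1 rather than going negative, which is why the deck can say every result falls on the 1-5 scale.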

  • Demo

  • The Solution

    Phase I / Phase II / Phase III

  • Phase I: Planning

    Create a third party risk assessment methodology

    Allows Ernst Bank to assess vendors to determine risk

    Identify issues that may arise between bank and vendor

  • Phase II: Testing

    One-Some-Many Approach

    One: Vendor Risk Programs are tested on a single business line to see how they function with business operations

    Some: Vendor Risk Programs are tested on multiple business lines to see how the system works across different functions

    Many: Vendor Risk Programs are used on the majority of business lines after ensuring usability

    Update program based on feedback

  • Phase III: Implementation

    Implemented across all entities within the organization

    Process execution

  • Questions?