SLIDE 1

Incorporating a centralized function to form a holistic approach to vendor & third party risk management

Presentation for Operational Risk Management USA 2018
John Rachek, Director of Operational Risk Asset Management
October 4, 2018

SLIDE 2

Table of Contents

1. Overview of Third Party Risk Management
   – What Is TPRM?
   – Why Are We Concerned About Third Party Risk?
   – What Are Examples of Regulatory Drivers?

2. Centralized Approach to TPRM
   – Enterprise-Wide Third Party Risk Management Program
   – Leveraging SMEs to provide support to the business
   – Capturing all third parties in a single inventory

3. Centralization of Key Governance & Committees
   – Governance Steering Committees
   – Service Provider Management – Bilateral Governance

4. Ongoing Monitoring Framework
   – Outsourcing Ongoing Monitoring Framework

5. Incident/Key Metric Analysis
   – Incident Governance

SLIDE 3
1. Overview of Third Party Risk Management
SLIDE 4

What Is TPRM?

What is a Third Party? A person or entity that provides a product and/or service to an entity. Third Party includes external entities and internal entities, such as Intra-Group Agreements and Financial Market Utilities (FMUs). Third Parties are referred to as Suppliers in the TPM Tool.

What is a Third Party Relationship? An agreement under which a Third Party provides a product and/or service. Multiple Relationships can be associated with a single Supplier.

What is Third Party Risk? The potential risk that arises from relying on Third Parties to provide products and/or services.

What is Third Party Risk Management (TPRM)? TPRM refers to the policies and procedures established to manage the risks associated with receiving services or products from Third Parties (including intra-group agreements). The TPRM process is mandated to address global regulatory concerns and to manage our risk when entering into a Third Party Relationship.

Supplier hierarchy (example shown on the slide):

– Supplier: Vendor X Corporation
  – Supplier Legal Entity: Vendor X Global Business Services
  – Supplier Legal Entity: Vendor X Global Technology Services

When assessments are required at the Third Party level, they are completed for each legal entity. A recent assessment for IBM Global Business Services does not cover other legal entities within IBM Corporation.

Relationships (one per service contract):

– Sample Engagement 1
– Sample IT Services
– Sample Engagement 3

Each individual service contract is a “Relationship” in the TPM Tool. Each Relationship requires an IRQ to be submitted, and may require Due Diligence Assessments. For example, all three of these would potentially be managed independently from an Ongoing Monitoring perspective.

SLIDE 5

Why Are We Concerned About Third Party Risk?

The Global TPRM Framework positions the Bank to meet regulatory requirements, to strengthen business operations, and to manage security threats in order to mitigate Third Party risk exposure. Business drivers influencing Third Party risk include:

– Regulatory Requirements: Businesses are investing to align with evolving global regulatory requirements through the enhancement of governance, processes, and market intelligence.
– Cyber Security: Third Parties are a gateway to ever-increasing cyber security breaches, requiring enhanced assessment, monitoring, and management of Third Party risk.
– Business Value: There is an increased reliance on Third Parties to deliver business value in order to alleviate margin pressure and scale global growth.

SLIDE 6

What Are Examples of Regulatory Drivers?

While we can delegate operations to Third Parties, we cannot delegate responsibility and accountability for those operations.

The global regulatory environment is influencing the evolving face of business and the scope of services provided by Third Parties. Highlighted below are eight key global regulations specific to outsourcing that were taken into account for the TPRM Framework (the slide maps them against the locations Zurich, London, New York, Tokyo, Sydney, Mumbai, Pune, Singapore and Hong Kong):

– UK: PRA and FCA SYSC 8
– US: FRB SR 13-19, Guidance on Managing Outsourcing Risk
– Switzerland: FINMA 08/7 Outsourcing-banks
– Singapore: MAS Guidelines
– Hong Kong: HKMA SPM SA-2: Outsourcing
– India: RBI Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks
– Japan: JFSA Inspection Manual and Oversight Policy
– Australia: APRA Prudential Standard CPS 231

SLIDE 7
2. Centralized Approach to TPRM
SLIDE 8

Enterprise -Wide Third Party Risk Management Program

The program follows the Relationship lifecycle: Planning, Due Diligence, Contract Negotiation and Execution, Third Party Relationship Management (Ongoing Monitoring), and Termination.

Planning: IRQ, AIQ, TPMOQ, TPIQ, S&SA
Evaluates the potential Inherent Risk of the product and/or service. Completion of the questionnaires determines which Due Diligence Assessments are required. The Inherent Risk Rating (IRR) is calculated based on results from the IRQ.

Due Diligence
Supports the Bank’s evaluation of a Third Party’s controls in a particular area (completed either by the Third Party and/or SVM-TPMO).

Business Case and Exit Strategy
Identifies the reason behind engaging a Third Party and helps to protect the Bank at the end of the Relationship. Both are completed by the Relationship Owner and approved by the Relationship Sponsor. Only required if the IRR is Very High or High.

Relationship Risk Summary
Documents the results of the IRQ, Due Diligence, and outsourcing issues to provide an overview of the Relationship for the Relationship Sponsor to review and approve.

Contract Negotiation and Execution
Agrees an acceptable contract with the Third Party, in alignment with the Bank’s requirements.

Ongoing Monitoring
Encompasses the risk and performance management of the relationship. The IRR for the Relationship and the Relationship Classification (Outsourcing vs. Non-Outsourcing) determine the minimum required monitoring activities. Ongoing Monitoring includes completion of the Ongoing Monitoring Plan Acknowledgement, the Obligations Matrix, and the Contract Attestation. Ongoing monitoring of operational outsourcing services is done via the Pyramid Framework.

Termination
Documents the reason for the termination in the Termination Questionnaire and defines a Strategy for Exit.

Abbreviations: IRQ – Inherent Risk Questionnaire; AIQ – Additional Information Questionnaire; TPMOQ – Third Party Management Office Questionnaire; TPIQ – Third Party Information Questionnaire; S&SA – Sanctions & Sustainability Assessment; SVM – Sourcing & Vendor Management; TPMO – Third Party Management Office; TPRM – Third Party Risk Management.
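The inventory structure from the "What Is TPRM?" slide (Supplier, Supplier Legal Entity, Relationship) and the IRR-gated artifacts from the lifecycle above can be expressed as a small data model with two checks: whether a Relationship's legal entity has a current assessment, and which artifacts a Relationship must carry. This is an added example, not the bank's TPM Tool or any code from the presentation; the Vendor X entity and Relationship names follow the slide's diagram, while the control area, the dates, the "as of" date and the 365-day freshness window are assumptions chosen for illustration.

```python
"""Constructed model of the Supplier -> Legal Entity -> Relationship inventory.
Added example, not the bank's tool. Entity/relationship names follow the slide;
the control area, dates and 365-day freshness window are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class LegalEntity:
    supplier: str  # parent Supplier, e.g. "Vendor X Corporation"
    name: str      # the legal entity actually contracted with


@dataclass(frozen=True)
class Assessment:
    entity: LegalEntity  # assessments are completed per legal entity
    area: str            # control area, e.g. "Information Security & IT Risk"
    completed: date


@dataclass(frozen=True)
class Relationship:
    name: str            # one service contract = one Relationship in the TPM Tool
    entity: LegalEntity
    irr: str             # Inherent Risk Rating from the IRQ: Low/Medium/High/Very High


# Constructed inventory mirroring the slide's diagram (IRR values are assumed).
VENDOR_X = "Vendor X Corporation"
GBS = LegalEntity(VENDOR_X, "Vendor X Global Business Services")
GTS = LegalEntity(VENDOR_X, "Vendor X Global Technology Services")
INVENTORY = [
    Relationship("Sample Engagement 1", GBS, "High"),
    Relationship("Sample IT Services", GTS, "Very High"),
    Relationship("Sample Engagement 3", GBS, "Low"),
]

# Constructed assessments: a recent one against GBS and a stale one against GTS.
AREA = "Information Security & IT Risk"   # assumed control area
AS_OF = date(2018, 10, 4)                 # presentation date, used as "today"
ASSESSMENTS = [
    Assessment(GBS, AREA, date(2018, 6, 1)),
    Assessment(GTS, AREA, date(2016, 1, 1)),
]


def required_artifacts(rel: Relationship) -> List[str]:
    """Artifacts every Relationship carries over its lifecycle, plus the Business
    Case and Exit Strategy, which the slide gates on an IRR of High or Very High."""
    docs = ["IRQ", "Relationship Risk Summary", "Ongoing Monitoring Plan Acknowledgement",
            "Obligations Matrix", "Contract Attestation"]
    if rel.irr in ("High", "Very High"):
        docs += ["Business Case", "Exit Strategy"]
    return docs


def assessment_covers(rel: Relationship, area: str, as_of: date,
                      assessments: Sequence[Assessment] = ASSESSMENTS,
                      max_age_days: int = 365) -> bool:
    """True if a current assessment exists for the Relationship's own legal entity.
    Matching is on the entity, not the Supplier: a fresh GBS assessment does not
    cover GTS even though both roll up to Vendor X Corporation."""
    return any(
        a.entity == rel.entity and a.area == area
        and 0 <= (as_of - a.completed).days <= max_age_days  # assumed freshness window
        for a in assessments
    )


def coverage_gaps(area: str, as_of: date,
                  inventory: Sequence[Relationship] = INVENTORY,
                  assessments: Sequence[Assessment] = ASSESSMENTS) -> Dict[str, List[str]]:
    """Relationships without a current assessment in `area`, grouped by Supplier,
    which is the view a single enterprise-wide inventory makes possible."""
    gaps: Dict[str, List[str]] = {}
    for rel in inventory:
        if not assessment_covers(rel, area, as_of, assessments):
            gaps.setdefault(rel.entity.supplier, []).append(rel.name)
    return gaps


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(AREA, AS_OF))
    for rel in INVENTORY:
        print(rel.name, rel.irr, required_artifacts(rel))
```

Run as a script it reports the GTS-backed "Sample IT Services" as the only gap: the GBS assessment is current but scoped to a different legal entity, and the GTS assessment is older than the assumed window, so rolling both entities up to the Supplier would hide the gap.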

SLIDE 9

Leveraging SMEs to provide support to the business

Following is the list of assessments under the Third Party Risk Management (TPRM) program. Depending on the type of services provided, a combination of various assessments can be triggered. These assessments are conducted by various control groups with subject matter expertise:

– Anti Bribery & Corruption
– Anti Fraud
– Anti Money Laundering
– Business Continuity Management
– Cross Border Data Transfer
– Information Security & IT Risk
– Compliance
– Country Risk
– Financial Viability
– Negative News
– Operational Competency
– Physical Security
– Health and Safety
– Risk Management
– Sanctions
– Subcontractor
– Sustainability
– Model Risk Management

SLIDE 10
3. Centralization of Key Governance & Committees
SLIDE 11

Governance - Steering Committees

Global Service Provider Steering Committee
– Business area representation: COO, Regional COOs, Heads of Management Companies, Heads of Operations, Oversight Management Team, Head of Global Provider Management
– Meeting protocols: Quarterly meetings, agendas & minutes
– Agenda: monitoring Service Provider performance metrics (e.g. KPIs); reviewing escalated issues in respect of Service Provider Management; strategic Service Provider Management (fees, AUA, Relationship scope across multiple entities); knowledge exchange in regards to best practices for Provider Management

Business Area Risk and Control Oversight Committee
– Business area representation: COOs, Regional COOs, Heads of Management Companies, Heads of Operations, Regional and Business Heads of Operational Risk Management (ORM), First Line of Defense Support (FLDS), Compliance, Legal, IT, Internal Audit, Oversight Management Team
– Meeting protocols: Monthly meetings, agendas & minutes
– Agenda: control-related discussions; recent control incidents/loss events/industry items; regulatory initiatives; Internal Audit update; Audit/RCSA/MICOS/New Business past due and coming due items; monthly Service Provider issues/escalations; KRIs and other metrics

SLIDE 12

Service Provider Management – Bilateral Governance

Bilateral governance helps align oversight roles and functions for effective supervision, with dedicated and accountable personnel on both the Bank and Service Provider sides.

Service Provider Management Steering Committees
– Bank: Global Business Head, COO / Service Provider: Supplier Business Head
– Bank: Senior Executive / Service Provider: Supplier Senior Executive
– Bank: Executive / Service Provider: Supplier Executive

Service Provider Management Team
– Bank: Subject Matter Managers / Service Provider: Supplier Subject Matter Managers

SLIDE 13
4. Ongoing Monitoring Framework
SLIDE 14

Outsourcing Ongoing Monitoring Framework

The slide shows the Pyramid Framework: monitoring activities arranged by frequency (Daily, Weekly, Monthly, Quarterly, Annually) and split between the 1st Line of Defense and the 2nd Line of Defense/ORM. The activities shown are:

– Internal Control Assessment (repeated across the frequency tiers)
– Risk and Control Indicators
– Governance and Policies
– RCSA
– Incident Data
– Reporting
– Response Framework
– Input into annual due diligence
– Service Organization Controls (SOC 1)
– Top Operational Risk and Remediation plans

SLIDE 15
5. Incident/Key Metric Analysis
SLIDE 16

Incident Governance

Issue Hierarchy (ordered by severity)
– Issue: a matter of concern requiring escalation
– Incident: a breach of Service Level
– MyIncident: financial, reputational or regulatory risk

Issue Capture and Issue Management, by frequency (tracked on both the Firm and Service Provider sides)
– Daily: quality review; data entry to SharePoint; BAU discussions
– Weekly: mgmt. report (all open items); action logs
– Monthly: business senior mgmt. meeting; Risk and Compliance Committee report; FO meetings (open items); senior Business/Service Provider mgmt. review (open items & metrics); Monthly Service Review
– Quarterly: Steering Committee; Quarterly Service Review

Issues summary and escalation items are reported to the Business Risk and Control Oversight Committee and COOs.