Incorporating a centralized function to form a holistic approach to vendor & third party risk management Presentation for Operational Risk Management USA 2018 John Rachek, Director of Operational Risk Asset Management October 4, 2018
Table of Content 1. Overview of Third Party Risk Management – What Is TPRM? – Why Are We Concerned About Third Party Risk? – What Are Examples of Regulatory Drivers? 2. Centralized Approach to TPRM – Enterprise - Wide Third Party Risk Management Program – Leveraging SMEs to provide support to the business – Capturing all third parties in a single inventory 3. Centralization of Key Governance & Committees – Governance Steering Committees – Service Provider Management – Bilateral Governance 4. On going Monitoring Framework – Outsourcing On-going Monitoring Framework 5. Incident/Key Metric Analysis – Incident Governance 2
1. Overview of Third Party Risk Management
What Is TPRM? A person or entity that provides a product and / or service to an entity. Third Party includes What is a Third Party ? external entities and internal entities, such as Intra-Group Agreements and Financial Market Utilities (FMUs). Third Parties are referred to Suppliers in the TPM Tool. What is a Third Party Relationship ? An agreement under which a Third Party provides a product and / or service. Multiple Relationships can be associated with a single Supplier. What is Third Party Risk ? Potential risk that arises from relying on Third Parties to provide products and / or services. TPRM refers to the policies and procedures established to manage risks associated when What is Third Party Risk receiving services or products from Third Parties (including intra-group agreements). The Management (TPRM) ? TPRM process is mandated to address global regulatory concerns and to manage our risk when entering into a Third Party Relationship. Vendor X When assessments are required at the Third Corporation Party level, they are completed for each legal entity. A recent assessment for IBM Global Supplier Business Services does not cover other legal entities within IBM Corporation. Vendor X Global Vendor X Global Technology Services Business Services Supplier Legal Entity Supplier Legal Entity Each individual service contract is a “Relationship” in the TPM Tool. Each Relationship requires an IRQ to be submitted, and may require Due Diligence Assessments. For example, all three of these would Sample Engagement 1 Sample Engagement 3 Sample IT Services potentially be managed independently from an Relationship Relationship Relationship Ongoing Monitoring perspective. 4
Why Are We Concerned About Third Party Risk? The Global TPRM Framework positions to meet regulatory requirements, to strengthen business operations, and to manage security threats in order to mitigate Third Party risk exposure. Business drivers influencing Third Party risk include: Regulatory Requirements Businesses are investing to align with evolving global regulatory requirements through the enhancement of governance, processes, and market intelligence. Business Value There is an increased reliance on Third Parties to deliver business value in order to alleviate margin pressure and scale global growth. Cyber Cyber Security Security Third Parties are a gateway to ever-increasing cyber security breaches, requiring enhanced assessment, monitoring, and management of Third Party risk. 5
What Are Examples of Regulatory Drivers? The global regulatory environment is influencing the evolving face of business and scope of services provided by Third Parties. Highlighted below are eight key global regulations specific to outsourcing that were taken into account for the TPRM Framework. UK PRA and FCA India SYSC 8 Japan RBI JFSA London Guidelines on Managing Risks and Code Inspection Manual of Conduct in Outsourcing of Financial New York and Oversight Policy Services by Bank Zurich Hong Kong HKMA HK SPM SA-2: Tokyo Outsourcing Switzerland FINMA Hong Kong 08/7 Outsourcing-banks India Singapore MAS US Mumbai MAS Guidelines FRB Pune SR 13–19 Guidance on Managing Outsourcing Risk Sydney Singapore Australia APRA Prudential Standard CPS 231 While we can delegate operations to Third Parties, we cannot delegate responsibility and accountability for those operations. 6
2. Centralized Approach to TPRM
Enterprise -Wide Third Party Risk Management Program Business IRQ, AIQ, Contract Risk Case Relationship Ongoing Due Diligence Termination TPMOQ, Negotiation and and Exit Risk Summary Monitoring TPIQ, S&SA Execution Strategy Planning Due Diligence Contract Negotiation and Execution Third Party Relationship Management Termination Evaluates the potential Inherent Risk of the product Documents the results of the IRQ, Due Relationship IRQ, AIQ, and/or service. Completion of the questionnaires Diligence, and outsourcing issues to provide Risk TPMOQ, determines which Due Diligence Assessments are an overview of the Relationship for the Summary TPIQ, S&SA required. The Inherent Risk Rating (IRR) is calculated Relationship Sponsor to review and approve. based on results from the IRQ. Encompasses the risk and performance management of the relationship. The IRR for Identifies the reason behind engaging a Third Party, Business helping to protect the Bank at the end of the the Relationship and the Relationship Case and Classification (Outsourcing vs. Non- Relationship. Both completed by the Relationship Outsourcing) determines the minimum Owner and approved by the Relationship Sponsor. Exit Strategy Only required if the IRR is Very High or High. Ongoing required monitoring activities. Ongoing Monitoring includes the completion of the Monitoring Ongoing Monitoring Plan Acknowledgement, Support the Bank’s evaluation of a Third Party’s controls the Obligations Matrix, and the Contract Due in a particular area (completed either by a Third Party Attestation. Ongoing monitoring of the Diligence and/or SVM-TPMO). operational outsourcing services is done via the Pyramid Framework. Contract Documents the reason for the termination in Agrees upon an acceptable contract with the Third Negotiation Termination the Termination Questionnaire and defines a Party, in alignment with Bank’s requirements. and Execution Strategy for Exit. IRQ – Inherent Risk Questionnaire, AIQ – Additional Information Questionnaire, TPMOQ – Third Party Management Office Questionnaire, TPIQ – Third Party Information Questionnaire SVM – Sourcing & Vendor Management, TPMO – Third Party Management Office, TPRM – Third Party Risk Management, S&SA – Sanctions & Sustainability Assessment 8
Leveraging SMEs to provide support to the business Following is the list of assessments under the Third Party Risk Management (TPRM) program. Depending on the type of services provided, a combination of various assessments can get triggered. These assessments are conducted by various control groups with subject matter expertise: Business Continuity Anti Bribery & Corruption Anti Fraud Anti Money Laundering Management Information Security & IT Cross Border Data Transfer Compliance Country Risk Risk Physical Security Health Financial Viability Negative News Operational Competency and Safety Risk Management Sanctions Subcontractor Sustainability Model Risk Management 9
3. Centralization of Key Governance & Committees
Governance - Steering Committees Business Area Risk and Control Oversight Committee Business area representation COOs, Regional COOs, Heads of Management Companies, Heads of Operations, Regional and Business Heads of Operational Risk Management (ORM), First Line of Defense Support (FLDS), Compliance, Legal, IT, Internal Audit, Oversight Management Team Meeting protocols Monthly meetings, agendas & minutes. Control Related Discussions; Recent Control Incidents/Loss events/Industry items; Regulatory Initiatives; Internal Audit Update; Audit/RCSA/MICOS/New Business past due and coming due items; Monthly Service Provider issues/escalations; KRIs and other metrics Global Service Provider Steering Committee Business area representation COO, Regional COOs, Heads of Management Companies, Heads of Operations, Oversight Management Team, Head of Global Provider Management Meeting protocols Quarterly meetings, agendas & minutes. Monitoring Service Provider performance metrics (e.g. KPIs); Reviewing escalated issues in respect of Service Provider Management; Strategic Service Provider Management (Fees, AUA, Relationship scope across multiple entities), and Knowledge exchange in regards to best practices for Provider Management 11
Service Provider Management – Bilateral Governance Bilateral governance helps align oversight roles and functions for effective supervision . Bilateral Governance Bank Service Provider Global Business Head COO Supplier Business Head Service Provider Management Senior Executive Supplier Senior Executive Steering Committees Executive Supplier Executive Service Provider Subject Supplier Subject Management Matter Managers Matter Managers Team Dedicated and accountable personnel 12
4. On going Monitoring Framework
Recommend
More recommend
