Sustainability through Governance and Risk Management
Audit | Tax | Advisory | Risk | Performance © 2015 Crowe Horwath LLP
Managing a Third Party Risk Management Program
Jennifer F. Burke
Goals
• Understanding of Third-Parties and Risks They Present
• A Framework For Managing Third-Party Risk
• Relationship Between Third-Party Risk Management and the Internal Audit Function
• Integration of Third-Party Risk into the Operational Strategy of the Enterprise
What Do We Mean By ‘Third-Parties’?
• Suppliers: Customer forms, bank bags, technology equipment, office supplies
• Service Providers: Transportation and Logistics, Business Services, IT Services/Cloud
• Demand-side Partners: Advertising Firms, Sales Representatives, Social Media
• Other Relationships: Partnerships, Agents, Regulatory Agencies, Joint Ventures
(Figure: The Global Business Environment)
Common Credit Union Vendors and Suppliers
• Information technology
• Consultants
• Attorney
• Auditors
• Appraisers
• Facilities management
• Janitorial services
• Office supplies
• Indirect auto relationships
• Outside loan originators
• Outsourced loan servicing
• Third party accounting and human resources
Third-Party/Extended Enterprise Risk - Risk that Extends Beyond the Enterprise
Your third-party’s risks are your risks.
(Figure: tiers of the extended enterprise; only the label “Tier 2” survives)
Trends in the Use of Third-Parties Across the Business
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Third-Party Risks
Source: “Working Well Together - Managing Third-Party Risk in a More Integrated World.” CFO Research Services 2012
Key Third-Party Concerns: What We Are Hearing From Executives
Source: “Working Well Together - Managing Third-Party Risk in a More Integrated World.” CFO Research Services 2012
Key Third-Party Concerns: What We Are Hearing From Executives
To what degree are the following issues a concern?
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Key Third Party Risks/Concerns
• Cloud risks
• Regulatory compliance (FFIEC)
• Social media
• Supplier viability
• Financial stability
• Capacity
• Reliance on revenue stream or operations
• Supplier resiliency (recovery in a disaster or failure)
• Acts of nature
• Dependencies on other parties
“The third-party that you think will never fail you … probably will.”
“The supplier’s risks are still our risks.”
“…you probably need more third-party risk management than you realize.”
Third-Party Risk Management Framework
A framework to pull together and assist in coordination of all the risk management activities in a company’s third-party risk program
A platform or road map to assist management in improving third-party risk management efforts
Third-Party Risk Management Process Overview
• Selection & Due Diligence
  • Initial Risk Assessment
  • Controls Assessment/Prequalification
  • Initial Remediation & Vendor Management Planning
• Ongoing Risk Management & Assurance
  • Monitoring Service Levels through key risk and performance indicators
  • Supplier Assessments, Audits, and Evaluations
  • Issue Identification & Resolution
• Annual Third-Party Risk Assessment
  • Application of Risk Filter
  • Risk Assessment and Controls Assessment
  • Risk Mitigation Plan
• Information Management & Reporting
• Governance and Ownership
Vendor Initial Risk Assessment
Review the following:
• Type of company and products/services offered
• Two years’ financial condition, including Better Business Bureau and credit report
• Years in business
• Proof of business
• Professional references
• Website address
• Company bankruptcy
• Company officers or owners under investigation, fined, penalized
• Vendor audit reports
• Vendor insurance
• Vendor licensing and registrations
• Possible onsite visit
• OFAC search
• Contract review
Specific Vendor Risk Assessment
1. Prepare a complete list of Vendors
2. Identify for each Vendor:
• Inherent risk = Dollars and type of services or products
• Annual service or periodic purchase of products v. recurring
• Technical and industry experience
• Risk of products or services provided, including evaluation of Vendor Customers and risks impacting Vendor Customers
• Relevant risks impacting Vendor, such as credit, liquidity, financial, operational, environmental, reputation, business continuity, etc.
• Relevant risks impacting Vendors’ Customers and geographies in which the vendor operates
Specific Vendor Risk Assessment
3. Determine inherent criticality of each Vendor
4. Determine access to confidential member information
5. Document Vendor controls and security measures implemented to protect member information
6. Assess effectiveness of Vendor controls and processes based on:
• (For initial assessment) Whether due diligence performed on each Vendor and whether any issues arose
• Ongoing monitoring of Vendor performance (Vendor Score Card), third party audit report results
Ownership of Third-Party Risk
Who has primary day-to-day responsibility for evaluating/overseeing third-party risk?
(Chart: All Respondents, n=164; Financial Sector Respondents, N=47)
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Current Role of Internal Audit in Third Party RM
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Monitoring Third-Parties
Source: “Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit,” December 2013, Sponsored by Crowe Horwath LLP
Vendor Performance Monitoring
Annually review the following:
• Financial condition
• Website address
• Company officers or owners under investigation, fined, penalized
• Vendor insurance, licensing and registrations
• OFAC search
• Third party audit reports and document user control considerations
• Vendor business resumption testing
• Vendor performance - Survey
May consider software tool for assessing, evaluating, and monitoring vendors and retaining contracts
Vendor Performance Monitoring
Ongoing monitor for:
• Vendor compliance with laws, rules, regulations
• Budget v actual costs
• Vendor performance, including timeliness, quality, knowledge, volume, pricing, continuity of service provided, other contractual agreements
• Training provided to credit union personnel
May consider developing vendor score card for each vendor
Vendor Management Policy and Procedures
• Policy should be reviewed and approved by Board annually
• Procedures should document the risk assessment, due diligence, monitoring of vendors/suppliers
• Vendor management policy should include at a minimum:
• Third party risks impacting credit union
• Types of vendors credit union will do business with
• Vendor risks, i.e. strategic, reputation, operational, compliance, security, contingency, credit
• Consideration of vendor customer risks
• Risk management process, including vendor risk assessment, due diligence, contract negotiation/approval, oversight
• Risk assessment
• Risk monitoring
• Independent testing
• Record retention
Integrating Third-Parties and ERM
Best ERM programs have integrated strategic third-parties into their overall operational risk management approach. This can include:
• Assessment of risk management capability during due diligence phase
• Negotiated contracts with strategic third-parties with heightened transparency and information available to manage operational risk
• Use of KRIs and “red flags” to oversee and monitor the risk management capability of the third-party
• Access provided to third-party representatives to specific company risk training and ERM program awareness
• Close working relationship between third-party representatives and operational risk owners to collectively assess, manage, and mitigate risk
Vendor Management Checklist for Success
• Vendor management policy
• Vendor risk assessment
• Contract review
• Due diligence
• Independent Testing
• Sufficient documentation
• Vendor on-going performance management
• Vendor annual and on-going relationship management
Vendor Relationship Management
Well Managed Vendor Relationship =
+ Increased Customer Satisfaction
+ Reduced Costs
+ Better Quality
+ Better Service
“Will Pay Dividends”
For more information, contact:
Jennifer F. Burke
Direct 859.280.5160
Mobile 859.221.2613
Connect with me on LinkedIn: http://www.linkedin.com/pub/jennifer-burke/3/510/825/
Follow me on twitter: @jenniferfburke
Subscribe to our Risk newsletter: http://www.crowehorwath.com/emailsignup