Managing a Third Party Risk Management Program

Page 1

Sustainability through Governance and Risk Management

Audit | Tax | Advisory | Risk | Performance © 2015 Crowe Horwath LLP

Managing a Third Party Risk Management Program

Jennifer F. Burke

Page 2

Goals

• Understanding of Third-Parties and Risks They Present

• A Framework For Managing Third-Party Risk

• Relationship Between Third-Party Risk Management and the Internal Audit Function

• Integration of Third-Party Risk into the Operational Strategy of the Enterprise

Page 3

What Do We Mean By ‘Third-Parties’?

• Suppliers: Customer forms, bank bags, technology equipment, office supplies

• Service Providers: Transportation and Logistics, Business Services, IT Services/Cloud

• Demand-side Partners: Advertising Firms, Sales Representatives, Social Media

• Other Relationships: Partnerships, Agents, Regulatory Agencies, Joint Ventures

(Diagram: The Global Business Environment)

Page 4

Common Credit Union Vendors and Suppliers

• Information technology

• Consultants

• Attorneys

• Auditors

• Appraisers

• Facilities management

• Janitorial services

• Office supplies

• Indirect auto relationships

• Outside loan originators

• Outsourced loan servicing

• Third party accounting and human resources

Page 5

Third-Party/Extended Enterprise Risk - Risk that Extends Beyond the Enterprise

Your third-party’s risks are your risks.


Page 6

Trends in the Use of Third-Parties Across the Business

Source: "Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit," December 2013, Sponsored by Crowe Horwath LLP

Page 7

Third-Party Risks

Source: "Working Well Together - Managing Third-Party Risk in a More Integrated World." CFO Research Services 2012

Page 8

Key Third-Party Concerns: What We Are Hearing From Executives

Source: "Working Well Together - Managing Third-Party Risk in a More Integrated World." CFO Research Services 2012

Page 9

Key Third-Party Concerns: What We Are Hearing From Executives

To what degree are the following issues a concern?

Source: "Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit," December 2013, Sponsored by Crowe Horwath LLP

Page 10

Key Third Party Risks/Concerns

• Cloud risks

• Regulatory compliance (FFIEC)

• Social media

• Supplier viability

• Financial stability

• Capacity

• Reliance on revenue stream or operations

• Supplier resiliency (recovery in a disaster or failure)

• Acts of nature

• Dependencies on other parties

“The third-party that you think will never fail you … probably will.”

“The supplier’s risks are still our risks.”

“…you probably need more third-party risk management than you realize.”

Page 11

Third-Party Risk Management Framework

A framework to pull together and assist in coordination of all the risk management activities in a company’s third-party risk program

A platform or road map to assist management in improving third-party risk management efforts

Page 12

Third-Party Risk Management Process Overview

• Selection & Due Diligence

  • Initial Risk Assessment
  • Controls Assessment/Prequalification
  • Initial Remediation & Vendor Management Planning

• Ongoing Risk Management & Assurance

  • Monitoring Service Levels through key risk and performance indicators
  • Supplier Assessments, Audits, and Evaluations
  • Issue Identification & Resolution

• Annual Third-Party Risk Assessment

  • Application of Risk Filter
  • Risk Assessment and Controls Assessment
  • Risk Mitigation Plan

Supporting all three phases: Information Management & Reporting; Governance and Ownership

Page 13

Vendor Initial Risk Assessment

Review the following:

• Type of company and products/services offered

• Two years' financial condition, including Better Business Bureau and credit report

• Years in business

• Proof of business

• Professional references

• Website address

• Company bankruptcy

• Company officers or owners under investigation, fined, penalized

• Vendor audit reports

• Vendor insurance

• Vendor licensing and registrations

• Possible onsite visit

• OFAC search

• Contract review

Page 14

Specific Vendor Risk Assessment

1. Prepare a complete list of Vendors

2. Identify for each Vendor:

• Inherent risk = Dollars and type of services or products

• Annual service or periodic purchase of products vs. recurring

• Technical and industry experience

• Risk of products or services provided, including evaluation of Vendor Customers and risks impacting Vendor Customers

• Relevant risks impacting Vendor, such as credit, liquidity, financial, operational, environmental, reputation, business continuity, etc.

• Relevant risks impacting Vendors' Customers and geographies in which the vendor operates

Page 15

Specific Vendor Risk Assessment

3. Determine inherent criticality of each Vendor

4. Determine access to confidential member information

5. Document Vendor controls and security measures implemented to protect member information

6. Assess effectiveness of Vendor controls and processes based on:

• (For initial assessment) Whether due diligence was performed on each Vendor and whether any issues arose

• Ongoing monitoring of Vendor performance (Vendor Score Card), third party audit report results
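As an added illustration that is not part of the deck, the six assessment steps above and the annual monitoring items (OFAC search, third party audit reports) as a small Python tiering model over a vendor inventory. The Vendor fields, service-type weights, spend thresholds and the 365-day review cycle are assumptions, and the sample inventory is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
# The deck names the dimensions but gives no scale; weights and thresholds here are assumptions.
SERVICE_RISK = {"core_processing": 3, "cloud_hosting": 3, "loan_servicing": 3,
                "consulting": 2, "appraisal": 2, "office_supplies": 1, "janitorial": 1}

@dataclass
class Vendor:
    name: str
    annual_spend: float
    service_type: str
    recurring: bool
    member_data_access: bool        # step 4: access to confidential member information
    due_diligence_issues: int       # step 6: issues found in the initial due diligence
    scorecard: float                # step 6: ongoing vendor score card (0-100)
    last_ofac_check: date | None    # annual review items from the monitoring slide
    last_audit_report: date | None

def inherent_risk(v: Vendor) -> int:
    # Step 2: dollars and type of service, plus a bump for recurring relationships.
    score = SERVICE_RISK.get(v.service_type, 2) + (1 if v.recurring else 0)
    return score + (2 if v.annual_spend >= 250_000 else 1 if v.annual_spend >= 50_000 else 0)

def criticality(v: Vendor) -> str:
    # Steps 3-4: inherent risk, raised when the vendor touches member data.
    score = inherent_risk(v) + (2 if v.member_data_access else 0)
    return "high" if score >= 6 else "medium" if score >= 4 else "low"

def control_effectiveness(v: Vendor) -> str:
    # Step 6: due diligence findings and score card results.
    if v.due_diligence_issues > 0 or v.scorecard < 70:
        return "weak"
    return "adequate" if v.scorecard < 85 else "strong"

def review_flags(v: Vendor, today: date) -> list[str]:
    # Annual monitoring items that are overdue (assumed 365-day cycle).
    stale = lambda d: d is None or (today - d).days > 365
    flags = ["ofac_search_due"] if stale(v.last_ofac_check) else []
    if v.member_data_access and stale(v.last_audit_report):
        flags.append("third_party_audit_report_due")
    return flags

def assess(vendors: list[Vendor], today: date) -> list[dict]:
    # Step 1 onward: work the complete vendor list, highest criticality first.
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [{"vendor": v.name, "criticality": criticality(v), "controls": control_effectiveness(v),
             "flags": review_flags(v, today)} for v in vendors]
    return sorted(rows, key=lambda r: (order[r["criticality"]], r["vendor"]))

# Constructed sample inventory (not from the deck); the review date is fixed for reproducibility.
TODAY = date(2015, 3, 1)
SAMPLE = [Vendor("CoreSys", 400_000, "core_processing", True, True, 0, 92, date(2015, 1, 10), date(2014, 11, 1)),
          Vendor("CleanCo", 30_000, "janitorial", True, False, 0, 80, None, None),
          Vendor("AppraisePro", 60_000, "appraisal", False, True, 1, 88, date(2013, 6, 1), date(2014, 9, 1))]
```

Running `assess(SAMPLE, TODAY)` ranks the core processor first and shows which vendors have overdue annual review items.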

Page 16

Ownership of Third-Party Risk

Who has primary day-to-day responsibility for evaluating/overseeing third-party risk?

(Chart: All Respondents, n=164; Financial Sector Respondents, N=47)

Source: "Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit," December 2013, Sponsored by Crowe Horwath LLP

Page 17

Current Role of Internal Audit in Third Party RM

Source: "Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit," December 2013, Sponsored by Crowe Horwath LLP

Page 18

Monitoring Third-Parties

Source: "Closing the Gaps in Third-Party Risk Management, Defining a Larger Role for Internal Audit," December 2013, Sponsored by Crowe Horwath LLP

Page 19

Vendor Performance Monitoring

Annually review the following:

• Financial condition

• Website address

• Company officers or owners under investigation, fined, penalized

• Vendor insurance, licensing and registrations

• OFAC search

• Third party audit reports and document user control considerations

• Vendor business resumption testing

• Vendor performance - Survey

May consider a software tool for assessing, evaluating, and monitoring vendors and for retaining contracts

Page 20

Vendor Performance Monitoring

Ongoing monitor for:

• Vendor compliance with laws, rules, regulations

• Budget v actual costs

• Vendor performance, including timeliness, quality, knowledge, volume, pricing, continuity of service provided, other contractual agreements

• Training provided to credit union personnel

May consider developing a vendor score card for each vendor

Page 21

Vendor Management Policy and Procedures

• Policy should be reviewed and approved by the Board annually

• Procedures should document the risk assessment, due diligence, and monitoring of vendors/suppliers

• Vendor management policy should include at a minimum:

  • Third party risks impacting the credit union
  • Types of vendors the credit union will do business with
  • Vendor risks, i.e. strategic, reputation, operational, compliance, security, contingency, credit
  • Consideration of vendor customer risks
  • Risk management process, including vendor risk assessment, due diligence, contract negotiation/approval, oversight
  • Risk assessment
  • Risk monitoring
  • Independent testing
  • Record retention

Page 22

Integrating Third-Parties and ERM

The best ERM programs have integrated strategic third-parties into their overall operational risk management approach. This can include:

• Assessment of risk management capability during the due diligence phase

• Negotiated contracts with strategic third-parties with heightened transparency and information available to manage operational risk

• Use of KRIs and “red flags” to oversee and monitor the risk management capability of the third-party

• Access provided to third-party representatives to specific company risk training and ERM program awareness

• Close working relationship between third-party representatives and operational risk owners to collectively assess, manage, and mitigate risk

Page 23

Vendor Management Checklist for Success

• Vendor management policy

• Vendor risk assessment

• Contract review

• Due diligence

• Independent testing

• Sufficient documentation

• Vendor on-going performance management

• Vendor annual and on-going relationship management

Page 24

Vendor Relationship Management

Well Managed Vendor Relationship =

+ Increased Customer Satisfaction

+ Reduced Costs

+ Better Quality

+ Better Service

“Will Pay Dividends”

Page 25


For more information, contact:

Jennifer F. Burke

Direct 859.280.5160

Mobile 859.221.2613

[email protected]

Connect with me on LinkedIn: http://www.linkedin.com/pub/jennifer-burke/3/510/825/

Follow me on twitter: @jenniferfburke

Subscribe to our Risk newsletter: http://www.crowehorwath.com/emailsignup