Third Party Risk Management …Then and Now…


Transcript of Third Party Risk Management …Then and Now…

Page 1: Third Party Risk Management …Then and Now…

Third Party Risk Management

…Then and Now…

Linda Tuck Chapman

[email protected]

416.452.4635

Page 2: Third Party Risk Management …Then and Now…

© 2020 Third Party Risk Institute Ltd.

Proprietary Information. Do not copy or distribute. 2

Workshop Agenda

1. Introductions and Workshop Overview

2. 3rd party risk management fundamentals

3. Your role in 3rd party risk management

4. Important lessons learned from C-19

5. Strengthening risk controls

6. Risk metrics (KPIs, KRIs)

7. Defining Success

Page 3: Third Party Risk Management …Then and Now…


Linda is a leading expert in third-party risk management. As one of the first Chief Procurement Officers and Head, Third Party Risk Management in the financial services sector, Linda led the development of best practices in strategic sourcing and high-impact third party risk management. As an advisor she is collaborative and hands-on, helping firms assess, strengthen and mature their program and practices.

Linda’s best-selling book “Third Party Risk Management: Driving Enterprise Value”, now in its second edition, is mandatory reading for the “Certified Third Party Risk Management Professional” (C3PRMP) program.

C3PRMP is the “gold standard” for risk professionals. Created by Linda Tuck Chapman, this instructor-led eLearning program is certified by NASBA for 66 CPE credits and by GARP for 20 CPD credits.

Career Highlights:

• President, Ontala Performance Solutions Ltd. (current)

• CEO, Third Party Risk Institute (current)

• Strategic Partner, Third Party Management, Bates Group (current)

• Strategic Advisor, Third Party Management, ENGAIZ (current)

• Advisory Board, Sapience Analytics (current)

• Chief Procurement Officer & Head Third Party Risk, BMO Financial Group

• President & CEO, Education Collaborative Marketplace

• Chief Procurement Officer & Head Third Party Risk, Fifth Third Bank

• VP & Chief Procurement Officer & Head Supplier Risk, Scotiabank Group

416.452.4635

[email protected]

[email protected]

Linda Tuck Chapman, C3PRMP Advisor. Educator. Author. Expert.

Page 4: Third Party Risk Management …Then and Now…

3rd Party Risk Management Fundamentals

SIG University video clip: Module 1, Lesson 8 (3:56)

Certified Third Party Risk Management Professional (C3PRMP) program

Page 5: Third Party Risk Management …Then and Now…


Sing from the same song sheet: Third Parties

To be effective and efficient, 3PRM programs must:

• Take a risk-based approach, with risk-adjusted processes and tools

• Deliver intentional lifecycle management, throughout the whole lifecycle

• Embed methodologies and tools that enable informed decisions and effective risk oversight

Third parties: all business relationships, excluding those with your customers

“Vendor”

Typically sourced through a center-led sourcing/procurement process.

Paid by Accounts Payable.

“Non-Vendor”

Typically acquired directly by the business line/segment.

Financial remuneration is not rendered by Accounts Payable.

Source: RMA Third Party Risk Management Roundtable – Steering Committee

Page 6: Third Party Risk Management …Then and Now…


Speak the same language: Risk Taxonomy

Third Party relationships

A business arrangement between your firm and another entity, by contract or otherwise… that involves outsourced products and services, use of independent consultants, networking arrangements, referral arrangements, payment processing, services provided by affiliates and subsidiaries, joint ventures, and other ongoing business arrangements.

Source: OCC Bulletin 2020-10 | March 5, 2020

A risk-adjusted program

Management should determine the risks associated with each third-party relationship and then determine how to adjust risk management practices for each relationship. The goal is for the risk management practices for each relationship to be commensurate with the level of risk and complexity of the third-party relationship.

Page 7: Third Party Risk Management …Then and Now…


Speak the same language: Risk Taxonomy

Inherent Risk

The risks that the third party presents to your company, “in the absence of controls”. The controls that are evaluated are the third party’s internal risk controls, not yours.

Residual Risk

The type and amount of risk remaining after risk treatment, after considering the third party’s internal risk controls.

Risk Controls

The actions firms take to reduce or eliminate threats and potential losses in a company's operations, such as technical and non-technical aspects of the business, financial policies and other issues that may affect the well-being of the firm.

Page 8: Third Party Risk Management …Then and Now…

Your Role in Third Party Risk Management

Page 9: Third Party Risk Management …Then and Now…


3PRM: Group Activity #1 (all)

Where do you fit?

What are you Responsible for? (what must you do)

What are you Accountable for? (what will you approve?)

What should you be Consulted about?

What should you be Informed about?

Page 10: Third Party Risk Management …Then and Now…

Important Lessons Learned from C-19

Page 11: Third Party Risk Management …Then and Now…


Group Activity #2: (small groups)

Surprises? … good or bad …

Which relationships are critical, and which aren’t?

Which third parties are revealing vulnerabilities?

Which stakeholders are concerned about third party risk?

Did/should key stakeholder roles and responsibilities change?

Page 12: Third Party Risk Management …Then and Now…


Group Activity #3: (all)

C-19:

In your firm/opinion, which third party risk domains have emerged as the “top line” risks?

Page 13: Third Party Risk Management …Then and Now…

Strengthening Risk Controls

Page 14: Third Party Risk Management …Then and Now…


Group Activity #4: (small groups)

What are some realistic risk controls that your firm could/should implement to address emerging “top line” risks?

What are some realistic compensating controls that the 1st Line of Defense should/could implement to address existing and emerging “top line” risks?

What could/should change to strengthen third party risk oversight?

Page 15: Third Party Risk Management …Then and Now…

Risk Metrics: KPIs and KRIs

SIG University video clip: M15 L6

Certified Third Party Risk Management Professional (C3PRMP)

Page 16: Third Party Risk Management …Then and Now…


Speak the same language: Risk Taxonomy

Key Performance Indicators (KPIs)

• program-centric performance metrics

• determine how effectively the company is complying with its policies and processes

KPIs measure the health of your third party management program

Key Risk Indicators (KRIs):

• risk-centric metrics

• measure the source, quality and quantity of third party risk

KRIs measure the amount and type of third party risk your firm has accepted

Page 17: Third Party Risk Management …Then and Now…


Group Activity # 5: (all)

Key Performance Indicators (KPIs)

• program-centric performance metrics

• determine how effectively the company is complying with its policies and processes

KPIs measure the health of your third party management program

What should we measure?

Page 18: Third Party Risk Management …Then and Now…


Key Risk Indicators (KRIs):

• risk-centric metrics

• measure the source and quantity of third party risk

KRIs measure the amount and type of third party risk your firm has accepted

What should we measure?

Group Activity #6: (small groups)

Page 19: Third Party Risk Management …Then and Now…

Defining Success

Page 20: Third Party Risk Management …Then and Now…


Sing from the same song sheet: Success

❖ Aligned: risk management practices, across functions and businesses

Informed risk taking aligns action with strategy

❖ Engaged: the right stakeholders, at the right time

Compliant, proactive and reactive management

❖ Efficient: the right activities, with the right amount of rigor

Streamlined, technology-enabled, leverages third party data services

❖ Integrated: prevent, detect and respond to risks and risk events

Breaches, disruptions, deterioration, and other incidents

❖ Enabling: controls, capabilities, action and results

Informed decisions, actionable risk insight, event-driven responses

Page 21: Third Party Risk Management …Then and Now…


Linda Tuck Chapman

[email protected]

www.ontala.com

[email protected]

www.thirdpartyriskinstitute.com

Amazon.com

https://sig.org/sig-university/certification-programs

Let’s continue the conversation…