Third Party Risk Management …Then and Now…
Linda Tuck Chapman
416.452.4635
© 2020 Third Party Risk Institute Ltd.
Proprietary Information. Do not copy or distribute. 2
Workshop Agenda
1. Introductions and Workshop Overview
2. 3rd party risk management fundamentals
3. Your role in 3rd party risk management
4. Important lessons learned from C-19
5. Strengthening risk controls
6. Risk metrics (KPIs, KRIs)
7. Defining Success
Linda is a leading expert in third-party risk management. As one of the first Chief Procurement Officers
and Head, Third Party Risk Management in the financial services sector, Linda led the development of best
practices in strategic sourcing and high-impact third party risk management. As an advisor she is
collaborative and hands-on, helping firms assess, strengthen and mature their program and
practices.
Linda’s best-selling book “Third Party Risk Management: Driving Enterprise Value”, now in its second
edition, is mandatory reading for the “Certified Third Party Risk Management Professional” (C3PRMP) program.
C3PRMP is the “gold standard” for risk professionals. Created by Linda Tuck Chapman, this instructor-led
eLearning program is certified by NASBA for 66 CPE credits and by GARP for 20 CPD credits.
Career Highlights:
• President, Ontala Performance Solutions Ltd. (current)
• CEO, Third Party Risk Institute (current)
• Strategic Partner, Third Party Management, Bates Group (current)
• Strategic Advisor, Third Party Management, ENGAIZ (current)
• Advisory Board, Sapience Analytics (current)
• Chief Procurement Officer & Head Third Party Risk, BMO Financial Group
• President & CEO, Education Collaborative Marketplace
• Chief Procurement Officer & Head Third Party Risk, Fifth Third Bank
• VP & Chief Procurement Officer & Head Supplier Risk, Scotiabank Group
Linda Tuck Chapman, C3PRMP Advisor. Educator. Author. Expert.
3rd Party Risk Management Fundamentals
SIG University video clip: Module 1, Lesson 8 (3:56)
Certified Third Party Risk Management Professional (C3PRMP) program
Sing from the same song sheet: Third Parties
To be effective and efficient, 3PRM programs must:
• Take a risk-based approach, with risk-adjusted processes and tools
• Deliver intentional lifecycle management, throughout the whole lifecycle
• Embed methodologies and tools that enable informed decisions and effective risk oversight
Third parties: all business relationships, excluding those with your customers
“Vendor”: typically sourced through a center-led sourcing/procurement process. Paid by Accounts Payable.
“Non-Vendor”: typically acquired directly by the business line/segment. Financial remuneration is not rendered by Accounts Payable.
Source: RMA Third Party Risk Management Roundtable – Steering Committee
Speak the same language: Risk Taxonomy
Third Party relationships
A business arrangement between your firm and another entity, by contract or
otherwise… that involves outsourced products and services, use of independent
consultants, networking arrangements, referral arrangement, payment processing,
services provided by affiliates and subsidiaries, joint ventures, and other ongoing
business arrangements. Source: OCC Bulletin 2020-10 | March 5, 2020
A risk-adjusted program
Management should determine the risks associated with each third-party relationship
and then determine how to adjust risk management practices for each relationship. The
goal is for the risk management practices for each relationship to be commensurate
with the level of risk and complexity of the third-party relationship.
Speak the same language: Risk Taxonomy
Inherent Risk
The risks that the third party presents to your company, “in the absence of controls”. The controls
that are evaluated are the third party’s internal risk controls, not yours.
Residual Risk
The type and amount of risk remaining after risk treatment, i.e. after considering the third party’s
internal risk controls.
Risk Controls
The action firms take to reduce or eliminate threats and potential losses in a company's
operations, such as technical and non-technical aspects of the business, financial policies and
other issues that may affect the well-being of the firm.
Your Role in Third Party Risk Management
3PRM: Group Activity #1 (all)
Where do you fit?
What are you Responsible for? (What must you do?)
What are you Accountable for? (What will you approve?)
What should you be Consulted about?
What should you be Informed about?
Important Lessons Learned from C-19
Group Activity #2: (small groups)
Surprises? Good or bad?
Which relationships are critical, and which aren’t?
Which third parties are revealing vulnerabilities?
Which stakeholders are concerned about third party risk?
Did/should key stakeholder roles and responsibilities change?
Group Activity #3: (all)
C-19:
In your firm/opinion, which third party risk domains
have emerged as the “top line” risks?
Strengthening Risk Controls
Group Activity #4: (small groups)
What are some realistic risk controls that your firm could/should
implement to address emerging “top line” risks?
What are some realistic compensating controls that the 1st Line of
Defense should/could implement to address existing and emerging “top
line” risks?
What could/should change to strengthen third party risk oversight?
Risk Metrics: KPIs and KRIs
SIG University video clip: M15 L6
Certified Third Party Risk Management Professional (C3PRMP)
Key Performance Indicators (KPIs)
• program-centric performance metrics
• determine how effectively the company is complying with its policies and processes
KPIs measure the health of your third party management program
Key Risk Indicators (KRIs):
• risk-centric metrics
• measure the source, quality and quantity of third party risk
KRIs measure the amount and type of third party risk your firm has accepted
Speak the same language: Risk Taxonomy
Group Activity # 5: (all)
Key Performance Indicators (KPIs)
o program-centric performance metrics
o determine how effectively the company is complying with its policies and processes
KPIs measure the health of your third party management program
What should we measure?
Key Risk Indicators (KRIs):
o risk-centric metrics
o measure the source and quantity of third party risk
KRIs measure the amount and type of third party risk your firm has accepted
What should we measure?
Group Activity #6: (small groups)
Defining Success
Sing from the same song sheet: Success
❖ Aligned: risk management practices, across functions and businesses
Informed risk taking aligns action with strategy
❖ Engaged: the right stakeholders, at the right time
Compliant, proactive and reactive management
❖ Efficient: the right activities, with the right amount of rigor
Streamlined, technology-enabled, leverages third party data services
❖ Integrated: prevent, detect and respond to risks and risk events
Breaches, disruptions, deterioration, and other incidents
❖ Enabling: controls, capabilities, action and results
Informed decisions, actionable risk insight, event-driven responses
Linda Tuck Chapman
www.ontala.com
www.thirdpartyriskinstitute.com
Amazon.com
https://sig.org/sig-university/certification-programs
Let’s continue the conversation…