3rd Party Risk from a Sourcing and Corporate View
Bernard Truong, Senior Director, Third Party Risk Management, National Bank of Canada
Ronald Forget, Director Principal / Senior Manager, Governance and Center of Excellence – Sourcing, National Bank of Canada
3rd Party Risk Management
Ronald Forget, Bernard Truong, April 2016
CONFIDENTIAL
OBJECTIVES OF THE PRESENTATION
▪ Risk from a Sourcing perspective
  o What is a RISK?
  o How to assess RISK?
  o How to mitigate RISK?
▪ 3PRM (3rd Party Risk Management) from a Corporate Management perspective
  o Risk domains oversight
  o 3PRM framework
  o Beyond regulatory requirements
DEFINITION OF A RISK
RISK is the probability of loss inherent in an organization's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from the use of debt (borrowed capital and/or trade credit) equals total corporate risk.
BUSINESS RISKS
▪ Who are they?
▪ How to identify them?
▪ How to qualify them?
▪ How to prioritize them?
▪ How to manage them?
▪ Who should manage them / be responsible?
▪ What is the role of the Sourcing Advisor versus the other Experts or Business Partners?
How does the RISK impact the Business Objectives?
▪ OPERATING COST (RUN the BUSINESS)
▪ CLIENT EXPERIENCE
▪ TIME TO MARKET / COMPETITIVE
▪ COMPLIANCE MANAGEMENT
▪ GROWTH/INNOVATION
Sourcing Framework:
SOURCING MAIN FOCUS (during the Sourcing Cycle)
▪ Due diligence (Best selection for the best return)
▪ Contractual/Strategic and Legal RISK
▪ Financial / Credit RISK
▪ Information Security
▪ Business continuity
▪ Compliance / Regulations
▪ Operational / Reputational / Environmental & Geopolitical
SOURCING / GOVERNANCE GOALS
▪ Build risk appetite and awareness culture
▪ Build metrics and reports
▪ Align with third party policy
▪ Document the inputs (centralized repository)
▪ Share the findings with business, experts and risk partners
▪ Monitor critical risk
▪ Establish good governance
RISK MANAGEMENT CYCLE
(diagram: process mapping, questionnaire, criticality)

BNC Consultant Program Evolution
▪ Initial State: no VMS; decentralized; no risk mitigation; vendor margins ranging between 15% and 200%
▪ Program Launch: VMS implementation; MSP provider; independent contractor payment provider; supplier rationalization
▪ Current State: tenure management; supplier performance management; executive dashboard; centralized standard process
Consultant Risk Management – Evolution
Before Program Implementation → Current State
▪ No visibility on active consultants or on contract information → Live snapshot and reporting on every aspect of the contractual workforce
▪ No formal process for independent contractor onboarding → All independent contractors are compliant with requirements and processes
▪ No independent contractor classification/verification → All independent contractors are screened and vetted for legal category compliance
▪ No control on consultant bill rates → Full disclosure of consultant bill rates
▪ Lack of control over the consultant hiring process, no standard procedures → Standardized contracts, proof of insurance and security verification captured
▪ No formal approval process → Documented approval process
▪ No control over contract duration → Consultant tenure management and special approvals for contracts over 2 years
▪ No supplier performance management → Quarterly business reviews and formal performance reviews
▪ No control over contract termination → Full visibility and procurement/HR assistance on contract termination

Key Risk Management Objectives Achieved
▪ Expertise and Advisory: dedicated and neutral professional team (MSP team – Canadian Human Capital SME)
▪ Visibility and Control: centralized and standardized process with total visibility on spend (Ariba)
▪ Security and Legal: secure, documented and formal on-boarding process (insurance, security check, tenure risk, etc.)
▪ Payment and Finance: accurate time entry management with timely and reconciled payments
▪ Vendor and Contract: vendor performance management through KPIs and QBRs; management, enforcement and audit of contract terms
Framework: 3rd Party Risk Management (3PRM)
Proactive risk management and oversight is an imperative.
3rd Party Risk Domains
▪ Strategic Risk: 3rd Party is not aligned to NBC's strategic objectives
▪ Information Security Risk: access to information outside of defined business requirements
▪ CSR Risk: fair labor practices, environment, social responsibilities, etc.
▪ Business Continuity Risk: 3rd Party is unable to continue providing products/services
▪ Credit Risk / Financial Stability: cannot meet contractual obligations due to financial difficulties
▪ Geo-political Risk: country-specific factors (government, climate, etc.) affect performance
▪ Contractual Risk: performance of the product/service provided is not completely defined
▪ Reputation Risk: 3rd Party's issues affect NBC's brand
▪ Compliance Risk: actions are inconsistent with legal, regulatory or policy requirements
▪ Execution Risk: 3rd Party is unable to deliver products/services appropriately
Third party risk is a combination of other risks with various degrees of severity based on the maturity of the relationship with the third party. The potential risk exposure from doing business with third parties goes well beyond direct financial loss and includes reputational damage, regulatory scrutiny and customer attrition.
The 3rd Party Risk Domains listed above also apply to 4th parties (sub‐contractors) as an extension of 3rd party risks
source: Industry Experts
Overview: 3rd Party Risk Management at NBC
3rd Party Risk Management Framework
National Bank's 3rd party risk management (3PRM) framework aims to proactively identify, assess, monitor and mitigate risk associated with our 3rd parties (outsourcers, vendors, suppliers, etc.) through defined governance practices.
1. Tools & Processes: controls for identifying, assessing, monitoring and managing 3rd parties through a framework and a Supplier Information and Performance Management (SIPM) tool
  a. Established end-to-end 3rd party risk management framework
  b. SIPM (ARIBA) enables 3rd party intake and risk assessment
2. Oversight & Governance: three lines of defense operating model, consistent with NBC's Enterprise framework, and an instituted Governance Oversight Committee
  a. Roles of the 3 lines of defense identified
  b. Governance committee, initial focus on Tiers 1 & 2, progressively expanding to the enterprise
3. Analytics & Actionable Reporting: enhanced reporting capabilities to monitor 3rd party risks
  a. Defined risk appetite statement and associated dashboards and KRIs
  b. Data analytics and consumption (platform TBD) for drill-down analytics
Get an enterprise view on current sourcing portfolio to build an actionable 3rd Party Risk Management (3PRM) program based on leading practices.
Oversight & Governance: 3 Lines of Defense

First line of defense: LOB Relationship Manager / Accountable Executive & Senior Risk Manager
Role: own and proactively manage risks
▪ Own and manage identified 3rd party risks for the business unit arrangements;
▪ Monitor performance and risks to efficiently address gaps with NBC standards;
▪ Escalate risks to the proper level for prioritization of the action plan;
▪ Maintain overall accountability and oversight of the relationship:
  o Set the strategic direction of the 3rd party relationship
  o Make key decisions pertaining to the 3rd party relationship
  o Resolve any escalated issues.

Second line of defense: Operational & Reputational Risks (ORR) / Corporate functions
Role: establish risk related policies, provide oversight and challenge
ORR:
▪ Develop, implement and monitor the 3PRM framework;
▪ Provide subject matter expertise, specialist support, and independent risk oversight of 3rd party risks;
▪ Quality assurance and effective challenge;
▪ Analytics and reporting;
▪ Perform enterprise-wide oversight through our SIPM tool.
Corporate functions:
▪ Provide inherent and residual risk assessment and due diligence for their domain of risks;
▪ Assess implications of 3rd party risk to their risk domain.

Third line of defense: Internal Audit
Role: assess/audit program design and operating effectiveness
▪ Provide an independent assessment of the effectiveness of the internal control environment in the 1st and 2nd lines;
▪ Provide timely independent reporting to senior management that assesses whether key control activities are operating effectively and reliably, for example, determining whether there is:
  o Effective 3rd party risk identification and due diligence
  o Appropriate contract controls
  o Adherence to applicable regulatory guidance
  o Appropriate on-going 3rd party management and oversight
  o An effective challenge to the 1st and 2nd lines that includes an escalation process
3rd Party Risk Management: High Level Operating Framework

Risk-Score 3rd Party Segmentation across the risk domains:
Strategic Risk; Information Security Risk; Reputation Risk; Geographical Risk; Compliance Risk; Operational Risk; Financial Stability / Credit Risk; Business Continuity Risk; Contractual Risk

Lifecycle:
▪ Strategic Objectives: define / identify 3rd party risks
▪ Define risk scenarios / conduct assessment
▪ Mitigate risk with controls / monitor
▪ Renew / terminate

Phases: Planning & Due Diligence; Oversight & Accountability / On-going Monitoring
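The segmentation above scores each 3rd party across the listed risk domains, moves from an inherent to a residual view once controls are assessed, and tiers the relationship so that Tier 1 and 2 arrangements get governance-committee attention. The following is an added illustration of that flow and is not the bank's model or its SIPM tooling: the deck gives no scale, weights or thresholds, so the 1-to-5 scale, the domain weights, the assumed 80% cap on how much a control can reduce inherent risk, the tier cut-offs and the two sample 3rd parties are all constructed here for illustration.

```python
"""Inherent vs residual risk scoring and tiering across the nine 3rd party
risk domains. Added illustration, not National Bank of Canada's model: the
deck names the domains, the inherent -> residual flow and Tier 1/2 oversight,
but gives no weights, scales or thresholds. Every number below is assumed."""
from dataclasses import dataclass, field

# Risk domains taken from the segmentation slide.
DOMAINS = (
    "strategic", "information_security", "reputation", "geographical",
    "compliance", "operational", "financial_stability",
    "business_continuity", "contractual",
)

# Assumed domain weights (sum to 1.0); a real program would derive these
# from its risk appetite statement.
WEIGHTS = {
    "strategic": 0.10, "information_security": 0.20, "reputation": 0.10,
    "geographical": 0.05, "compliance": 0.15, "operational": 0.10,
    "financial_stability": 0.10, "business_continuity": 0.15,
    "contractual": 0.05,
}

MAX_REDUCTION = 0.8   # assumed: even a perfect control leaves 20% of inherent risk
HOTSPOT_LEVEL = 4.0   # assumed: any single domain at/above this is escalated
TIERS = ((4.0, 1), (2.5, 2))  # assumed cut-offs on the 1..5 residual score; else Tier 3


@dataclass
class Assessment:
    """Inherent score per domain (1 = lowest, 5 = highest exposure) and the
    assessed effectiveness (0.0..1.0) of the controls mitigating each domain."""
    name: str
    inherent: dict
    control_effectiveness: dict = field(default_factory=dict)


def validate(a: Assessment) -> None:
    """Reject incomplete or out-of-range input before it reaches a dashboard."""
    missing = [d for d in DOMAINS if d not in a.inherent]
    if missing:
        raise ValueError(f"{a.name}: no inherent score for {missing}")
    for d, v in a.inherent.items():
        if d not in DOMAINS or not 1 <= v <= 5:
            raise ValueError(f"{a.name}: bad inherent score {d}={v}")
    for d, e in a.control_effectiveness.items():
        if d not in DOMAINS or not 0.0 <= e <= 1.0:
            raise ValueError(f"{a.name}: bad control effectiveness {d}={e}")


def residual_by_domain(a: Assessment) -> dict:
    """Residual = inherent reduced by control effectiveness, never below 1."""
    out = {}
    for d in DOMAINS:
        eff = a.control_effectiveness.get(d, 0.0)
        out[d] = max(1.0, a.inherent[d] * (1.0 - MAX_REDUCTION * eff))
    return out


def weighted(scores: dict) -> float:
    """Weighted average over all domains, rounded for reporting."""
    return round(sum(WEIGHTS[d] * scores[d] for d in DOMAINS), 2)


def tier_for(score: float) -> int:
    for cutoff, tier in TIERS:
        if score >= cutoff:
            return tier
    return 3


def assess(a: Assessment) -> dict:
    """Score one 3rd party: inherent and residual totals, tier, and the domains
    that stay hot even when the weighted total looks acceptable."""
    validate(a)
    residual = residual_by_domain(a)
    hotspots = sorted(d for d, v in residual.items() if v >= HOTSPOT_LEVEL)
    return {
        "name": a.name,
        "inherent_score": weighted(a.inherent),
        "residual_score": weighted(residual),
        "tier": tier_for(weighted(residual)),
        "hotspots": hotspots,  # escalate to the 2nd line regardless of tier
    }


# Constructed sample 3rd parties (not real suppliers).
CLOUD_HOST = Assessment(
    "cloud-hosting-provider",
    inherent={"strategic": 3, "information_security": 5, "reputation": 3,
              "geographical": 2, "compliance": 4, "operational": 4,
              "financial_stability": 2, "business_continuity": 5, "contractual": 3},
    control_effectiveness={"information_security": 0.9, "business_continuity": 0.8,
                           "compliance": 0.75, "operational": 0.5},
)
MARKETING_AGENCY = Assessment(
    "regional-marketing-agency",
    inherent={"strategic": 2, "information_security": 4, "reputation": 4,
              "geographical": 1, "compliance": 3, "operational": 2,
              "financial_stability": 4, "business_continuity": 2, "contractual": 2},
    control_effectiveness={"information_security": 0.2},
)

if __name__ == "__main__":
    for party in (CLOUD_HOST, MARKETING_AGENCY):
        print(assess(party))
```

The point the two samples make is that a weighted total hides single-domain exposure: the marketing agency lands in Tier 2 on its residual score, yet its reputation and financial stability domains sit at the escalation level with no mitigating controls, which is exactly what the first line is expected to escalate and the corporate risk functions to assess for their own domain.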
3rd Party Risk Assessment
▪ Strategy & Selection: business requirements; market intelligence / condition; sourcing strategy; 3rd party diversity
▪ Service / Product Review: experience as a provider; review past performance; scan related industry news; relationship risk level; mitigation measures
▪ Financial Health: review financial statements; compare to industry standards and ratios; credit report and rating
▪ Background Checks: evaluate overall stability (fraud, physical security, reputation…); risk policies, controls and practices; insurance claims / litigation

Engagement Risk Assessment
▪ Business Continuity: confirm BCP / DRP meet business requirements; contingency planning for repatriation or an alternative provider
▪ Information Security: evaluate adequate evidence of controls; confirm traceability of data; manage access rights
▪ Compliance: risk assessment certification process; compliance checks (OSFI, OCC, IIROC, AMF, AML, living wills…)
▪ Agreement Terms: evaluate terms negotiated against business objectives; review insurance clause for proper protection

On-going 3rd Party Management (leveraging the foundation of the standard operating model)
▪ Manage & Reporting: residual risk assessment; defined controls, KPIs, KRIs; analytics & actionable reporting; termination & renewal strategy
Beyond regulatory requirements…
▪ How do you protect your organization’s knowledge/expertise?
▪ Have you created a dependency on your 3rd parties?
▪ Is the quality of your service consistent end‐to‐end?
▪ Have you evaluated the TCE (additional, hidden costs…)?
▪ Did you assess the potential loss of control in your outsourced activities?
▪ Did you take into consideration the increase in operational risks?
Appendices
Emerging Industry Trends: an integrated approach to 3rd Party Risk Management
▪ Procurement and Finance Alignment: essential partnership between procurement and Finance (BU CFO) to track and record savings
▪ New Risk Domains: extension of 3rd Party Risk Management to address additional risks beyond Information Security and Supplier Performance (Reputation, Compliance, or Geo-political Risk)
▪ Sub-Contractors (4th Party Risk): inclusion of sub-contractors in the Risk Management Program, including inventory, assessment and monitoring (Supply Chain Management)
▪ Innovative Solutions: expand supply market research to include new innovative solutions (i.e. Cloud, social media, etc.)
▪ Revenue Optimization: promote and develop NBC's customer portfolio within our supplier community and maximize value to the Bank by being thoughtful about our customer/supplier relationships
▪ International Expansion: support strategic initiatives in international expansion, licensing, e-Commerce growth
▪ M&A / Divestitures: ongoing M&A and restructuring activities have created new sourcing leverage and required new supply strategies
▪ Sustainability: increasingly, customers and governments are demanding plans to make operations more sustainable and from a more diverse supplier base
As our procurement organization matures, the focus needs to be more than just cost savings; we need to be proactively involved in strategic initiatives and creatively protect the organization.
source: Industry Experts
3rd Party Definition
How 3rd parties are defined
General definition: an entity, including individuals and affiliates, that has a business relationship with the institution or its customers, and is not itself a customer. Third party relationships include:
▪ Vendor 3rd Party: 'Vendor' third parties are service providers that deliver a product or service to the institution. These relationships are typically sourced through a sourcing / procurement process. Payment is typically transacted by Accounts Payable.
▪ Non-Vendor 3rd Party: 'Non-Vendor' third party relationships are typically acquired by a business line / segment directly, not through a sourcing / procurement function. Financial remuneration, if applicable, is typically transacted outside of Accounts Payable processes. These relationships may be managed solely by a business line / segment, or managed in conjunction with a corporate risk management function.

CATEGORIES (Non-Vendor)
▪ Specialized Analysts and Advisors
▪ Affiliates
▪ Affinity Relationships
▪ Alliances and Partnerships
▪ Brokers
▪ Correspondent Banks and Wholesale Banking
▪ Rating Agencies
▪ Servicers
▪ Counterparties
▪ Debt Underwriters / Securitization Firms / Trustees
▪ Financial Utilities
▪ Government Special Purpose Entity (GSE)
▪ Indirect Lending
▪ Joint Marketing Partners
▪ Tenants
▪ Trade Associations