Transcript of SIG Working Council slide deck. Source: sig.org/docs2/Council_3PRM_March_16_2017_Meeting_2017_03_11.pdf

March 13, 2017

Global Executive Summit

SIG Working Council: Third Party Risk Management

Bernard Truong, Senior Director of Third Party Risk Management, National Bank of Canada

Matt Shocklee, SIG Global Ambassador, Sourcing Industry Group

Linda Tuck Chapman, CPO Emeritus and President, ONTALA

sig.org/summit

SIG Working Council: Third Party Risk Management

Today’s Agenda

10:30am  Welcome & Introductions
         Responsible: Snehal Sindhvad (SIG), Bernard Truong (NBC), Matt Shocklee (SIG), Linda Tuck Chapman (Ontala)

10:35am  Introduce SIG Working Council Concept & Structure
         - Third Party Risk Management Working Council Charter
         - Discuss role/responsibilities of the Members of the Leadership Team
         - Review of last WebEx session
         Responsible: Matt Shocklee (SIG)

10:40am  Lifecycle Management; Governance and Oversight. How to Create a Supplier Tool Kit
         Responsible: Bernard Truong, Linda Tuck Chapman

11:10am  Review Council Member Survey Results
         Responsible: Matt Shocklee (SIG)

11:15am  Topics/Speakers for the next WebEx meeting in April 2017
         Responsible: Matt Shocklee, Bernard Truong, Linda Tuck Chapman

11:20am  Other topics of interest and Q&A
         Responsible: All

sig.org/summit

SIG Working Council: Third Party Risk Management

Bernard Truong, Senior Director, Third Party Risk, National Bank of Canada

Linda Tuck Chapman, President & CEO, Ontala

Matt Shocklee, SIG Global Ambassador

Snehal Sindhvad, SIG Member Services

Bob Wilkinson, SIG Ambassador, BFSI/Cybersecurity


The Charter or Purpose of this Working Group is:

• Bring together SIG Members that are interested in collaborating and sharing best practices in Third Party Risk Management of their complex business relationships;

• Provide a professional networking and relationship-development environment; and

• Involve key industry regulatory agencies or other entities that have a direct and critical bearing on optimizing the business value the organizations can achieve through effective, efficient and compliant best practices in Third Party Risk Management.

Working Council Participation and Leadership:

• SIG Working Councils are comprised of “SIG Members” from all of SIG’s Membership Communities: Buyer, Supplier/Service Provider, Advisor, Academic, Government and Others.

• SIG Working Councils are led by a Working Council Leadership Team that consists of a subset of the Members from the Working Council. The Leadership Team will consist of the Chair, at least one Co-Chair from each of SIG’s Membership Communities and a SIG Ambassador Liaison. SIG may set a limit on Co-Chairs.

• Bernard Truong, Senior Director of Third Party Risk at National Bank of Canada (BNC), is the inaugural Chair of the Third Party Risk Management Working Council and its Leadership Team.

• The roles of Co-Chairs in the Third Party Risk Management Working Council Leadership Team are to:
  • Support the WC Chair in addressing the Charter and WC Objectives
  • Attend all WC Leadership Team Meetings (monthly/quarterly)
  • Take co-leadership responsibility to develop/deliver WC programming

• All Working Council Members are asked to participate in quarterly WebEx meetings and on-site at our semi-annual Global Executive Summits.

• All Working Council Members are required to complete an annual Survey that assists the Council in identifying topical/functional areas of interest, concerns and job-related issues that our Sourcing Professional Working Council Members are most interested in addressing through the Working Council.

What are our Working Council’s Objectives for 2017?

• Identify the key topics of interest to be addressed through quarterly webinars and semi-annual on-site meetings at the SIG Summits, as well as through other methods such as research, white papers or special events.

• Identify SIG and guest speakers/thought leaders to address the topics/areas of interest identified above.

• Identify any special initiatives/activities related to SIG’s programming/services, such as education/training, research, tools/technologies or other value-added areas the Council should consider for its SIG Members.

Current Schedule of Future Events:

• WebEx Meeting #3: Friday, April 21st at 2pm EDT via WebEx.

• WebEx Meeting #4: TBD July 2017

• On-site: Fall 2017 Global Executive Summit – Carlsbad, CA


Third Party Risk Management: Lifecycle Management + Governance

Relationships should be managed through their lifecycle.

Good governance begins with insight and oversight.

Lifecycle stages (from the slide's lifecycle figure):

1. Business Need and Requirements
2. Initial Inherent Risk Assessment
3. Sourcing and Pre-Selection Activities
4. Risk-Centric Due Diligence
5. Risk-Adjusted Controls and Contracting
6. Residual Risk Assessment and Risk Tiering
7. Deal Summary; Risk Acceptance
8. Finalize & Execute Contract
9. Appoint Relationship Manager
10. Onboard; Implement Controls
11. Manage Performance, Costs, Risks and Issues
12. Periodic Reviews and Reassessment(s)
13. Renew, Amend or Terminate

New or substantially different:

Lifecycle management… a substantial increase in rigor and controls

Governance… a substantial increase in sr. level engagement

Ransomware: a pervasive cyber issue

Source: NIST Special Publication 800-184; Guide for Cybersecurity Event Recovery http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf

Computer malware that covertly installs in systems and devices. It either mounts the crypto viral extortion attack that holds the victim's data hostage, or mounts a leakware attack that threatens to publish the victim's data. Relatively small ransom amounts are demanded, making it easier to pay than to expend expensive resources trying to isolate and eradicate malware that is constantly changing.

Information Security: workload fatigue


Common challenges:

1. Attracting and retaining top talent

2. Investment resources

3. Lack of standardization for mainstream due diligence

4. Site visits: when, how frequently?

5. Relentless attacks

6. New threats on a daily basis

7. Regulatory pressure

8. Global operations with different legal/regulatory standards/requirements

9. No safe harbours


Working Council Survey Results:

Responses by industry (23 responses):

  Finance      43%
  Insurance    35%
  Healthcare    9%
  Utilities     4%
  Technology    4%
  Retail        4%
  Total       100%

1.) Please check the statement below that best describes the state of Third Party Risk Management at your organization:

  A.) We are currently considering putting in place formal Third Party Risk Management program(s) or initiatives in our organization (61%)
  B.) We have a formal Third Party Risk Management program(s) in place in our organization (39%)

2.) The level of maturity of our organization's approach to Third Party Risk Management can be best described as:

  A.) We're advanced; we screen and continuously monitor all third parties (8%)
  B.) We are maturing; we perform initial screenings with all third parties with minimal monitoring (35%)
  C.) We have a basic level of maturity; we're doing initial screenings on high risk without continuous monitoring (48%)
  D.) We are reactive; we address issues as they arrive (9%)

3RD PARTY RISK MANAGEMENT WORKING COUNCIL - MEMBER POLL ON AREAS OF INTEREST

3.) Please indicate your organization’s level of interest with the following topics related to Third Party Risk Management:

  Topical Areas                                                    High   Medium   Low
  A.) 3rd Party Risk Management Education & Training               13%    35%      52%
  B.) How to build a 3rd Party Risk Management Competency Center   26%    48%      26%
  C.) I'm interested in Industry Specific Topics and Issues         0%    43%      52%
  D.) Cybersecurity related topics                                  4%    30%      61%
  E.) How to Launch a 3rd Party Risk Management Program             4%    43%      52%
  F.) How to best work with the Industry Regulators                48%    22%      30%
  G.) How to best engage our suppliers and providers               13%    39%      48%
  H.) How to Create a Culture of Compliance                        17%    57%      26%
  I.) What are the best Assessment Tools to use?                    4%    61%      35%

4.) Our organization is willing and able to share best practices, insights and key learning regarding our Third Party Risk Management programs. Please check the statement that best applies.

  A.) I completely agree with the statement above (39%)
  B.) I somewhat agree with the statement above (31%)
  C.) I am neutral or unsure (30%)
  D.) I disagree with the statement (0%)

5.) Working Council Members may have the opportunity to collaborate and participate in initiatives and/or research activities involving other members of the Working Council. Participating Working Council Members may be asked to share the costs/resources associated with an initiative or research activity as well as be asked to share insights, best practices and other gains or returns from the initiative. Which statement best describes your organization’s most likely position:

  A.) It is highly likely that we would be willing to participate in initiatives or research with other Working Council Members (30%)
  B.) It is possible that our organization may wish to participate in initiatives or research with other Working Council Members (57%)
  C.) It is unlikely that our organization will be able to participate in initiatives and/or research with other Working Council Members (9%)
  D.) Our organization will not be able to participate in initiatives or research with other Working Council Members (4%)


SIG Working Council

More Information:

Snehal Sindhvad
Sr. Director of Global Member Services, SIG
904.310.9560
[email protected]