SIG Working Council: Third Party Risk Management
Source: sig.org/docs2/Council_3PRM_March_16_2017_Meeting_2017_03_11.pdf
March 13, 2017
Global Executive Summit

Presenters:
• Bernard Truong, Senior Director of Third Party Risk Management, National Bank of Canada
• Matt Shocklee, SIG Global Ambassador, Sourcing Industry Group
• Linda Tuck Chapman, CPO Emeritus and President, ONTALA

sig.org/summit
Today’s Agenda

Time     Topic                                                      Responsible
10:30am  Welcome & Introductions                                    Snehal Sindhvad (SIG), Bernard Truong (NBC), Matt Shocklee (SIG), Linda Tuck Chapman (Ontala)
10:35am  Introduce SIG Working Council Concept & Structure          Matt Shocklee (SIG)
         - Third Party Risk Management Working Council Charter
         - Discuss role/responsibilities of the Members of the Leadership Team
         - Review of last WebEx session
10:40am  Lifecycle Management; Governance and Oversight.            Bernard Truong, Linda Tuck Chapman
         How to Create a Supplier Tool Kit
11:10am  Review Council Member Survey Results                       Matt Shocklee (SIG)
11:15am  Topics/Speakers for the next WebEx meeting in April 2017   Matt Shocklee, Bernard Truong, Linda Tuck Chapman
11:20am  Other topics of interest and Q&A                           All
• Bernard Truong, Senior Director, Third Party Risk, National Bank of Canada
• Linda Tuck Chapman, President & CEO, Ontala
• Matt Shocklee, SIG Global Ambassador
• Snehal Sindhvad, SIG Member Services
• Bob Wilkinson, SIG Ambassador, BFSI/Cybersecurity
The Charter or Purpose of this Working Group is:
• Bring together SIG Members that are interested in collaborating and sharing best practices in Third Party Risk Management of their complex business relationships;
• Provide a professional networking and relationship-development environment; and
• Involve key industry regulatory agencies or other entities that have a direct and critical bearing on optimizing the business value the organizations can achieve through effective, efficient and compliant best practices in Third Party Risk Management.
Working Council Participation and Leadership:
• SIG Working Councils are comprised of “SIG Members” from all of SIG’s Membership Communities: Buyer, Supplier/Service Provider, Advisor, Academic, Government and Others.
• SIG Working Councils are led by a Working Council Leadership Team that consists of a subset of the Members from the Working Council. The Leadership Team will consist of the Chair, at least one Co-Chair from each of SIG’s Membership Communities and a SIG Ambassador Liaison. SIG may set a limit on Co-Chairs.
• Bernard Truong, Senior Director of Third Party Risk at National Bank of Canada (BNC), is the inaugural Chair of the Third Party Risk Management Working Council and its Leadership Team.
• The roles of Co-Chairs in the Third Party Risk Management Working Council Leadership Team are:
  • Support the WC Chair in addressing the Charter and WC Objectives
  • Attend all WC Leadership Team Meetings (monthly/quarterly)
  • Take co-leadership responsibility to develop/deliver WC programming
• All Working Council Members are asked to participate in quarterly WebEx meetings and on-site at our semi-annual Global Executive Summits.
• All Working Council Members are required to complete an annual Survey that assists the Council in identifying topical/functional areas of interest, concerns and job-related issues that our Sourcing Professional Working Council Members are most interested in addressing through the Working Council.
What are our Working Council’s Objectives for 2017?
• Identify the key topics of interest to be addressed through quarterly webinars and semi-annual on-site meetings at the SIG Summits, as well as through other methods such as research, white papers or special events.
• Identify SIG and guest speakers/thought leaders to address the topics/areas of interest identified above.
• Identify any special initiatives/activities related to SIG’s programming/services, such as education/training, research, tools/technologies or other value-added areas the Council should consider for its SIG Members.
Current Schedule of Future Events:
• WebEx Meeting #3: Friday, April 21st at 2pm EDT via WebEx.
• WebEx Meeting #4: TBD, July 2017
• On-site: Fall 2017 Global Executive Summit – Carlsbad, CA
Third party risk management: lifecycle management + governance

Relationships should be managed through their lifecycle.
Good governance begins with insight and oversight.

[Figure: third party relationship lifecycle. Stages shown, in order:]
1. Business Need and Requirements
2. Initial Inherent Risk Assessment
3. Sourcing and Pre-Selection Activities
4. Risk-Centric Due Diligence
5. Risk-Adjusted Controls and Contracting
6. Residual Risk Assessment and Risk Tiering
7. Deal Summary; Risk Acceptance
8. Finalize & Execute Contract
9. Appoint Relationship Manager
10. Onboard; Implement Controls
11. Manage Performance, Costs, Risks and Issues
12. Periodic Reviews and Reassessment(s)
13. Renew, Amend or Terminate
[Other labels in the figure: “Companies can have”; “New or substantially different”]

Lifecycle management… a substantial increase in rigor and controls
Ransomware: a pervasive cyber issue
Source: NIST Special Publication 800-184; Guide for Cybersecurity Event Recovery http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
Computer malware that covertly installs in systems and devices. It either mounts the crypto viral extortion attack that holds the victim's data hostage, or mounts a leakware attack that threatens to publish the victim's data. Relatively small ransom amounts are demanded, making it easier to pay than to expend expensive resources trying to isolate and eradicate malware that is constantly changing.
Information Security: workload fatigue
Common challenges:
1. Attracting and retaining top talent
2. Investment resources
3. Lack of standardization for mainstream due diligence
4. Site visits: when, how frequently?
5. Relentless attacks
6. New threats on a daily basis
7. Regulatory pressure
8. Global operations with different legal/regulatory standards/requirements
9. No safe harbours
Working Council Survey Results:

Respondents by industry (23 responses):
Finance   Insurance   Healthcare   Utilities   Technology   Retail   Total
43%       35%         9%           4%          4%           4%       100%

1.) Please check the statement below that best describes the state of Third Party Risk Management at your organization:
A.) We are currently considering putting in place formal Third Party Risk Management program(s) or initiatives in our organization.
B.) We have a formal Third Party Risk Management program(s) in place in our organization.
[Chart values, in the order they appear in the source: 61%, 39%]

2.) The level of maturity of our organization's approach to Third Party Risk Management can be best described as:
A.) We're advanced; we screen and continuously monitor all third parties.
B.) We are maturing; we perform initial screenings with all third parties with minimal monitoring.
C.) We have a basic level of maturity; we're doing initial screenings on high risk without continuous monitoring.
D.) We are reactive; we address issues as they arise.
[Chart values, in the order they appear in the source: 8%, 35%, 48%, 9%]
3RD PARTY RISK MANAGEMENT WORKING COUNCIL - MEMBER POLL ON AREAS OF INTEREST

3.) Please indicate your organization’s level of interest with the following topics related to Third Party Risk Management:

Topical Areas                                                    High   Medium   Low
A.) 3rd Party Risk Management Education & Training               13%    35%      52%
B.) How to build a 3rd Party Risk Management Competency Center   26%    48%      26%
C.) I'm interested in Industry Specific Topics and Issues        0%     43%      52%
D.) Cybersecurity related topics                                 4%     30%      61%
E.) How to Launch a 3rd Party Risk Management Program            4%     43%      52%
F.) How to best work with the Industry Regulators                48%    22%      30%
G.) How to best engage our suppliers and providers               13%    39%      48%
H.) How to Create a Culture of Compliance                        17%    57%      26%
I.) What are the best Assessment Tools to use?                   4%     61%      35%
[Row values as extracted from the source, in order; some rows do not sum to 100% due to rounding.]

4.) Our organization is willing and able to share best practices, insights and key learning regarding our Third Party Risk Management programs. Please check the statement that best applies.
A.) I completely agree with the statement above.
B.) I somewhat agree with the statement above.
C.) I am neutral or unsure.
D.) I disagree with the statement.
[Chart values, in the order they appear in the source: 39%, 31%, 30%, 0%]

5.) Working Council Members may have the opportunity to collaborate and participate in initiatives and/or research activities involving other members of the Working Council. Participating Working Council Members may be asked to share the costs/resources associated with an initiative or research activity as well as be asked to share insights, best practices and other gains or returns from the initiative. Which statement best describes your organization’s most likely position:
A.) It is highly likely that we would be willing to participate in initiatives or research with other Working Council Members.
B.) It is possible that our organization may wish to participate in initiatives or research with other Working Council Members.
C.) It is unlikely that our organization will be able to participate in initiatives and/or research with other Working Council Members.
D.) Our organization will not be able to participate in initiatives or research with other Working Council Members.
[Chart values, in the order they appear in the source: 30%, 57%, 9%, 4%]
More Information:
Snehal Sindhvad, Sr. Director of Global Member Services, SIG
904.310.9560