Third Party Governance and Risk Management Bethell... · broader GRC solutions, ... Extended...
Agenda
Today’s discussion topics
• Third Party Ecosystem
• Insights from the Deloitte Global Third Party Risk Management Survey
• Third party risk management frameworks
• Evolution of third party audits: from third party audits to real time assurance
Introductions
Deloitte facilitator
Mark Bethell
Director, Extended Enterprise Risk Management
+44 20 7007 5913 | +44 7917 183787
Organizational progress in TPGRM since last year appears modest although increasing awareness of risks is expected to prime 2017 and 2018 as years for accelerated maturity
• Survey responses collected during heightened uncertainty (Brexit vote in UK and presidential elections in US).
• Report based on 536 responses, a significant increase from 170 last year.
• Covers 11 countries across the Americas, Europe, Middle East and Africa (EMEA) and Asia/Pacific, across all key industry segments.
• Respondents typically include those responsible for TPGRM:
• Chief Finance Officers,
• Heads of Procurement/Vendor Management,
• Chief Risk Officers,
• Heads of Internal Audit, and
• Compliance and Information Technology (IT) Risk Heads.
Despite increasing executive awareness of risks and some associated improvements in TPGRM, five key areas exist where further effort is required by most organizations
Dependency and vulnerability
Despite high dependency on third-parties, organizations are not fully equipped to manage the risks in a holistic and coordinated manner, including those arising from external uncertainties
53.3 percent of respondent organizations have a “high or critical level of dependence”
40.5 percent of respondents reported “some” increase in dependence on third-parties in the last one year with a further 4.5 percent experiencing “significant” increase
However, only 20.1 percent have integrated or optimized their EERM mechanisms with others aspiring to do so within the next 1-3 years
26.3 percent of respondents have faced non-compliance with regulatory requirements (compared to 23.0 percent in 2016). 16.7 percent have suffered reputation damage.
Just 11.6 percent of respondents are “fully prepared” to deal with the increased uncertainty in the external environment. A significant majority of 72.3 percent of respondents are only “somewhat prepared”.
74.1 percent of respondents have faced at least one third-party related incident in the last three years. As many as one in five respondents have faced a complete third-party failure or an incident with major consequences in the last three years.
Relationship management
Understanding of third-parties is increasing but comprehensive, data-driven risk management and capability to predict emerging risks is still developing
55.4 percent of respondents have a reasonable to excellent understanding of third parties, with the other 44.6 percent having only low or some level of understanding.
46.6 percent do not have any organisation initiatives to enhance maturity of contractual data to increase the understanding of their third parties.
Just 13.6 percent of respondents have forward-looking vigilance capabilities to identify imminent risks and performance issues of third parties that are well integrated into their processes of managing their extended enterprise, while 78.9 percent are at various stages of development of such capabilities.
53.8 percent consider their level of knowledge of third party contract terms and related data to be limited, including respondents who recognize this is inadequate.
Governance and risk management processes
Despite executive sponsorship there is still a long way to go to get processes and technology working effectively
Ultimate responsibility for third-party risk management rests with the Board, CEO, CFO, CPO or other members of the C-suite in 74.6 percent of responses.
Third-party risk features consistently or periodically on the Board agenda in 53.2 percent of respondent organizations.
The proportion of respondents sceptical about TPGRM technology in their organizations is 90.6 percent.
A similar lack of confidence relating to the quality of TPGRM processes is also only marginally up from 82.5 percent to 86.4 percent, indicating a slight improvement and increased focus in this area.
Technology platforms
An integrated TPGRM technology platform that addresses the needs of every organization has not emerged
19.9 percent of respondents are using TPGRM relevant modules of broader GRC solutions, while 17 percent are using specific TPGRM solutions.
Using features of an existing ERP system is still the most popular solution as a technology platform for TPGRM, as outlined by 43.9 percent of respondents. Only 9.1 percent of respondents supported this by the use of bespoke solutions to achieve integration needs.
At least one out of two survey respondents now combine more than one technology platform to address TPGRM requirements.
Emerging delivery models
New delivery models are emerging to bring consistency and sought-after skills, enable collaboration, and address decentralization challenges in the wider organization
As many as 62.4 percent of respondents are equally or more decentralised than they are centralised.
Over 59 percent of respondents are moving to increasingly centralised in-house functions to support TPGRM.
12.8 percent of respondents are moving to an external service provider based “managed service” model for third party management which also reflects an emerging trend.
40.9 percent of respondents are already utilising information hubs (community models) on third party risk available as market utilities or intending to do so in the near future. However, 51.3 percent of respondents are unaware of this emerging trend.
Focus on Third Party Risk Management
Third Party Risk Management Frameworks: Core components
[Figure: core components of the framework; surviving labels: Scoping, Delivery]
Evolution of third party risk reviews
From reactive to proactive
Over the past 15 years, third party risk reviews have evolved from a heavily manual process to a technology-enabled solution with a focus on strategic impact rather than compliance aspects. Further, leading practice is focused upon a proactive approach to limit cash leakages before they occur, compared to the more traditional reactive approach.
Supplier assurance framework
A tiered approach
Under the leading model, a tiered approach organizes suppliers into risk thresholds based on a combination of annualized spend and operational risk factors, and assurance activities become risk-based, focused, and optimized. Suppliers that are deemed the highest risk should be subject to continuous monitoring.
[Figure axes: annual spend; operational risk/complexity]
Real-Time Assurance
Review of expenditures on an ongoing basis to prevent cost leakage before it occurs and enhance decision making through the use of advanced data analytics
Standardized Testing
Traditional supplier reviews are performed on a defined frequency as established by the organization. Leverage use of advanced data analytics and standardized testing to attain maximum coverage over spend and expedite review process
Ad Hoc Reviews
Horizontal reviews across multiple contracts to be completed in order to gain coverage over specific clauses (e.g. early payment discounts, volume discounts, most favoured pricing)
Extended Enterprise Risk Management
Standardized testing
Standardized testing enables businesses to mitigate risk, minimize costs, and increase operational efficiency by leveraging the power of data analytics to review 100% of available data. This refined process helps minimize operational disruption, and typically yields recoveries and cost savings in the range of 3-5% of total spend reviewed.
The Benefits
• Increase transparency and establish an audit culture amongst operators. Enable businesses to drill down in areas where they have experienced supplier issues in recent years
• Review 100% of spend in scope and minimize need for extrapolation of findings
• Reviews are self-funding and realized cash recoveries can be reinvested in the program to fund remediation activities and additional reviews
• Enable faster review and payment of invoices, enabling businesses to take advantage of early payment discounts
• Support creation of a supplier database to enable benchmarking comparisons across the supplier basis (e.g. rates, productivity)
• Ability to scale up and expand coverage across the supplier base with minimal incremental effort
The Challenges
• Uncertainty over supplier spend and ambiguous contract clauses
• Extrapolated findings are difficult to recover from suppliers
• High volume of transactions reviewed via non-standardized attest processes, resulting in lengthy reviews and payment cycles
• Lack of standardized rate tables
• Lack of robust central repository to maintain contracts, and templates that do exist are not leveraged as intended
• Inconsistent understanding of contract terms between businesses and their suppliers
Real-Time Assurance (RTA)
What is it?
Real-Time Assurance is a leading edge, end-to-end, technology based approach that allows for efficient and effective review of expenditures on an ongoing basis to prevent cost leakage and enhance decision making through the use of advanced data analytics.
Leveraging an RTA approach will dramatically improve many of the contract set-up and invoice review challenges that face organizations throughout the procure-to-pay lifecycle.
Data is collected on a weekly basis and reconciled against known, site-level data (e.g. swipe card records). Using data analytics, any unsupported charges are immediately identifiable and can be sent back to the supplier for validation. The supplier can only invoice for validated charges, meaning overpayments are prevented.
The process is tailored to achieve Key Performance Indicators that are crucial to the business, such as early pay discounts achieved and overpayments prevented.
Results of a Typical Assurance Program
• Traditional assurance programs ONLY identify cash leakages of 3-5% of contract spend.
• Assurance activities cost millions of dollars globally with limited ability to increase coverage.
• Resource and data limitations result in only 2/3 of in-scope spend actually being reviewed.
• Only 50% of findings identified are actually recovered following settlement negotiations.
• Reviews are operationally disruptive and can deteriorate commercial relationships with suppliers.
Accretive value to be realized through RTA
• Increase spend coverage up to 5x and enhance program scalability.
• Realize full value of leakage prevention of 5-10%.
• Enable significant reduction in cost of attest (~30-50%) due to process automation, saving millions of dollars.
• Data analytics expedite review periods, minimizing operational disruption and enabling realization of early payment discounts!
• Real-Time exception reporting prevents cash leakages before they occur, resulting in 90-100% collection of billing errors.
Through RTA, organizations can realize a return up to 5X greater than traditional assurance models!
Real-Time Assurance (RTA)
The benefits
SMARTER
RTA supports the creation of a global supplier database that can be used to inform decision making (e.g. strategic sourcing, benchmarking) while also facilitating the ability to scale up and expand coverage across the supplier base with minimal incremental effort.
BETTER
RTA prevents leakages before they occur, minimizing operational disruption for suppliers and preserving commercial relationships by eliminating the need for costly settlement negotiations. Further, automated assurance reduces the reliance and administrative burden on local FTEs, enabling employees to focus efforts on higher value activities.
FASTER
Real-Time exception reporting and analytics enhance the control environment, while also enabling faster invoice payment cycles and realization of early payment discounts!
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
© 2017 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.