Third-Party Risk Management

Audit | Tax | Advisory | Wealth Management Audit | Tax | Advisory | Financial Advice Managing Third Party Risk Robyn Cooper and Mark Scales 29 January 2015

Transcript of Third-Party Risk Management

Page 1: Third-Party Risk Management

Managing Third Party Risk Robyn Cooper and Mark Scales

29 January 2015

Page 2: Third-Party Risk Management

Don’t get yourself in the headlines!

“Outsourcing and procurement in Audit Commission crosshairs”

“Horror stories of gov’t outsourcing to greedy private companies”

“Taxpayers are getting fleeced”

“Government exposed to fraud after serious failings on managing outsourcing contracts”

“Australia: Outsourcing responsibility: risks of giving government contractors too much autonomy”

“National Audit Office finds five contracts are being investigated and warns there could be more cases of overbilling”

Page 3: Third-Party Risk Management

Third Party Risk Research Study Results – CFO Magazine

What do you expect to be the top business drivers for your company’s use of third parties over the next two years?

- Other: 3%
- Providing on the ground resources in new markets or geographies: 14%
- Providing inputs to support our own production or operations: 17%
- Reducing or managing my company's risk: 17%
- Providing goods/services that are unrelated to our core business: 19%
- Adding capacity to expand the business: 24%
- Providing core service capabilities or expertise that we currently lack: 36%
- Reducing costs: 51%

Page 4: Third-Party Risk Management

Case Study – Department of Defence

“Collins Class submarines put Australian defence in ‘dark place’ not being able to deploy for five months.”

“Royal Australian Navy is facing a massive cost blowout of about $800 million for three powerful Air Warfare Destroyers.”

Page 5: Third-Party Risk Management

Lateline Report on Air Warfare Destroyer Project http://www.abc.net.au/lateline/content/2014/s3952302.htm

Page 6: Third-Party Risk Management

Consequences

Air Warfare Destroyer:

- Project 2 years behind schedule and $350M over budget, an improvement from the $800M midway through the project.
- Key contractor ASC replaced by BAE Systems.

Collins Class Submarines:

- Australia to buy submarines, likely from Japan, rather than utilising Australian manufacturing industry.

Page 7: Third-Party Risk Management

Lessons Learned

- “A more commercial approach to contracting, risk management and risk transfer is required”
- More comprehensive due diligence and risk assessment
- More clearly articulated service level expectations
- More investment in monitoring third party performance to identify issues in a timely manner

Page 8: Third-Party Risk Management

Managed Third Party Risk

Initiate

- Need identified
- Evaluation of relationships
- Due diligence & risk assessment

Formalise

- Contracts and agreements reviewed
- Service levels and expectations set

Perform

- Exchange of data, goods and services
- Invoicing and payment

Monitor

- Performance
- Risk
- Organisational changes

Page 9: Third-Party Risk Management

Initiate

- Needs identification (e.g. technical specification, information requirements, resource skills and expertise, budget)
- Due diligence (e.g. financial, historical and legal records of incidents and issues)
- Risk Assessment (e.g. defined risk appetite, inherent risk of third party, risk mitigation activities / controls)
- Evaluation of relationships (e.g. conflicts of interests, links to criminal or terror groups)

Page 10: Third-Party Risk Management

Formalise

- Training your Third Party (e.g. code of conduct, policies and procedures, etc.)
- Undertaking an upfront systems review to assess internal control environment of the third party
- Health Check over systems and processes to ensure alignment between parties
- Contracts and agreements established in consultation with experts where required (e.g. legal)
- Service levels and expectations set and reflected in the contract

Page 11: Third-Party Risk Management

Perform

- Monitoring of changes to legal and regulatory environments

“Even successful business relationships experience issues and incidents.”

- Mechanisms for reporting issues or incidents
- Processes and systems for investigation and resolution of issues that arise
- Collaboration and communication between both sides of the relationship
- Collection and management of all communications to provide a historical record

Page 12: Third-Party Risk Management

Monitor

- Performance of independent audits on an ongoing basis
- Regular reviews performed by the Commercial team to ensure compliance with the contract
- Annual attestation by Third Party of compliance with code of conduct and established policies
- Ongoing monitoring of risk indicators (e.g. scoring of risks, tracking of risk action plans)

Page 13: Third-Party Risk Management

Better Practice – Third Party Risk Management

- Build Risk Expertise
- Defined Responsibilities
- Perform Health Checks
- Monitor and Test Compliance
- Standardised Processes and Agreements
- Train your Third Party
- Extend your ‘speak-up’ culture

Page 14: Third-Party Risk Management

For further information

Disclaimer Crowe Horwath (Aust) Pty Ltd is a member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath is a separate and independent legal entity. Liability limited by a scheme approved under Professional Standards Legislation (other than for the acts or omissions of financial services licensees) in each State or Territory other than Tasmania. ABN 84 006 466 351

Robyn Cooper, Principal, Internal Audit, Brisbane, Tel +61 7 3233 3496

Mark Scales, Associate Principal, Internal Audit, Brisbane, Tel +61 7 3233 3500

Tel 1300 856 065 www.crowehorwath.com.au

The relationship you can count on