
3rd Party Risk from a Sourcing and Corporate View - SIG (sig.org/docs2/3rd_Party_Risk_from_a_Sourcing_and...) · 2016-04-05

3rd Party Risk from a Sourcing and Corporate View

Bernard Truong, Senior Director, Third Party Risk Management, National Bank of Canada

Ronald Forget, Director Principal / Senior Manager - Governance and Center of Excellence – Sourcing, National Bank of Canada


3rd Party Risk Management

Ronald Forget, Bernard Truong, April 2016

CONFIDENTIAL


OBJECTIVES OF THE PRESENTATION

▪ Risk from a Sourcing perspective

o What is a RISK?

o How to assess RISK?

o How to mitigate RISK?

▪ 3PRM from a Corporate Management perspective

o Risk domains oversight

o 3PRM framework

o Beyond regulatory requirements

61 Third Party Risk Management 


DEFINITION OF A RISK

RISK is about the probability of loss inherent in an organization's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from the use of debt (borrowed capital and/or trade credit) equals total corporate risk.


BUSINESS RISKS


▪ Who are they?

▪ How to identify them?

▪ How to qualify them?

▪ How to prioritize them?

▪ How to manage them?

▪ Who should manage them / be responsible?

▪ What is the role of the Sourcing Advisor versus the other Experts or Business Partners?


How does the RISK impact the Business Objectives?

▪ OPERATING COST (RUN the BUSINESS)

▪ CLIENT EXPERIENCE

▪ TIME TO MARKET / COMPETITIVE

▪ COMPLIANCE MANAGEMENT

▪ GROWTH/INNOVATION


Sourcing Framework:


SOURCING MAIN FOCUS (during the Sourcing Cycle)

▪ Due diligence (Best selection for the best return)

▪ Contractual/Strategic and Legal RISK

▪ Financial / Credit RISK

▪ Information Security

▪ Business continuity 

▪ Compliance / Regulations

▪ Operational / Reputational / Environmental & Geopolitical


SOURCING / GOVERNANCE GOALS

▪ Build risk appetite and awareness culture

▪ Build metrics and reports

▪ Align with third party policy 

▪ Document the inputs (centralized repository) 

▪ Share the findings with business, experts and risk partners

▪ Monitor critical risk

▪ Establish good Governance


Process mapping - Questionnaire - Criticality


RISK MANAGEMENT CYCLE


BNC Consultant Program Evolution

Initial State: No VMS; Decentralized; No risk mitigation; Vendor margins ranging between 15%-200%

Program Launch: VMS implementation; MSP provider; Independent Contractor payment provider; Supplier rationalization

Current State: Tenure management; Supplier performance management; Executive dashboard; Centralized Standard Process


Consultant Risk Management - Evolution (Before Program Implementation vs. Current State)

Before: No visibility on active consultants or on contract information
Current: Live snapshot and reporting on every aspect of the contractual workforce

Before: No formal process for independent contractor onboarding
Current: All independent contractors are compliant with requirements and processes

Before: No independent contractor classification/verification
Current: All independent contractors are screened and vetted for legal category compliance

Before: No control on consultant bill rates
Current: Full disclosure of consultant bill rates

Before: Lack of control over the consultant hiring process – no standard procedures
Current: Standardized contracts, proof of insurance and security verification captured

Before: No formal approval process
Current: Documented approval process

Before: No control over contract duration
Current: Consultant tenure management and special approvals for contracts over 2 years

Before: No supplier performance management
Current: Quarterly business reviews and formal performance reviews

Before: No control over contract termination
Current: Full visibility and procurement/HR assistance on contract termination


Key Risk Management Objectives Achieved

Expertise and Advisory: Dedicated and neutral Professional Team; MSP team – Canadian Human Capital SME

Visibility and Control: Centralized and standardized process with total visibility on spend (Ariba)

Security and Legal: Secure, documented and formal on-boarding process (insurance, security check, tenure risk etc…)

Payment and Finance: Accurate time entry management with timely and reconciled payments

Vendor and Contract: Vendor performance management through KPI and QBR; management, enforcement and audit of contract terms


Framework: 3rd Party Risk Management (3PRM)


Proactive risk management and oversight is an imperative


3rd Party Risk Domains

Strategic Risk: 3rd Party is not aligned to NBC's strategic objectives

Information Security Risk: Access to information outside of defined business requirements

CSR Risk: Fair labor practices, Environment, Social responsibilities, etc.

Business Continuity Risk: 3rd Party is unable to continue providing products/services

Credit Risk / Financial Stability: Cannot meet contractual obligations due to financial difficulties

Geo-political Risk: Country specific factors (government, climate, etc.) affect performance

Contractual Risk: Performance of Product / Service provided is not completely defined

Reputation Risk: 3rd Party's issues affect NBC's brand

Compliance Risk: Actions are inconsistent with legal, regulatory or policy requirements

Execution Risk: 3rd Party is unable to deliver products/services appropriately

Third party risk is a combination of other risks with various degrees of severity based on the maturity of the relationship with the third party.  The potential risk exposure from doing business with third parties goes well beyond direct financial loss and includes reputational damage, regulatory scrutiny and customer attrition.

The 3rd Party Risk Domains listed above also apply to 4th parties (sub‐contractors) as an extension of 3rd party risks


source: Industry Experts


Overview: 3rd Party Risk Management at NBC


3rd Party Risk Management Framework: National Bank's 3rd party risk management (3PRM) framework aims to proactively identify, assess, monitor and mitigate risk associated with our 3rd parties (outsourcers, vendors, suppliers, etc.) through defined governance practices.

1. Tools & Processes

Controls for identifying, assessing, monitoring and managing 3rd parties through a framework and a Supplier Information and Performance Management (SIPM) tool:

a. Established end-to-end 3rd party risk management framework

b. SIPM (ARIBA) enables 3rd party intake and risk assessment

2. Oversight & Governance

Three lines of defense operating model, consistent with NBC's Enterprise framework, and an instituted Governance Oversight Committee:

a. Roles of the 3 lines of defense identified

b. Governance committee, with an initial focus on Tiers 1 & 2, progressively expanding to the enterprise

3. Analytics & Actionable Reporting

Enhanced reporting capabilities to monitor 3rd party risks:

a. Defined risk appetite statement and associated dashboards and KRIs

b. Data Analytics and Consumption (platform TBD) for drill-down analytics

Get an enterprise view on current sourcing portfolio to build an actionable 3rd Party Risk Management (3PRM) program based on leading practices.


Oversight & Governance: 3 Lines of Defense

First line of defense: LOB Relationship Manager / Accountable Executive & Senior Risk Manager

Role: Own and proactively manage risks

Accountabilities:

▪ Own and manage identified 3rd party risks for the business unit arrangements;

▪ Monitor performance and risks to efficiently address gaps with NBC standards;

▪ Escalate risks to the proper level for prioritization of the action plan;

▪ Maintain overall accountability and oversight of the relationship:

o Set the strategic direction of the 3rd party relationship

o Make key decisions pertaining to the 3rd party relationship

o Resolve any escalated issues.

Second line of defense: Operational & Reputational Risks (ORR) / Corporate functions

Role: Establish risk related policies, provide oversight and challenge

Accountabilities:

ORR:

▪ Develop, implement and monitor the 3PRM framework;

▪ Provide subject matter expertise, specialist support, and independent risk oversight of 3rd party risks;

▪ Quality Assurance and Effective Challenge;

▪ Analytics and Reporting;

▪ Perform enterprise wide oversight through our SIPM tool.

Corporate functions:

▪ Provide inherent and residual risk assessment and due diligence for their domain of risks;

▪ Assess implications of 3rd party risk to their risk domain.

Third line of defense: Internal Audit

Role: Assess/Audit program design and operating effectiveness

Accountabilities:

▪ Provide an independent assessment of the effectiveness of the internal control environment in the 1st and 2nd lines;

▪ Provide timely independent reporting to senior management that assesses whether key control activities are operating effectively and reliably. For example, determining whether there is:

o Effective 3rd party risk identification and due diligence

o Appropriate contract controls

o Adherence to applicable regulatory guidance

o Appropriate on-going 3rd party management and oversight

o An effective challenge to the 1st and 2nd lines that includes an escalation process


3rd Party Risk Management: High Level Operating Framework

Risk-Score / 3rd Party Segmentation, based on the following risk domains: Strategic Risk; Information Security Risk; Reputation Risk; Geographical Risk; Compliance Risk; Operational Risk; Financial Stability / Credit Risk; Business Continuity Risk; Contractual Risk

Risk management cycle: Strategic Objectives -> Define / Identify 3rd Party Risks -> Define Risk Scenarios / Conduct Assessment -> Mitigate Risk with Controls / Monitor -> Renew / Terminate

Phases: Planning & Due Diligence; Oversight & Accountability / On-going Monitoring

Assessment activities (performed as a 3rd Party Risk Assessment and an Engagement Risk Assessment):

Strategy & Selection: Business requirements; Market intelligence / condition; Sourcing Strategy; 3rd party diversity

Background Checks: Experience as a provider; Review past performance; Scan related industry news; Relationship risk level; Mitigation measures

Financial Health: Review financial statements; Compare to industry standards and ratios; Credit report and rating

Service / Product Review: Evaluate overall stability (fraud, physical security, reputation…); Risk policies, controls and practices; Insurance claims / litigation

Business Continuity: Confirm BCP / DRP meet business requirements; Contingency planning for repatriation or alternative provider

Information Security: Evaluate adequate evidence of controls; Confirm traceability of data; Manage access rights

Compliance: Risk assessment certification process; Compliance checks (OSFI, OCC, IIROC, AMF, AML, Living wills…)

Agreement Terms: Evaluate terms negotiated against business objectives; Review insurance clause for proper protection

Manage & Reporting: Residual risk assessment; Defined controls, KPIs, KRIs; Analytics & actionable reporting; Termination & renewal strategy


On-going 3rd Party Management: Leveraging the foundation of the standard operating model


Beyond regulatory requirements…

▪ How do you protect your organization’s knowledge/expertise?

▪ Have you created a dependency on your 3rd parties?

▪ Is the quality of your service consistent end‐to‐end?

▪ Have you evaluated the TCE (additional, hidden costs…)?

▪ Did you assess the potential loss of control in your outsourced activities?

▪ Did you take into consideration the increase in operational risks?


Appendices


Emerging Industry Trends: An integrated approach to 3rd Party Risk Management

• Procurement and Finance Alignment: Essential partnership between Procurement and Finance (BU CFO) to track and record savings

• New Risk Domains: Extension of 3rd Party Risk Management to address additional risks beyond Information Security and Supplier Performance (Reputation, Compliance, or Geo-political Risk)

• Sub-Contractors (4th Party Risk): Inclusion of sub-contractors in the Risk Management Program, including inventory, assessment and monitoring (Supply Chain Management)

• Innovative Solutions: Expand supply market research to include new innovative solutions (i.e. Cloud, social media, etc.)

• Revenue Optimization: Promote and develop NBC's customer portfolio within our supplier community and maximize value to the Bank by being thoughtful about our customer/supplier relationships

• International Expansion: Support strategic initiatives in international expansion, licensing, e-Commerce growth

• M&A / Divestitures: Ongoing M&A and restructuring activities have created new sourcing leverage and required new supply strategies

• Sustainability: Increasingly, customers and governments are demanding plans to make operations more sustainable and to source from a more diverse supplier base


As our procurement organization matures, the focus needs to be more than just cost savings; we need to be proactively involved in strategic initiatives and creatively protect the organization. 


source: Industry Experts


3rd Party Definition


How 3rd parties are defined

General definition: An entity, including individuals and affiliates, that has a business relationship with the institution or its customers, and is not itself a customer. Third party relationships include:

Vendor 3rd Party: 'Vendor' third parties are service providers that deliver a product or service to the institution. These relationships are typically sourced through a sourcing / procurement process. Payment is typically transacted by Accounts Payable.

Non-Vendor 3rd Party: 'Non-Vendor' third party relationships are typically acquired by a business line / segment directly, not through a sourcing / procurement function. Financial remuneration, if applicable, is typically transacted outside of Accounts Payable processes. These relationships may be managed solely by a business line / segment, or managed in conjunction with a corporate risk management function.


CATEGORIES (Non-Vendor):

▪ Specialized Analysts and Advisors

▪ Counterparties

▪ Affiliates

▪ Debt Underwriters / Securitization Firms / Trustees

▪ Affinity Relationships

▪ Financial Utilities

▪ Alliances and Partnerships

▪ Government Special Purpose Entity (GSE)

▪ Brokers

▪ Indirect Lending

▪ Correspondent Banks and Wholesale Banking

▪ Joint Marketing Partners

▪ Rating Agencies

▪ Tenants

▪ Servicers

▪ Trade Associations