Blurred Lines - SIGsig.org/docs2/S11_Blurred_Lines_Maximizing_Enterprise... · 2016-10-17 ·...
Blurred Lines: Maximizing Enterprise Value by Integrating Finance, Procurement and Risk Functions in a Financial Services Environment
Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T
Sam Mele, Vice President Sales, Hiperos
sig.org/eval
Case Study: Managing Third Parties Across the Enterprise
Seamless Integration and Alignment between Finance, Procurement and Risk functions in Financial Services to maximize Enterprise Value
Today’s Speakers
Rohan Ranadive, SVP and Third Party Program Group Manager
Sam Mele, Vice President Sales
About Hiperos
The leading SaaS platform for managing third parties
Purpose-built to minimize third party risk and maximize their value
Manages third parties and third party relationships
Accelerates / automates third party…
Onboarding
Risk Segmentation / Scoring
Due Diligence
Risk / Performance Monitoring
Protects against reputational harm, regulatory exposure and revenue loss
Reduces the cost of third party management
© Hiperos. All rights reserved.
About BB&T
Financial Industry Challenges
Low Margins from continued lower interest rates
Increased cyber threat
  Data Breaches
  Ransomware
  Malware etc.
Increased Regulatory Costs
  MRA, Board Resolution, Consent Orders, Fines, Censures etc.
Increased competition from non-traditional players
  Startups, Fintechs, other established players
Responsible Innovation (OCC)
Incentive Compensation under microscope
  Executive claw back
Blurred lines between Vendors, Third Parties, Clients
Prudent Risk Management practices across all risk domains
How do we manage risk and continue to create value?
Third Party Management (diagram hub), surrounded by:
Compliance Risk
4th Party Risk
Finance (Savings, M&A, JVs, Alliances)
Information Technology (Information Security / BCP / DR)
Operations (RCSA, Ops Risk Loss Scenarios, BASEL etc.)
Compliance (Consumer Protection Laws)
Living Will / Recovery and Resolution Planning (RRP)
Everyone is looking at Third Party Management: Clients, Regulators
Third Party Management Program Timeline
Timeline: 2010, 2012, 2013, 2014, 2015, 2016, 2017
On-boarding of Vendors via Hiperos to SAP
Centralization (Sourcing thru Settlement)
Vendor Risk Management: Inherent Risk; Spend / Savings
Vendor Risk Management program evolution
Start of alignment (Procurement and Risk)
Tighter alignment and Integration (all stakeholders)
Vendor Risk Committee moved to Operational Risk
Full alignment and integration (all control groups)
Continuous Improvement: Program fine tuning, integration of Hiperos with eGRC tool
Goal: Utilize one system for effective Third Party Management while integrating with other systems
Third Party Risk Management (Category Mgt. Structure)
Risk Considerations: Operational; Compliance; Reputational; Financial / Credit; Business Continuity / Resiliency; Information Security and Privacy; Technology; Subcontractor / 4th Party; Offshore / Country; Physical Security; Concentration
Third Parties: Vendors / Suppliers; Business Partners; Government Agencies and Utilities; Non Vendor Payees
Program Elements
• Policies and Standards
• Program Governance
• 3rd Party Inventory
• Risk Stratification
• Reporting and Dashboards
• Issue Management
• Complaint Management
• Training and Communication
• Ongoing Process Improvement
Third Party Management Operating Model (Strawman)
Third Party Management Program: Chief Financial Officer; Chief Risk Officer
Business Units (Vendor Managers)
Sourcing, Procurement, Contracts, Vendor Management
Vendor Control Groups: IT Risk and Information Security; BCP/DR; Financial Risk Assessment; Cloud; Offshore (Country Risks, Geopolitical Risks); Privacy/Compliance
Vendor Control Group: SME or risk expert in evaluating risks and corresponding controls throughout the lifecycle
TPM Risk Framework
Vendor Monitoring Responsibilities
BB&T Risk Framework
Regulatory Guidelines
Risk Assessment Questionnaire and Responses
Vendor Usage Planning
Tailored Due Diligence (initial and ongoing)
LOB Operational Controls
Master Agreement / Transactional Agreement
Tailored Contract Controls / Vendor Contractual Duties
Vendor Performance Expectations (SLA/KPI)
Vendor Monitoring Program (3rd party system)
Additional Contract Controls
Additional Business Unit Controls
Approach to Analyzing / Reporting Vendor Risk
Vendor Monitoring Plan
1st Line Templates and Vendor Control Group Templates:
Vendor Service Organizational Control (SOC) Review
Vendor IT Risk Assessment
Vendor Business and Performance Reviews
Cloud Adequacy Assessment
Vendor Consumer Compliance Review
Offshore Control Adequacy
Vendor Usage Planning
Vendor Business Continuity
Vendor Contingency and Termination Planning
Vendor Compliance Testing
Vendor Key Indicator (SLA/KPI/KRI) Template
Vendor Compliance Due Diligence
Standard Due Diligence Template
Contract Control Adequacy Template
Standardized Assessment Results
Vendor Risk Reports (e.g.):
1. Corporation’s Highest Risk Rated Vendors
2. Board Report: Critical Vendors having Issues
3. High Risk Cloud Vendors
Vendor Management Procedures
Vendor Risk Dashboard
Standard templates to evaluate vendor risk
Action Plans / Remediation / Exceptions tracking
Note: Sample Only
Assessment Levels (3rd Party System)
Enterprise Level: Policies and Standards
Business Unit Level: BU Compliance Scorecards
Vendor Relationship Level (based on inherent risk characteristics)
Effective Challenge / Overrides
Aggregated Reporting
Relationship Structure
Business Process Vendor Relationship = Business Process + Vendor
Master or Standalone Agreement (One) / Contracts, Transactional Agreements (Many): SOW, Schedules etc.
Business Unit (One) / Relationships (Many)
3rd party system
Business Unit Vendor Portfolio: Co-managed by BU and TPM to drive Value and Manage Risk
Sample Dashboards
Risk Profile
Pipeline
Vendor Residual Risk
Business Unit Performance
Vendor Scorecard - Sample
ABC Company | Overall Risk Status: Less Than Satisfactory | MM/YYYY
Supplier Lifecycle: Contracted
Company Description: ABC Company provides software, outsourcing, and IT consulting for the financial services industry. For banks, ABC offers processing, decision and risk management, and retail channel operations, as well as payment services, such as electronic funds transfer, check and ticket processing, and credit card production and activation.
Aggregate Vendor Inherent Risk Rating: High
Financial Solvency: Effective
Insurance Coverage Adequacy: Effective
Material Subcontractor Evaluation: Effective
Previous Year Spend: $58,204,186
YTD Spend: $38,204,186
Active Business Process Relationships: 3
Total Vendor Issues Logged in last 12 months: 8
Open Vendor Issues: 4
Escalated Vendor Issues: 2
Total # of Active Contracts: 15
Total # of Subordinate Suppliers: 5
Escalated Customer Complaints: None Logged
Legal Entities (Subordinate Suppliers): Legal Entity 1, Legal Entity 2, Legal Entity 3, Legal Entity 4
Material Subcontractors (4th Parties): Sub Contractor 1: Effective; Sub Contractor 2: Effective; Sub Contractor 3: Effective

Business Process or Relationship | Vendor Risk Score | Vendor Tier | Internal Control Adequacy (SOC) | Contract Control Adequacy | Vendor Compliance Adequacy | Vendor Continuity Adequacy | Offshore Control Adequacy | Vendor Performance Assessment | Information Security Controls | SLA/KPI Key Indicator | Cloud Adequacy Rating | Transition Plan Adequacy | Approved Exceptions | Overall Control Effectiveness Rating | Overall Residual Risk Rating
Credit Card Servicing | 65 | Tier 1 | Unsatisfactory | Effective | Effective | Unsatisfactory | Unsatisfactory | Needs Improvement | N/A | Effective | Moderately Effective | Moderately Effective | 3 | Unsatisfactory | High
Debit Card Servicing | 72 | Tier 1 | Moderately Effective | Effective | Moderately Effective | Needs Improvement | Moderately Effective | Needs Improvement | N/A | Effective | Needs Improvement | Needs Improvement | 1 | Needs Improvement | High
Loan Syndication | 12 | Tier 3 | N/A | Effective | N/A | N/A | N/A | Needs Improvement | N/A | Effective | Moderately Effective | Moderately Effective | 0 | Moderately Effective | Low/Strong

Conclusions: Company’s aggregate risk exposure to ABC Company continues to grow. Remediation actions are being taken …. Biggest change to the risk profile over the previous quarter came as a result of Information Security Adequacy worsening from the data breaches over the Sunrise platform for debit cards. Company is taking active measures to improve, manage and mitigate risk ....... Action Plans: 3 main action plans are in place; #1: CIS is evaluating ….
Aggregate Risk Reporting - Sample
High Risk Cloud Relationships (Vendor has >50K Unique Client Records)

Business Process | Vendor | Inherent Risk | Vendor Tier | Internal Control Adequacy (SOC) | Contract Control Adequacy | Compliance Monitoring | BCP/DR Adequacy | Infosec Adequacy | Perf. Rating | Offshore Controls Rating | Overall Rating | Residual Risk Rating
Auto Loan Account Servicing | DealerTrack Holdings, Inc | H | Tier 1 | ME | E | ME | ME | ME | S | N/A | ME | MH
Data Sciences & Sales Analytics | Salesforce.com, Inc | H | Tier 1 | ME | ME | N/A | E | NI | S | N/A | NI | H
Credit Card Processing | Fidelity Information Services | H | Tier 1 | E | E | ME | E | E | S | E | E | M
Client Employee Benefits Consulting & Administration | Mobile Health Consumer | H | Tier 1 | ME | ME | IP | IP | ME | S | N/A | ME | MH

Inherent Risk Rating: Tier 1 (High); Tier 2 (Moderate); Tier 3 (Low)
Control Effectiveness Rating: E: Effective; ME: Moderately Effective; NI: Needs Improvement; U: Unsatisfactory
Residual Risk Rating Scale: H: High; MH: Moderate High; M: Moderate; ML: Moderate Low; L: Low
Qualitative Ratings: SS: Strong Satisfactory; S: Satisfactory; LT: Less Than Satisfactory; U: Unsatisfactory
Chart labels: Vendor XYZ, Vendor ABC, Vendor 123, Vendor 900
Key Takeaways
Third party management isn’t about compliance – it’s about good business practices driving good results
The only constant is change – flexibility is key to success
This is bigger than just your suppliers or vendors – it’s all of the third parties with whom you interact
Automation enables you to drive consistency, execution and auditability across the entire portfolio
This isn’t about data – it’s about transforming data into actionable intelligence
Real-time information from tools provides continuous oversight through a closed loop process
Effective third party management is not an “option” – it is a must – driven straight from the Board
Thank you
Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T, [email protected]
Sam Mele, Vice President Sales, Hiperos, [email protected]
Evaluation How-to:
Why? Your feedback drives SIG Event content. By signing and submitting your evaluation, you are automatically entered into a prize drawing.
How?
Option 1: App
1. Select Schedule
2. Select Schedule by Day
3. Select Day
4. Select Session
5. Scroll to Description
6. Click on the Evaluation link
Option 2: Browser
1. Go to www.sig.org/eval
2. Select Session (#11)
COMPLETE & SUBMIT EVAL
Tweet: #SIGfall16
Session #11: Blurred Lines: Maximizing Enterprise Value by Integrating Finance, Procurement and Risk Functions in a Financial Services Environment
Speakers: Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T; Sam Mele, Vice President Sales, Hiperos
www.sig.org/eval
Download the App: bit.ly/SIGfall16