Managing third party risks and rewards

This presentation discusses current trends and challenges companies are facing in managing third-party risks, and leading practices in several areas including, but not limited to, stakeholder interaction, risk stratification, vendor reviews, and ongoing monitoring. Presented at "Creating value and trust: Navigating risk and meeting customer expectations", PwC's Internal Audit Ethics and Compliance Retail and Consumer Roundtable for internal audit and ethics and compliance executives, April 2014. For more information, please visit:

Transcript of Managing third party risks and rewards

  • Internal Audit, Ethics & Compliance roundtable. Third Party Risk Management: How can companies effectively manage the risks of Third Party relationships? April 22, 2014
  • PwC. With you today: Rob Stouder, Director, Third Party Risk Management, Midwest Region Leader, (317) 940-7501
  • Agenda:
    ◦ What is Third Party Risk Management?
    ◦ Why is it important?
    ◦ What we are seeing in organizations
    ◦ Benefits of a Third Party Risk Management program
    ◦ Insights and lessons learned
    ◦ Q&A
  • What is Third Party Risk Management?
  • Third Party Risk Management activities across the vendor lifecycle (Vendor Evaluation & Selection; Contract Signing / Service Initiation; Vendor Service; Contract / Service Termination):
    ◦ Third Party risk profiling: evaluate the risk profile of the third party based on the company and the nature of the services to be provided.
    ◦ Due diligence assessments: perform due diligence assessments based on the initial risk profile.
    ◦ Contract language and exception management: support the management and tracking of exceptions to standard contract language and requirements.
    ◦ Ongoing risk profiling: assess vendors' risk profiles as their environments and the nature of their services change.
    ◦ Ongoing monitoring: evaluate relevant controls, with the frequency of assessment based on the risk profile. Typically these assessments include one or more of the following: on-site assessment, remote assessment, self-assessment.
    ◦ Contract termination management: manage and track the vendor / service termination process to confirm that vendors meet the obligations in their contract and that all client data is removed per the vendor's contractual obligations.
    ◦ Program oversight: policies, standards and guidelines; training and awareness; program strategy, governance and roles & responsibilities; VRM operational processes; systems and technology; metrics and reporting; continuous improvement.
  • Foundations for an effective Third Party Risk Management program:
    ◦ Data & Information: linkages between contracting and payables/general ledger; a comprehensive contracts management system and contract data; well defined and maintained third-party repositories (vendor master, etc.); third party / vendor usage data; strong organizational and employee data for identifying third-party linkages across the organization; issues and incidents repositories to track third-party issues.
    ◦ Methodology: recovery and resiliency back-up of key/critical third parties; know your third parties / due diligence; standard operational risk methodologies and defined risk levels; a standard controls effectiveness assessment methodology; escalation, exception, and exemption processes; customer complaint handling.
    ◦ Governance: a third party risk management office; an operational risk governance body; critical third party oversight.
  • Pop Quiz:
    ◦ Planning / Governance: Do you have an inventory of Third Parties? Is it by service? Is it risk ranked? Do you have current contracts related to the service being provided? Are there standardized risk profiling methodologies with defined assessment frequencies and types in place?
    ◦ Due Diligence and Third Party Selection: Are due diligence assessments performed prior to contracting? Do they cover privacy? Do they cover security? Do you know which of your vendors have access to data? Do you know which subcontractors are used by your third parties, and what work they are performing for you?
    ◦ Contract Negotiation: Do contract clauses include the authority to audit the Third Parties' processes over the service provided? Are contracts for similar services consistent, and do they contain Service Level Agreements?
    ◦ Ongoing Monitoring: Do monitoring processes include both risk AND performance concerns?
    ◦ Termination: Do you have exit strategies in place for significant Third Party relationships?
  • Common TPRM risks:
    ◦ Regulatory: the risk of an organization being out of compliance due to a third party's failure to comply with laws/regulations.
    ◦ Service Delivery: the risk that a third party fails to meet your needs based on the delivery of their products/services.
    ◦ Exit Strategy: the risk that the organization will be unable to service its clients following the termination of, or exit from, a third-party relationship.
    ◦ Financial: the risk of financial loss to the organization due to the third party being unable to operate because of financial instability.
    ◦ Information Security and Privacy: the risk of unauthorized loss of data, or that an organization's data security has been breached at your third party.
    ◦ Business Continuity and Resiliency: the risk that a third-party failure affects the ability of the organization to serve its clients.
    ◦ Reputational: the risk and impact to the organization's reputation based on services provided by your third party.
    ◦ Global Geographic Location: the political, geographic, regulatory, legal, and economic risks of outsourcing to a country or region.
    ◦ Figure: Third-Party Risk Spectrum (the eight risk categories above: Reputational, Service Delivery, Financial, Business Continuity and Resiliency, Global Geographic Location, Information Security and Privacy, Regulatory, Exit Strategy).
  • Audience Question (Governance): Do you have a formal Third Party Risk Management function at your organization?
  • Third Party Risk Management Program Structure (organization chart):
    ◦ Governance: Board of Directors; Enterprise Risk Committee; Third Party Management Office (Management & Oversight).
    ◦ Business: Business Unit Sponsor; Business Unit Third Party Risk Manager (High & Critical Risk Services); Sourcing; Procurement; Contracts Management.
    ◦ Subject Matter Specialists: Legal & Compliance; Reputational Due Diligence; InfoSec; Financial Due Diligence; Bank Management; Privacy; BCM; Operational Risk Oversight; PhySec; Technology.
    ◦ Internal Audit.
    ◦ Third Parties and their Subcontractors.
    ◦ Third Party Risk Management roles and responsibilities impact each aspect of the three lines of defense model (First, Second and Third Line of Defense).
  • Why is Third Party Risk Management important?
  • Why is Third Party Risk Management relevant? Based on the results of PwC's 2013 Global State of Information Security Survey (GSISS), our clients continue to experience an increased number of third party related breaches, and very few have programs in place which effectively manage vendor risk. Additionally, there is an increasing view by many regulators that best efforts around TPRM are not good enough.
    ◦ Chart: breaches by source (partner or supplier; customer; service providers/consultants/contractors) for 2010, 2011 and 2012; values range from 8% to 17%.
    ◦ 26% of respondents have an inventory of vendors who handle sensitive information.
    ◦ 32% of respondents require vendors to comply with their policies.
    ◦ 26% of respondents conduct compliance assessments of third parties who handle personal data of their customers and employees.
    ◦ Many of our clients do not have vendor risk management programs, or the programs are very immature.
    ◦ The number of breaches resulting from vendors and other third parties is steadily increasing.
  • What we are telling boards (the third-party compliance landscape):
    ◦ A subcomponent of overall risk management.
    ◦ Legal compliance is outside the company's direct control and has its own unique control environment.
    ◦ The number of third party relationships is typically significant.
    ◦ Companies can be held accountable for acts of agents, resellers, distributors, partners, suppliers, etc.
    ◦ Compliance aspects also include protection of intellectual property, environmental laws, labor laws, health and safety.
  • Customer Churn. Research shows that companies experience customer turnover following a security breach, and some industries are more susceptible than others.*
    ◦ Chart: customer churn following a security breach, by industry: Public 0.3%; Retail 1.3%; Communications 1.5%; Media 2.0%; Hospitality 2.5%; Technology 2.6%; Industrial 2.7%; Consumer 2.9%; Transportation 3.3%; Services 3.8%; Pharmaceutical 4.2%; Healthcare 4.5%; Financial Services 4.5%.
    ◦ * Symantec and Ponemon Institute, 2013 Cost of Data Breach Study: United States, May 2013.
  • Changing Regulatory Drivers Force Businesses to Focus on Third Party Risk Management. In the last 10-15 years, multiple new regulations in all industries have demanded increased focus on how organizations monitor third parties. To enable compliance, each organization should validate existing processes against current regulatory guidance through a gap analysis.
    ◦ Timeline (1996 to 2013): August 1996, Health Insurance Portability and Accountability Act (HIPAA); July 2001, GLBA, Gramm-Leach-Bliley Act; November 2001, OCC Bulletin 2001-47, Oversight and Management of Third-Party Relationships; May 2002, OCC Bulletin 2002-16, Foreign 3rd-Party Service Providers; May 2007, H.F. 1758, MN Plastic Card Security Act; November 2007, HITECH Act; January 2010, NRS 603A, NV Data Security Law; March 2010, 201 Mass. Code Regs. 17, MA Data Security Law; July 2010, Wash. H.B. 1149, WA Data Security Law; January 2011, PCI-DSS v2.0, Payment Card Industry Data Security Standard; March 2012, CFPB Bulletin 2012-03; March 2013, CFPB Bulletin 2013-02.