Significant others: How financial firms can manage third party risks


Contents: Point of view (page 2); Competitive intelligence (page 13); A framework for response (page 16); Appendix (page 24)

Using third party service providers can be a risky business. Get fewer headaches by getting on top of the problem.

FS Viewpoint

Executive summary

Third parties have been the source of countless problems for financial institutions. But with the right approach to managing risk, firms can turn third parties into strategic assets.

Third parties: a growing burden

In today’s environment, it would be nearly impossible to find a financial institution that doesn’t contract with third parties to perform many essential functions. Over the last decade, use of third parties has indeed helped institutions to grow revenues, cut costs, and improve the customer experience.

However, these proven upsides have come with equally apparent downsides: more frequent operational setbacks such as major service interruptions, mishandling of customer or employee data, and non-compliance with laws and regulations. Many of these issues have originated with third party service providers.

The costs include not only monetary losses, but also loss of reputation and market share. Add to that the potential for regulatory enforcement actions and hefty regulatory fines, and the numbers begin to climb.

Turning liabilities into assets

Do the benefits of using third parties outweigh the downside risks, as well as the extra costs and time needed to manage and oversee them? PwC’s experience and our 2014 Third Party Risk Management Survey indicate that they can—if a firm has a robust third party risk management (TPRM) program in place. Such a program can help a firm fulfil its obligations to customers, shareholders, and regulators. Ultimately, it may even make using third parties less risky than keeping those functions in-house.


45% of financial services CEOs plan to enter into at least one new joint venture or strategic alliance over the next 12 months.

Source: PwC, “18th Annual Global CEO Survey,” January 2015.

How are financial institutions responding to demands for stronger oversight of third parties?

To find out, we surveyed financial institution leaders to better understand how their third party risk management functions operate and where they’re making investments. PwC’s 2014 Third Party Risk Management Survey draws on insights from executives and managers across the United States to identify key trends and leading practices in the industry.


Point of view


The evidence is piling up: it’s time for financial institutions to take a more systematic approach to managing third party risk.

1 PwC, “18th Annual Global CEO Survey,” January 2015.

Increased use of third parties

Over the past several years, financial institutions have increased their collaboration with third parties to perform a growing number of functions—not just printing checks, collecting payments, and processing data. This is partly in response to higher customer expectations for service.

As customers increasingly demand more customized, real-time experiences that are accessible through multiple digital channels, firms have looked to outside providers with the requisite resources and expertise. The 18th annual PwC Global CEO survey shows that more than 40% of banking CEOs see joint ventures, strategic alliances, and informal collaborations as an opportunity to strengthen innovation and gain access to new customers and new technologies.¹

More adverse incidents

However, it is not always easy to ensure that services provided through third parties remain seamless and aligned with brand standards and strategies. As the use of third parties has grown, so have the number and severity of publicized security breaches, compliance issues, and service interruptions traceable to them. Boards of directors are increasingly worried about the number and type of activities their firms outsource and how well their firms manage the risks arising from these third party relationships (see Figure 1).

Figure 1: Using third parties comes with a broad spectrum of risks. The spectrum of third party risk: business continuity and resiliency; credit/financial; operational; compliance; strategic; information security; reputational.


Regulators have taken steps to help ensure that financial institutions keep third party risks firmly in check.

1 These include the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Federal Financial Institutions Examination Council (FFIEC), New York State Department of Financial Services (NYDFS), the Securities and Exchange Commission (SEC), and the Financial Industry Regulatory Authority (FINRA).

2 The OCC refers to these as “critical activities” in its OCC 2013-29 advice bulletin.

3 These include the New York State Department of Financial Services, “Report on cyber security in the banking sector,” April 2015.

Stricter regulations over how financial institutions manage third party risk

Regulators are also concerned. Several US regulatory agencies have significantly raised standards for oversight of third parties in recent years.¹ Moreover, they have reiterated the range of third party relationships that the regulations cover to eliminate categorical exemptions.

These regulators particularly target business-critical functions such as payments, clearing, settlements, custody, and IT.² They also require that oversight and due diligence—as well as the involvement of a firm’s board of directors—be commensurate with the risk and complexity of the third party relationship.

Beyond third party risk

Regulators have made it clear that financial institutions cannot outsource their controls, and that they expect firms to hold their third parties to the same high standards that firms themselves must meet.

Firms need to consider how their third parties are handling a wide range of issues:

• Customer complaints—The Consumer Financial Protection Bureau in the US, as well as foreign regulators such as the Financial Conduct Authority in the United Kingdom, have increased their scrutiny of the programs that firms use to address customer complaints.

• Cybersecurity—Regulators have cited banks, broker-dealers, investment advisers, and insurance companies for weak cybersecurity controls at their third parties. One report found that nearly one in three banks surveyed did not require their third party providers to notify them of cybersecurity breaches.³

• Resiliency—Regulators are also intent on improving the resiliency of financial institutions and their third parties. They want to see processes in place not only to lower the risk of failure, but to reduce the impact of a failure on the broader economy by sustaining critical operations during the resolution process.


57% of survey respondents have an accurate inventory of all third parties that handle sensitive firm, employee, and customer data.

Source: PwC, “2014 Global State of Information Security Survey,” September 2014.


1 OCC, “Third Party Relationships,” October 2013.


Even after years of growing reliance on third parties and increasing regulation, oversight at most financial institutions still has far too many gaps.

PwC’s 2014 Third Party Risk Management Survey results show that most firms have not updated their TPRM programs to address tougher regulations.

While one of the main requirements in recently updated regulatory guidance bulletins is identifying business-critical functions, nearly two out of every five of our survey respondents have not completed this essential first step.

Similarly, our research indicates that financial institutions are not adequately monitoring “fourth parties”—the subcontractors of their third parties. A full 45% of respondents said that they rely on third parties to monitor their subcontractors—without performing additional checks to review the results. Another 6% either don’t know if their third parties use subcontractors, or have no visibility into how subcontractors are monitored.

Even the scope of many TPRM programs seems problematic. In its most recent guidance bulletin, the OCC particularly highlighted its definition of third party relationships, which is “any business arrangement between a bank and another entity, by contract or otherwise.”¹

As seen in Figure 2, however, barely half of our survey respondents said that their oversight programs include affiliates. New regulations relating to business continuity arising from the Dodd-Frank Wall Street Reform and Consumer Protection Act underscore the importance of having backup plans for all business-critical functions, not just those provided by third parties.

We also found that boards of directors are not sufficiently involved in oversight and governance of third party risk management. Only 55% of respondents said a board committee participates in TPRM oversight and governance, while some regulators explicitly expect the board to perform these functions for all third party relationships involving business-critical functions.

Figure 2: Many respondents include only vendors in their TPRM programs.

Q: What is the scope of your TPRM program? Vendors 98%; Affiliates 51%; Subsidiaries 36%; Broker-dealers 32%; Captives (wholly owned off-shore entity) 13%.

Source: PwC, “2014 Third Party Risk Management Survey,” December 2014.


A surprising number of financial institutions are still relying on an ad hoc approach to manage their third party relationships.

Our survey also showed that many firms still do not have an enterprise-wide, standardized framework for third party risk management. In some cases, these deficiencies have resulted in compliance issues, security breaches, or problems for customers.

Consider these survey findings:

• 33% of respondents that performed regular on-site visits of third parties experienced a service disruption or breach. For respondents that did not perform on-site visits or performed them only on an ad hoc basis, the percentage of disruptions rose to 50%.

• 37% of respondents that regularly monitored third parties with ongoing due diligence activities experienced a service disruption or breach. For respondents that did not perform this regular monitoring, the percentage of disruptions rose to 58% (see Figure 3).

Limited reporting was another common issue that survey participants reported. Many respondents used scorecards to monitor service quality and manage issues, but did not as consistently monitor other important factors such as risks, costs, and customer complaints.

Which TPRM program structure should you adopt?

As seen in Figure 4, financial institutions use a variety of TPRM program structures. Culture and geography are two major factors that often influence an organization’s decisions when selecting a model.

For example, a global company operating across multiple regions may find that a decentralized or hybrid model suits its purposes better than a centralized one. However, even with a decentralized model, a centralized TPRM office can help ensure that policies, procedures, and training are implemented consistently across the organization. A centralized TPRM office can also provide integrated reporting across third party relationships.

Figure 3: Financial institutions that did not perform regular monitoring of third parties experienced more disruptions or breaches.

Percentage of respondents that experienced a service disruption or breach from third parties: Monitored third parties on an ad hoc basis 58%; Regularly monitored third parties 37%.

Source: PwC, “2014 Third Party Risk Management Survey,” December 2014.

Figure 4: What model does your organization use for its TPRM program? Hybrid 45%; Centralized 32%; Decentralized/Federated 17%; Other 6%.

Source: PwC, “2014 Third Party Risk Management Survey,” December 2014.


What leading practices have we seen financial services firms use to improve their TPRM practices?

Focus on the riskiest services

We consider stratification—analysis of third party relationships to identify those services requiring more extensive oversight—a particularly important first step on which other processes will depend. By focusing on the inherently riskiest relationships involving the most critical functions, firms can both control their TPRM costs and direct valuable and limited resources to where they are most needed.

Many institutions automatically assign the same risk to all services a third party performs, even though services may vary considerably for different business units and functions. We believe a firm should look at individual services a third party performs to make sure the risk assessment is in accordance with the nature and complexity of the products or services provided. This would include factors such as criticality, data sensitivity, concentration risk, and the number of business units involved.
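As an added example (not PwC’s code or a published PwC method) of the service-level stratification described above, the following Python scores each service a third party performs against the four factors the text names, and shows how rating a third party as a whole would over-assess its low-risk services and which higher-tier services need fourth party visibility. The ordinal scales, weights, tier cut-offs and the sample inventory are assumptions constructed for illustration.

```python
"""Service-level third party risk stratification (added example).

Scores each service a third party performs, rather than the third party as a
whole, using the four inherent-risk factors named in the text: criticality,
data sensitivity, concentration risk and number of business units involved.
The ordinal scales, weights and tier cut-offs are assumptions for illustration,
not a published method. The sample inventory below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ordinal scales: a higher value means more inherent risk.
CRITICALITY = {"non-critical": 1, "important": 2, "business-critical": 3}
DATA_SENSITIVITY = {"public": 0, "internal": 1, "customer-pii": 3}
CONCENTRATION = {"readily-replaceable": 0, "few-alternatives": 1, "sole-source": 2}

# Assumed tier cut-offs on the weighted score (possible range 4..24).
TIER_1_MIN = 14  # most extensive oversight
TIER_2_MIN = 8


@dataclass(frozen=True)
class Service:
    third_party: str
    name: str
    criticality: str
    data: str
    concentration: str
    business_units: int
    uses_subcontractors: bool = False  # "fourth party" involvement


def inherent_risk_score(svc: Service) -> int:
    """Weighted sum of the four factors (weights are assumptions)."""
    return (3 * CRITICALITY[svc.criticality]
            + 2 * DATA_SENSITIVITY[svc.data]
            + 2 * CONCENTRATION[svc.concentration]
            + min(svc.business_units, 5))  # cap so breadth alone cannot dominate


def tier_for(score: int) -> str:
    if score >= TIER_1_MIN:
        return "Tier 1"
    if score >= TIER_2_MIN:
        return "Tier 2"
    return "Tier 3"


def stratify(services: List[Service]) -> Dict[Tuple[str, str], str]:
    """Per-service tier, keyed by (third party, service name)."""
    return {(s.third_party, s.name): tier_for(inherent_risk_score(s)) for s in services}


def flat_rating(services: List[Service]) -> Dict[str, str]:
    """The 'same risk for every service' shortcut the text warns about:
    each third party inherits the tier of its riskiest service."""
    worst: Dict[str, int] = {}
    for s in services:
        worst[s.third_party] = max(worst.get(s.third_party, 0), inherent_risk_score(s))
    return {tp: tier_for(score) for tp, score in worst.items()}


def over_assessed(services: List[Service]) -> List[Tuple[str, str]]:
    """Services whose own tier is lower than the flat per-third-party tier,
    i.e. oversight effort the service-level view would not spend."""
    per_service = stratify(services)
    flat = flat_rating(services)
    rank = {"Tier 1": 1, "Tier 2": 2, "Tier 3": 3}
    return [key for key, t in per_service.items() if rank[t] > rank[flat[key[0]]]]


def fourth_party_visibility_needed(services: List[Service]) -> List[Tuple[str, str]]:
    """Tier 1 and Tier 2 services delivered with subcontractors, where the
    firm needs insight into how the fourth party delivers the service."""
    per_service = stratify(services)
    return [(s.third_party, s.name) for s in services
            if s.uses_subcontractors and per_service[(s.third_party, s.name)] != "Tier 3"]


# Constructed sample inventory: one provider delivers two very different services.
SAMPLE_INVENTORY = [
    Service("Acme Payments", "card payment processing", "business-critical",
            "customer-pii", "sole-source", 4, uses_subcontractors=True),
    Service("Acme Payments", "branch signage printing", "non-critical",
            "public", "readily-replaceable", 1),
    Service("DataHold Inc", "customer statement archiving", "important",
            "customer-pii", "readily-replaceable", 1, uses_subcontractors=True),
    Service("CleanCo", "office cleaning", "non-critical", "internal",
            "readily-replaceable", 1),
]

if __name__ == "__main__":
    for key, t in stratify(SAMPLE_INVENTORY).items():
        print(f"{key[0]} / {key[1]}: {t}")
    print("over-assessed by flat rating:", over_assessed(SAMPLE_INVENTORY))
    print("fourth party visibility needed:", fourth_party_visibility_needed(SAMPLE_INVENTORY))
```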

Don’t forget about subcontractors

An effective third party risk management program needs to have insight into “fourth party” subcontractors that third parties are themselves using and managing, in order to ensure that the firm understands how the subcontractors are delivering their products or services. They may find, in some cases, that there are contractual issues that keep them from fully applying their risk policies to subcontractors.

For example, a firm may not be able to insert a “right to audit” clause for fourth parties into an outsourcing agreement if the third party does not have such rights in its subcontractor relationships.

Establish a central office to administer and oversee the program

We believe that a central third party risk management office is another key ingredient in a successful TPRM program, particularly as firms expand nationally and globally. This central office should administer the oversight process, ensuring standardization and central reporting, together with a thoughtful approach to training and change management.

Leading firms are also using offshore and onshore delivery models to help standardize assessments and extend the office’s reach to third parties by providing services in remote locations. They can also greatly reduce overall program costs by providing a monitoring and reporting utility service to the “three lines of defense” (business unit operations, risk management/compliance functions, internal audit).

Track TPRM issues and customer complaints in central databases

As part of the process, the TPRM office should use a central repository or database for initial due diligence, ongoing monitoring, and re-assessments. This helps maintain proper identification, management, tracking, reporting, and oversight of issues related to third parties.


While the TPRM framework will vary from firm to firm, some common elements are critical to success. These include third party stratification, insight into subcontractors, a centralized issues and complaints management database, and a centralized TPRM office to oversee the program.


We suggest financial institutions adopt a coherent, well-thought-out third party risk management program to reduce risk exposure and help contain operational costs.

Leading practices like stratification and a central TPRM office should be part of an overarching TPRM framework. Firms should integrate this framework with their operational risk policies. We suggest that the TPRM framework incorporate three main elements: governance, processes and tools, and what we call “enablers.”

Governance helps define the operating model for the TPRM program, which should include a central TPRM office as well as policies, procedures, and standards for day-to-day program management and business operations. The TPRM program applies across the entire lifecycle of each third party relationship—from the planning and due diligence phases through contract negotiation, ongoing monitoring, and termination.

A single third party inventory, risk stratification, monitoring plans, scorecards, and assessment are processes and tools that capture and monitor the inherent and residual risk of the services third parties provide.

To make the entire TPRM program work, we recommend that institutions adopt three essential enablers. The first two, change management and training and communications, promote stakeholder buy-in. An effective program also needs the right supporting technology, which can include contracting, risk assessment, and other tools that facilitate documentation and reporting.

TPRM lifecycle: Planning; Due diligence; Contract negotiation; Ongoing monitoring; Termination.

Governance:

• Policy and procedures

• Management, oversight, and organization

• Alignment with operational risk

• Operating model

• Program management

Process and tools:

• Inventory

• Risk stratification

• Risk assessment execution

• Issues management

• Complaints management

• Reporting, metrics, and scorecards

Enablers:

• Change management

• Training and communications

• Technology


Beyond better risk management, effective TPRM programs can also deliver valuable insights that inform strategic decisions.

Use TPRM to gain strategic insights

Many financial institutions are shocked when they realize how many third parties they have on their rosters. Thirty-eight percent of our survey respondents had between 1,000 and 10,000 active third party relationships, and nearly one-quarter of them had more than 10,000.

An effective TPRM program improves transparency for a firm—not only regarding how much its third parties cost, but also which business units use them and which markets and customer segments they serve. Armed with a more thorough, accurate view of the role third parties play across the organization, financial institutions can use data analytics to support strategic business decisions. The insights they gain can help to:

Improve the customer experience

More proactive monitoring and management of third party service quality can help firms improve the customer experience. It can also help reduce service disruptions and data breaches.

Identify new strategic partnerships

By analyzing how third parties are used across products, markets, and channels, firms may potentially identify new strategic partnerships that extend their sales and servicing capabilities.

Drive down costs

Our survey shows not only improved third party performance, but also clear financial results (see Figure 5). Better visibility helps firms become more strategic about which third parties they engage. They may be able to consolidate services with fewer providers, negotiate more competitive pricing, and identify less costly alternatives for low-value activities.

A TPRM program can also reduce oversight costs by focusing due diligence and monitoring efforts on the most critical and risky services, rather than using a “one-size-fits-all” approach.

Improve market agility

Regulators, including the OCC and the Fed, now require financial institutions to have a contingency plan for their most critical functions. In addition to expediting replacement of third parties if needed, these backup plans can improve a firm’s ability to seize opportunities quickly—such as launching new services with existing third parties.

Enhance shareholder value

In the end, the right framework can help improve the bottom line in a number of ways, including reduction in compliance-related penalties, fewer service disruptions, less intense regulatory scrutiny, a smaller number of third parties, higher customer confidence, and more appropriately trained and placed resources.

Figure 5: What is the estimated value of benefits received? Up to $1m: 27%; $1m-$5m: 13%; $5m-$10m+: 6%. 19% of respondents have experienced benefits greater than $1 million.

Source: PwC, “2014 Third Party Risk Management Survey,” December 2014.


Financial institutions can expect plenty of obstacles when building a strong TPRM program. We’ve identified key success factors that can help overcome these challenges.

Obstacles we’ve observed, and approaches for overcoming challenges

Obstacle: Difficulty getting business buy-in. Any change can encounter resistance from stakeholders, particularly if the process is not smooth.

Approaches:

• Ensure visible executive sponsorship and strong leadership at a functional and program level. Make effective use of business unit leaders as “change agents” to drive adoption.

• Collaborate with all functional and operating group stakeholders to improve transparency into the process. A designated liaison can help build relationships, increase awareness, and integrate third party risk management practices into day-to-day business processes.

• Keep the TPRM program simple by leveraging existing processes, prioritizing the most critical TPRM objectives, automating where possible, and avoiding creation of special third party categories. This supports ease of use and encourages adoption. Once a strong foundation is in place, firms can evolve the program to support more sophisticated needs.

Obstacle: Defining the scope and focus of the TPRM program. It is not always clear which third parties and partners a program should include, or which should take priority.

Approaches:

• Cast a wide net when deciding what types of third parties and relationships should be in-scope. For some financial institutions, regulatory guiding principles mandate inclusion of correspondent banks or indirect lending partners (such as auto or consumer finance companies).

• Adopt third party stratification to save costs, minimize operational impact, and define where to place resources.


Obstacle: Overstretched operational resources. Many financial institutions have pared costs in back office and other operations, making it difficult to monitor compliance with TPRM requirements.

Approaches:

• Focus on having the third parties do as much of the “heavy lifting” as possible to comply with TPRM policies. Shifting responsibility for administrative activities, such as completing questionnaires and maintaining current insurance certificates, can reduce the burden on the institution.

• Use automated workflow technology and other strategic IT solutions to link third party information across functions such as procurement, accounts payable, finance, risk, and legal. IT solutions can also serve as a repository for third party documentation, route notifications and approvals, centralize tracking of issues, and enable dashboard reporting.

Obstacle: Inconsistent understanding of third party risks. Not all parts of a financial firm will have an equal grasp of the issues involved in third party risk management. And unless they receive guidance, different departments will develop their own approaches.

Approaches:

• Agree upon a common set of terms and definitions; this helps create a consistent method for defining, managing, and measuring third party risks.

• Focus on delivering consistent messages through both top-down and bottom-up communications (such as success stories and feedback) across business units, enterprise functions, and the board of directors.

• Use multiple channels to provide information updates to program stakeholders. For example, a centralized website can host commonly requested tools and templates, while monthly newsletters can alert staff to updates.


Without a consistent and comprehensive TPRM framework, firms risk reputational damage, incomplete monitoring efforts, and increased program costs.

Operational and reputational damage

Failure to implement the right third party risk management program may hamper a financial institution in many ways. The most worrying, of course, is the potential damage that a third party’s non-compliance, mishandling of sensitive information, and operational missteps can cause to a firm’s customers, business, reputation, and bottom line. The consequences can include impaired customer service and loss of market share, as well as regulatory fines and penalties. Without a good TPRM program, situations like these become more likely.

Incomplete monitoring efforts

Without a comprehensive inventory of third parties and the products and services they provide, a firm may be exposed to risks it may not even be aware of—either directly through undocumented third party relationships, or indirectly through undocumented relationships that third parties may have with their subcontractors.

Unsustainable TPRM program costs

The lack of a proper framework means that a firm will probably spend more time and resources on managing third party risk than it needs to. Without processes such as stratification to identify priorities, costs may become unmanageable for an effort that is largely ineffective.

Institutions can no longer rely on an ad hoc approach to keep track of all their third party relationships and assume that all will end well.

In today’s rapidly changing financial landscape, it may be hard for financial institutions to avoid using third party partners to provide ever-more sophisticated services to customers.

A robust TPRM program can help a financial institution fulfil its obligations to customers, company stakeholders, shareholders, and regulators. In the long run, we believe a strong program has the potential to drive down risks to levels equal to or lower than those for performing the functions in-house.


Competitive intelligence

Our observations of industry practices.


Current third party risk management infrastructure varies considerably among financial institutions. While some are on the forefront of leading practice, others lag behind and need to do considerable catch-up work.


Area of focus, compared across Financial Institution A (Leading), Financial Institution B (On par), and Financial Institution C (Lagging).

Governance: Third party risk management framework

Financial Institution A (Leading):

• The firm maintains a central third party risk management (TPRM) office, which monitors and oversees each program function and stakeholder group.

• The lines of business (LoB) oversee critical third parties within each business. Risk managers have been assigned for significant relationships.

• Structured groups within the LoB oversee performance of TPRM testing.

• The TPRM program aligns with the operational risk program.

Financial Institution B (On par):

• The institution has LoB governance over critical third parties specific to each business. Risk managers have been assigned for significant relationships.

• A central TPRM office oversees this process with the assistance of distributed risk operation functions across the enterprise.

Financial Institution C (Lagging):

• TPRM program oversight is informal. The firm has limited or no governance over critical third parties, and may or may not assign third party risk managers for significant relationships.

Processes and tools: Inventory of third parties

Financial Institution A (Leading):

• The firm develops a comprehensive list of third party services through data analysis of accounts payable, contract, and risk-related information. It reviews third party source systems and amends the list to reflect accurate and complete information based on data analysis and business validation.

• It maintains data quality through a third party risk management system.

Financial Institution B (On par):

• The firm maintains a list of third parties that receive sensitive internal or customer information, as well as those with the largest contracts. It does not conduct any procedures to determine whether or not the list is complete.

Financial Institution C (Lagging):

• The firm focuses its assessments on those third parties with the largest contracts. However, it does nothing to determine whether the list is complete or that it includes smaller third parties that have access to sensitive data.

Processes and tools: Due diligence assessments

Financial Institution A (Leading):

• The firm conducts and documents due diligence assessments for significant third party relationships prior to onboarding new service providers. Assessments typically include country, financial, and reputational risk, business continuity planning (BCP) and disaster recovery (DR) arrangements, information security, privacy, technology, legal, and compliance analysis.

Financial Institution B (On par):

• The firm conducts and documents due diligence assessments for significant third party relationships prior to onboarding new service providers. This assessment consistently includes financial, reputational, BCP/DR, and security analysis, but no other type of analysis.

Financial Institution C (Lagging):

• The firm may conduct an assessment for some new third parties (or rely on a third party self-assessment) prior to onboarding new service providers. These assessments may cover financial and security analysis.


Processes and

tools:

Monitoring

• The firm monitors third parties using adefined, documented, and technology-supported approach that includesmonitoring plans, scorecards,assessments, and quality assurancereviews.

• The firm monitors third parties using adefined, documented, and technology-supported approach that includesperformance management and ongoingdue diligence assessments.

• The firm monitors third parties only on anad hoc basis. The monitoring may beperformed sporadically, but consistentlyincludes risk management, ongoing duediligence assessments, and issuestracking.

Processes and tools: Central issues and complaints database

• Leading (Financial Institution A): The firm maintains a centralized repository for third party issues, remediation actions, assessment results, contracts, scorecards, and results from surveillance.

• Leading (Financial Institution A): The firm leverages a standard approach for issues and complaints management, including escalation and exception management processes.

• On par (Financial Institution B): The firm maintains a centralized repository for third party issues, assessment results, and contracts.

• Lagging (Financial Institution C): The firm maintains several repositories in various business silos that only partially cover issues, remediation plans, assessment results, contracts, and scorecards.

Enablers: Central TPRM technology solution

• Leading (Financial Institution A): The firm has a central enterprise system that supports third party uploads; performs some automated due diligence; creates dashboards, scorecards, and other reporting; and includes two-way links to enterprise systems of record.

• On par (Financial Institution B): The firm has a central enterprise system that performs contract management, initial due diligence and some reporting, and has a one-way link to enterprise systems of record.

• Lagging (Financial Institution C): The firm has several technology solutions and systems that may cover due diligence, some reporting, and include informal manual links to enterprise systems of record.

Enablers: Third party legal and regulatory change process

• Leading (Financial Institution A): As part of its regulatory change process, the institution collaborates with its third party providers to modify activities, controls, and approaches, as needed, to remain in compliance with legal and regulatory changes.

• On par (Financial Institution B): The firm has no system for determining whether third parties are adapting to changes in regulations.

• Lagging (Financial Institution C): The firm has no system for determining whether third parties are adapting to changes in regulations.

Page 17: Significant others: How financial firms can manage third party risks

A framework for response

Our recommended approach to the issue.

Page 18: Significant others: How financial firms can manage third party risks


Effective third party risk management (TPRM) requires the integration of multiple components.

We believe that to be successful, a TPRM program needs the right governance, the right processes and tools, and the right enablers in place.

• Governance incorporates guiding principles from senior management and regulatory guidance from federal authorities that help define a common approach to due diligence and risk management. It also assigns responsibilities for key TPRM activities.

• Processes and tools include the key functions that a TPRM program carries out to manage third party risk, and the mechanisms it uses to effectively perform those functions.

• Enablers such as technology help you run the TPRM program efficiently. Other examples such as change management, training, and communication help you gain the buy-in and support you need to meet the TPRM program’s goals.

All of these components fall within the overall third party lifecycle from planning through due diligence, contract negotiation, ongoing monitoring, and termination. However, they do not have a one-to-one relationship with these phases. Governance, for example, is an important part of planning, but also part of contract negotiation and ongoing monitoring.

TPRM lifecycle (figure): Planning; Due diligence; Contract negotiation; Ongoing monitoring; Termination

Governance

• Policy and procedures

• Management, oversight, and organization

• Alignment with operational risk

• Operating model

• Program management

Process and tools

• Inventory

• Risk stratification

• Risk assessment execution

• Issues management

• Complaints management

• Reporting, metrics, and scorecards

Enablers

• Change management

• Training and communications

• Technology

Page 19: Significant others: How financial firms can manage third party risks


Governance

TPRM governance helps you provide overall direction for the program’s operating model and policies and procedures for day-to-day functioning. The model should lay out program management and organization, assigning specific roles and responsibilities.

In addition, the governance approach should consider how TPRM activities integrate with your other risk management functions—particularly the three lines of defense (business units; risk, compliance and legal; internal audit)—to promote consistency and quality in program activities.


Figure 6: Illustrative governance model

Page 20: Significant others: How financial firms can manage third party risks


Processes and tools

A successful TPRM program includes a number of processes and tools for managing and monitoring third parties throughout the five phases of each third party’s lifecycle. In our experience, it’s crucial for these processes and tools to include a third party inventory, risk stratification, risk assessment, issues management, reporting, metrics, and scorecards.

Inventory and risk stratification

Risk stratification focuses resources on the third party relationships that matter most, limiting unnecessary work for lower-risk relationships (see Figure 7). The first step is to create a thorough inventory of all third parties and the services they provide. It’s important to have adequate checks and balances to verify the list is complete—for example, through periodic comparisons to the procurement and accounts payable systems.

Once the inventory has been established, filter the list based on the nature and complexity of the products or services provided, including factors such as criticality, data sensitivity, concentration risk, and the number of business units involved. Keep in mind that some third parties may provide a range of services, with varying degrees of risk, to different business units.

In addition, stratification analysis should consider concentration risk. For example, too many third parties clustered in one geographical area could intensify business continuity risk, or a firm might rely heavily on too few third parties.


Figure 7: Tailor due diligence and monitoring processes based on the levels of inherent and residual risk.

Use stratification criteria to prioritize higher-risk relationships based on inherent risk.

Third parties with weak control environments will require more due diligence and monitoring, while those with stronger environments will require less.

Tailor risk assessment and monitoring activities based on the control environment and residual risk.
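As an added example (not code from the PwC paper), the stratification steps above in Python: reconcile the inventory against an accounts payable extract, score inherent risk from criticality, data sensitivity, and business units served, adjust for the control environment to obtain residual risk, derive an assessment cadence, and flag geographic concentration among critical services. The vendor records, the AP extract, the scoring weights, the tier thresholds, and the 40% concentration threshold are all constructed assumptions.

```python
"""Inventory reconciliation and risk stratification for third parties.

Added illustration, not PwC's code or tooling. The vendor records,
the accounts payable extract, the scoring weights and the tier
thresholds are constructed for the example.
"""
import re
from collections import Counter
from dataclasses import dataclass

TIERS = ("low", "medium", "high")
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "plc"}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    service: str
    critical: bool         # supports a critical business process
    data_sensitivity: int  # 0 = none .. 3 = customer / confidential data
    business_units: int    # number of business units served
    country: str           # delivery location, used for concentration risk
    control_strength: int  # 1 = weak, 2 = adequate, 3 = strong (from due diligence)


# Constructed TPRM inventory.
INVENTORY = [
    ThirdParty("Acme Cloud Hosting", "hosting", True, 3, 4, "US", 3),
    ThirdParty("Beta Payroll", "payroll", False, 3, 1, "US", 2),
    ThirdParty("Gamma Call Center", "customer support", True, 3, 2, "PH", 1),
    ThirdParty("Delta Catering", "catering", False, 0, 1, "US", 2),
    ThirdParty("Epsilon Analytics", "data analytics", True, 2, 3, "PH", 2),
    ThirdParty("Zeta Print", "statement printing", False, 3, 1, "PH", 1),
]

# Constructed accounts payable vendor extract, with its own naming conventions.
AP_VENDORS = {"ACME CLOUD HOSTING INC", "Beta Payroll, LLC", "Gamma Call Center",
              "Delta Catering Co.", "Epsilon Analytics Ltd.", "Zeta Print",
              "Eta Staffing LLC"}


def normalize_name(name: str) -> str:
    """Canonical vendor name so the TPRM and AP systems can be compared."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def inventory_gaps(inventory, ap_vendors):
    """Vendors that are being paid but are absent from the TPRM inventory."""
    known = {normalize_name(tp.name) for tp in inventory}
    return sorted(v for v in ap_vendors if normalize_name(v) not in known)


def inherent_score(tp: ThirdParty) -> int:
    """Constructed weighting of the stratification factors (range 0..10)."""
    return (4 if tp.critical else 0) + tp.data_sensitivity + min(tp.business_units, 3)


def inherent_tier(tp: ThirdParty) -> str:
    score = inherent_score(tp)
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def residual_tier(tp: ThirdParty) -> str:
    """Strong controls step the tier down one level; weak controls step it up."""
    i = TIERS.index(inherent_tier(tp))
    if tp.control_strength == 3:
        i = max(0, i - 1)
    elif tp.control_strength == 1:
        i = min(len(TIERS) - 1, i + 1)
    return TIERS[i]


# On-site assessments per year by residual tier (twice a year for the riskiest).
ASSESSMENTS_PER_YEAR = {"high": 2, "medium": 1, "low": 0}


def assessment_plan(inventory):
    """Per third party: inherent tier, residual tier and assessment cadence."""
    return {tp.name: {"inherent": inherent_tier(tp), "residual": residual_tier(tp),
                      "assessments_per_year": ASSESSMENTS_PER_YEAR[residual_tier(tp)]}
            for tp in inventory}


def concentration_flags(inventory, max_share=0.4):
    """Countries delivering more than max_share of the critical services."""
    critical = [tp for tp in inventory if tp.critical]
    if not critical:
        return {}
    counts = Counter(tp.country for tp in critical)
    return {c: n for c, n in counts.items() if n / len(critical) > max_share}
```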

Page 21: Significant others: How financial firms can manage third party risks


Processes and tools: Risk assessment execution

Once a firm has identified third parties performing high-risk services, the next step is to perform due diligence assessments for each of those third parties. The results of these assessments help establish the appropriate level and frequency for monitoring and oversight for each third party.

Firms should execute risk assessments at two stages during the third party’s lifecycle:

• During the due diligence process.

• Periodically after on-boarding to verify that a third party continues to meet the firm’s needs.

In both of these stages, avoid using a “one-size-fits-all” approach when performing the risk assessment. Only those controls that apply to the services a third party provides require assessment.

The depth and frequency of the follow-up assessments will depend on the results of the stratification analysis. You might decide that the most inherently risky third parties will require an on-site audit twice a year, for example. Use of offshore and onshore delivery models can also standardize assessments, extend geographical reach, and reduce assessment costs.

Issues management

How an organization identifies, reports, and resolves issues is another critical component for a TPRM program. We suggest that you use a central third party issues repository with standardized processes for identifying, categorizing, remediating, and reporting issues. The repository should include issues identified not only through the TPRM program’s risk assessments, but also through other sources such as internal audit and regulators.

For third parties that interact directly with customers, maintain consistent procedures for managing customer complaints. For example, third parties should have standardized protocols for identifying, classifying, escalating, and reporting customer complaints. Complaints that reach a certain severity should also be included in your customer complaint repository.

Third party relationship managers, risk managers, subject matter specialists (such as from legal or compliance), and third party representatives should collaborate to appropriately remediate all issues.

Examples of third party due diligence assessments:

• Reputational

• Operational competency

• Subcontractor

• Technology

• Financial

• Business continuity and resiliency

• Country risk

• Human resource risk

• Concentration risk

• Physical security

• Information security and privacy

• Compliance

Leading financial institutions are using social listening tools, offshore delivery models, and other methods to improve the accuracy and scope of their risk assessments.


Page 22: Significant others: How financial firms can manage third party risks


Processes and tools: Reporting, metrics, and scorecards

Reporting, scorecards and metrics—particularly key risk indicators and key performance indicators—are vital tools in managing both third party performance and the health of the TPRM program itself. Reporting should address the needs of your TPRM office, management, and business units (see Figure 8).

Third party metrics measure the performance of individual third parties in such areas as:

• Quality—low defects, compliance with standards.

• Customer support—effective communication, complaint management.

• Service and delivery—on-time delivery, flexibility.

• Human capital—competent staff, ongoing training.

Management-level reporting may also provide insight into how third parties are performing as a group. This aggregate reporting highlights exceptions (for example, service providers that provide similar services to others but are more costly) and trends over time (for example, whether customer complaints fall after implementation of new customer handling protocols).

TPRM program metrics measure such internal program-related progress and issues as:

• Number of third parties with access to sensitive information.

• Number of third parties supporting critical processes; percentage of critical activities performed by third parties.

• Number of issues by third party.

• Percentage of staff trained in third party risk management processes.

• Remediation plans by status.

Sample measurement activities for risk appetite metrics:

• Percent of critical activities performed by third parties

• Number of suppliers of critical activities that are in distress

Figure 8: Reporting should address the needs of the TPRM office, management, and business units (TPRM scorecards for management; program dashboards for the TPRM office; operational third party reports for business units).


Page 23: Significant others: How financial firms can manage third party risks


Enablers

As with any major undertaking, having the right support structures in place will help you implement the TPRM program and keep it current with business needs. In our view, all TPRM programs should provide for three enablers: change management, training and communications, and technology.

Change management

A sound change management plan provides the right level of structure and discipline to manage the complex relationships and dependencies in a TPRM program (see Figure 9). It engages the right leaders and stakeholders from the start, soliciting their input to develop guiding principles for the TPRM program. It gives them a voice in planning the program rollout so that competing priorities can be reconciled and aligned. Lastly, it identifies the process changes and deliverables needed to foster accountability and deliver business benefits.

Training and communications

Start your TPRM training and communications program by evaluating who the stakeholders are, how they will be impacted by the TPRM program, and the level of support they will need to understand and implement new requirements. By tailoring the approach and scope of training (both materials and delivery) based on location, roles, and existing training strategy, you can improve adoption by integrating the program with day-to-day activities of employees.

Measuring training effectiveness also helps organizations find out if employees are adapting well to changes. If they’re not, measurement data will give the firm valuable feedback in adapting the program.

Figure 9: Training and communications should be linked to the broader change management program.

Change management program

• Engage stakeholders from the beginning to develop guiding principles for the TPRM program.

• Design processes to ease the transition.

• Acknowledge issues and adapt program as needed.

Training & communications

• Communicate with agents to build commitment.

• Provide training that is simple, short, and relevant.

• Build feedback loops to identify areas for improvement and share success stories.


Page 24: Significant others: How financial firms can manage third party risks


Enablers: Technology

Technology is a core enabler at every stage of a TPRM program. It is key to supporting and even completely automating workflows of all kinds, including third party risk assessments, analyzing and collating risk data, reporting, and issues management. Some programs adopt self-service portals that third parties can use for reporting, documentation, and completion of required surveys.

In general, it’s important to consider your third party risk management objectives and adopt the right technology to support those objectives. When designing TPRM processes, make sure they are flexible enough to work with whatever technology platform you ultimately select.


TPRM technology leading practices

• Appropriate consideration and prioritization of business, functional, and technical requirements (see Figure 10).

• Accurate and complete organizational record of third party relationships across the organization, including the employees responsible for managing them. This helps facilitate transitions as employees change roles or leave the company.

• Comprehensive contracts management system and third party master data repository.

• Consistent taxonomies for service categories and entity naming conventions between TPRM, contracting, and accounts payable systems. Interfaces between these systems help ensure that the inventory of third parties is comprehensive and up-to-date.

• Issues, complaints, and incidents repositories to track third party related items.

Figure 10: Business, functional, and technical requirements should be adequately considered.

Page 25: Significant others: How financial firms can manage third party risks

Appendix

Select qualifications.

Page 26: Significant others: How financial firms can manage third party risks


PwC offers a range of services across the third party risk management life cycle tailored to clients’ needs.


Sample services

Program diagnostic: We perform a high-level assessment of your firm’s current TPRM function against leading practices, identifying gaps and potential needs.

Transformational roadmap: We perform an in-depth analysis, collaborating with key stakeholders to develop a new TPRM program design that fits your business and risk management goals. We also build a roadmap that identifies the key steps, anticipated level of effort, costs, and timing for getting there.

TPRM office implementation: We assist in both building and implementing a new TPRM office, including the operating model, governance and structure, policies and procedures, processes and controls, and reporting framework.

Technology enablement: We help firms assess their TPRM technology needs and identify business and technical requirements. We also support firms during the vendor selection and implementation phases, and help integrate processes into new or existing technology platforms.

Third party stratification: We help firms build a thorough inventory of their third parties and the services they provide. This includes assessing risk, determining a risk score for outsourced third parties and services, and developing a strategy to respond to that risk.

Third party assessments: Using our global network of firms and service delivery centers, we assist with on-site or remote assessment of third parties and their risk and control environments. We also help develop self-assessments for use by third parties.

Third party monitoring: Using our global network of firms and service delivery centers, we assist with on-site and remote monitoring activities (for example, data mining and analytics, monitoring external sources, and performing data aggregation and exception reporting) to support each of the three lines of defense within an organization.

Program management office (PMO): We provide TPRM program support to firms interested in outsourcing or co-sourcing their programs. This includes, but is not limited to, project planning, execution, and reporting.

Page 27: Significant others: How financial firms can manage third party risks


Appendix—selected qualifications

Project and client: Integration of a new TPRM approach—Global financial services provider

Issues: This global financial services firm needed to upgrade its third party risk management program after a regulatory review identified numerous areas requiring attention. The firm also needed to better integrate its standalone TPRM program with the rest of its operational risk management infrastructure, including the information security, business continuity, legal, and contracting functions.

Approach: PwC helped the client assess its existing TPRM program and identify and design several enhancements, including:

• Third party service stratification and risk ranking.

• Questionnaires, standards, and training.

• Issues capture, monitoring, escalation, and exception tracking tools and processes.

• Service level agreements for third parties working with particular business lines.

• Reporting metrics and key risk indicators, management, and oversight processes.

PwC helped the client to better link the TPRM program with other operational risk assessment functions, including business continuity, information security, legal, and contracting.

Benefits: The client benefited from the engagement in several respects. These benefits included:

• A substantial reduction in the time and effort needed to manage a much smaller number of significant third party relationships, which decreased from more than 35,000 to less than 500.

• A more thorough understanding of its third parties.

• An improved methodology for identifying and monitoring high-risk third parties and services.

Project and client: Creation of a third party compliance program to augment existing TPRM programs—Global financial services firm

Issues: In response to increased regulatory requirements, the client, a global financial services firm, established new standards for compliance management of third party service providers. The client needed help with:

• Comparing the program with those of other large, complex banking organizations.

• Implementing the newly developed process and procedures.

• Developing a staffing model for managing the program.

• Estimating costs for supplemental staff to perform the compliance function’s third party, on-site visits.

Approach: PwC worked with the client to meet the newly established compliance standards. We helped develop appropriate guidance and procedures, and enhance existing tools to:

• Identify relevant regulations based on the products or services provided by third parties.

• Assess and document the third party’s control environment.

• Determine the appropriate nature and frequency of ongoing monitoring activities.

In addition, PwC helped the client develop a staffing model by reviewing roles and responsibilities and helping to align them with standard industry practices.

Finally, PwC collaborated with the client to develop a model for estimating costs for third party, on-site visits.

Benefits: The client benefited from the engagement in several respects. These benefits included:

• A more thorough understanding of the compliance and control environment at third party service providers.

• More efficient and thorough compliance monitoring of third parties with potential cost reduction.

• Improved compliance staffing model consistent with industry leading practices.

Page 28: Significant others: How financial firms can manage third party risks

© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

“Significant others: How financial firms can manage third party risks,” PwC FS Viewpoint, May 2015. www.pwc.com/fsi.

www.pwc.com/fsi

To have a deeper conversation, please contact:

Richard Altham, [email protected], +1 617 530 7188

TR Kane, [email protected], +1 216 875 3038

Jeff Trent, [email protected], +1 646 471 7343

Darin Wettengel, [email protected], +1 704 350 7923

Andy Toner, [email protected], +1 646 471 8327

Jason Chan, [email protected], +1 214 754 5142

Garit Gemeinhardt, [email protected], +1 704 344 7757

Dean Spitzer, [email protected], +1 646 313 3606

About our Financial Services practice

PwC’s people come together with one purpose: to build trust in society and solve important problems.

PwC serves multinational financial institutions across banking and capital markets, insurance, asset management, hedge funds, private equity, payments, and financial technology. As a result, PwC has the extensive experience needed to advise on the portfolio of business issues that affect the industry, and we apply that knowledge to our clients’ individual circumstances. We help address business issues from client impact to product design, and from go-to-market strategy to human capital, across all dimensions of the organization.

PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms in 157 countries with more than 184,000 people. We’re committed to delivering quality in assurance, tax, and advisory services.

Gain customized access to our insights by downloading our thought leadership app: PwC’s 365™ Advancing business thinking every day.

Follow us on Twitter @PwC_US_FinSrvcs

A publication of PwC’s Financial Services Institute

Marie Carr

Principal

Cathryn Marsh

Director

Emily Dunn

Senior Manager

Kristen Grigorescu

Senior Manager