2015 LOMA Conference - Third party risk management - Session 20
Marc S Sokol
Brian C Loutrel
Steve Attias 030915
"A person may cause evil to others not only by his actions but by his inaction, and in either case he is justly accountable to them for the injury." — John Stuart Mill (On Liberty)
"Sometimes doing your best is not good enough. Sometimes you must do what is required." — Winston S. Churchill
"One ought never to turn one's back on a threatened danger and try to run away from it. If you do that, you will double the danger. But if you meet it promptly and without flinching, you will reduce the danger by half." — Winston S. Churchill
"Remember teamwork begins by building trust. And the only way to do that is to overcome our need for invulnerability." — Patrick Lencioni
"If you take out the team in teamwork, it's just work. Now who wants that?" — Matthew Woodring Stover
IMPLEMENTING AN EFFECTIVE THIRD PARTY RISK MANAGEMENT PROGRAM
Diverse and Dynamic Environmental Challenges
• Low interest rate yields
• Turmoil in Europe
• Stagnant U.S. economy
• Growing tax burden
• Volatility in certain investment markets
• Growing threat of terrorism by ideological extremists
• Stronger regulatory intervention
• Increased scrutiny by rating agencies
• Increasing velocity, breadth, and capability of cyber-attacks – a single micro agent from anywhere in the world can have a macro impact to any company/sector – it's not a matter of if, but a matter of when
• Natural disasters concurrently affect multiple geographical regions and
• Phase Two: Evaluate key controls and safeguards effectiveness
• Phase Three: Determine residual risk and evaluate the gap with risk appetite
• Perform for 12 key categories of risk (derived from OCC 2013-29):
• Financial Condition
• Insurance Coverage
• Legal and Regulatory Compliance
• Conflicting Contractual Arrangements with other parties
• Human Resource Management
• Screening, Qualifications, and Segregation of Duties
• Reliance on Sub-Contractors
• Risk Management
• Resilience/Continuity of Operations
• Security/Privacy (Identify, Protect, Detect)
• Incident Response, Management, and Reporting
• Management of IT/Architecture
Inherent Risk → Key Controls and Safeguards → Residual Risk vs. Risk Appetite
Optimized Due Diligence Tools
Multi-Dimensional Risk Review Team / Due Diligence Questionnaire

Risk Areas                                Categories   Questions
Finance                                   2            12
Legal/Compliance                          2            11
Human Resources                           1            5
Security & Risk Management                6            74 (105 if SaaS)
Information Technology & Architecture     1            19 (21 if SaaS)
TOTALS                                    12           121 (154 if SaaS)
Approach To Assessing Third Parties Should be Risk Based…

Impact tiers (potential financial impact at Profit Center and/or Corporation):
• Critical (>$10M): Inability to continue business operations, substantial harm to company's reputation, downgrade of rating, material errors in financial reporting, possible closure of business by regulatory bodies, and/or material financial losses or fines
• Significant ($5M - $10M): Substantial degradation in business operations, notable harm to reputation and brand, threat of ratings downgrade, financial reporting errors, significant regulatory sanctions, and/or financial losses
• Moderate ($1M - $5M): Degraded business operations, limited harm to reputation and brand, financial reporting errors, moderate regulatory sanctions, fines and/or financial losses
• Low (<$1M): Minimal impact to business operations, no material effect on reputation or brand, minor financial reporting errors (e.g., less than), fines, or financial losses

Assessment effort scales with the tier: Full Risk Assessment & Monitoring at the higher-impact tiers, Standard Contract Terms w/ Annual Attestations at the lower-impact tiers. The full assessment covers the 12 key categories:
• Financial Condition
• Insurance Coverage
• Legal and Regulatory Compliance
• Conflicting Contractual Arrangements
• Human Resource Management
• Screening, Qualifications, and Segregation of Duties
• Reliance on Sub-Contractors
• Risk Management
• Resilience/Continuity of Operations
• Security/Privacy (Identify, Protect, Detect)
• Incident Response, Management, and Reporting
• Management of IT/Architecture
Communicating Results using the STAR Method
• Situation: Present opportunities across the multidimensional view, prioritized in terms of the gap between residual risk consequence(s) and business-defined risk appetite
• Task: What can be done to overcome any material gaps and better align with the defined risk appetite (mitigation, acceptance*, show stopper)
• Action: Based on the task chosen, what action steps (including accountability/responsibility) must be assured
• Results: Pre/post contract monitoring: Did you achieve objectives and alignment with risk appetite? Is the level of residual risk being sustained through monitoring? Is there Risk Acceptance Concentration?

* It is ESSENTIAL for the business owner of the third party relationship to understand that, by accepting the risk, they are taking responsibility for that loss or impact, should it materialize.
What Are the Critical Steps For an Effective 3rd Party Management System?
• Identify > Measure > Analyze
• Know your assets!!!
  • Can you identify "all" your vendor relationships?
  • Follow the money!
  • Survey
• Multiple risk constituencies must be involved – work together, not in silos
  • Legal
  • Procurement
  • Security
  • Business Resiliency
  • Enterprise Risk
  • Lines of Business
• Make decisions on what to review risk-based
  • Data Toxicity
  • Data Volume
  • Geographic/Geopolitical issues
  • Criticality to business operations
• Ongoing management (compliance to contracts)
What About the “Cloud”?
• Well, what about it?
• Lots of security and privacy hysteria!
• We think of it as another form of outsourcing
• Due diligence is very similar
• The catch: Contracting!!
• T&C’s aren’t always negotiable (Microsoft)
• Right to Audit – can be difficult – and you can understand why
• Looking for more certification from reputable 3rd parties (ex: CSA)