TPRM - POV Presentation Final v2
- 2. Agenda Executive Summary Approach Risk Management Lifecycle Roles and Responsibilities Methodology Demonstration Solution 2THIRD PARTY RISK MANAGEMENT
- 3. Executive Summary Ernst Bank lacks third party risk management program Classify vendors using methodology Introduce risk scale Custom risk assessment tool Implement program Solution 3THIRD PARTY RISK MANAGEMENT
- 4. Risk Management Program Purpose Federal regulation requirement Ensure third parties’ accountability 4THIRD PARTY RISK MANAGEMENT
- 5. Contracted net asset values System glitch prevented BNY Mellon’s investors from getting their valuations Outsourced mortgage from PHH Corporation Failure to Assess Third Party Risk 5THIRD PARTY RISK MANAGEMENT
- 6. Approach 6THIRD PARTY RISK MANAGEMENT
- 7. Methodology Introduce risk rating scale Apply methodology & questionnaire Establish assessment workflow & roles and responsibilities 7THIRD PARTY RISK MANAGEMENT
- 8. Prioritization of Vendors Vendor criticality Proposed methodology 8THIRD PARTY RISK MANAGEMENT
- 9. Critical Vendors Determine criticality of vendor Reviewed by board if vendor is critical Establish governance Relationship approval 9THIRD PARTY RISK MANAGEMENT
- 10. 5 – High 4 – Moderate High 3 – Moderate 2 – Moderate Low 1 – Low Semiannual onsite review and completion of questionnaire Semiannual review of inherent risk Annual review of inherent risk Annual completion of questionnaire Annual onsite review and completion of questionnaire Categorization of Vendors by Inherent Risk 10THIRD PARTY RISK MANAGEMENT
- 11. Formally Documented Program Avoid fines for regulatory non-compliance Risk methodology 11THIRD PARTY RISK MANAGEMENT
- 12. Risk Management Lifecycle Planning Due-Diligence and Third Party Selection Contract Negotiation Ongoing Monitoring Termination Oversight and accountability 12THIRD PARTY RISK MANAGEMENT
- 13. Planning Determine business needs Make business decision 13THIRD PARTY RISK MANAGEMENT
- 14. Due Diligence and Third Party Selection Review potential third party Understand third party’s strategy and possible risk Choose third party using risk assessment tool 14THIRD PARTY RISK MANAGEMENT
- 15. Contract Negotiation Create contract that defines the third party’s responsibilities Establish KPIs and third party monitoring practices Mitigate disputes about vendors’ performance Implement an exit strategy Limit Ernst Bank’s liability 15THIRD PARTY RISK MANAGEMENT
- 16. Ongoing Monitoring Monitor vendor after contract has been finalized Analyze performance Consistently evaluate criticality of third party’s functions Provide visibility to senior management Perform reviews 16THIRD PARTY RISK MANAGEMENT
- 17. Termination Contract should address terminating relationship Incorporate back-up plan in case of termination Transition functions to another vendor, bring in-house, or discontinue 17THIRD PARTY RISK MANAGEMENT
- 18. Governance OCC requirement for financial institutions Third Party Governance Committee within Ernst Bank Critical Vendors and Critical Relationships The Risk Management Committee 18THIRD PARTY RISK MANAGEMENT
- 19. Roles Responsibilities Risk Analyst Identifies and evaluates risk of relationship with vendor using questionnaire Relationship Manager Manages relationship and is responsible for risk Business Line Sr. Management Manages relationship and is accountable for risk Risk Management Committee Reviews, approves and owns risk management program and oversees critical relationships Internal Audit Evaluates program effectiveness Roles and Responsibilities Workflow Diagram 19THIRD PARTY RISK MANAGEMENT
- 20. Risk Assessment Process Relationship manager evaluates inherent risk Vendor completes questionnaire Risk analyst interprets response and identifies findings Relationship manager monitors and treats findings 20 0 THIRD PARTY RISK MANAGEMENT
- 21. vs. Inherent vs. Control Inherent Risk Control Environment 21THIRD PARTY RISK MANAGEMENT
- 22. Residual Risk = Inherent Risk Control Environment Residual Risk - 22THIRD PARTY RISK MANAGEMENT
- 23. Risk Assessment Tool 23THIRD PARTY RISK MANAGEMENT
- 24. Control Risk Category Description Example Access Control Controlling who has access to specific company information Is a formal logical access policy in place to manage access requests, changes, and terminations? Application and Development Security Using software, hardware, and procedural methods to protect applications from external threats Is the vendor working with a third party to develop the application? Asset Management Managing hardware, software, and client data Is an asset management program in place? Business Continuity and Disaster Recovery Continuing to operate in the event of a disaster In the event of a failure at the main facility, how long will it take the vendor to recover? Risk Assessment Tool - Domains 24THIRD PARTY RISK MANAGEMENT
- 25. Control Risk Category Description Example Human Resources Security Protecting data by evaluating employees Does the vendor require background checks including education, criminal, and credit and drug scores on its employees? Incident Event and Communications Management Implementing procedures that are used during and after emergencies Does the organization have a formally documented incident management policy? Network Security Protecting data through technical control Is antivirus software required on all workstations and servers? Organizational Security Requiring internal policies in order to protect the organization Are formal contracts in place with all third parties? Risk Assessment Tool - Domains 25THIRD PARTY RISK MANAGEMENT
- 26. Control Risk Category Description Example Physical and Environmental Protecting company information onsite Are employee visitors documented and monitored while onsite? Privacy Protecting personal information Do employees have access to personal information? Risk Assessment Analyzing overall risk Does the organization regularly perform a risk assessment? Security Policy Protecting physical and informational data Is client data encrypted at rest and in transit? Risk Assessment Tool - Domains 26THIRD PARTY RISK MANAGEMENT
- 27. Third Party Risk and Control Assessment Questionnaire Inherent risk review Control review Calculate residual risk using tool Two main functions Calculate overall inherent risk Calculate the controls in place to mitigate risk Inherent risk scale: 1-5 Control risk scale: 3-0 Residual Risk = Inherent Risk - Control Environment Result will classify each vendor from 1-5, Low to High 27THIRD PARTY RISK MANAGEMENT
- 28. Demo 28THIRD PARTY RISK MANAGEMENT
- 29. THIRD PARTY RISK MANAGEMENT Demo 29
- 30. Phase I Phase II Phase III The Solution 30THIRD PARTY RISK MANAGEMENT
- 31. Phase I: Planning Create a third party risk assessment methodology Allows Ernst Bank to assess vendors to determine risk Identify issues that may arise between bank and vendor 31THIRD PARTY RISK MANAGEMENT
- 32. Phase II: Testing One-Some-Many Approach One: Vendor Risk Programs are tested on a single business line to see how it functions with business operations Some: Vendor Risk Programs are tested on multiple business lines to see how the system works across different functions Many: Vendor Risk Programs are used on majority of business lines after ensuring the usability Update program based on feedback 32THIRD PARTY RISK MANAGEMENT
- 33. Phase III: Implementation Implemented across all entities within organization Process execution 33THIRD PARTY RISK MANAGEMENT
- 34. 34 Questions? THIRD PARTY RISK MANAGEMENT