Managing third party risks and rewards
Internal Audit, Ethics & Compliance roundtable
Third Party Risk Management: How can companies effectively manage the risks of Third Party relationships?
April 22, 2014
www.pwc.com
PwC 2
With you today
Rob Stouder Director, Third Party Risk Management Midwest Region Leader
[email protected] (317) 940-7501
Agenda
What is Third Party Risk Management?
Why is it Important?
What we are seeing in organizations
Benefits of a Third Party Risk Management program
Insights and Lessons Learned
Q&A
What is Third Party Risk Management?
Third Party Risk Management Activities
Lifecycle (diagram): Vendor Evaluation & Selection → Contract Signing / Service Initiation → Vendor Service Contract → Service Termination
• Third Party risk profiling: Evaluate risk profile of third party based on company and nature of services to be provided.
• Due diligence assessments: Perform due diligence assessments based on the initial risk profile.
• Contract language and exception management: Support the management and tracking of exceptions to standard contract language and requirements.
• Ongoing risk profiling: Assess vendors’ risk profiles as their environments and the nature of their services change.
• Ongoing monitoring: Evaluate relevant controls, with the frequency of assessment based on the risk profile. Typically, these assessments include one or more of the following:
  - On-site assessment
  - Remote assessment
  - Self-assessment
• Contract Termination Management: Manage and track the vendor / service termination process to confirm that vendors meet the obligations in their contract and that all client data is removed per the vendor’s contractual obligations.
Program Oversight (supporting layers, diagram):
• Policies, Standards and Guidelines
• Training and Awareness
• Program Strategy, Governance and Roles & Responsibilities
• VRM Operational Processes
• Systems and Technology; Metrics and Reporting; Continuous Improvement
Foundations for an effective Third Party Risk Management program
Methodology
• Know your third parties/due diligence
• Standard operational risk methodologies and defined risk levels
• Standard controls effectiveness assessment methodology
• Escalation, exception, and exemption processes
• Customer complaint handling
Data & Information
• Linkages between contracting and payables/general ledger
• Comprehensive contracts management system and contract data
• Well defined and maintained third-party repositories (vendor master, etc.)
• Third party / vendor usage data
• Strong organizational and employee data for identifying third-party linkages across the organization
• Issues and incidents repositories to track third-party issues
• Recovery and resiliency – back-up of key/”critical” third parties
Governance
• Third party risk management office
• Operational risk governance body
• Critical Third party Oversight
Pop Quiz
Planning / Governance
• Do you have an inventory of Third Parties? Is it by service? Is it risk ranked?
• Do you have current contracts related to the service being provided?
• Are there standardized risk profiling methodologies with defined assessment frequencies and types in place?
Due Diligence and Third Party Selection
• Are due diligence assessments performed prior to contracting? Are they around privacy? Are they around security?
• Do you know which of your vendors have access to data?
• Do you know which subcontractors are used by your third parties, and what work they are performing for you?
Contract Negotiation
• Do contract clauses include the authority to audit the Third Party’s processes over the service provided?
• Are contracts for similar services consistent, and do they contain Service Level Agreements?
Ongoing Monitoring
• Do monitoring processes include both risk AND performance concerns?
Termination
• Do you have exit strategies in place for significant Third Party relationships?
Common TPRM risks
• Regulatory: The risk of an organization being out of compliance due to a third party’s failure to comply with laws/regulations.
• Service Delivery: The risk that a third party fails to meet your needs based on the delivery of their products/services.
• Exit Strategy: The risk that the organization will be unable to service its clients following the termination of, or exit from, a third-party relationship.
• Financial: The risk of financial loss to the organization due to the third party being unable to operate because of financial instability.
• Information Security and Privacy: The risk of unauthorized loss of data, or that the organization’s data security has been breached at your third party.
• Business Continuity and Resiliency: The risk that a third-party failure impairs the organization’s ability to serve its clients.
• Reputational: The risk and impact to the organization’s reputation based on services provided by your third party.
• Global Geographic Location: The political, geographic, regulatory, legal, and economic risks of outsourcing to a country or region.
Third-Party Risk Spectrum (diagram): Reputational; Service Delivery; Financial; Business Continuity and Resiliency; Global Geographic Location; Information Security and Privacy; Regulatory; Exit Strategy.
Audience Question: Governance
Do you have a formal Third Party Risk Management function at your organization?
Third Party Risk Management Program Structure (diagram)
Governance: Board of Directors; Enterprise Risk Committee; Third Party Management Office
Management & Oversight: Business Unit (Business Unit Sponsor; Third Party Risk Manager for High & Critical Risk Services; Sourcing, Contracts Management, Procurement)
Subject Matter Specialists: Legal & Compliance; Reputational Due Diligence; InfoSec; Financial Due Diligence; Bank Management; Privacy; BCM; PhySec; Technology
Third Parties, and their Subcontractors
Three lines of defense: First Line of Defense (the business unit and its management & oversight); Second Line of Defense (Operational Risk Oversight); Third Line of Defense (Internal Audit)
Third Party Risk Management roles and responsibilities impact each aspect of the three lines of defense model.
Why is Third Party Risk Management important?
Why is Third Party Risk Management relevant?
Based on the results of PwC’s 2013 Global State of Information Security Survey (GSISS), our clients continue to experience an increased number of third party related breaches and very few have programs in place which effectively manage vendor risk. Additionally, there is an increasing view by many regulators that “best efforts” around TPRM are not good enough.
[Bar chart, 2010, 2011 and 2012 series, by source of incident: Partner or supplier; Customer; Service providers/consultants/contractors. Values range from 8% to 17%.]
• 26% of respondents have an inventory of vendors who handle sensitive information
• 32% of respondents require vendors to comply with their policies
• 26% of respondents conduct compliance assessments of third parties who handle personal data of their customers and employees
Many of our clients do not have vendor risk management programs or the programs are very immature
The number of breaches resulting from vendors and other third parties is steadily increasing
What we are telling boards
Third-party compliance landscape
• A subcomponent of overall risk management
• Legal compliance is outside company’s direct control and has its own unique control environment
• The number of third party relationships is typically significant
• Companies can be held accountable for acts of agents, resellers, distributors, partners, suppliers, etc.
• Compliance aspects also include protection of intellectual property, environmental laws, labor laws, health and safety
Customer Churn
Research shows that companies experience customer turnover following a security breach, and some industries are more susceptible than others.
* Symantec and Ponemon Institute, “2013 Cost of Data Breach Study United States,” May 2013
[Chart: customer churn following a security breach, by industry: Public, Retail, Communications, Media, Hospitality, Technology, Industrial, Consumer, Transportation, Services, Pharmaceutical, Healthcare, Financial Services. Values range from 0.3% to 4.5%.]
Changing Regulatory Drivers Force Businesses to Focus on Third Party Risk Management
In the last 10-15 years, multiple new regulations in all industries have demanded increased focus on how organizations monitor third parties. To enable compliance, each organization should validate existing processes against current regulatory guidance through a gap analysis.
Timeline:
• August 1996: Health Insurance Portability and Accountability Act (HIPAA)
• July 2001: Gramm-Leach-Bliley Act (GLBA)
• November 2001: OCC Bulletin 2001-47, Oversight and Management of Third-Party Relationships
• May 2002: OCC Bulletin 2002-16, Foreign 3rd-Party Service Providers
• May 2007: H.F. 1758, MN Plastic Card Security Act
• February 2009: HITECH Act
• January 2010: NRS 603A, NV Data Security Law
• March 2010: 201 Mass. Code Regs. 17, MA Data Security Law
• July 2010: Wash. H.B. 1149, WA Data Security Law
• January 2011: PCI DSS v2.0, Payment Card Industry Data Security Standard
• March 2012: CFPB Bulletin 2012-03
• March 2013: CFPB Bulletin 2013-02
• June 2013: CFPB Bulletin 2013-06
• August 2013: PCI DSS v3.0, Payment Card Industry Data Security Standard
• October 2013: OCC Bulletin 2013-29
• December 2013: FRB SR 13-19
Comments organizations have shared with us regarding their Third Party Risk challenges
• “We were told by our vendor that their SOC 1 or 2 is enough. Is that sufficient?”
• “We have inadequate resources to assess our high risk population on an ongoing basis.”
• “Where do we start? We have no pre-contract TPRM process in place.”
• “We don't centrally manage our TPRM.”
• “I have operational staff focused on TPRM and they aren't risk and controls specialists.”
• “My vendors have vendors. How do we address the risks associated with those ‘fourth party’ vendors?”
Implementing a third party risk management program: assess vendor operations – example assessment model
Spectrum of review (ordered by amount of effort and cost):
• Self-assessments
• Reviews of existing reports (e.g., SOC 2)
• Remote assessments (documentation reviews with the third party)
• Desktop assessments (telephone/WebEx)
• Onsite assessments
[Chart: assessment method quantities as a share of the third-party population, including a “No Action” category; values shown are 0%, 5%, 5%, 10% and 80%.]
The results of the risk profiling should drive the method used to assess the vendors. During the first year of implementation, the onsite assessment may be used for a majority of third parties, but as the program matures, the number of third parties requiring onsite assessments can decrease.
Audience Question: Stratification
Do you currently have a process to stratify vendors into different risk categories (e.g., Critical, High, Moderate, and Low)?
Risk modeling framework – Inherent risk
The total vendor inventory is funnelled down to the higher-risk vendors identified for review:
1. Begin with the general ledger and remove categories that don’t pose risk.
2. Identify and remove services whose risk will be managed by other means.
3. Prioritize higher-risk services provided by third parties.
Assessment workflow for the services that remain:
1. Gather product/service information.
2. Calculate the Inherent Risk Factor.
3. For vendors deemed of high or moderate inherent risk, complete questionnaires/assessments.
4. Perform a control effectiveness evaluation.
5. Provide effectiveness ratings indicating the results of each assessment of the product/service.
6. Calculate the Residual Risk Score and Rating.
7. Conclude on whether to proceed with the vendor.
(Diagram axes: Vendor Controls vs. Own Controls; higher-risk vendor relationships receive more due diligence, lower-risk relationships less.)
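The risk modeling framework above and the example assessment model two slides earlier describe one procedure: start from the general ledger, drop categories that pose no risk, score inherent risk per service, send questionnaires only to moderate and high inherent-risk services, reduce the score by demonstrated control effectiveness, and let the residual rating pick the assessment method and cadence. The Python below is an added worked example of such a model written for this page; it is not PwC’s methodology or code from the deck. Every weight, threshold, exempt general-ledger category, mitigation cap and rating-to-method mapping is an assumption, and the vendors and questionnaire returns are constructed sample data.

```python
# Added example, not PwC's model: a hypothetical inherent -> residual risk scoring
# model for third-party services. Every weight, threshold, exempt GL category and
# mapping is an assumption; the vendors and questionnaires are constructed.
from dataclasses import dataclass

# Funnel step: GL categories assumed to pose no third-party risk (assumption).
EXEMPT_GL_CATEGORIES = {"office supplies", "postage", "catering"}
# Data types named on the page; the weights are assumed.
DATA_TYPE_WEIGHTS = {"PHI": 30, "PCI": 30, "PII": 25, "IP": 20}
MAX_MITIGATION = 0.6  # assumption: perfect controls still leave 40% of inherent risk
# Assumed mapping from residual rating to assessment method and cadence (months).
ASSESSMENT_PLAN = {
    "Critical": ("Onsite assessment", 12),
    "High": ("Remote assessment (documentation review)", 12),
    "Moderate": ("Review of existing reports (e.g., SOC 2) or self-assessment", 24),
    "Low": ("No action beyond contract and performance monitoring", 36),
}


@dataclass(frozen=True)
class Service:
    vendor: str
    service: str
    gl_category: str
    data_types: frozenset         # subset of DATA_TYPE_WEIGHTS keys
    has_data_access: bool         # information security / privacy exposure
    uses_subcontractors: bool     # "fourth parties"
    offshore: bool                # global geographic location
    critical_to_operations: bool  # business continuity / exit strategy


def inherent_risk_score(svc: Service) -> int:
    """Risk of the service before the vendor's controls are considered (0-100)."""
    score = max((DATA_TYPE_WEIGHTS[d] for d in svc.data_types), default=0)
    score += 20 if svc.has_data_access else 0
    score += 15 if svc.uses_subcontractors else 0
    score += 15 if svc.offshore else 0
    score += 20 if svc.critical_to_operations else 0
    return min(score, 100)


def rating(score: float) -> str:
    """Map a 0-100 score to the four strata named on the page (thresholds assumed)."""
    for floor, label in ((70, "Critical"), (50, "High"), (25, "Moderate")):
        if score >= floor:
            return label
    return "Low"


def control_effectiveness(answers) -> float:
    """Share of assessed controls found effective (0.0-1.0). `answers` maps control
    id -> True/False. A missing or empty questionnaire scores 0.0: no evidence, no credit."""
    if not answers:
        return 0.0
    return sum(1 for ok in answers.values() if ok) / len(answers)


def residual_risk_score(inherent: int, effectiveness: float) -> float:
    """Inherent risk reduced in proportion to demonstrated control effectiveness."""
    return round(inherent * (1 - MAX_MITIGATION * effectiveness), 1)


def triage(services, questionnaires):
    """Run the funnel and scoring over an inventory. `questionnaires` maps
    (vendor, service) -> control answers; Low inherent-risk services skip it."""
    results = []
    for svc in services:
        if svc.gl_category.lower() in EXEMPT_GL_CATEGORIES:
            continue  # funnel: category poses no third-party risk
        inherent = inherent_risk_score(svc)
        if rating(inherent) == "Low":
            residual = float(inherent)  # not assessed, so residual == inherent
        else:
            answers = questionnaires.get((svc.vendor, svc.service))
            residual = residual_risk_score(inherent, control_effectiveness(answers))
        res_rating = rating(residual)
        method, months = ASSESSMENT_PLAN[res_rating]
        results.append({
            "vendor": svc.vendor, "service": svc.service,
            "inherent": inherent, "inherent_rating": rating(inherent),
            "residual": residual, "residual_rating": res_rating,
            "method": method, "frequency_months": months,
            # Critical residual risk is an exception decision, not a default "proceed".
            "decision": "escalate for exception" if res_rating == "Critical" else "proceed",
        })
    return results


# Constructed sample inventory (fictitious vendors) and questionnaire returns.
SAMPLE_SERVICES = [
    Service("Acme Claims Co", "claims processing", "claims administration",
            frozenset({"PHI", "PII"}), True, True, True, True),
    Service("PayGate Inc", "card payment gateway", "payment processing",
            frozenset({"PCI"}), True, True, False, True),
    Service("HRCloud Ltd", "hosted HR system", "software subscriptions",
            frozenset({"PII"}), True, False, False, False),
    Service("GreenLawn LLC", "grounds maintenance", "facilities",
            frozenset(), False, False, False, False),
    Service("Tasty Catering", "staff cafeteria", "catering",
            frozenset({"PII"}), False, False, False, False),
]
SAMPLE_QUESTIONNAIRES = {
    ("Acme Claims Co", "claims processing"): {f"C{i}": i < 8 for i in range(10)},  # 8/10 effective
    ("HRCloud Ltd", "hosted HR system"): {f"C{i}": True for i in range(5)},        # all effective
    # PayGate Inc never returned its questionnaire and is scored as "no evidence".
}


def run_example():
    return triage(SAMPLE_SERVICES, SAMPLE_QUESTIONNAIRES)
```

Two design choices are worth calling out. A questionnaire that was never returned is scored as zero effectiveness rather than skipped, so a Critical inherent-risk vendor with no evidence stays Critical and is routed to an exception decision instead of silently proceeding; this is the “we have inadequate resources to assess our high risk population” failure mode made visible. And the mitigation cap means strong controls can move a vendor down the spectrum of review (the claims processor drops from an onsite to a remote assessment) but never off it, which matches the page’s point that the risk and liability cannot be outsourced along with the process.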
We have observed that most organizations have not yet adopted stratification—a leading practice in managing Third Party risk
Adding to the challenge of effectively managing vendor-related risk, we see today’s companies also struggling with:
• Managing inbound requests from service organizations
• Implementing formal enterprise-wide TPRM governance (Compliance and Enterprise risk management, etc.)
• Maintaining an accurate and complete inventory of vendors
• Incorporating other third-party relationships into their TPRM programs (e.g., business partners, joint ventures, distribution channels, attorneys, utilities, etc.)
• Establishing standard operational risk methodologies and policies
• Identifying/using TPRM key risk indicators
• Implementing and using technology to adequately support the TPRM program, taking some of the burden from the business
• Staying ahead of, and effectively complying with, changing regulatory requirements
Our observations are underscored by the results of PwC’s Global State of Information Security Survey 2013:
• 69% of the surveyed companies lack an accurate inventory of locations or jurisdictions where data is stored
• 74% of companies do not have a complete inventory of all third parties that handle personal data of their employees and customers
• 73% of companies lack incident response processes to report and manage breaches to third parties that handle data
Types of data that typically need to be protected:
• Intellectual Property (IP)
• Personally Identifiable Information (PII)
• Payment Card Industry (PCI)
• Protected Health Information (PHI)
Insights and Lessons Learned
Protect Information and Manage Compliance
You can outsource a process but you cannot outsource the risk or liability. Regulations are applying enhanced vendor risk management requirements. Additionally, protecting the brand requires a close look at vendor risk management.
Aligning to a common risk language and process
Agreeing upon a common set of terms and definitions is necessary to create a consistent process for defining, managing and measuring third party risks. Once done, it is easier to develop new processes to address changes to regulatory and business requirements.
Leveraging effective processes and technologies
Leading tools and technology drive groups to use common risk management processes, which enhances the effectiveness and efficiency of the TPRM program. This will allow management to have a better view of metrics and enables them to make better decisions around governance, risk and compliance management and corresponding communications.
Disciplined information flow
Communication to stakeholders, employees and business partners is critical throughout the entire third party risk management program process. Managing these communications throughout the development of the program is critical for success.
Clear business engagement
Working in a transparent and integrated fashion with all functional and operating group stakeholders is required to develop a solution that delivers against the needs of the organization. Many companies have a designated liaison in the business to build relationships, increase awareness and harmonize business needs with third party risk capabilities.
“Work Smarter NOT Harder”
When designing a third party risk management program, focus on having the third parties do as much of the “heavy lifting” as possible, to reduce the operational burden of the program on the enterprise. This can be accomplished through the use of automated workflow and by leveraging tactical and strategic technology solutions that third parties can access.
“Start Smart”
By focusing on the target operating model when designing a third party risk management program, significant cost savings and minimal operational impact to business operations may be achievable. Areas that help include third party stratification, leveraging existing risk processes and governance structures, focusing on products/services, and leveraging the three-lines-of-defense model.
Q&A
The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties of merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.
© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.