Enhance your TPRM due diligence process with third-party utilities

kpmg.com · 2019-05-31

The time is right to transform

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 843212


Table of contents

The time is right to transform 2

Streamlining the TPRM due diligence process 4

The promise of third-party industry utilities 5

How third-party utilities affect the TPRM operating model 8

Key integration points for optimal use of third-party utilities 9

Making it happen 11

Bringing it all together: Strategies for efficiency and effectiveness in TPRM 12


The time is right to transform

A decade after the financial crisis brought renewed attention to the risks posed by third-party relationships in financial services, most institutions have entered the “business as usual” phase of third-party risk management (TPRM). Unfortunately, TPRM programs are often complex and clunky. They continue to focus time and energy on the initial onboarding of third parties, with insufficient effort being spent on interpreting the results of the assessments and proactively managing third-party risk.

TPRM programs have explored a variety of options for streamlining the TPRM process and decreasing costs. One approach that is gaining traction across financial services is the concept of shared due diligence assessments in which multiple firms leverage the same risk assessments of a third party, rather than conducting due diligence individually. Initial approaches to shared due diligence assessments experienced roadblocks with respect to liability in the event that there are errors in the due diligence assessment.

Third-party utilities have solved for these concerns around liability with shared assessments by focusing on gathering due diligence information for the third party (and in some cases validating this information) and then allowing multiple financial services firms to access and use this to support components of their internal TPRM due diligence processes. In 2019, the majority of financial services firms[1] are actively analyzing how utilities can reduce resource-intensive TPRM due diligence processes. In this white paper, we offer perspectives for how financial services firms should use third-party utilities to gain efficiencies and preserve effectiveness of their TPRM programs.

[1] Figure based on KPMG analysis from projects and conversations with clients.


Where are financial services firms on their TPRM journey?

1. Pre financial crisis

— Lack of industry consensus on target operating model for TPRM programs

2. Initial program build subsequent to regulatory guidance (2013–2019)

— Regulatory-driven remediation

— Headcount and volume of risk assessments increase dramatically

— TPRM programs reach business as usual status

— Integration efforts with the broader enterprise risk management and operational risk priorities

3. Tuning and streamlining (2019 and beyond)

— Consensus builds to streamline and right-size TPRM programs

— Experimentation with new operating models

— Regulatory focus shifts to operational resiliency and affiliate risk management

— Industry adoption of third-party utilities


Streamlining the TPRM due diligence process

In our estimation, as much as 50 percent of the time and effort[2] related to the TPRM lifecycle can be attributed to the due diligence process, both during initial onboarding and reassessment, across:

— Creating and maintaining the due diligence questionnaires

— Chasing third parties to complete questionnaires or submit documentation

— Reviewing/assessing the completed questionnaires

— Issues management to remediate, risk accept, or identify, implement, and test compensating controls for any deficiencies that are identified during due diligence.

Due diligence process costs increase exponentially as the volume of due diligence assessments for each third-party service increases (e.g., compliance, business continuity and disaster recovery, information security, cybersecurity, privacy, physical security, financial viability, etc.). The fact that each service from a third party may require different permutations of due diligence requirements can add additional layers of complexity and cost to the TPRM due diligence process. Financial services institutions that leverage standardized due diligence question sets or utilities could see a 25 percent reduction[3] in onboarding costs. As a result, the majority of financial institutions are looking at and joining managed services and utilities as a means to reduce costs across the TPRM lifecycle, with a particular focus on due diligence.[4]

[2], [3], [4] Figure based on KPMG analysis from projects and conversations with clients.


The promise of third-party industry utilities

KY3P® and TruSight have emerged as the leading third-party utilities. They have differentiated business models and varying services, but they both aim to greatly reduce the volume of time and effort spent by both financial institutions and third parties on completing and analyzing repetitive and duplicative questionnaires.

“KY3P is a third party risk platform built by and for the financial industry for the purpose of improving the quality of risk data, standardizing the due diligence process, and bringing efficiency to the effort of gathering and assessing vendor risks. We have created a community which brings together clients and vendors onto the same platform for information sharing. The market has signaled that collaboration is critical as evidenced by our regional banks consortium joining the platform.”

— Ellen Schubert, Chief Executive Officer, KY3P, IHS Markit

“TruSight was founded and built by the industry for the benefit of the industry. Industry-driven governance is enshrined in our operating model, including commitment from our founding members to use TruSight for a significant portion of their TPRM programs. This makes TruSight unique among third-party industry utilities and best suited to advancing a single best practices standard and bringing the industry together to elevate third party risk management.”

— Chris Watson, Chief Operating Officer, TruSight

Proponents of third-party utilities advocate that they will help financial services firms across the following five areas:

1. A better questionnaire

Both KY3P and TruSight developed their due diligence questionnaires based on the industry-leading programs of large, global financial services institutions (see below) as well as industry standards (e.g., National Institute of Standards and Technology, Payment Card Institute, and International Standards Organization, etc.).

KY3P original design partners: Barclays, Goldman Sachs, HSBC, Morgan Stanley, and UBS[5][6]

TruSight founding members: American Express, Bank of America, Bank of New York Mellon, JPMorgan Chase, and Wells Fargo[7]

Third-party utilities have regular review cycles to incorporate changes or new risk management priorities. Many financial services firms struggle to develop comprehensive due diligence questionnaires, and having a perfect questionnaire does not present a significant competitive advantage. TPRM programs that do not yet have comprehensive due diligence questionnaires may benefit from leveraging questionnaires from a third-party utility that have been reviewed and approved by the firm’s risk and compliance subject matter professionals for satisfaction of firm and regulatory requirements. The firm is responsible for making sure their risks are assessed appropriately.

[5] IHS Markit, “Twelve Regional Banks Invest in KY3P to Advance Best Practices for Managing Third-Party Risk” (March 27, 2019)

[6] As of March 27, 2019, original design partners were joined by 12 leading regional and digital financial institutions: Ally Bank, BBVA Compass, Citizens Bank, Comerica Bank, Fifth Third Bank, The Huntington National Bank, KeyBank, M&T Bank, Regions Bank, Santander US, SunTrust Bank, and U.S. Bank.

[7] Trusight Solutions, “BNY Mellon Joins Trusight as Key Investor and Client to Transform Third-Party Risk Management” (April 24, 2018)


2. Quicker third-party onboarding

Third-party utilities may be able to solicit due diligence responses from third parties that have historically not been responsive to the requests of some financial services firms. Certain prominent third parties that are used throughout the financial services industry (e.g., market data providers, large technology companies, etc.) refuse to respond to requests for due diligence questionnaires outright, while other third parties may take weeks to respond. The time lag in receiving completed third-party due diligence questionnaires can account for three weeks, representing 25 percent of the total onboarding time for a new moderate risk third-party service.[8]

For third parties that do comply with financial services due diligence requests, the quality of the responses has declined, prompting risk and compliance subject matter professionals (e.g., information security, compliance, business continuity, etc.) to reject the due diligence questionnaires or engage in a long back-and-forth process with the third party. Centralization of due diligence requests through the use of third-party utilities could reduce the quantity of requests and remove duplicate requests for the same information, which may decrease time to onboard third parties, improve due diligence response consistency, and reduce redundancy in the due diligence process.

3. More accurate and efficient management reporting

The effects of long onboarding times, nonresponses, and rejections of due diligence questionnaires by risk and compliance subject matter professionals trickle into management reporting as “issues” and cause the total volume of due diligence issues to balloon due to “third-party nonresponse.” Many financial services firms eventually risk-accept the nonresponding third parties, which inflates the TPRM program exception metrics and may unduly increase a firm’s reported operational risk. Third-party utilities offer the potential to alleviate third-party questionnaire fatigue and may encourage more robust and consistent due diligence responses from third parties. Removing these “nonresponse” due diligence issues from reporting drives a clearer understanding of risk and provides more accurate risk data to promote better decision making from senior management and the board.

[8] Figure based on KPMG analysis from projects and conversations with clients.


4. Refocusing attention on interpreting due diligence responses and issues management

Many immature and even moderately mature TPRM programs are dedicating risk and compliance expertise to designing and collecting due diligence questionnaires, to the point that many programs have a long backlog of risk and compliance due diligence questionnaires that have not been evaluated and scored. Third-party utilities may help firms free up these resources and empower TPRM programs to shift their focus from chasing third parties to addressing issues identified during due diligence along with increased remediation efforts that include compensating controls and customized monitoring plans.

5. Reducing costs for on-site assessments of third parties

On-site reviews require meticulous planning and are time-intensive and expensive. Additionally, they require coordination between the three lines of defense to check that right-to-audit clauses are not exhausted prematurely. Further, certain third parties[9] have begun charging fees for on-site audits. Other third parties[10] have decreed only one or two time windows annually for reviews on-site or refuse to allow the reviews altogether. Third-party utilities provide on-site reviews as part of their assessment services. The combination of a third-party-utility review and supplementary remote assessments (such as conference calls, reviewing video footage, etc.) can provide a similar result as an on-site review in a more sustainable and cost-effective manner.

[9], [10] Figure based on KPMG analysis from projects and conversations with clients.


How third-party utilities affect the TPRM operating model

Successful TPRM programs will be realistic about what third-party utilities will and will not solve for in the TPRM process. See below for an illustration of where third-party utilities will affect the TPRM process (based on the key capabilities of third-party utilities today).

Figure: Third-party utilities integration in the TPRM lifecycle process (the figure marks potential third-party utility integration points within the steps below)

1. Planning and third-party identification

— Assess business need and select third party

— Determine if this is a new or existing third-party service and if risk assessment is required

— If risk assessment is required, determine if the third party is part of the third-party utility

— Obtain required approvals

2. Risk assessment and due diligence

— Complete inherent risk questionnaire

— Assign inherent risk rating

— Determine due diligence requirements

— Complete applicable due diligence questionnaires (DDQs)

— QA of DDQs

— Review DDQs

— Conduct on-site assessments

— Assign residual risk rating

— Issue remediation/risk acceptance, identify special contract provisions

3. Contracting

— Negotiate business terms

— Verify legal terms and conditions and obtain approvals

— Execute and maintain contract

— Store contracts and due diligence audit trail

4. Ongoing monitoring and re-performance of due diligence

— Facilitate performance monitoring

— Track, monitor, report, and remediate issues and conduct quality assessment testing for critical and high-risk services

— Initiate risk-based re-assessment

— Complete applicable DDQs

— QA of DDQs

— Review DDQs

— Conduct on-site assessments

— Issue remediation/risk acceptance, identify special contract provisions

5. Off-boarding

— Fulfillment of contract terms, execute against termination strategy, obtain approvals

Program-level oversight across the lifecycle: quarterly and annual reporting, 2nd line testing

In the future, additional capabilities offered by third-party utilities may include:

— Creating TPRM portfolio dashboarding and reporting for the board and senior management

— Housing the audit trail for TPRM lifecycle forms and templates (including planning, inherent risk questionnaire, ongoing monitoring scorecards)

— Providing an end-to-end technology platform to automate the TPRM lifecycle

— Solutions for affiliate risk management and fourth parties

— Leveraging emerging technologies like blockchain for efficiency and effectiveness


Key integration points for optimal use of third-party utilities

There are various actions that TPRM programs must undertake across their process, technology, and workforce to realize the full potential of third-party utilities in the TPRM operating model. We highlight five key initial integration steps below:

1. Implement a work-around for third parties that are not members of the firm’s chosen third-party utility

Particularly in the next few years, as third-party utility platforms continue to mature and gain traction with third parties, many third parties will not be on the financial institution’s chosen third-party utility. Even in the future state of mass industry adoption for third-party utilities, there will likely be some third parties that are not present on the platform. Therefore, firms need to have a work-around strategy to evaluate these third parties. In instances where the firm uses in-house-developed due diligence questionnaires for this work-around, there will need to be a mapping between their proprietary due diligence questionnaires and the third-party utility’s questionnaires to confirm consistency in the risk tiering between the two approaches.

2. Upskill TPRM staff

How will TPRM staff spend their time once they are liberated from the third-party chasing and document gathering that occupies much of their day-to-day currently? The adjustment will be particularly pronounced within the centers of excellence that have been established at many financial services firms to orchestrate the onboarding process. Rather than being task-oriented workers, TPRM staff of the future will complete higher-value functions, such as: (1) aggregating and interpreting due diligence results to explain the risk profile of third-party services to the business, (2) identifying total cost of outsourcing functions to validate the business receives the payoff from investments, (3) proactively monitoring third-party risks to anticipate breaches and services disruptions, and (4) enabling product development and business model innovation by empowering the business to partner with nontraditional third parties.


3. Integrate third-party utilities with existing governance, risk, and compliance (GRC) technology for due diligence and reassessment triggers, workflow visibility, and reporting

Implementations of third-party utilities require precise integrations across the TPRM lifecycle, particularly the four areas highlighted below:

1. Risk-based due diligence review for each third-party service: Risk-based TPRM programs require risk oversight functions to execute different levels of due diligence based on the inherent risk assessment of the third-party service. Firms that use third-party utilities will need to coordinate with the utility to determine which due diligence reports should be activated for the firm’s risk and compliance subject matter professionals, so that the entire suite of available due diligence questionnaires is not reviewed for third-party services that pose insufficient risk in a given area (e.g., compliance, business continuity, information security, etc.).

2. Visibility into the due diligence review process for overall TPRM lifecycle tracking: Leading TPRM programs have tracking mechanisms to show where the third party is within the onboarding process, in the event that the onboarding is delayed. There will need to be an automated interface that identifies which third parties require due diligence reviews and sends a notification when the appropriate risk or compliance group has downloaded the due diligence questionnaire from the third-party utility to begin their assessment. Since this step may be outside of the GRC environment, it will be important to be able to time stamp the moment that the risk or compliance group is notified to begin their review.

3. Export functionality for reporting: Similarly, TPRM programs often aggregate the results from due diligence questionnaires to derive population-level metrics and Key Risk Indicators (KRIs) for aggregate risk across their third-party portfolio. Data feeds need to be in place to aggregate metrics and KRIs from due diligence responses that may reside inside the third-party utility in order to generate TPRM committee and board reports efficiently and accurately.

4. Reassessment scheduling: Based on the risk tier of the third-party service, ongoing monitoring requirements may include meetings with the third party, performance scorecards, transaction testing, SLA monitoring, etc. There will also be a requirement for reperforming due diligence on a risk-based frequency documented within the firm’s TPRM policy and procedures. Ideally, GRC tools will automatically retrieve the most up-to-date due diligence report from the third-party utility for the given third party and initiate the due diligence process with the firm’s risk and compliance subject matter professionals. Firms will need to reconcile the timeliness of the utility’s reassessment schedule with their internal requirements for third-party reassessment frequency. Similarly, overdue reperformance of due diligence metrics and notifications will need to be collected and distributed automatically as part of the comprehensive ongoing monitoring of the third party.

4. Educate due diligence subject matter professionals on how to ingest the answers from the third-party utility to conduct due diligence reviews

There will likely be an adjustment period for risk and control groups within the firm who are conducting third-party reviews to adjust their control evaluation ratings to align to the questions and answer choices within the third-party utility due diligence questionnaires. Appropriate subject matter professionals from risk and compliance will need to verify the validity of the due diligence questionnaire and its alignment with firm and regulatory expectations. Third-party utilities update questionnaires periodically based on member input, and firms should be aware of and involved in these reviews. As third-party utility questionnaires are not specifically tailored to each firm, the firm will need to conduct a rationalization exercise of their current question set to the question set of the third-party utility. If there are multiple discrepancies between question sets, a firm may prefer a third-party utility that allows for supplemental “delta” questions. For firms that opt for a third-party utility that allows the firm to add supplemental “delta” questions to the due diligence questionnaire, the TPRM office will need to work with due diligence groups to determine which additional questions to ask. Internal Audit should review this process in its test of design for TPRM program governance.

5. Determine how to utilize third-party utility on-site reviews

The possibility of leveraging third-party utilities for on-site reviews is a powerful driver for adopting these platforms. However, some of the known deficiencies for SOC reports (i.e., that the controls tested may not be specific to the firm but rather for another customer) are potentially still present with a generalized on-site review report from a third-party utility. Guidelines for supplemental approaches (such as conference calls, surveillance video, etc.) should be standardized and documented for consistency across the on-site reviews.
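As an added example (not from the KPMG paper), the Python below shows how a GRC-side job could reconcile a constructed inventory record against the risk-based activation and reassessment-scheduling integration areas described above: activate only the due diligence areas the service’s tier requires, test whether the utility’s latest report falls within the firm’s own reperformance window, route third parties that are not on the utility to the in-house work-around, flag coverage gaps that need supplemental “delta” questions, and produce the overdue list for automated notifications. Tier names, frequencies, area names and the sample records are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical policy table (an assumption, not from the paper): how often the
# firm's TPRM policy requires due diligence to be reperformed, by inherent risk tier.
INTERNAL_FREQUENCY_DAYS: Dict[str, int] = {
    "critical": 365,
    "high": 365,
    "moderate": 730,
    "low": 1095,
}

# Hypothetical activation matrix: the due diligence areas the firm's risk and
# compliance SMEs review at each tier, so the entire suite is not reviewed for
# services that pose insufficient risk in a given area.
ACTIVATED_AREAS: Dict[str, Set[str]] = {
    "critical": {"information security", "business continuity", "compliance",
                 "privacy", "financial viability"},
    "high": {"information security", "business continuity", "compliance", "privacy"},
    "moderate": {"information security", "compliance"},
    "low": set(),
}


@dataclass
class ServiceRecord:
    """One third-party service as tracked in the firm's GRC tool (constructed)."""
    service: str
    tier: str
    last_internal_review: date
    # Date of the latest report the utility holds for this third party; None when
    # the third party is not a member of the utility (work-around path applies).
    utility_report_date: Optional[date] = None
    # Due diligence areas that the utility's report actually covers.
    utility_report_areas: Set[str] = field(default_factory=set)


@dataclass
class ReconcileResult:
    service: str
    internal_due: date          # next reassessment date under the firm's own policy
    overdue: bool               # feeds the automated "overdue reperformance" metric
    utility_usable: bool        # utility report exists and is within the policy window
    missing_areas: Set[str]     # activated areas the utility report does not cover
    notes: List[str]


def internal_due_date(rec: ServiceRecord) -> date:
    """Next reperformance date implied by the firm's risk-based frequency."""
    return rec.last_internal_review + timedelta(days=INTERNAL_FREQUENCY_DAYS[rec.tier])


def reconcile(rec: ServiceRecord, today: date) -> ReconcileResult:
    """Reconcile the utility's reassessment timing with the firm's internal requirement."""
    due = internal_due_date(rec)
    overdue = today > due
    activated = ACTIVATED_AREAS[rec.tier]
    notes: List[str] = []

    if rec.utility_report_date is None:
        notes.append("not on utility: route to in-house DDQ work-around")
        return ReconcileResult(rec.service, due, overdue, False, set(activated), notes)

    # A utility report older than the tier's policy window cannot satisfy the
    # reperformance requirement, however current the utility considers it.
    window = timedelta(days=INTERNAL_FREQUENCY_DAYS[rec.tier])
    usable = (today - rec.utility_report_date) <= window
    if not usable:
        notes.append("utility report older than policy window: request refresh")

    # Gaps between activated areas and report coverage need supplemental questions.
    missing = activated - rec.utility_report_areas
    if missing:
        notes.append("supplemental questions needed for: " + ", ".join(sorted(missing)))
    if overdue:
        notes.append("internal reassessment overdue: escalate in ongoing-monitoring reporting")
    return ReconcileResult(rec.service, due, overdue, usable, missing, notes)


def overdue_services(records: List[ServiceRecord], today: date) -> List[str]:
    """Services whose internal reassessment is overdue, for automated notifications."""
    return sorted(r.service for r in records if reconcile(r, today).overdue)


# Constructed sample inventory and evaluation date, chosen for illustration only.
TODAY = date(2019, 6, 1)
SAMPLE_RECORDS = [
    ServiceRecord("payments-processing", "critical", date(2018, 3, 15), date(2019, 2, 1),
                  ACTIVATED_AREAS["critical"]),
    ServiceRecord("market-data-feed", "high", date(2018, 9, 1), date(2018, 1, 10),
                  ACTIVATED_AREAS["high"]),
    ServiceRecord("office-catering", "low", date(2017, 1, 1)),
    ServiceRecord("hr-analytics-saas", "moderate", date(2018, 1, 20), date(2019, 5, 1),
                  {"information security"}),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        res = reconcile(rec, TODAY)
        print(f"{res.service}: due {res.internal_due}, overdue={res.overdue}, "
              f"utility_usable={res.utility_usable}; " + "; ".join(res.notes))
    print("overdue:", overdue_services(SAMPLE_RECORDS, TODAY))
```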


Making it happen

As firms begin to integrate third-party utilities into their TPRM programs, it is important that they are aware of the key activities and challenges throughout the process.

Key activities

TPRM programs should consider the following activities for effective integration of third-party utilities into their program:

— Rationalize existing due diligence questionnaires to align to those of the third-party utility

— Obtain sign-off from the firm’s risk and compliance subject matter professionals on the third-party utility due diligence questionnaires

— Determine how to use the various levels of the third-party utility’s data validation services

— Analyze the third-party population that is already registered with the third-party utility against the firm’s existing third-party inventory

— Determine if the partnership with a third-party utility is an opportunity for the firm to rethink their service delivery model for TPRM (e.g., moving the execution of the third-party lifecycle process activities out of the second-line TPRM function and into a first-line Center of Excellence)

— Conduct a pilot to iterate and test while the firm continues current-state third-party lifecycle activities

What could impede your progress?

1. Poor adoption of the third-party utility among the firm’s third-party inventory

2. Joining a third-party utility as part of a large group, such as a consortium, may create dependencies on the other consortium members, including timing for notifying shared third parties or requested modifications to the due diligence questionnaires, etc.

3. Dependencies on the progress of the third-party utility against its product roadmap

4. Stakeholders within the firm not accepting the new third-party utility operating model

5. Lack of improvements to the firm’s TPRM technology may limit the firm’s ability to realize benefits from integrating with the third-party utility

6. Insufficient executive support and funding for the initiative to demonstrate commitment to regulators


Bringing it all together: Strategies for efficiency and effectiveness in TPRM

Third-party utilities provide the potential to enhance what is often the most inefficient part of the TPRM process: due diligence. See below for key takeaways for optimal third-party utility integration into the TPRM operating model.

Potential benefits

1. A better questionnaire

2. Quicker third-party onboarding

3. More accurate and efficient management reporting

4. Refocusing attention on interpreting due diligence responses and issues management

5. Reducing costs for on-site assessments of third parties

Integration points

1. Implement a work-around for third parties that are not members of the firm’s chosen third-party utility

2. Upskill TPRM office staff from process experts to higher-value risk management professionals

3. Integrate third-party utilities with GRC technology for due diligence and reassessment triggers, workflow visibility, and reporting

4. Educate due diligence subject matter professionals on how to ingest the answers from the third-party utility to conduct due diligence reviews

5. Determine how to utilize third-party utility on-site reviews

While these offerings have amazing potential, they are not yet mature and will take some time to reach mass adoption in the market. We recommend the following actions for streamlining TPRM programs in addition to integrating with a third-party utility.


Embrace automation and technology enablement

Investing in automation and technology can help streamline multiple aspects of the TPRM process, from onboarding to contract management, resulting in significant cost savings for a TPRM program. An area of top focus and investment for TPRM programs in financial institutions is technology enablement, especially since 66 percent of organizations currently rely on manual processes or spreadsheets to track third-party risk processes.10 Firms that have invested in emerging technologies such as artificial intelligence, robotic process automation, and natural language processing have seen a 10 to 15 percent decrease in TPRM program costs.11

Rationalize the third-party inventory

Firms need to review how they implement preferred supplier processes to reduce their total number of third parties (while balancing the potential to add concentration risk), since TPRM program costs increase exponentially with the growth of the third-party portfolio. Another source of inefficiency in managing the third-party inventory is the lack of a single central inventory. Today, 75 percent of organizations do not have a single inventory of their third parties, resulting in duplication and unnecessary added time and effort.11

Explore remote options for on-site reviews

Leading TPRM programs are redefining the scope of on-site assessments to leverage surveillance cameras and video conferencing in lieu of a physical trip to the third party. These remote options still satisfy the purpose of on-site reviews and do so at decreased cost and time commitments. Remote “on-site” reviews are conducted across the three lines of defense based on a variety of triggers, including when a new critical third party is onboarded and/or when a critical third party experiences a risk incident that is beyond the firm’s stated risk tolerance. Review and analysis of exams/audits (e.g., SOC 2) and self-assessments against industry standards may serve as alternative options to conducting an on-site review.

We are actively speaking with clients about how best to enhance their TPRM programs, both through the use of third-party utilities and the additional methods articulated above. We welcome the opportunity to meet with you and discuss ways to help your TPRM program reach peak efficiency and effectiveness.

11 Center for Financial Professionals, “Third Party Risk: A Journey Towards Maturity” (July 10, 2018)


Contact us

Greg Matthews
KPMG in the U.S.
Partner, Financial Services Operations & Compliance Risk
T: 201-621-1156 E: [email protected]

Jon Dowie
KPMG in the U.K.
Partner, Financial Services
T: +44 2073 115 295 E: [email protected]

Jeff Lee
KPMG in the U.S.
Director, Financial Services Operations & Compliance Risk
T: 646-322-2268 E: [email protected]

Contributing editor

Nicole Trawick
KPMG in the U.S.
Financial Services Operations & Compliance Risk
T: 214-949-3335 E: [email protected]


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.