managing third party risks and rewards

Internal Audit, Ethics & Compliance roundtable Third Party Risk Management How can companies effectively manage the risks of Third Party relationships? April 22, 2014 www.pwc.com

Upload: pwc

Post on 23-Aug-2014

Category: Retail

DESCRIPTION

This presentation discusses current trends and challenges companies are facing in managing third parties risks and leading practices in several areas including, but not limited to, stakeholder interaction, risk stratification, vendor reviews, and ongoing monitoring. Presented at the Creating value and trust: Navigating risk and meeting customer expectations, PwC's Internal Audit Ethics and Compliance Retail and Consumer Roundtable for internal audit and ethics and compliance executives, April 2014. For more information, please visit: http://pwc.to/1rbVnlY

TRANSCRIPT

Page 1: Managing third party risks and rewards (cover slide)

Page 2: Managing third party risks and rewards

PwC 2

With you today

Rob Stouder, Director, Third Party Risk Management, Midwest Region Leader

[email protected] (317) 940-7501

Page 3: Managing third party risks and rewards


Agenda

What is Third Party Risk Management?

Why is it Important?

What we are seeing in organizations

Benefits of a Third Party Risk Management program

Insights and Lessons Learned

Q&A

Page 4: Managing third party risks and rewards

What is Third Party Risk Management?

Page 5: Managing third party risks and rewards

Third Party Risk Management Activities

Lifecycle phases: Vendor Evaluation & Selection; Contract Signing / Service Initiation; Vendor Service Contract / Service Termination.

• Third Party risk profiling: Evaluate the risk profile of the third party based on the company and the nature of services to be provided.

• Due diligence assessments: Perform due diligence assessments based on the initial risk profile.

• Contract language and exception management: Support the management and tracking of exceptions to standard contract language and requirements.

• Ongoing risk profiling: Assess vendors’ risk profiles as their environments and nature of services change.

• Ongoing monitoring: Evaluate relevant controls, with the frequency of assessment based on the risk profile. Typically, these assessments include one or more of the following: on-site assessment, remote assessment, self-assessment.

• Contract Termination Management: Manage and track the vendor / service termination process to confirm vendors meet the obligations in their contract and that all client data is removed per the vendor’s contractual obligations.

Program Oversight: Policies, Standards and Guidelines; Training and Awareness; Program Strategy, Governance and Roles & Responsibilities; VRM Operational Processes; Systems and Technology; Metrics and Reporting; Continuous Improvement.

Page 6: Managing third party risks and rewards

Foundations for an effective Third Party Risk Management program

Data & Information

• Linkages between contracting and payables/general ledger

• Comprehensive contracts management system and contract data

• Well defined and maintained third-party repositories (vendor master, etc.)

• Third party / vendor usage data

• Strong organizational and employee data for identifying third-party linkages across the organization

• Issues and incidents repositories to track third-party issues

• Recovery and resiliency: back-up of key/“critical” third parties

Methodology

• Know your third parties/due diligence

• Standard operational risk methodologies and defined risk levels

• Standard controls effectiveness assessment methodology

• Escalation, exception, and exemption processes

• Customer complaint handling

Governance

• Third party risk management office

• Operational risk governance body

• Critical Third party Oversight

Page 7: Managing third party risks and rewards

Pop Quiz

Planning / Governance

• Do you have an inventory of Third Parties? Is it by service? Is it risk ranked?

• Do you have current contracts related to the service being provided?

• Are there standardized risk profiling methodologies with defined assessment frequencies and types in place?

Due Diligence and Third Party Selection

• Are due diligence assessments performed prior to contracting? Are they around privacy? Are they around security?

• Do you know which of your vendors have access to data?

• Do you know which subcontractors are used by your third parties, and what work they are performing for you?

Contract Negotiation

• Do contract clauses include the authority to audit the Third Parties’ processes over the service provided?

• Are contracts for similar services consistent, and do they contain Service Level Agreements?

Ongoing Monitoring

• Do monitoring processes include both risk AND performance concerns?

Termination

• Do you have exit strategies in place for significant Third Party relationships?

Page 8: Managing third party risks and rewards

Common TPRM risks

Regulatory: The risk of an organization being out of compliance due to a third-party’s failure to comply with laws/regulations.

Service Delivery: The risk that a third-party fails to meet your needs based on the delivery of their products/services.

Exit Strategy: The risk that the organization will be unable to service its clients based on the termination of, or exit from, a third-party relationship.

Financial: The risk of financial loss to the organization due to the third-party being unable to operate due to financial instability.

Information Security and Privacy: The risk of unauthorized loss of data or that an organization’s data security has been breached at your third-party.

Business Continuity and Resiliency: The risk of third-party failure on the ability of the organization to serve its clients.

Reputational: The risk and impact to the organization’s reputation based on services provided by your third-party.

Global Geographic Location: The political, geographic, regulatory, legal, and economic risks of outsourcing to a country or region.

Third-Party Risk Spectrum (diagram): Reputational; Service Delivery; Financial; Business Continuity and Resiliency; Global Geographic Location; Information Security and Privacy; Regulatory; Exit Strategy.

Page 9: Managing third party risks and rewards

Audience Question: Governance

Do you have a formal Third Party Risk Management function at your organization?

Page 10: Managing third party risks and rewards

Third Party Risk Management Program Structure

Organization chart (recovered from the extracted slide):

Governance: Board of Directors; Enterprise Risk Committee; Third Party Management Office.

Management & Oversight: Business Unit (Business Unit Sponsor); Third Party Risk Manager (High & Critical Risk Services); Subject Matter Specialists: Legal & Compliance, Reputational Due Diligence, InfoSec, Sourcing, Contracts Management, Procurement, Financial Due Diligence, Bank Management, Privacy, BCM, PhySec, Technology.

Lines of defense shown: First Line of Defense; Second Line of Defense (Operational Risk Oversight); Third Line of Defense (Internal Audit).

External parties shown: Third Parties and their Subcontractors.

Third Party Risk Management roles and responsibilities impact each aspect of the three lines of defense model.

Page 11: Managing third party risks and rewards

Why is Third Party Risk Management important?

Page 12: Managing third party risks and rewards

Why is Third Party Risk Management relevant?

Based on the results of PwC’s 2013 Global State of Information Security Survey (GSISS), our clients continue to experience an increased number of third party related breaches and very few have programs in place that effectively manage vendor risk. Additionally, there is an increasing view by many regulators that “best efforts” around TPRM are not good enough.

Chart (GSISS): percentage of respondents by source of incidents (Partner or supplier; Customer; Service providers/consultants/contractors) for 2010, 2011 and 2012, on a 0%–20% axis. Values shown: 15%, 17%, 13%, 11%, 12%, 11%, 8%, 10%, 9%; the mapping of values to bars is not recoverable from the extraction.

• 26% of respondents have an inventory of vendors who handle sensitive information

• 32% of respondents require vendors to comply with their policies

• 26% of respondents conduct compliance assessments of third parties who handle personal data of their customers and employees

Many of our clients do not have vendor risk management programs, or the programs are very immature.

The number of breaches resulting from vendors and other third parties is steadily increasing.

Page 13: Managing third party risks and rewards

What we are telling boards

Third-party compliance landscape

• A subcomponent of overall risk management

• Legal compliance is outside the company’s direct control and has its own unique control environment

• The number of third party relationships is typically significant

• Companies can be held accountable for acts of agents, resellers, distributors, partners, suppliers, etc.

• Compliance aspects also include protection of intellectual property, environmental laws, labor laws, health and safety

Page 14: Managing third party risks and rewards

Customer Churn

Research shows that companies experience customer turnover following a security breach, and some industries are more susceptible than others.

* Symantec and Ponemon Institute, “2013 Cost of Data Breach Study United States,” May 2013

Customer Churn following a security breach by industry (industries and values paired in the order they appear in the extracted chart):

Public: 0.3%

Retail: 1.3%

Communications: 1.5%

Media: 2.0%

Hospitality: 2.5%

Technology: 2.6%

Industrial: 2.7%

Consumer: 2.9%

Transportation: 3.3%

Services: 3.8%

Pharmaceutical: 4.2%

Healthcare: 4.5%

Financial Services: 4.5%

Page 15: Managing third party risks and rewards

Changing Regulatory Drivers Force Businesses to Focus on Third Party Risk Management

In the last 10-15 years, multiple new regulations in all industries have demanded increased focus on how organizations monitor third parties. To enable compliance, each organization should validate existing processes against current regulatory guidance through a gap analysis.

Timeline, 1996 to 2013:

• August 1996: Health Insurance Portability and Accountability Act (HIPAA)

• July 2001: GLBA, Gramm-Leach-Bliley Act

• November 2001: OCC Bulletin 2001-47, Oversight and Management of Third-Party Relationships

• May 2002: OCC Bulletin 2002-16, Foreign 3rd-Party Service Providers

• May 2007: H.F. 1758, MN Plastic Card Security Act

• November 2007: HITECH Act

• January 2010: NRS 603A, NV Data Security Law

• March 2010: 201 Mass. Code Regs. 17, MA Data Security Law

• July 2010: Wash. H.B. 1149, WA Data Security Law

• January 2011: PCI-DSS v2.0, Payment Card Industry Data Security Standard

• March 2012: CFPB Bulletin 2012-03

• March 2013: CFPB Bulletin 2013-02

• June 2013: CFPB Bulletin 2013-06

• August 2013: PCI-DSS v3.0, Payment Card Industry Data Security Standard

• October 2013: OCC Bulletin 2013-29

• December 2013: FRB SR 13-19

Page 16: Managing third party risks and rewards

Comments organizations have shared with us regarding their Third Party Risk challenges

Page 17: Managing third party risks and rewards


Here are some of the comments organizations have shared with us regarding their Third Party Risk challenges

We were told by our vendor that their SOC 1 or 2 is enough. Is that sufficient?

We have inadequate resources to assess our high risk population on an ongoing basis.

Where do we start? We have no pre-contract TPRM process in place.

We don't centrally manage our TPRM.

I have operational staff focused on TPRM and they aren't risk and controls specialists.

My vendors have vendors. How do we address the risks associated with those, “Fourth party” vendors?

Page 18: Managing third party risks and rewards

Implementing a third party risk management program: Assess vendor operations (example assessment model)

Spectrum of Review, in the order shown on the slide along an axis of increasing amount of effort & cost:

• Self-Assessments

• Reviews of existing reports (e.g., SOC 2)

• Remote assessments (documentation reviews with third party)

• Desktop assessments (telephone/WebEx)

• Onsite assessments

Assessment method quantities shown in the chart: 80%, 10%, 5%, 5% and 0%, with a “No Action” category; the extraction does not preserve which share belongs to which method.

The results of the risk profiling should drive the method used to assess the vendors. During the first year of implementation, the onsite assessment may be used for a majority of third parties, but as the program matures, the number of third parties requiring onsite assessments can decrease.

Page 19: Managing third party risks and rewards

Audience Question: Stratification

Do you currently have a process to stratify vendors into different risk categories (e.g., Critical, High, Moderate, and Low)?

Page 20: Managing third party risks and rewards

Risk modeling framework: Inherent risk

Building the inventory (from Total Vendor Inventory to Higher Risk Vendor Relationships):

• Begin with the general ledger and remove categories that don’t pose risk.

• Identify and remove services that will have risk management by other means.

• Prioritize higher risk services provided by third-parties; higher risk vendors are identified for review.

Higher risk vendor relationships receive more due diligence, lower risk relationships less. The review covers both vendor controls and the organization’s own controls.

Assessment workflow for each vendor identified for review:

• Gather product/service information.

• Calculate the Inherent Risk Factor.

• For Vendors deemed of high or moderate Inherent Risk, complete questionnaires / assessments.

• Perform control effectiveness evaluation.

• Provide effectiveness ratings indicating the results of each assessment of the product / service.

• Residual Risk Score and Rating is calculated.

• Conclude on whether to proceed with the Vendor.
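The two flows on this slide (narrowing the general ledger to a vendor inventory, then scoring inherent and residual risk to conclude whether to proceed) as an added worked example in Python. It is not PwC’s model or code: the attribute weights, tier floors, the 1–5 control-rating scale, the tier-to-assessment-method mapping and the vendor records are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed scoring model for this example (not PwC's): points added to the
# Inherent Risk Factor per attribute. Data types follow the deck's list of
# data that typically needs protection (IP, PII, PCI, PHI).
DATA_WEIGHTS = {"PII": 3, "PHI": 4, "PCI": 4, "IP": 3}
CRITICALITY_WEIGHTS = {"low": 0, "medium": 2, "high": 4}  # business continuity impact
OFFSHORE_WEIGHT = 2        # global geographic location risk
SUBCONTRACTOR_WEIGHT = 1   # "fourth party" exposure

# Assumed tier floors, checked from highest to lowest.
TIER_THRESHOLDS = [("Critical", 10), ("High", 7), ("Moderate", 4), ("Low", 0)]

# Assumed mapping of tier to a method on the deck's spectrum of review.
ASSESSMENT_BY_TIER = {
    "Critical": "Onsite assessment",
    "High": "Remote assessment",
    "Moderate": "Self-assessment / review of existing reports (e.g., SOC 2)",
    "Low": "No action",
}

# Constructed general-ledger categories that pose no third-party risk.
NO_RISK_CATEGORIES = {"office supplies", "catering"}


@dataclass
class Vendor:
    name: str
    gl_category: str
    data_types: List[str] = field(default_factory=list)
    criticality: str = "low"
    offshore: bool = False
    uses_subcontractors: bool = False
    managed_elsewhere: bool = False  # risk managed by another program
    # Control effectiveness ratings per domain, 1 (ineffective) to 5 (effective);
    # None means the questionnaire / assessment has not been completed yet.
    control_ratings: Optional[Dict[str, int]] = None


def build_inventory(gl_vendors: List[Vendor]) -> List[Vendor]:
    """Start from the general ledger, drop categories that pose no risk, then
    drop services whose risk is managed by other means."""
    return [v for v in gl_vendors
            if v.gl_category not in NO_RISK_CATEGORIES and not v.managed_elsewhere]


def inherent_risk(v: Vendor) -> int:
    """Inherent Risk Factor: additive score over the assumed risk attributes."""
    score = sum(DATA_WEIGHTS.get(d, 0) for d in v.data_types)
    score += CRITICALITY_WEIGHTS[v.criticality]
    if v.offshore:
        score += OFFSHORE_WEIGHT
    if v.uses_subcontractors:
        score += SUBCONTRACTOR_WEIGHT
    return score


def tier_for(score: float) -> str:
    for name, floor in TIER_THRESHOLDS:
        if score >= floor:
            return name
    return "Low"


def residual_risk(inherent: int, ratings: Dict[str, int]) -> float:
    """Residual risk = inherent risk scaled by the share of control weakness:
    an average rating of 5 leaves no residual, an average of 1 leaves all of it."""
    avg = sum(ratings.values()) / len(ratings)
    weakness = (5 - avg) / 4
    return round(inherent * weakness, 2)


def assess(v: Vendor) -> dict:
    """Run one vendor through the workflow and conclude whether to proceed."""
    inh = inherent_risk(v)
    tier = tier_for(inh)
    result = {"vendor": v.name, "inherent": inh, "tier": tier,
              "method": ASSESSMENT_BY_TIER[tier], "residual": None,
              "residual_tier": None, "decision": None}
    if tier == "Low":
        result["decision"] = "proceed (no assessment required)"
    elif v.control_ratings is None:
        result["decision"] = "pending: questionnaire / assessment not completed"
    else:
        res = residual_risk(inh, v.control_ratings)
        result["residual"] = res
        result["residual_tier"] = tier_for(res)
        result["decision"] = ("proceed" if result["residual_tier"] in ("Low", "Moderate")
                              else "escalate to risk committee")
    return result


def stratify(gl_vendors: List[Vendor]) -> List[dict]:
    return [assess(v) for v in build_inventory(gl_vendors)]


# Constructed sample general-ledger vendor list.
SAMPLE_GL = [
    Vendor("Acme Payments", "payment processing", ["PCI", "PII"], "high",
           uses_subcontractors=True,
           control_ratings={"access control": 4, "encryption": 5, "incident response": 3}),
    Vendor("Paper Supply Co", "office supplies"),
    Vendor("Offshore Dev Shop", "software development", ["IP", "PII"], "medium",
           offshore=True, uses_subcontractors=True,
           control_ratings={"access control": 1, "secure SDLC": 2, "incident response": 2}),
    Vendor("Parent Payroll Services", "payroll", ["PII"], "high", managed_elsewhere=True),
    Vendor("Benefits Admin Inc", "benefits administration", ["PHI", "PII"], "medium"),
    Vendor("Green Grounds", "facilities"),
]

if __name__ == "__main__":
    for r in stratify(SAMPLE_GL):
        print(f"{r['vendor']:<24} inherent={r['inherent']:>2} {r['tier']:<8} "
              f"residual={r['residual']} -> {r['decision']}")
```

Running it prints one line per vendor in the filtered inventory. The two ledger entries that drop out (a no-risk category and a service managed by another program) are never scored, which is the point of stratification on this slide: assessment effort concentrates on the higher-risk relationships, and a Critical-tier vendor with strong control ratings can still end with a low residual score while a vendor with weak controls is escalated.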

Page 21: Managing third party risks and rewards

We have observed that most organizations have not yet adopted stratification, a leading practice in managing Third Party risk

Adding to the challenge of effectively managing vendor-related risk, we see today’s companies also struggling with:

• Managing inbound requests from service organizations

• Implementing formal enterprise-wide TPRM governance (Compliance and Enterprise risk management, etc.)

• Maintaining an accurate and complete inventory of vendors

• Incorporating other third-party relationships into their TPRM programs (e.g., business partners, joint ventures, distribution channels, attorneys, utilities, etc.)

• Establishing standard operational risk methodologies and policies

• Identifying/using TPRM key risk indicators

• Implementing and using technology to adequately support the TPRM program, taking some of the burden from the business

• Staying ahead of, and effectively complying with, changing regulatory requirements

Our observations are underscored by the results of PwC’s Global State of Information Security Survey 2013:

• Only 69% of the surveyed companies lack an accurate inventory of locations or jurisdictions where data is stored¹

• 74% of companies do not have a complete inventory of all third parties that handle personal data of their employees and customers

• 73% of companies lack incident response processes to report and manage breaches to third parties that handle data¹

Types of data that typically need to be protected:

• Intellectual Property (IP)

• Personally Identifiable Information (PII)

• Payment Card Industry (PCI)

• Protected Health Information (PHI)

Page 22: Managing third party risks and rewards

Insights and Lessons Learned

Page 23: Managing third party risks and rewards

Insights and Lessons Learned

Protect Information and Manage Compliance

You can outsource a process but you cannot outsource the risk or liability. Regulations are applying enhanced vendor risk management requirements. Additionally, protecting the brand requires a close look at vendor risk management.

Aligning to a common risk language and process

Agreeing upon a common set of terms and definitions is necessary to create a consistent process for defining, managing and measuring third party risks. Once done, it is easier to develop new processes to address changes to regulatory and business requirements.

Leveraging effective processes and technologies

Leading tools and technology drive groups to use common risk management processes, which enhances the effectiveness and efficiency of the TPRM program. This allows management to have a better view of metrics and enables them to make better decisions around governance, risk and compliance management and the corresponding communications.

Disciplined information flow

Communication to stakeholders, employees and business partners is critical throughout the entire third party risk management program process. Managing these communications throughout the development of the program is critical for success.

Clear business engagement

Working in a transparent and integrated fashion with all functional and operating group stakeholders is required to develop a solution that delivers against the needs of the organization. Many companies have a designated liaison in the business to build relationships, increase awareness and harmonize business needs with third party risk capabilities.

“Work Smarter NOT Harder”

When designing a third party risk management program, focus on having the third parties do as much of the “heavy lifting” as possible, to reduce the operational burden of the program on the enterprise. This can be accomplished through the use of automated workflow and by leveraging third party accessible tactical and strategic technology solutions.

“Start Smart”

By focusing on the target operating model when designing a third party risk management program, significant cost savings and minimal operational impact to business operations may be achievable. Areas that help include third party stratification, leveraging existing risk processes and governance structures, focusing on products/services, leveraging the three-lines-of-defense model, etc.

Page 24: Managing third party risks and rewards


Q&A

The information contained in this document is shared as a matter of courtesy and for information or interest only. PwC has exercised reasonable professional care and diligence in the collection, processing, and reporting of this information. However, data used may be from third-party sources and PwC has not independently verified, validated, or audited such data. PwC does not warrant or assume any legal liability or responsibility for the accuracy, adequacy, completeness, availability and/or usefulness of any data, information, product, or process disclosed in this document; and is not responsible for any errors or omissions or for the results obtained from the use of such information. PwC gives no express or implied warranties, including, but not limited to, warranties or merchantability or fitness for a particular purpose or use. In no event shall PwC be liable for any indirect, special, or consequential damages in connection with use of this document or its content. Information presented herein by a third party is not authored, edited or reviewed by PwC and PwC is not endorsing third parties or their views. Reproduction of this document or recording of its presentation, in whole or in part, in any form, is prohibited except with the prior written permission of PwC. Before making any decision or taking any action, you should consult a competent professional adviser.

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.