Third Party Risk Management: What Regulators are Focused on Now and Why

Tom Ciardiello, Vice President, Strategic Sourcing, Options Clearing Corporation (312.322.4984)
Linda Tuck Chapman, President, Ontala Performance Solutions (416.452.4635)

sig.org/eval
About Options Clearing Corporation
As the world's largest equity derivatives clearing house, our mission is to provide market participants with innovative risk management solutions. We pride ourselves on offering industry leading efficiencies in the clearing and settlement of options, futures and other financial transactions. We also value the important role we play in educating investors and the public about the prudent use of options and futures markets. As a systemically important institution, we recognize our critical role in promoting financial stability and integrity in every market we serve.
Options Clearing Corporation is the world's largest equity derivatives clearing organization. OCC is dedicated to promoting stability and financial integrity in the marketplaces that it serves by focusing on sound risk management principles. By acting as guarantor, OCC ensures that the obligations of the contracts it clears are fulfilled.
© 2016 ONTALA Performance Solutions Ltd.
© 2016 Crowe Horwath LLP
Confidential Information. Do not copy or distribute.
Ontala Performance Solutions: Practicing Thought Leaders

Ontala Performance Solutions, in association with Crowe Horwath Global Risk Consulting, are experienced practitioners and experts in third party risk management. We publish timely information, conduct educational events, and deliver relevant market insight on critical topics such as emerging risks, regulatory compliance, and industry trends.
What we'll talk about today

1. Context for Action
2. Compliance versus risk management
3. What is a "non-vendor" third party?
4. Assessing material sub-contractor risk
5. Monitoring critical relationships
6. Concentration risk
1. Context for action – recent regulatory criticism

• The 2015 RMA Third Party Risk Management survey provided interesting data and insight into the current regulatory environment. Areas of regulatory criticism, by institution asset size:

Area of criticism                              < $10B    $10–50B   $50–100B   > $100B
Completeness – full lifecycle of "vendors"     8.9%      25%       0%         26.3%
Completeness – includes all "non-vendors"      4.4%      25%       12.5%      21.1%
Consistency – across all lines of business     8.9%      12.5%     12.5%      47.4%
Due Diligence – quality, completeness, docs    17.8%     37.5%     12.5%      21.1%
Business Continuity Mgmt (new Appendix J)      15.6%     37.5%     0%         10.5%
Governance and Oversight                       4.4%      12.5%     0%         36.8%
Effective Challenge                            0%        0%        0%         15.8%
Monitoring                                     20%       25%       0%         21.1%
Reporting                                      2.2%      0%        12.5%      15.8%
Other                                          46.7%     25%       62.5%      42.1%
2. Operating Framework: identifying and assessing risk, and managing risk

3PRM Operating Framework

Our proprietary Operating Framework addresses the entire lifecycle of relationships. Lifecycle stages shown in the framework diagram, in lifecycle order:
- Business Strategy
- Strategic Sourcing / Business-led Sourcing
- Preliminary Risk Assessment Questionnaire
- Validation & Approval
- "Risk SME" Due Diligence
- Residual Risk Assessment Questionnaire
- Controls Design
- Residual Risk Rating
- Risk Acceptance
- Negotiations & Contracting
- Contract Execution
- Post-contract Management & Monitoring
- Periodic Re-assessment
- Renew or Terminate
2. Governance Framework: managing and monitoring risk

Our proprietary Governance Framework defines effective oversight and governance. Elements shown in the framework diagram:

Governance bodies: Board of Directors; Enterprise Risk Management (ERM); 3PRM Governance Committee

Framework pillars: Governance & Oversight; Policies & Standards; Assessments & Controls; Enablement & Evidence; Insight & Action

Framework elements:
- Third Party Risk Management
- Delegated Authority
- Operational Risk Management
- Risk SME Due Diligence
- Escalation and Remediation
- Risk Controls
- Effective Challenge
- KRIs and KPIs
- Contract Terms and Conditions
- Process-based Procedures
- Management and Monitoring
- "Book of Record" – workflow, evidence and QA reviews
- Performance and Risk Reporting
- Trend Analysis & Reporting
3. What is a "Non-Vendor" third party?

RMA Third Party Risk Management Roundtable members developed the following definitions, which are now in common use.

Third party (overall): An entity, including an affiliate, that has a business relationship with the institution or its customers, and is not itself a customer. Third party relationships include:

Non-vendor third party: "Non-vendor" third party relationships are typically acquired by a business line/segment directly, not through a sourcing/procurement function. Financial remuneration, if applicable, is typically transacted outside of Accounts Payable processes. These relationships may be managed solely by a business line/segment, or managed in conjunction with a corporate risk management function.

Vendor third party: "Vendor" third parties are service providers that provide a product or service to the institution. These relationships are typically sourced through a sourcing/procurement process. Payment is typically transacted by Accounts Payable.
Non-Vendor program coverage

The 2015 RMA Survey provides information about the scope and maturity of non-vendor third party management. Program coverage by non-vendor type:

Analysts and Advisors                        40%
Agents                                       54.5%
Affiliates                                   60.6%
Affinity Relationships                       36.3%
Alliances, Partnerships                      48.5%
Brokers                                      45.5%
Correspondent Banking                        63.6%
Counterparties                               36.4%
Debt Underwriters, Securitization, Trustees  30.3%
Financial Product Providers                  51.5%
Financial Market Utilities (FMUs)            75.8%
Government Special Purpose Entity            48.5%
Indirect Lending                             33.3%
Joint Marketing / Co-branding                57.6%
Rating Agencies                              42.4%
Servicers                                    54.5%
Tenants                                      21.2%
Trade Associations                           42.4%
Wholesale Banking Relationships              63.6%
Non-Vendor programs: current state

Rate the maturity level of your "non-vendor" Third Party Risk Management program.

Maturity level                            < $10B   $10–50B   $50–100B   > $100B
Fully mature                              15.6%    25%       0%         10.5%
Will be fully mature in < a year          24.4%    25%       62.5%      15.8%
Doesn't address the full lifecycle yet    20%      0%        25%        26.3%
New or underway                           40%      50%       12.5%      47.4%

[Chart: Inventory substantially complete? – $50–100B: 62.50%; > $100B: 26.30%]
[Chart: Programs substantially similar? – $50–100B: 87.50%; > $100B: 36.80%]

Not there yet
4. Assessing material sub-contractor risk

The 2015 RMA Survey reveals immaturity in rigor for assessing and controlling material subcontractor risks. How material sub-contractors (fourth parties) are identified, by institution asset size:

Method of identification                                                  < $10B   $10–50B   $50–100B   > $100B
Identified during the RFP / selection process                             37.8%    75%       50%        57.9%
Rely on contractual terms with third parties                              62.2%    62.5%     62.5%      68.4%
Third party must update list of material fourth parties annually          6.7%     25%       0%         15.8%
Identified by automated assessment in third party risk management system  2.2%     12.5%     25%        15.8%
Other (please specify)                                                    8.9%     25%       50%        21.1%
5. Monitoring critical relationships

Relationship Managers in the first line of defense should have defined responsibilities, including frequency and documentation requirements, to manage:
- Performance
- Costs
- Risks
- Compliance to contract terms, laws and regulations
- Business resilience
- Negative news
- Issues and incidents
- Strategic fit

Risk Control groups in the second line of defense should have defined responsibilities, including frequency and documentation requirements, to monitor and reassess:
- Risks
- Technology requirements/fit
- Strategic fit
For more information on the RMA 2015 Survey, the executive summary can be downloaded at:
http://www.rmahq.org/2015-rma-third-party-vendor-risk-management-survey/
Your presenters
Tom Ciardiello
Vice President, Strategic Sourcing
and Vendor Management Office
Options Clearing Corporation
312.322.4984
Linda Tuck Chapman
CPO Emeritus
President, ONTALA Performance Solutions Ltd
in association with Crowe Horwath
416.452.4635
Evaluation How-to

Why? Your feedback drives SIG Event content. By signing and submitting your evaluation, you are automatically entered into a prize drawing.

How?
Option 1: App
1. Select Schedule
2. Select Schedule by Day
3. Select Day
4. Select Session
5. Scroll to Description
6. Click on the Evaluation link

Option 2: Browser
1. Go to www.sig.org/eval
2. Select Session (#S26)

Complete & submit eval. Tweet: #SIGspring16

Session #26
Third Party Risk Management: What Regulators are Focused on Now and Why
www.sig.org/eval
Download the App: bit.ly/SIGOrlando