Centralized & Standardized Approach Third Party Risk Management

Why Outsource Services?
- Focus on your core competencies
- Reduce labor costs
- Increased efficiencies
- Economies of scale for the vendor; better pricing for the client
- Access to best tools and resources

However... you cannot outsource liability, so you must have a robust oversight program.

Risks of Outsourcing
- Regulatory compliance
- Information security
- Reputational risks
- Business continuity
- Operational risks
- Privacy
- Quality
- Code of conduct/ethics
- Environmental
- Geo-political
- Health & safety
- Labor standards
- Supply chain risks

Typical TPRM Reporting Structures
TPRM may report into any of the following:
- Finance (commodity type)
- Legal (contract focus)
- Risk Management
- Business Line

Cross-Functional TPRM Program (CENTRALIZATION)
The Third Party Risk Management Program sits at the center, working with:
- Program Support/Tools
- Compliance
- Sourcing & Procurement
- Business Units
- Enterprise & Operational Risk
- Legal
- Internal Audit
- Information Technology Risk Office
- Information Security
- Third Parties

Regulatory Recommended 4 Elements of TPRM (STANDARDIZATION)
1. Outsourcing Risk Analysis
2. Pre-Engagement Due Diligence
3. Contract Negotiation & Restructuring
4. Ongoing Monitoring & Performance

Oversight Lifecycle
- Registration
- Outsourcing Risk Analysis
- Exit Strategy
- Pre-Engagement Due Diligence
- Request for Proposal
- Contracting
- Ongoing Monitoring
- Audit & Inspection
- Issue Management
- Termination/Renewal

Tiering Risk & Aligning Due Diligence (STANDARDIZATION)
- Tier 1 (highest risk): onsite audits
- Tier 2: desk audit
- Tier 3 (lowest risk): performance scoring
- Screening checks: financial, reputation, OFAC, exclusionary

Audit Process
- Tiering
- Recurring schedule
- Auditor independence

Audit Scope (STANDARDIZATION)

General Information
- Organization structure
- Third-party relationships
- Discuss site logistics and touring: operational facility, data center, off-site record retention, etc.
- Offshore / state-side
- Vertical audit

Follow-up
- Audit issues/remediation
- Pending action items

Service to Ocwen
- Services provided to Ocwen
- Process flow of service
- Customer contact
- Data/Non-Public Information (NPI) movement
- Ocwen network/application access
- Business rules (adequacy and completeness to ensure Ocwen, investor and regulatory compliance)
- SLA compliance/reporting
- Score-carding (adequate performance metrics)
- Review Due Diligence Package (DDP) for any questions/concerns

Quality Control & Assurance
- Structure
- Program detail
- Reviews/testing conducted
- Documented/communicated results and reporting

Compliance (local, federal regulatory, state, Ocwen/investor)
- Applicable laws, regulations, requirements
- Discuss program methodology
- Business rules (adequacy and completeness to ensure Ocwen, investor and regulatory compliance)
- Assurance of proportionate service/care across geographical and demographic areas
- Complaints (sources, escalation process, reporting)
- Compliance training

BCP/Disaster Recovery
- Review plans
- Review results
- Relevant failures remediated, etc.

Audit Scope, Cont'd (STANDARDIZATION)

Vendor Management
- Identify high-risk third-party vendors
- Identification, screening, monitoring, supervision

Observation & Interview with Processing Team / Representative of Core Ocwen Service
- Scheduled & deviation processing
- Control points
- Status reporting
- Incident reports

Information Security
- Policy/procedures/governance
- Network infrastructure/architecture
- Data flow
- Encryption
- Access / data security / audit & recovery
- Back-up process
- Incident reporting/response process
- Cloud computing
- Remote access
- Mobile devices

Physical Security
- Coordinator
- Discuss physical security program
- Observe site physical security

Human Resources/Recruiting
- Internal & contractors
- Hiring practices & requirements
- Communication of job duties
- Structure of monitoring/supervision
- Logical and physical security access authorizations
- Review hiring, termination and requirements documents

Facility Tour
- Physical security: internal & access security
- Observe processing areas
- Data/server security, etc.

Accounts Receivable – Invoicing to Ocwen
- Fee schedule and SLA reconciliation process
- Billing accuracy assurance

Controls Reviewed (STANDARDIZATION)
- Vendor Management
- Physical & Logical Security Controls
- Human Resources Management
- Network Management
- Training/Certifications
- Encryption
- Business Continuity Planning (BCP)
- Remote Access
- Disaster Recovery (DR)
- Mobile Devices
- Regulatory Compliance
- Change Management
- Incident Response
- Cloud Computing
- Management Reporting
- Password Management
- Quality Management System

Why Centralize TPRM?
- Ensure all vendors, corporate-wide, are vetted and managed to the same standards
- Ensure end-to-end process flow without gaps
- Ensure all vendor data is secured in a single database and retained per corporate policy
- Ensure all vendor audit and performance issues are reported and managed in a timely manner
- Single source of reporting
- Most efficient use of resources
- Eliminate duplication of effort/review

Trends

Standardization
- 4th party oversight issues
- Shared Assessments – Standardized Information Gathering (SIG)
- Mortgage Bankers Association (MBA) Default Firm Project
- Contract templates

Tools Standardization
- Vendor oversight (ProcessUnity, MetricStream, ServiceNow, etc.)
- Security scoring (BitSight, SecurityScorecard, etc.)
- Financial reviews (RapidRatings, IDC, Experian, etc.)
- Reputation monitoring (LexisNexis (World Compliance), Google, etc.)
- GRC (reg/standard libraries, issue management, etc.)

Other trends
- Reliance on SOC reports
- Social media
- Focus on third party program strength
- 4th party oversight
- Cloud security
- Incident management
- Cyber security issues

Questions? D. Michelle Murphy, Esq. https://www.linkedin