Centralized & Standardized Approach Third Party Risk Management


1 Centralized & Standardized Approach Third Party Risk Management

2 Why Outsource Services?
- Focus on your core competencies
- Reduce labor costs
- Increased efficiencies
- Economies of scale for the vendor, better pricing for the client
- Access to the best tools and resources
However... you cannot outsource liability, so you must have a robust oversight program.

3 Risks of Outsourcing
- Regulatory Compliance
- Information Security
- Reputational Risks
- Business Continuity
- Operational Risks
- Privacy
- Quality
- Code of Conduct/Ethics
- Environmental
- Geo-Political
- Health & Safety
- Labor Standards
- Supply Chain Risks

4 Typical TPRM Reporting Structures
Functions that TPRM typically reports into, and the focus each brings:
- Finance (commodity type)
- Legal (contract focus)
- Risk Management (TPRM)
- Business Line

5 Cross-Functional TPRM Program
Functions participating in the Third Party Risk Management Program:
- Program Support/Tools
- Compliance
- Sourcing & Procurement
- Business Units
- Enterprise & Operational Risk
- Legal
- Internal Audit
- Information Technology Risk Office
- Information Security
- Third Parties
Theme: CENTRALIZATION

6 Regulatory Recommended 4 Elements of TPRM
- Outsourcing Risk Analysis
- Pre-Engagement Due Diligence
- Contract Negotiation & Restructuring
- Ongoing Monitoring & Performance
Theme: STANDARDIZATION

7 Oversight Lifecycle
- Registration
- Outsourcing Risk Analysis
- Exit Strategy
- Pre-Engagement Due Diligence
- Request for Proposal
- Contracting
- Ongoing Monitoring
- Audit & Inspection
- Issue Management
- Termination/Renewal

8 Aligning Due Diligence
Tiering risk and aligning due diligence to the tier:
- Tier 1 (highest risk): onsite audits
- Tier 2: desk audit
- Tier 3 (lowest risk): performance scoring
Screening: Financial, Reputation, OFAC, Exclusionary
Theme: STANDARDIZATION

9 Audit Process
- Tiering
- Recurring Schedule
- Auditor Independence

10 Audit Scope (STANDARDIZATION)
General Information
- Organization structure
- Third-party relationships
- Discuss site logistics and touring: operational facility, data center, off-site record retention, etc.
- Audit type: Offshore, State-Side, Vertical Audit, Follow-up Audit (issues/remediation, pending action items)
Service to Ocwen
- Services provided to Ocwen
- Process flow of service
- Customer contact
- Data/Non-Public Information (NPI) movement
- Ocwen network/application access
- Business rules (adequacy and completeness to ensure Ocwen, investor and regulatory compliance)
- SLA compliance/reporting
- Score-carding (adequate performance metrics)
- Review Due Diligence Package (DDP) for any questions/concerns
Quality Control & Assurance
- Structure
- Program detail
- Reviews/testing conducted
- Documented/communicated results and reporting
Compliance (Local, Federal Regulatory, State, Ocwen/Investor)
- Applicable laws, regulations, requirements
- Discuss program methodology
- Business rules (adequacy and completeness to ensure Ocwen, investor and regulatory compliance)
- Assurance of proportionate service/care across geographical and demographic areas
- Complaints (sources, escalation process, reporting)
- Compliance training
BCP/Disaster Recovery
- Review plans
- Review results
- Relevant failures remediated, etc.

11 Audit Scope Cont'd (STANDARDIZATION)
Vendor Management
- Identify high-risk third-party vendors
- Identification, screening, monitoring, supervision
Observation & Interview with Processing Team/Representative of Core Ocwen Service
- Scheduled & deviation processing
- Control points
- Status reporting
- Incident reports
Information Security
- Policy/procedures/governance
- Network infrastructure/architecture
- Data flow
- Encryption
- Access/data security/audit & recovery
- Back-up process
- Incident reporting/response process
- Cloud computing
- Remote access
- Mobile devices
Physical Security Coordinator
- Discuss physical security program
- Observe site physical security
Human Resources/Recruiting
- Internal & contractors
- Hiring practices & requirements
- Communication of job duties
- Structure of monitoring/supervision
- Logical and physical security access authorizations
- Review hiring, termination and requirements documents
Facility Tour
- Physical security: internal & access security
- Observe processing areas
- Data/server security, etc.
Accounts Receivable: Invoicing to Ocwen
- Fee schedule and SLA
- Reconciliation process
- Billing accuracy assurance

12 Controls Reviewed (STANDARDIZATION)
- Vendor Management
- Physical & Logical Security Controls
- Human Resources Management
- Network Management
- Training/Certifications
- Encryption
- Business Continuity Planning (BCP)
- Remote Access
- Disaster Recovery (DR)
- Mobile Devices
- Regulatory Compliance
- Change Management
- Incident Response
- Cloud Computing
- Management Reporting
- Password Management
- Quality Management System

13 Why Centralize TPRM?
- Ensure all vendors, corporate-wide, are vetted and managed to the same standards
- Ensure an end-to-end process flow without gaps
- Ensure all vendor data is secured in a single database and retained per corporate policy
- Ensure all vendor audit and performance issues are reported and managed in a timely manner
- Single source of reporting
- Most efficient use of resources
- Eliminate duplication of effort/review

14 Trends
Standardization
- Shared Assessments: Standardized Information Gathering (SIG) questionnaire
- Mortgage Bankers Association (MBA) Default Firm Project
- Contract templates
Tools Standardization
- Vendor oversight (ProcessUnity, MetricStream, ServiceNow, etc.)
- Security scoring (BitSight, SecurityScorecard, etc.)
- Financial reviews (RapidRatings, IDC, Experian, etc.)
- Reputation monitoring (LexisNexis (World Compliance), Google, etc.)
- GRC (regulatory/standard libraries, issue management, etc.)
Other Trends
- Reliance on SOC reports (confirm the report type, scope, period covered and complementary user entity controls rather than accepting the opinion alone)
- Social media
- Focus on third party program strength
- 4th Party Oversight
- Cloud security
- Incident management
- Cyber security issues

15 Questions
D. Michelle Murphy, Esq. https://www.linkedin

