Presentation is loading. Please wait.

Presentation is loading. Please wait.

Centralized & Standardized Approach Third Party Risk Management

Published byGeorgia Cook Modified over 6 years ago

Similar presentations

Presentation on theme: "Centralized & Standardized Approach Third Party Risk Management"— Presentation transcript:

1 Centralized & Standardized Approach Third Party Risk Management

2 Why Outsource Services?
Focus on Your Core Competencies Reduce Labor Costs Increased Efficiencies Economies of scale for Vendor – Better pricing for Client Access to Best Tools & Resources However… You Cannot Outsource Liability So You Must Have a Robust Oversight Program

3 Risks of Outsourcing Regulatory Compliance Information Security
Reputational Risks Business Continuity Operational Risks Privacy Quality Code of Conduct/Ethics Environmental Geo-Political Health & Safety Labor Standards Supply Chain Risks

4 Typical TPRM Reporting Structures
Finance Commodity Type Legal Contract Focus Risk Management TPRM Business Line Typical TPRM Reporting Structures

5 Cross-Functional TPRM Program
Third Party Risk Management Program Program Support/ Tools Compliance Sourcing & Procurement Business Units Enterprise & Operational Risk Legal Internal Audit Information Technology Risk Office Information Security Third Parties CENTRALIZATION

6 Regulatory Recommended 4 Elements of TPRM
Outsourcing Risk Analysis Pre-Engagement Due Diligence Contract Negotiation & Restructuring Ongoing Monitoring & Performance STANDARDIZATION

7 Oversight Lifecycle Registration Outsourcing Risk Analysis
Exit Strategy Pre-Engagement Due Diligence Request for Proposal Contracting Ongoing Monitoring Audit & Inspection Issue Management Termination/Renewal

8 Aligning Due Diligence
Tiering Risk & Aligning Due Diligence Tier 1 Highest Risk Onsite Audits Tier 2 Desk Audit Tier 3 Lowest Risk Performance Scoring Financial Reputation OFAC Exclusionary STANDARDIZATION

9 Audit Process Tiering Recurring Schedule Auditor Independence

10 STANDARDIZATION Audit Scope General Information Organization structure
Third-party relationships Discuss site logistics and touring; operational facility, data center, off-site record retention, etc. Offshore State-Side Vertical Audit Follow-up Audit Issues/Remediation Pending Action Items Service to Ocwen Services provided to Ocwen Process Flow of Service Customer Contact Data/Non-Public Information (NPI) Movement Ocwen Network/Application Access Service to Ocwen (continued) Business Rules (Adequacy and completeness to ensure Ocwen, Investor, Regulatory compliance) SLA compliance/Reporting Score-carding (adequate performance metrics) Review Due Diligence Package (DDP) for any questions/concerns Quality Control & Assurance Structure Program Detail Reviews/Testing Conducted Documented/Communicated Results and Reporting Compliance (Local, Federal Regulatory, State, Ocwen/Investor) Applicable Laws, Regulations, Requirements Discuss program methodology Business Rules (Adequacy and completeness to ensure Ocwen, Investor, Regulatory compliance) Assurance for proportionate service/care across geographical, demographic areas Complaints (sources, escalation process, reporting.) Compliance Training BCP/Disaster Recovery Review Plans Review Results Relevant Failures Remediated, etc… STANDARDIZATION

11 STANDARDIZATION Audit Scope Cont’d Vendor Management
Identify high-risk third-party vendors Identification Screening Monitoring Supervision Observation & Interview with Processing Team/Representative of Core Ocwen Service Scheduled & Deviation Processing Control Points Status Reporting Incident Reports Information Security Policy/Procedures/Governance Network Infrastructure / Architecture Data Flow Encryption Access/ Data Security/Audit & Recovery Back-up Process Incident Reporting/ Response Process Cloud Computing Remote Access Mobile Devices Physical Security Coordinator Discuss Physical Security Program Observe Site Physical Security Human Resources/Recruiting Internal & Contractors Hiring Practices & Requirements Communication of Job Duties Structure of Monitoring/Supervision Logical and physical security access authorizations Review hiring, termination and requirements documents Facility Tour Physical security - Internal & access security Observe Processing Areas Data/Server Security, etc… Accounts Receivable – Invoicing to Ocwen Fees Schedule and SLA Reconciliation Process Billing Accuracy Assurance STANDARDIZATION

12 STANDARDIZATION Controls Reviewed Vendor Management
Physical & Logical Security Controls Human Resources Management Network Management Training/Certifications Encryption Business Continuity Planning (BCP) Remote Access Disaster Recovery (DR) Mobile Devices Regulatory Compliance Change Management Incident Response Cloud Computing Management Reporting Password Management Quality Management System STANDARDIZATION

13 Why Centralize TPRM? Ensure all vendors, corporatewide, are vetted and managed to same standards Ensure end-to-end process flow without gaps Ensure all vendor data is secured in single database and retained per corporate policy Ensure all vendor audit and performance issues are timely reported and managed Single source of reporting Most efficient use of resources Eliminate duplication of effort/review

14 Trends Standardization 4th Party Oversight Issues
Shared Assessment - Standard Information Gathering (SIG) Mortgage Bankers Association (MBA) Default Firm Project Contract Templates Tools Standardization Vendor Oversight (Process Unity, Metric Stream, ServiceNow, etc.) Security Scoring (Bitsight, Security Scorecard, etc.) Financial Reviews (Rapid Ratings, IDC, Experian, etc. ) Reputation Monitoring (Lexis Nexis (World Compliance), Google, etc.) GRC (Reg/Standard Libraries, Issue Management, etc.) Reliance on SOC reports Social Media Focus on Third Party program strength 4th Party Oversight Cloud Security Incident Management Cyber Security Issues

15 Questions. D. Michelle Murphy, Esq. https://www. linkedin

Download ppt "Centralized & Standardized Approach Third Party Risk Management"

Similar presentations

SERVICE LEVEL AGREEMENTS The Technical Contract Within the Master Agreement.

SERVICE LEVEL AGREEMENTS The Technical Contract Within the Master Agreement.
IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.

IS BIG DATA GIVING YOU A BIG HEADACHE? Risk Reduction - Transactional, International and Liability Issues Oregon State Bar Corporate Counsel Section Fall.
Audit Considerations of Data Center Consolidation Jon Ingram Audit Manager Information Technology Audits Florida Auditor General 1.

Audit Considerations of Data Center Consolidation Jon Ingram Audit Manager Information Technology Audits Florida Auditor General 1.
1 Outsourcing Contract and Service Level Issues Sharon O’Bryan Week 5 November 2, 2004.

1 Outsourcing Contract and Service Level Issues Sharon O’Bryan Week 5 November 2, 2004.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Security Controls – What Works

Security Controls – What Works
Vendor Management Frequent regulatory findings:

Vendor Management Frequent regulatory findings:
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.

Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
IT Service Delivery And Support Week Eight IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA CISA CISSP) 1.

IT Service Delivery And Support Week Eight IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA CISA CISSP) 1.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.
Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM 817.352.4929 or

Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM or
TOP 10 TECHNOLOGY INITIATIVES © 2013 - Robert G. Parker S-1 9. Preventing and Responding to Computer Fraud IT Security Ranked #2 Preventing and Responding.

TOP 10 TECHNOLOGY INITIATIVES © Robert G. Parker S-1 9. Preventing and Responding to Computer Fraud IT Security Ranked #2 Preventing and Responding.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
ISM Workshop 1 Independent Oversight Perspectives Michael A. Kilpatrick Deputy Director Office of Security and Safety Performance Assurance.

ISM Workshop 1 Independent Oversight Perspectives Michael A. Kilpatrick Deputy Director Office of Security and Safety Performance Assurance.
Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.
1 DOE 450.1 IMPLEMENTATION WORKSHOP ASSESSING MY EMS Steven R. Woodbury 202-586-4371

1 DOE IMPLEMENTATION WORKSHOP ASSESSING MY EMS Steven R. Woodbury
Managing Third Party Risk In a world fraught w/Risk Trust In the Cloud How are you Protecting Customer Data? February 26, 2014 Case Study Vincent Campitelli.

Managing Third Party Risk In a world fraught w/Risk Trust In the Cloud How are you Protecting Customer Data? February 26, 2014 Case Study Vincent Campitelli.

Similar presentations

Ads by Google