Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing 3 rd Party Risks During a Crisis Experis |, June 20131 Danny Shaw SE Practice Leader IT Risk Advisory Services Managing and mitigating the risks.

Published byVictor Otwell Modified over 10 years ago

Similar presentations

Presentation on theme: "Managing 3 rd Party Risks During a Crisis Experis |, June 20131 Danny Shaw SE Practice Leader IT Risk Advisory Services Managing and mitigating the risks."— Presentation transcript:

1 Managing 3 rd Party Risks During a Crisis Experis |, June 20131 Danny Shaw SE Practice Leader IT Risk Advisory Services Managing and mitigating the risks related to business partner relationships Third Party Portfolio Risk Management

2 Managing 3 rd Party Risks During a Crisis Experis |, June 20132 Why do we care ….. Theres a lot of $$$ involved! 95% of organizations buy or provide outsourcing services 75% of organizations spend upwards of 50% of their budgets on outsourcing A management team cannot claim to be in control of its business if it is not in control of the contracts the business depends on. What is more, any business that seeks competitive advantage must be committed to improving the performance of its procurement function. Gartner Research, Six Keys to Better Procurement Contract Management

3 Managing 3 rd Party Risks During a Crisis Experis |, June 20133 Objectives: Organizations frequently rely upon 3rd party service providers to deliver a wide variety of services and other activities. The What is your responsibility These arrangements may result in activities being outsourced in their entirety, but they do not relieve the hiring organizations of the responsibility for managing the activities and identifying/controlling the risks associated with the relationships. Learning Objective 1: Gain an understanding of the potential risks that may arise from the use of 3rd party service providers Learning Objective 2: Identify the basic elements of an effective 3rd party risk management program

4 Managing 3 rd Party Risks During a Crisis Experis |, June 20134 Vendor Risk Management Process The use of a 3 rd party service provider reduces managements direct control over the activities at hand, but therefore increases the need for oversight of the activities from start to finish. –The key to the effective use of a 3 rd party in any capacity is for the organization to appropriately assess, measure, monitor and control the risks associated with the relationship.

5 Managing 3 rd Party Risks During a Crisis Experis |, June 20135 Why do we care ….. Theres a lot of $$$ involved! 95% of organizations buy or provide outsourcing services 75% of organizations spend upwards of 50% of their budgets on outsourcing

6 Managing 3 rd Party Risks During a Crisis Experis |, June 20136 U.S. Government spends $550 billion annually on outsourced products and services 2013 Global Outsourcing Market for IT, BPO and call center services ALONE is $450B – Whos minding your assets?

7 Managing 3 rd Party Risks During a Crisis Experis |, June 20137 CASE STUDY: Boeing 787 Dreamliner

8 Managing 3 rd Party Risks During a Crisis Experis |, June 20138 A complex, integrated, interconnected environment Made of entirely new composite material 6,000 engineers 43 top tier suppliers on 3 continents 80% of production outsourced Exacting technological demands Overly ambitions production deadlines Supply chain issues + new technology + new approach = PROBLEMS

9 Managing 3 rd Party Risks During a Crisis Experis |, June 20139 The result? Plane delayed by 2+ years Upwards of $6 billion in lost profits Millions in contract penalties for late delivery Reputation took a hit Without collaboration and measurement the 300 year old parable still applies: of THE BLIND MEN AND THE ELEPHANT

10 Managing 3 rd Party Risks During a Crisis Experis |, June 201310 75% Reduce and control operating costs 65% Focus on core competencies 59% Resources not available internally 52% Reduce internal headcount 51% Reallocate internal resources for higher value purposes Top 5 Reasons Organizations Outsource

11 Managing 3 rd Party Risks During a Crisis Experis |, June 201311 69% IT (all categories) 29% Operations and administration 26% Customer service 21% Other (wide variety) 20% Financial (payroll, etc.) Top 5 Functions Outsourced

12 Managing 3 rd Party Risks During a Crisis Experis |, June 201312 Third-Party Arrangements - WHY? Appropriately managed 3rd-party relationships can: –Enhance competitiveness, –Provide diversification and –Help organizations to attain key strategic objectives. –FASCILITATE Business Continuity –They can facilitate an increase in revenue or a reduction of costs. However, these business arrangements can also present risks to the organization. The board of directors and senior management are ultimately responsible for –managing activities conducted through 3rd-party relationships –as well as identifying and controlling the risks arising from such relationships.

13 Managing 3 rd Party Risks During a Crisis Experis |, June 201313 Cloud Based 3rd-Party Arrangements Global cloud services revenue projected to reach –$149B by 2014 and –$241B by 2020. Information Security - nightmare or an enabler for cloud adoption, with recent increases in highly publicized cloud security breaches. cloud security

14 Managing 3 rd Party Risks During a Crisis Experis |, June 201314 Potential risks arising from 3rd-party relationships 3 rd party risk is not a simple, easily identifiable risk attribute, but rather a combination of risks ranging from the familiar to the highly complex. Such risks can vary greatly, depending upon the specific characteristics of each third-party arrangement. Risks Relationships are Associated as the following: –Strategic –Reputational –Operational –Transaction –Credit –Compliance

15 Managing 3 rd Party Risks During a Crisis Experis |, June 201315 Strategic Risk The risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the organizations strategic goals.

16 Managing 3 rd Party Risks During a Crisis Experis |, June 201316 Reputation Risk The risk arising from negative public opinion. –3 rd Party relationships that result in dissatisfied customers, inappropriate recommendations, security breaches resulting in the disclosure of sensitive information and violations of laws and regulations are examples of situations that could create negative publicity and harm the reputation of the business.

17 Managing 3 rd Party Risks During a Crisis Experis |, June 201317 Operational Risk The risk of loss resulting from: inadequate or failed internal processes, people, and systems, or from external events. –3 rd Party relationships often integrate the process of other organizations with the internal processes of the business and can thereby increase the overall complexity of the operational environment.

18 Managing 3 rd Party Risks During a Crisis Experis |, June 201318 Transaction Risk The risk arising from problems with service or product delivery. –A 3rd-partys failure to perform as expected due to: –inadequate capacity, –technological failure, –human error or fraud exposes the entity to transaction risk. –lack of effective BC / DR plans –a weak IT internal control environment that threatens the integrity of systems and resources.

19 Managing 3 rd Party Risks During a Crisis Experis |, June 201319 Credit Risk The risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual relationship. –Solvency? The basic form of credit risk involves the financial condition of the service provider itself. –Peak Demand? A crisis can stress the abilities of your provider. Can they handle peak demands?

20 Managing 3 rd Party Risks During a Crisis Experis |, June 201320 Compliance Risk The risk arising from violations of laws, rules or regulations, or from noncompliance with internal policies, procedures or business standards. –Compliance risk is exacerbated when the organization has inadequate oversight, monitoring or audit functions. –Does your provided have an SSAE16 SOC1, 2 or 3 that addresses your organizations specific control requirements?

21 Managing 3 rd Party Risks During a Crisis Experis |, June 201321 Manage 3rd-Partys throughout the Vendor Lifecycle Lifecycle stageLeading Practice Attributes 1. Discovery Pre-screening, market research, background checks 2. Selection Involve cross-functional team (procurement, legal, audit, compliance, IT, Security, business process owners) Due diligence information gathering Apply risk-adjusted value measurement and weighted criteria 3. Contract initiation Utilize standardized risk-based vendor checklists Assign risk identification and evaluation tasks to control owners 4. Risk Assessment Apply vendor screening criteria, risk classification, mitigation, and remediation steps to each vendor. 5. Performance Measurement Develop vendor-specific KPIs, scorecards, and benchmarking metrics to measure performance and adherence to contractual requirements 6. Performance Monitoring Ongoing vendor risk and score performance Proactive mitigation of issues Validate compliance and fulfillment of terms 7. Auditing Utilize standardized, risk-driven vendor audit programs conducted periodically to reduce risk and drive compliance Identify and address risks within 3 rd party attestation reports Perform additional internal or external procedures to reduce or mitigate risks 8. Decommission Terminate relationship and exercise applicable clauses

22 Managing 3 rd Party Risks During a Crisis Experis |, June 201322 Risk Assessment Key Components Develop specific business requirements: What do we need? – When do we need it? – How do we pay for it? – How will we know if we got what we paid for? Develop a thorough understanding of: What the proposed relationship will accomplish and Why the use of a 3rd party is in the organizations best interest Analyze the benefits costs, legal aspects & potential risks Perform a risk/reward analysis for significant matters, Compare the proposed 3rd-party relationship to other methods of performing the activity: the use of other vendors, performing the activity in-house, etc. Identify performance criteria internal controls, reporting needs and contractual requirements.

23 Managing 3 rd Party Risks During a Crisis Experis |, June 201323 Due Diligence in Selecting a Third Party The scope and depth of the due diligence activity should be directly related to the significance and magnitude of the anticipated relationship with the third party. Not only should the due diligence be performed prior to selecting a 3rd party, but also periodically throughout the duration of the relationship. Comprehensive due diligence involves the review of all available information concerning a potential 3rd party, focusing upon the entitys financial condition, its specific relevant experience, its reputation and the scope/effectiveness of its operations & controls.

24 Managing 3 rd Party Risks During a Crisis Experis |, June 201324 Due Diligence Review Audited financial statements Experience & capabilities in the proposed activity Business reputation Qualifications/experience of the companys principals Existence of significant complaints, litigation or regulatory actions Use of other parties or subcontractors Scope of internal controls, systems & data security, audit coverage Business resumption strategy & contingency plans Adequacy of management information systems Insurance coverage

25 Managing 3 rd Party Risks During a Crisis Experis |, June 201325 Contract Structuring & Review Management expectations should ensure that the specific obligations of both parties are outlined in a written contract prior to entering into the arrangement. Board approval should be obtained prior to entering into any significant third-party arrangements. Legal counsel should review significant contracts prior to finalization. Contract should prohibit assignment, transfer or subcontracting of obligations to another entity.

26 Managing 3 rd Party Risks During a Crisis Experis |, June 201326 Content of the Contract Scope Compliance (SOX, HIPAA, PCI, GLBA, NERC/FERC, etc.) Cost/compensation Insurance / Cyber-Insurance / Cyber-Liability Performance standards Management information reports, 3 rd Party Attestations Right to audit Confidentiality, Security, and Data Ownership Business resumption and contingency plans Default & termination Dispute resolution Indemnification, Limits on Liability

27 Managing 3 rd Party Risks During a Crisis Experis |, June 201327 Oversight of 3 rd -Party Activities Management should periodically review the 3 rd partys operations Verify that they are consistent with the terms of the written agreement and that risks are being controlled. Management should consider designating a specific officer to: coordinate the oversight activities with respect to significant relationships and, as necessary involve other operational areas (audit, IT) in the monitoring process. An effective oversight program will generally include the monitoring of the third partys quality of service, risk management practices, applicable internal controls and reports

28 Managing 3 rd Party Risks During a Crisis Experis |, June 201328 Technology Enablers Vendor management solutions can provide strategic advantages, as well as process efficiencies. Some of these key features include: Automated workflow – routing processes such as review, approval, and alerts which must be satisfied before a contract can be fully executed Central repository for all vendor management data – a single repository containing all vendor management data allows for pattern analysis, risk remediation, and reporting Ad-hoc, dashboard and schedule reporting – multiple types of reports provide stakeholders the flexibility to monitor a broad array of vendor data Access control – capabilities to control who can create, update, renew, or delete contractual relationships Vendor assessment – the ability to create tailored questionnaires based on specific risk profiles allows an organization to gather the information they need to actively manage vendor relationships

29 Managing 3 rd Party Risks During a Crisis Experis |, June 201329 1.Conduct market research and ask around 2.Widely distribute your RFP/Bid/Tender 3.Have strong evaluation criteria and an experienced proposal review team 4.Google / Facebook key personnel offered 5.Perform due diligence on technical and financial capabilities to perform 6.Demand a demonstration 7.Meet the key executives 7 Steps to Better Third-Party Relationships

30 Managing 3 rd Party Risks During a Crisis Experis |, June 201330

31 Managing 3 rd Party Risks During a Crisis Experis |, June 201331 Did we meet our Objectives? Learning Objective 1: Gain an understanding of the potential risks that may arise from the use of 3rd party service providers Learning Objective 2: Identify the basic elements of an effective 3rd party risk management program.

32 Managing 3 rd Party Risks During a Crisis Experis |, June 201332 Danny Shaw SE Practice Leader, IT Risk Advisory Services Experis ++1.678.910.4355 (m) Danny.Shaw@experis.com Thank You! Any Questions?

Download ppt "Managing 3 rd Party Risks During a Crisis Experis |, June 20131 Danny Shaw SE Practice Leader IT Risk Advisory Services Managing and mitigating the risks."

Similar presentations

St. Louis Public Schools Human Resources Support for District Improvement Initiatives (Note: The bullets beneath each initiative indicate actions taken.

St. Louis Public Schools Human Resources Support for District Improvement Initiatives (Note: The bullets beneath each initiative indicate actions taken.
A BPM Framework for KPI-Driven Performance Management

A BPM Framework for KPI-Driven Performance Management
The Compliance & Risk Functions In Credit Unions What Supervisors need to know? Michael Mullen ILCU Learning Advisor.

The Compliance & Risk Functions In Credit Unions What Supervisors need to know? Michael Mullen ILCU Learning Advisor.
Roadmap for Sourcing Decision Review Board (DRB)

Roadmap for Sourcing Decision Review Board (DRB)
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Business Continuity Training & Awareness by Sulia Toutai (ANZ)

Business Continuity Training & Awareness by Sulia Toutai (ANZ)
State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.

State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.
SEMINAR NAIC/ASSAL/SVS REGULATION & SUPERVISION OF MARKET CONDUCT © 2014 National Association of Insurance Commissioners Overview and Purpose of Market.

SEMINAR NAIC/ASSAL/SVS REGULATION & SUPERVISION OF MARKET CONDUCT © 2014 National Association of Insurance Commissioners Overview and Purpose of Market.
Presentation for the Management Study of the Code Enforcement Process City of Little Rock, Arkansas August 3, 2006.

Presentation for the Management Study of the Code Enforcement Process City of Little Rock, Arkansas August 3, 2006.
Organization Conflict of Interest (OCI) under FAR March 2012.

Organization Conflict of Interest (OCI) under FAR March 2012.
Grow Your Business through Contact Centre Outsourcing Fanny Vaz Director, Personal Market Unit, CTM.

Grow Your Business through Contact Centre Outsourcing Fanny Vaz Director, Personal Market Unit, CTM.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Current Developments in the Securities Lending Industry.

Current Developments in the Securities Lending Industry.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Sarbanes-Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
The Information Systems Audit Process

The Information Systems Audit Process
Customized Service Models for 3(16) Fiduciaries

Customized Service Models for 3(16) Fiduciaries
Vendor Management Frequent regulatory findings:

Vendor Management Frequent regulatory findings:

Similar presentations

Ads by Google