Third Party Risk Management Solution ©2019 Deloitte Touche Tohmatsu India LLP
Third Party Risk Management Solution
Private and confidential
March 2019
Risk Advisory
Contents
1. The extended enterprise
2. Third party risks in an extended enterprise network
3. Deloitte’s Third-Party Risk Management (TPRM) solution
4. Deloitte’s third-party risk management - Approach and methodology
5. Deloitte’s engagement delivery models for TPRM programme
The extended enterprise
The extended enterprise is the concept that an organisation does not operate in isolation. Its success is dependent upon a complex network of third-party relationships.
[Figure: The extended enterprise. The organisation sits at the centre, surrounded by third-party relationship areas: Joint ventures, Customers, Facilities, Marketing, Customer support, Distribution and Sales, Franchise, Logistics, Sourcing, R & D, Insurance, Technology, Human Resources. Example third parties shown around the diagram: Licensing, Labs, Inventory, Shipping, Tier 1-N suppliers, Brokers/Agents, Contract manufacturing, Certification bodies, Fourth parties, Infrastructure and application support, Hosted vendor solutions, Disaster recovery, Licensed vendor solutions, Hardware lease, Recruiting, Benefits providers, Payroll processing, Advertising agency, Media ad sales, Warranty processing, Call center, Office products, Waste disposal, Cleaning, Sales agents, Distributors, Loyal partners, Contractors.]
Third party risks in an extended enterprise network
Loss of reputation – Risk to the reputation of the organisation from the use of third-party relationships due to a myriad of reasons, including misuse of intellectual property, poor product quality, lack of compliance to human rights, and environmental regulations, etc.
Poor performance – Lack of sustained performance from third-party relationships, resulting in costly mistakes, over allocation of capital to oversee relationships, and defeating the purpose of outsourcing strategy
Supply chain disruption – Key third-party business disruptions due to bankruptcy, geopolitical issues, macro risks, etc. can result in supply chain disruption
Lack of compliance – A third party acts corruptly to gain business advantage for the organisation, resulting in hefty fines, or is not in compliance with regulations on the environment, conflict minerals, health and safety, labour rights, etc.
Data risk – Loss, misuse, or mishandling of critical data of the organisation or its customers by a third-party relationship can result in financial loss, hefty fines, and a decrease in shareholder value
Financial impact – Financial loss from under-reporting of revenue from licenses, royalty partners, distributors, franchisees, etc. and over-payment for services from third-party relationships
Product recall – Poor product quality, safety issues, or faulty packaging by third parties can lead to product recalls resulting in recall costs, lawsuits from consumers, increased costs from settlements, and lost revenue from missed sales opportunities
Extended enterprise
• Sell side
• Buy side
• Infrastructure
Deloitte’s Third-Party Risk Management (TPRM) solution
How can we help?
Our delivery model is scalable, adaptable, and built on industry-specific benchmarks to fast-track an organisation’s extended enterprise management function.
With our TPRM solution, executives across the value chain receive the following:
A holistic view of risks and third-parties through the central repository of Deloitte’s automated platform with an executive dashboard and benchmarking against industry standards.
Leading standardised processes applied across all markets and businesses, with a consistent application of third-party risk scoring, sensing, and monitoring.
Optimised risk management efficiency, enhanced revenue recovery, and cost reduction in managing the third-party risk management programme at an operational level.
Information for enhanced decision-making through analysis of the latest data from the ongoing assessments to arrive at a more informed decision from a governance perspective.
Access to subject-matter expertise through trained Deloitte professionals with risk domain experience.
Ongoing monitoring and zero instances of non-compliance with regulations by leveraging Deloitte’s proprietary industry-specific risk intelligence maps.
[Figure: Deloitte’s TPRM solution, surrounded by its benefits: Holistic view of third-parties and risks; Compliance to regulations; Optimise risk management efficiency; Obtain risk maturity; Drive cost reduction; Ongoing monitoring; Enhance revenue recovery; Enhanced decision making.]
TPRM automation platform
In today’s digital world, TPRM capabilities also need to be technology-driven in order to automate processes and report generation, analyse the data that TPRM activities generate, and track overall improvements.
The TPRM automation platform increases efficiency along with productivity, reduces overall cost of the TPRM programme, and enables efficient monitoring of ongoing activities, including third-party risks and compliance through a centralised platform. This provides a consistent client user experience and reduces human errors.
Additionally, the use of technology increases data integrity and provides seamless and reliable reporting.
These benefits outweigh the cost of acquiring technology solutions to automate the TPRM process.
Perform third-party due diligence
Build third-party risk questionnaires
Report on your third-party profile
Chart trends and insights with smart analytics
Assess third-party viability and impact on risk
Track third-party performance
Store and retrieve evidence for each assessment
Customise reports and dashboards as per stakeholder requirement
Manage assessment findings
Drag-and-drop user interface
Conduct trigger-based approval and review actions
Scale and integrate with flexible workflows
Deloitte’s third-party risk management - Approach and methodology
[Figure: Deloitte’s third-party risk management approach and methodology. Text recoverable from the diagram:
• Policy, procedures, standards and guidelines
• Manage, monitor and remediate
• Data sources (company internal systems like ERP, CRM, billing system)
• New/Existing third-parties; Third-party selection; Third-party evaluation; Contract and on-board; Third-party profile; Termination
• Parameters/Third-party information: Spend, Services, Others
• Self assessment, Onsite, Remote, Hybrid, Continuous monitoring
• Review coverage: Financial health/solvency; Contract risk and compliance review; Information security and cyber security; Privacy review; Health and safety; SLA/Performance review; Integrity and regulatory review; Quality review; Employment practices
• Risk engine: Confidentiality; Availability; Integrity; Service categorisation; Inherent risk profile; Review method; Review type; Frequency; Reporting
• Review of both business and information security controls; Review of business controls; Review of information security controls
• Third-party coverage model: Review method; Review type; Third-party prioritisation
• Views: CISO Team, Supply chain, Chief Risk Office, Business controller
• Data repository; Workflow; Analytics and reporting; Reporting; Automation; Key Performance Indicators (KPI)]
Deloitte’s engagement delivery models for TPRM program
Various engagement delivery models

Project based / Assessment specific
Description:
• Client engages Deloitte to assess their third parties on a fixed cost or T&M basis
Trend:
• Works when there is a tactical requirement to address specific assessments
• Clients are moving to other models since third-party risk management has become more strategic

Managed service
Description:
• The client receives service delivery as per the defined SLA
• Trained staff, framework, and tools are provided by Deloitte
Trend:
• Clients use this model to deliver TPRM effectively and efficiently as per the assessment costing model

Staff augmentation / Co-sourcing
Description:
• Deloitte delivers TPRM through its trained staff
• Client may provide the tools, framework, and methodology
• Client and Deloitte teams work as one
Trend:
• Increasing trend when clients have their centralised captive centres operating out of India and other low-cost geographies

Build-Operate-Transfer
Description:
• In a Build-Operate-Transfer (BOT) model, the TPRM offshore delivery centre is usually developed based on specific requirements of a client
Trend:
• Often selected by clients who do not have skill sets, scale, or capability within a function or geography
[Figure: One diagram per engagement delivery model. Captions recoverable from the diagrams: Service delivery based on fixed cost or time and material basis; Managed service delivery; Service delivery supervised by client; Deloitte develops new delivery capabilities on TPRM; Ownership transfer; Service delivery to organisation. Other labels: Client; Deloitte; Deloitte VIC; Deloitte staff and assets; Deloitte provides staff and assets; Organisation staff and assets; Organisation assets such as tools, assessment framework etc.; Service provider staff and assets; Captive centre; Receives service delivery; Provides staff; TPRM delivery capabilities; Joint team; Functions are shared.]
Key contacts
Rohit Mahajan President Risk Advisory [email protected]
Gautam [email protected]
Munjal [email protected]
Vishal [email protected]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.
No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.
©2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited