Third-Party Risk Management: Implementing a Strategy

Part I of II

www.nicsa.org

SPONSORED BY:

An evolving landscape

The use of third-party service providers has become increasingly pervasive, complex, and interconnected within the investment management industry:

• Increased number of core operations and IT services being outsourced
• Third parties also outsource - common providers can create layering and unforeseen concentration risk
• Dispersed dependencies create increased reliance and risk exposure from entities outside of your direct control

This growth of the extended enterprise model calls for continued evolution of the Extended Enterprise Risk Management (EERM) strategy, with mature programs applying a consistent, enterprise-wide level of discipline that extends across the entire third-party lifecycle.

Copyright © 2015 Deloitte Development LLC. All rights reserved.

Maintaining control & managing third-party risk

Many companies are moving toward an end-to-end framework to create a controlled and efficient process to effectively manage the business and regulatory requirements. A well-designed and sustainable framework can help manage third-party risks and provide structure for governance and monitoring the process.

Third-Party Management Lifecycle:

• Strategy & planning - Develop sourcing strategy, consider cost/benefits and develop business
• Evaluate & select - Identify and assess risks / perform due diligence
• Contract & on-board - Incorporate risk, compliance, and performance requirements in contracts
• Manage & monitor - Perform risk management and ongoing monitoring & coordinating with each third party
• Terminate & off-board - Determine need to terminate the third party and manage the off-boarding process

Some benefits of an EERM Framework:

• Enhanced quality of risk management processes through centralized execution on the business’ behalf
• Transparency into third-party performance and risk exposure by improving information flow through the organization
• Improved efficiency through centralized tools and processes
• Reduced risks through centralization of controls and quality gates
• Increased consistency, scale and common communication

CPE CODE: 897

Deloitte Advisory’s EERM framework

Our EERM framework—based on the Office of the Comptroller of the Currency (OCC) and other regulatory requirements, as well as industry practices—provides a structured review of the operating model components required to support an effective program.

An effective EERM program supports business objectives including growth, innovation, reduced cost, and risk and compliance.

Delivering effective EERM requires a comprehensive operating model that includes governance and oversight, policies and standards, management processes, tools and technology, risk metrics and reporting, and risk culture.

Management and risk domains support delivery of EERM capabilities and the management of risk. Each domain is comprised of its own set of management activities/capabilities and related risks.

EERM Framework (diagram)

Business Objectives: Growth / Innovation; Client Experience; Cost Reduction; Improved Time to Market; Risk and Compliance Management

Operating Model Components:

• Governance and Oversight - The organizational structure, committees, and roles and responsibilities for managing third parties
• Policies and Standards - Management expectations for the management of third parties and related risks
• Management Processes - Processes to manage risks across the third-party lifecycle
• Tools and Technology - Tools and technology that support EERM processes
• Risk Metrics and Dashboard - Reports identifying risks and performance associated with third parties, tailored toward multiple levels of management
• Risk Culture - Tone at the top, clarity on risk appetite, appropriate training and awareness to promote positive risk culture

Management Process Detail: Plan, Evaluate and Select; Contract and On-board; Manage and Monitor; Terminate and Off-board

Risk Domains: Reputation Risk; Strategic Risk; Geopolitical Risk; Contractual Risk; Information Security Risk; Transaction / Operational Risk; Financial Stability Risk; Business Continuity Risk; Compliance / Legal Risk; Credit Risk

Stages of EERM Capability Maturity

Capability Maturity Stages (chart: stages plotted against increasing Stakeholder Value): Initial, Fragmented, Top Down, Integrated, Risk Intelligent

Representative Attributes Describing Each Maturity Level

Initial
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom

Fragmented
• Independent EERM activities
• Limited focus on the linkage of third-party risks with the company’s overall strategic risks
• Limited alignment of risks to strategies
• Disparate monitoring & reporting functions

Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of risks to the key stakeholders
• Awareness activities
• Dedicated team

Integrated
• Coordinated risk management activities across identified segments
• Risk appetite is fully defined
• Risk monitoring, measuring, and reporting to the board
• Contingency plans and escalation procedures in place

Risk Intelligent
• EERM discussion is embedded in the company’s strategic planning, capital allocation, product development, etc.
• Risk-sensing, early warning risk indicators used
• Risk modeling/scenarios applied
• Industry benchmarking used regularly

1. How capable is the organization today to manage its extended enterprise risks?
2. How capable does it need to be?
3. How can it get to its desired state? By when?
4. How can we leverage existing extended enterprise risk management practices?

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

CPE CODE: 430

Risk management organization and vendor assessment team (organization chart)

Head of Risk Management US (shown under Global Risk and US CEO), with four functions:

Investment Risk
• Risk Contribution monitoring and reporting
• Scenario analysis

Broker-Counterparty Risk
• Broker approval
• CP approval and monitoring
• CP exposure reporting
• Best Execution reporting

Performance Analytics & Attribution
• Analytics monitoring and reporting
• Performance Attribution
• Fund Performance monitoring
• GIPS reporting
• Peer analysis

Operational Risk
• Risk and event identification and assessment
• Monitoring and reporting
Scope: Op Risk Management System; Relationship Owner Attestations; Framework Attestations; Emerging Risks; Compliance-Risk Oversight; Top Risks

VENDOR ASSESSMENT TEAM (covering the Vendor Universe, working with the Vendor Relationship Owners): Vendor Governance Office; Information Security; Business Continuity; Operational Risk; Finance; Compliance incl. Privacy; Purchasing; Legal

Vendor Governance Purview

Vendor Governance (VG) Office
• Maintain framework
• Coordinate Initial Assessment / Take-on
• Coordinate Periodic Due Diligence
• Raise Concerns
• Track Remediation Actions
• Report out
• Participate in Compliance-Risk Oversight Discussions

Assessment Areas
• Business Continuity
• Data Integrity and Security
• Financial Terms & Stability
• Insurance
• Internal Controls
• Losses / Legal Actions
• Regulatory Compliance
• Reputation
• Service Levels

Vendor Universe *

Tier 1 (Core A)
• Functionally critical
• Financially critical
• Subject to laws / regulations
• Necessary to legal / regulatory obligations
• Central to control functions

Tier 2 (Core B)
• Failure could cause serious damage
• Annual outlay > $500k

Tier 3 (Non-core)

* Exceptions
• Financial distributors
• Brokers and Counterparties

VENDOR ASSESSMENT TEAM tools
• Op Risk Management System
• Vendor Assessment System
• SIG Questionnaire (Shared Assessments Group)

Board Oversight - Independent Director Viewpoint

Third-Party Oversight
• Custodian
• Fund Accounting
• Financial Reporting
• Tax Compliance
• Transfer Agent
• SubTAs & Omnibus Providers
• Sub-Advisors
• Pricing Services

Others For Management Consideration
• Printing and Mailing
• 15c Materials
• Blue Sky Reporting
• Escheatment Services
• Proxy Solicitation Services
• Others

CPE CODE: 755

Board Oversight - Independent Director Viewpoint

• Consider Board Committee Structure
  – Committees: Audit; Compliance; Contracts
  – Where should oversight reside?
  – Interdisciplinary approach
• Frequency of Board Reporting
• Level of Detail
  – Dashboards

Inventory of Third-Party Service Providers - Independent Director Viewpoint

Inventory columns:
• Name
• Nature of Services Provided
• Primary Management oversight: “Business Owner” of Each Relationship
• Summary of Management’s Oversight Functions
• Summary of Board Reporting on Each Provider

High Level “Sub-TA Dashboard” - Independent Director Viewpoint

For each relationship:
• AUM
• Date last visit
• Risk Rank
• Review Status
• SSAE#16 or FICCA Reports