This presentation discusses current trends and challenges companies are facing in managing third parties risks and leading practices in several areas including, but not limited to, stakeholder interaction, risk stratification, vendor reviews, and ongoing monitoring. Presented at the Creating value and trust: Navigating risk and meeting customer expectations, PwC's Internal Audit Ethics and Compliance Retail and Consumer Roundtable for internal audit and ethics and compliance executives, April 2014. For more information, please visit: http://pwc.to/1rbVnlY
Internal Audit, Ethics & Compliance roundtable Third Party Risk Management How can companies effectively manage the risks of Third Party relationships? April 22, 2014 www.pwc.com
PwC 2 With you today Rob Stouder Director, Third Party Risk Management Midwest Region Leader Rob.Stouder@us.pwc.com (317) 940-7501
PwC 3 Agenda What is Third Party Risk Management? Why is it Important? What we are seeing in organizations Benefits of a Third Party Risk Management program Insights and Lessons Learned Q&A
What is Third Party Risk Management?
PwC 5 Third Party Risk Management Activities Vendor Evaluation & Selection Contract Signing / Service Initiation Vendor Service Contract / Service Termination Third Party risk profiling: Evaluate risk profile of third party based on company and nature of services to be provided. Due diligence assessments: Perform due diligence assessments based on the initial risk profile. Contract language and exception management: Support the management and tracking of exceptions to standard contract language and requirements. Ongoing risk profiling Assess vendors risk profiles as their environments and nature of services change. Ongoing monitoring: Evaluate relevant controls, with the frequency of assessment based on the risk profile. Typically, these assessments include one or more of the following: On-site assessment Remote assessment Self-assessment Contract Termination Management: Manage and track vendor / service termination process to confirm vendors meet obligations in their contract and that all client data is removed per the vendors contractual obligations. Program Oversight Policies, Standards and Guidelines Training and Awareness Program Strategy, Governance and Roles & Responsibilities VRM Operational Processes Systems and Technology - Metrics and Reporting Continuous Improvement
PwC Foundations for an effective Third Party Risk Management program 6 Methodology Data & Information Governance Linkages between contracting and payables/general ledger Comprehensive contracts management system and contract data Well defined and maintained third-party repositories (vendor master, etc.) Third party / vendor usage data Strong organizational and employee data for identifying third-party linkages across the organization Issues and incidents repositories to track third-party issues Recovery and resiliency back-up of key/critical third parties Know your third parties/due diligence Standard operational risk methodologies and defined risk levels Standard controls effectiveness assessment methodology Escalation, exception, and exemption processes Customer complaint handling Third party risk management office Operational risk governance body Critical Third party Oversight
PwC 7 Pop Quiz Planning / Governance Do you have an inventory of Third Parties? Is it by service? Is it risk ranked? Do you have current contracts related to the service being provided? Are there standardized risk profiling methodologies with defined assessment frequencies and types in place? Due Diligence and Third Party Selection Are due diligence assessments performed prior to contracting? Are they around privacy? Are they around security? Do you know which of your vendors have access to data? Do you know which subcontractors are used by your third parties, and what work they are performing for you? Contract Negotiation Do contract clauses include the authority to audit the Third Parties processes over the service provided? Are contracts for similar services consistent and contain Service Level Agreements? Ongoing Monitoring Do monitoring processes include both risk AND performance concerns? Termination Do you have exit strategies in place for significant Third Party relationships?
PwC 8 Common TPRM risks Regulatory: The risk of an organization being out of compliance due to a third-partys failure to comply with laws/regulations. Service Delivery: The risk that a third-party fails to meet your needs based on the delivery of their products/services. Exit Strategy: The risk that the organization will have an inability to service its clients based on the termination or exit from a third- party relationship. Financial: The risk of financial loss to the organization due to the third-party being unable to operate due to financial instability. Information Security and Privacy: The risk of unauthorized loss of data or that an organizations data security has been breached at your third-party. Business Continuity and Resiliency: The risk of third- party failure on the ability of the organization to serve its clients. Reputational: The risk and impact to the organizations reputation based on services provided by your third-party. Global Geographic Location: The political, geographic, regulatory, legal, and economic risks of outsourcing to a country or region. Third- Party Risk Spectrum Reputational Service Delivery Financial Business Continuity and Resiliency Global Geographic Location Information Security and Privacy Regulatory Exit Strategy
PwC Audience Question: Governance Do you have a formal Third Party Risk Management function at your organization? ?
Third Party Risk Management Program Structure 10 Governance Enterprise Risk Committee Third Party Management Office Management & Oversight Business Unit Third Party Risk Manager (High & Critical Risk Services) Subject Matter Specialists Third Parties Legal & Compliance Reputational Due Diligence InfoSec Business Unit Sponsor Sourcing Contracts ManagementProcurement Financial Due Diligence Bank Management Privacy BCM Operational Risk Oversight Third Line of Defense PhySec Technology Internal Audit Second Line of Defense First Line of Defense Board of Directors Subcontractors Third Party Risk Management roles and responsibilities impact each aspect of the three lines of defense model
Why is Third Party Risk Management important?
PwC 12 Why is Third Party Risk Management relevant? Based on the results of PwCs 2013 Global State of Information Security Survey (GSISS), our clients continue to experience an increased number of third party related breaches and very few have programs in place which effectively manage vendor risk. Additionally, there is an increasing view by many regulators that best efforts around TPRM are not good enough. 15% 17% 13% 11% 12% 11% 8% 10% 9% 0% 5% 10% 15% 20% Partner or supplier Customer Service providers/ consultants/contractors 2010 2011 2012 26% of respondents have an inventory of vendors who handle sensitive information 32% of respondents require vendors to comply with their policies 26% of respondents conduct compliance assessments of third parties who handle personal data of their customers and employees Many of our clients do not have vendor risk management programs or the programs are very immature The number of breaches resulting from vendors and other third parties is steadily increasing
PwC 13 What we are telling boards Third-party compliance landscape A subcomponent of overall risk management Legal compliance is outside companys direct control and has its own unique control environment The number of third party relationships are typically significant Companies can be held accountable for acts of agents, resellers, distributors, partners, suppliers, etc. Compliance aspects also include protection of intellectual property, environmental laws, labor laws, health and safety
PwC 14 Customer Churn Research shows that companies experience customer turnover following a security breach, and some industries are more susceptible than others. * Symantec and Ponemon Institute, 2013 Cost of Data Breach Study United States, May 2013 0.3% 1.3% 1.5% 2.0% 2.5% 2.6% 2.7% 2.9% 3.3% 3.8% 4.2% 4.5% 4.5% Public Retail Communications Media Hospitality Technology Industrial Consumer Transportation Services Pharmaceutical Healthcare Financial Services Customer Churn following a security breach by industry
Changing Regulatory Drivers Force Businesses to Focus on Third Party Risk Management 15 In the last 10-15 years, multiple new regulations in all industries have demanded increased focus on how organizations monitor third parties. To enable compliance, each organization should validate existing processes against current regulatory guidance through a gap analysis. Health Insurance Portability and Accountability Act, HIPPA August, 1996 July, 2001 GLBA, Gramm-Leach Bliley Act OCC Bulletin 2001-47 , Oversight and Management of Third-Party Relationships November, 2001 May, 2002 OCC Bulletin 2002-16, Foreign 3rd-Party Service Providers HITECH Act November, 2007 May, 2007 H.F. 1758, MN Plastic Card Security Act January, 2010 NRS 603A, NV Data Security Law July, 2010 Wash. H.B. 1149, WA Data Security Law March, 2012 CFPB Bulletin 2012-03 201 Mass. Code Regs. 17 MA, Data Security Law March, 2010 PCI-DSS v2.0 Payment Card Industry Data Security Standard January, 2011 CFPB Bulletin 2013-02 March, 2013 1996 20132001 2007 20102003 October, 2013 OCC Bulletin 2013-29 PCI-DSS v3.0 Payment Card Industry Data Security Standard August, 2013 FRB SR 13-19 December, 2013 PwC June, 2013 CFPB Bulletin 2013-06
Comments organizations have shared with us regarding their Third Party Risk challenges
PwC 17 Here are some of the comments organizations have shared with us regarding their Third Party Risk challenges We were told by our vendor that their SOC 1 or 2 is enough. Is that sufficient? We have inadequate resources to assess our high risk population on an ongoing basis. Where do we start? We have no pre-contract TPRM process in place. We don't centrally manage our TPRM. I have operational staff focused on TPRM and they aren't risk and controls specialists. My vendors have vendors. How do we address the risks associated with those, Fourth party vendors?
PwC 18 Implementing a third party risk management program Assess vendor operations example assessment model Self- Assessments Reviews of existing Reports (i.e. SOC-2) Remote assessments (documentation reviews with third party) Desktop assessments (telephone/WebEx) Onsite assessments Spectrum of Review AmountofEffort&Cost AssessmentMethod Quantities 10% 80% No Action 0% 5% 5% The results of the risk profiling should drive the method used to assess the vendors. During the first year of implementation, the onsite assessment may be used for a majority of third parties, but as the program matures, the amount of third parties requiring onsite assessments can decrease.
PwC Audience Question: Stratification Do you currently have a process to stratify vendors into different risk categories (e.g., Critical, High, Moderate, and Low)? ?
PwC 20 Gather product/service information Calculate Inherent Risk Factor For Vendors deemed of high or moderate Inherent Risk, complete questionnaires /assessments Perform control effectiveness evaluation Provide effectiveness ratings indicating results of each assessment of the product / service Residual Risk Score and Rating is Calculated Conclude on whether to proceed with Vendor Risk modeling framework Inherent risk Higher risk Vendors identified for review TotalVendorInventory Begin with general ledger and remove categories that dont pose risk Identify and remove services that will have risk management by other means Prioritize higher risk services provided by third-parties Vendor Controls Own Controls Higher Risk Vendor Relationships More due diligence Less due diligence
PwC 21 We have observed that most organizations have not yet adopted stratificationa leading practice in managing Third Party risk Adding to the challenge of effectively managing vendor- related risk, we see todays companies also struggling with: Managing inbound requests from service organizations Implementing formal enterprise-wide TPRM governance (Compliance and Enterprise risk management, etc.) Maintaining an accurate and complete inventory of vendors Incorporating other third-party relationships into their TPRM programs (e.g., business partners, joint ventures, distribution channels, attorneys, utilities, etc.) Establishing standard operational risk methodologies and policies Identifying/using TPRM key risk indicators Implementing and using technology to adequately support the TPRM program, taking some of the burden from the business Staying ahead of, and effectively complying with, changing regulatory requirements Our observations are underscored by the results of PwCs Global State of Information Security Survey 2013: Only 69% of the surveyed companies lack an accurate inventory of locations or jurisdictions where data is stored1 74% of companies do not have a complete inventory all third parties that handle personal data of its employees and customers 73% of companies lack incident response processes to report and manage breaches to third parties that handle data1 Types of data that typically need to be protected: Intellectual Property (IP) Personally Identifiable Information (PII) Payment Card Industry (PCI) Protected Health Information (PHI)
Insights and Lessons Learned
PwC Protect Information and Manage Compliance Aligning to a common risk language and process Leveraging effective processes and technologies Disciplined information flow You can outsource a process but you cannot outsource the risk or liability. Regulations are applying enhanced vendor risk management requirements. Additionally, protecting the brand requires a close look at vendor risk management. Agreeing upon a common set of terms and definitions is necessary to create a consistent process for defining, managing and measuring third party risks. Once done, it is easier...