Innovations in Third-Party Risk Management 2019 Risk Summit Nonprofit Risk Management Center Lansdowne Resort & Spa Leesburg, VA October 21, 2019
Today’s Speakers
Tom Rogers, CPA – Founder & CEO, Vendor Centric
Jeff Tenenbaum, Esq. – Chair of the Nonprofit Organizations Practice, Lewis Baach Kaufmann Middlemiss PLLC
Agenda
• Who are third parties and what is third-party risk management?
• 4 top influencers driving third-party risk management
• 9 trends and innovations for managing risk with your third parties
• Closing thoughts
Section 1: Who Are Third Parties and What Is Third-Party Risk Management?
The typical mid-sized organization has over 1,000 third-party relationships. Ponemon Institute Third-Party Survey
What Is a Third Party?
Any company or individual with which or whom you have entered into a business relationship to:
• Provide goods and services for your own use
• Perform outsourced functions on your behalf
• Provide access to markets, products and other types of services
Examples of Nonprofit Third Parties
• Software manufacturers, such as membership, donors, grants, accounting, learning
• Software hosting
• Credit card processing
• HR and payroll companies
• IT hardware, services and support
• Accountants and auditors
• Lawyers
• Agents and brokers
• Subrecipients
• Subcontractors
• Consultants and independent contractors
• Printing and publications
• Fulfillment and mail houses
• Meeting/event-related vendors
• Fundraisers
• Temporary agencies
What Is Third-Party Risk Management?
The process whereby an organization monitors and manages the potential exposure to problems, harm or loss that arise from interactions with all external parties with which it has a relationship. This may include both contractual and non-contractual parties.
6 Types of Risks You Need to Manage
• Strategic – Risk arising from your inability to implement strategies or strategic initiatives due to vendor advice/failure.
• Reputational – Risk of your organization receiving negative public opinion due to problems with, or failure of, a vendor.
• Operational – Risk of disruption to operations due to the failure in a vendor’s processes, people or systems.
• Transactional – Risk of financial loss or damage to credit due to your inability to deliver important services, or transact business, due to problems created by a vendor or even fraud.
• Compliance – Risk related to your violation of laws, policies, or regulations due to something the vendor does (or doesn’t do).
• Information Security – Risk related to the exposure of non-public information (yours and your members’, customers’ and clients’) due to breach or other fault of a vendor.
When Are Third Parties Risky? All of the Time!
Procurement → Contracting → Onboarding → Contract / service delivery → Rebid / renewals → Offboarding
Section 2: 4 Key Influencers Driving Third-Party Risk Management
Driver #1. Increasing Reliance on Third Parties
Source: Deloitte Third-Party Management Global Survey
Driver #2. Increased Complexity of Relationships
“There’s a secular movement that’s happening... more to an annuity relationship as well as a subscription relationship. These are the long-term relationships we want to have with all customers.” – Satya Nadella, CEO, Microsoft
Driver #3. Increased Data-Sharing
Driver #4. Increased Regulatory Oversight
83% of organizations experienced a third-party incident in the last 3 years. 46% of those experienced a moderate to severe impact on customer service, financial position, reputation or regulatory compliance. Deloitte Third-Party Management Global Survey
Section 3: 3 Themes & 9 Trends in Third-Party Management
Theme 1: Expanded Risk Management Activities During Procurement
Theme #1 – 1. Organizations Are Being More Deliberate About Adding New Third Parties
Key Reasons Why
• Avoid introducing unnecessary risks from new relationships
• Reduce the number of vendors, contracts and compliance requirements to manage
Theme #1 – 2. Organizations Are Developing Risk-Mitigating RFPs
Key Reasons Why
• Improve accuracy and completeness of vendor proposals and statements of work
• Identify and remediate risk issues early on
• Comply with regulatory requirements
Theme #1 – Components of a Solid RFP Package
1. Executive overview – frames purpose and objectives
2. Organizational background – provides context about your organization
3. Functional, technical and business requirements – details everything that the solution needs to do
4. Standard terms and conditions – teases out risk issues at the beginning of the process
5. Deliverables and timelines – what you expect to be produced and by when
6. Responsibilities of both parties – what resources you will provide and what you expect of them
7. Evaluation process and key factors – how you’ll evaluate proposals and what factors are most important to you
8. Pricing information – defines all components and preferred methodology
Theme #1 – 3. Organizations Are Significantly Expanding Pre-Contract Due Diligence
Key Reasons Why
• Understand risks that are inherent in the relationship
• Assess the adequacy of policies, controls and contractual terms to mitigate those risks
• Prevent contracting with third parties whose risk exceeds your tolerance
Theme #1 – Where Companies Are Focusing Their Due Diligence
Source: Deloitte Third-Party Management Global Survey
Theme #1 – Types of Due Diligence that May Be Needed
IT and Information Security
• Access
• Protection
• Storage
• Destruction
Corporate Health
• Financials and credit
• Bankruptcy
• Litigation
• Negative news
General Screening
• Business registration
• Licensing
• Insurance
• Sanctions
• Politically exposed persons
Employment Practices
• Background screening
• Code of conduct / conflicts
• Training
• Offboarding
Operations Management
• Quality systems
• Internal controls
• Core software platforms
• Downstream vendors (4th parties)
• Potential conflicts
Theme #1 – 4. Organizations Are Establishing Standards for Their Third-Party Relationships
• Cybersecurity standards
• Licensing standards
• Insurance standards
• Employment screening standards
• Performance/reliability standards
• Contracting standards
Theme 2: Standardization of Contracting and Contract Management
Theme #2 – 5. Organizations Are Standardizing Contractual Terms and Conditions
Key Reasons Why
• Create guidelines for contract signers
• Reduce overall risk exposure
• Address concerns when using vendor contractual templates
Source: IACCM
Theme #2 – 13 Common, Standard Terms and Conditions
1. Term and termination
2. Fees and expenses
3. Intellectual property ownership and licensing
4. Confidentiality, conflicts of interest, non-competition, non-solicitation of your employees
5. What is each party responsible to do under the contract?
6. Authority (including limits thereon) to act on your behalf?
7. How can the vendor describe its relationship with you?
8. Indemnification and limitation of liability
9. Insurance requirements
10. Post-termination/expiration obligations and restrictions
11. Dispute resolution
12. Service-level agreements
13. Others – each contract needs to be tailored to each matter/transaction
Theme #2 – 6. Organizations Are Standardizing Third-Party Onboarding
Key Reasons Why
• Align stakeholders
• Support policy compliance
• Create basis for a more successful relationship
Theme #2 – Key Onboarding Activities
• Review contract requirements and align stakeholders
• Create and centralize vendor and contract profiles
• Assign contract manager
• Establish system access and data security
• Identify oversight activities and assign responsibilities
• Evaluate need for contingency planning
Theme #2 – 7. Organizations Are Using Risk Standards to Determine Level of Contractual Oversight and Management
Key Reasons Why
• Focus on the riskiest contracts
• Scale oversight activities based on the level of risk
• Increase compliance with contractual terms and conditions
Theme #2 – Types of Oversight Activities
• Basic Oversight
o Ensuring goods and/or deliverables conform to agreement with vendor
o Ensuring invoices are complete, accurate and reconciled to purchase order or contract
o Ensuring timely payment of vendor according to payment terms
o Monitoring contract auto-renewal and expiration dates
• Expanded Oversight
o Monitoring compliance with service-level agreements
o Conducting surveys of internal stakeholders (and perhaps the vendor)
o Facilitating business reviews and issue remediation meetings
o Onsite visits and control testing
o Developing contingency plans
o Formal offboarding
Theme 3: Establishing Resources and Infrastructure for the Third-Party Risk Management Function
Theme #3 – Third-Party Risk Management Framework
Source: EY
Theme #3 – 8. Organizations Are Establishing Functional Owners of TPRM
Key Reasons Why
• Provide governance and oversight
• Clarify roles and responsibilities
• Assign accountability
• Meet regulatory requirements
Source: Deloitte Third-Party Management Global Survey