
National Bank of Canada

3rd Party Risk from a Sourcing and Corporate View

Ronald Forget
Director Principal/Senior Manager - Governance and Center of Excellence – Sourcing
National Bank of Canada

Bernard Truong
Senior Director, Third Party Risk Management
National Bank of Canada

3rd Party Risk Management
April 2016

CONFIDENTIAL
OBJECTIVES OF THE PRESENTATION

▪ Risk from a Sourcing perspective
  ▪ What is a RISK?
  ▪ How to assess RISK?
  ▪ How to mitigate RISK?

▪ 3PRM from a Corporate Management perspective
  ▪ Risk domains oversight
  ▪ 3PRM framework
  ▪ Beyond regulatory requirements


61 Third Party Risk Management 
DEFINITION OF A RISK

RISK is about:
▪ The probability of loss inherent in an organization's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from the use of debt (borrowed capital and/or trade credit) equals total corporate risk.


BUSINESS RISKS

▪ What are they?
▪ How to identify them?
▪ How to qualify them?
▪ How to prioritize them?
▪ How to manage them?
▪ Who should manage them / be responsible?
▪ What is the role of the Sourcing Advisor versus the other Experts or Business Partners?


How does RISK impact the Business Objectives?

▪ OPERATING COST (RUN the BUSINESS)
▪ CLIENT EXPERIENCE
▪ TIME TO MARKET / COMPETITIVE
▪ COMPLIANCE MANAGEMENT
▪ GROWTH/INNOVATION


Sourcing Framework:
SOURCING MAIN FOCUS (during the Sourcing Cycle)

▪ Due diligence (Best selection for the best return)

▪ Contractual/Strategic and Legal RISK

▪ Financial / Credit RISK

▪ Information Security

▪ Business continuity 

▪ Compliance / Regulations

▪ Operational / Reputational / Environmental & Geopolitical

SOURCING / GOVERNANCE GOALS

▪ Build risk appetite and awareness culture

▪ Build metrics and reports

▪ Align with third party policy 

▪ Document the inputs (centralized repository) 

▪ Share the findings with business, experts and risk partners

▪ Monitor critical risk

▪ Establish good governance

RISK MANAGEMENT CYCLE
(cycle diagram: process mapping, questionnaire, criticality)

BNC Consultant Program Evolution

Initial State
▪ No VMS
▪ Decentralized
▪ No risk mitigation
▪ Vendor margins ranging between 15%-200%

Program Launch
▪ VMS implementation
▪ MSP provider
▪ Independent Contractor payment provider
▪ Supplier rationalization

Current State
▪ Tenure management
▪ Supplier performance management
▪ Executive dashboard
▪ Centralized Standard Process

Consultant Risk Management – Evolution

Before Program Implementation → Current State
▪ No visibility on active consultants or on contract information → Live snapshot and reporting on every aspect of the contractual workforce
▪ No formal process for independent contractor onboarding → All independent contractors are compliant with requirements and processes
▪ No independent contractor classification/verification → All independent contractors are screened and vetted for legal category compliance
▪ No control on consultant bill rates → Full disclosure of consultant bill rates
▪ Lack of control over the consultant hiring process – no standard procedures → Standardized contracts, proof of insurance and security verification captured
▪ No formal approval process → Documented approval process
▪ No control over contract duration → Consultant tenure management and special approvals for contracts over 2 years
▪ No supplier performance management → Quarterly business reviews and formal performance reviews
▪ No control over contract termination → Full visibility and procurement/HR assistance on contract termination

Key Risk Management Objectives Achieved

Expertise and Advisory
▪ Dedicated and neutral professional MSP team – Canadian Human Capital SME

Visibility and Control
▪ Centralized and standardized process with total visibility on spend (Ariba)

Security and Legal
▪ Secure, documented and formal on-boarding process (insurance, security check, tenure risk, etc.)

Payment and Finance
▪ Accurate time entry management with timely and reconciled payments

Vendor and Contract
▪ Vendor performance management through KPIs and QBRs
▪ Management, enforcement and audit of contract terms

Framework:
3rd Party Risk Management (3PRM)
Proactive risk management and oversight is an imperative
Third party risk is a combination of other risks with various degrees of severity based on the maturity of the relationship with the third party. The potential risk exposure from doing business with third parties goes well beyond direct financial loss and includes reputational damage, regulatory scrutiny and customer attrition.

3rd Party Risk Domains
▪ Strategic Risk: the 3rd party is not aligned to NBC's strategic objectives
▪ Business Continuity Risk: the 3rd party is unable to continue providing products/services
▪ Information Security Risk: access to information outside of defined business requirements
▪ Credit Risk / Financial Stability: the 3rd party cannot meet contractual obligations due to financial difficulties
▪ Reputation Risk: the 3rd party's issues affect NBC's brand
▪ Compliance Risk: actions are inconsistent with legal, regulatory or policy requirements
▪ Geo-political Risk: country-specific factors (government, climate, etc.) affect performance
▪ Execution Risk: the 3rd party is unable to deliver products/services appropriately
▪ Contractual Risk: performance of the product / service provided is not completely defined
▪ CSR Risk: fair labor practices, environment, social responsibilities, etc.

The 3rd Party Risk Domains listed above also apply to 4th parties (sub-contractors) as an extension of 3rd party risks.
source: Industry Experts

Overview: 3rd Party Risk Management at NBC
Get an enterprise view on the current sourcing portfolio to build an actionable 3rd Party Risk Management (3PRM) program based on leading practices.

3rd Party Risk Management Framework
National Bank's 3rd party risk management (3PRM) framework aims to proactively identify, assess, monitor and mitigate risk associated with our 3rd parties (outsourcers, vendors, suppliers, etc.) through defined governance practices.

1 Oversight & Governance
Three lines of defense operating model, consistent with NBC's Enterprise framework, and an instituted Governance Oversight Committee;
a. Roles of the 3 lines of defense identified
b. Governance committee, initial focus on Tiers 1 & 2, progressively expanding to the enterprise

2 Tools & Processes
Controls for identifying, assessing, monitoring and managing 3rd parties through a framework and a Supplier Information and Performance Management (SIPM) tool;
a. Established end-to-end 3rd party risk management framework
b. SIPM (ARIBA) enables 3rd party intake and risk assessment

3 Analytics & Actionable Reporting
Enhanced reporting capabilities to monitor 3rd party risks;
a. Defined risk appetite statement and associated dashboards and KRIs
b. Data Analytics and Consumption (platform TBD) for drill-down analytics

1 Oversight & Governance
3 Lines of Defense

First line of defense: LOB Relationship Manager / Accountable Executive & Senior Risk Manager
Role: Own and proactively manage risks
Accountabilities:
▪ Own and manage identified 3rd party risks for the business unit arrangements;
▪ Monitor performance and risks to efficiently address gaps with NBC standards;
▪ Escalate risks to the proper level for prioritization of the action plan;
▪ Maintain overall accountability and oversight of the relationship:
  o Set the strategic direction of the 3rd party relationship
  o Make key decisions pertaining to the 3rd party relationship
  o Resolve any escalated issues.

Second line of defense: Operational & Reputational Risks (ORR) / Corporate functions
Role: Establish risk related policies, provide oversight and challenge
Accountabilities:
ORR:
▪ Develop, implement and monitor the 3PRM framework;
▪ Provide subject matter expertise, specialist support, and independent risk oversight of 3rd party risks;
▪ Quality Assurance and Effective Challenge;
▪ Analytics and Reporting;
▪ Perform enterprise wide oversight through our SIPM tool.
Corporate functions:
▪ Provide inherent and residual risk assessment and due diligence for their domain of risks;
▪ Assess implications of 3rd party risk to their risk domain.

Third line of defense: Internal Audit
Role: Assess/Audit program design and operating effectiveness
Accountabilities:
▪ Provide an independent assessment of the effectiveness of the internal control environment in the 1st and 2nd lines;
▪ Provide timely independent reporting to senior management that assesses whether key control activities are operating effectively and reliably. For example, determining whether there is:
  o Effective 3rd party risk identification and due diligence
  o Appropriate contract controls
  o Adherence to applicable regulatory guidance
  o Appropriate on-going 3rd party management and oversight
  o An effective challenge to the 1st and 2nd lines that includes an escalation process

2 Tools & Processes
3rd Party Risk Management – High Level Operating Framework

Risk domains: Strategic Risk | Information Security Risk | Financial Stability / Credit Risk | Reputation Risk | Business Continuity Risk | Geographical Risk | Compliance Risk | Operational Risk | Contractual Risk

Cycle: Strategic Objectives → Define / Identify 3rd Party Risks → Define Risk Scenarios / Conduct Assessment → Mitigate Risk with Controls / Monitor → Renew / Terminate

Phases: Planning & Due Diligence → Oversight & Accountability / On-going Monitoring

3rd Party Risk Assessment
▪ Strategy & Selection: business requirements; market intelligence / condition; sourcing strategy; 3rd party diversity
▪ Service / Product Review: experience as a provider; review past performance; scan related industry news; relationship risk level; mitigation measures
▪ Financial Health: review financial statements; compare to industry standards and ratios; credit report and rating; insurance claims / litigation
▪ Background Checks: evaluate overall stability (fraud, physical security, reputation…); risk policies, controls and practices
▪ Business Continuity: confirm BCP / DRP meet business requirements; contingency planning for repatriation or an alternative provider
▪ Information Security: evaluate adequate evidence of controls; confirm traceability of data; manage access rights
▪ Compliance: risk assessment certification process; compliance checks (OSFI, OCC, IIROC, AMF, AML, living wills…)

Engagement Risk Assessment
▪ Agreement Terms: evaluate terms negotiated against business objectives; review insurance clause for proper protection
▪ Manage & Reporting: residual risk assessment; defined controls, KPIs, KRIs; analytics & actionable reporting; termination & renewal strategy

Risk-Score → 3rd Party Segmentation

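The slide shows the risk-score and segmentation step only as a label. The Python below is an added example, not NBC's SIPM/Ariba logic and not part of the original deck: it rates an engagement 1 to 5 on the nine domains of the operating framework, derives a weighted inherent score that drives the tier (segmentation), applies control effectiveness to obtain a residual score, and flags any domain whose residual rating still exceeds a KRI threshold for escalation by the first line. The domain weights, tier cut-offs, KRI threshold and the three sample vendors are all assumptions.

```python
"""Third-party risk scoring and segmentation (added illustration).

Not NBC's SIPM/Ariba logic. Each engagement is rated 1 (low) to 5 (high)
on the nine domains of the operating framework; a weighted inherent score
drives the tier (segmentation), control effectiveness reduces each rating
to a residual value, and any domain whose residual rating exceeds a KRI
threshold is flagged for escalation. Weights, cut-offs, the KRI threshold
and the sample vendors are assumptions.
"""
from dataclasses import dataclass, field

DOMAINS = (
    "strategic", "information_security", "financial_stability", "reputation",
    "business_continuity", "geographical", "compliance", "operational",
    "contractual",
)

# Assumed weights (sum to 10): data-bearing and resilience domains count more.
WEIGHTS = {
    "strategic": 1.0, "information_security": 2.0, "financial_stability": 1.0,
    "reputation": 1.0, "business_continuity": 2.0, "geographical": 0.5,
    "compliance": 1.5, "operational": 0.5, "contractual": 0.5,
}

# Assumed tier cut-offs on the inherent score; Tier 1 gets the deepest
# due diligence and governance-committee attention.
TIER_CUTOFFS = ((4.0, 1), (3.0, 2), (2.0, 3))
KRI_THRESHOLD = 3.5  # assumed: a residual rating above this is escalated


@dataclass
class Engagement:
    name: str
    inherent: dict                                # domain -> rating 1..5
    controls: dict = field(default_factory=dict)  # domain -> fraction mitigated 0..1

    def __post_init__(self):
        # Reject incomplete or out-of-range input instead of silently scoring it.
        missing = [d for d in DOMAINS if d not in self.inherent]
        if missing:
            raise ValueError(f"{self.name}: unrated domains {missing}")
        for d, r in self.inherent.items():
            if d not in DOMAINS or not isinstance(r, int) or not 1 <= r <= 5:
                raise ValueError(f"{self.name}: bad rating {d}={r!r}")
        for d, c in self.controls.items():
            if d not in DOMAINS or not 0.0 <= c <= 1.0:
                raise ValueError(f"{self.name}: bad control {d}={c!r}")

    def residual_rating(self, domain):
        # A domain with no evidenced control keeps its full inherent rating.
        return self.inherent[domain] * (1.0 - self.controls.get(domain, 0.0))


def weighted_score(ratings):
    total = sum(WEIGHTS.values())
    return round(sum(WEIGHTS[d] * ratings[d] for d in DOMAINS) / total, 2)


def inherent_score(e):
    return weighted_score(e.inherent)


def residual_score(e):
    return weighted_score({d: e.residual_rating(d) for d in DOMAINS})


def tier(score):
    for cutoff, t in TIER_CUTOFFS:
        if score >= cutoff:
            return t
    return 4


def kri_breaches(e, threshold=KRI_THRESHOLD):
    """Domains whose residual rating still exceeds the KRI threshold."""
    return [d for d in DOMAINS if e.residual_rating(d) > threshold]


def segment(engagements):
    """One row per engagement, highest residual score first."""
    rows = []
    for e in engagements:
        inh = inherent_score(e)
        rows.append({"name": e.name, "inherent": inh, "residual": residual_score(e),
                     "tier": tier(inh), "escalate": kri_breaches(e)})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def _rate(*values):
    return dict(zip(DOMAINS, values))


# Constructed sample vendors (hypothetical names, ratings and controls).
SAMPLE = [
    Engagement("CoreBankingCloud", _rate(4, 5, 3, 4, 5, 2, 5, 4, 3),
               {"information_security": 0.5, "business_continuity": 0.5, "compliance": 0.4}),
    Engagement("FurnitureCo", _rate(1, 1, 2, 1, 1, 1, 1, 2, 2)),
    Engagement("OffshoreDev", _rate(3, 5, 2, 3, 3, 4, 3, 3, 4),
               {"information_security": 0.2}),
]

if __name__ == "__main__":
    for r in segment(SAMPLE):
        print(f"{r['name']:17} tier {r['tier']}  inherent {r['inherent']:.2f}  "
              f"residual {r['residual']:.2f}  escalate {r['escalate']}")
```

The tier is taken from the inherent score, so the depth of due diligence does not shrink just because a supplier claims controls; the residual score and the KRI breaches are what the first line escalates and the second line challenges. On the sample data the Tier 2 offshore vendor ends up with a higher residual score than the Tier 1 core-banking provider, which is the kind of gap the second line's effective challenge is there to catch.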
On-going 3rd Party Management
Leveraging the foundation of the standard operating model

Beyond regulatory requirements…
▪ How do you protect your organization's knowledge/expertise?
▪ Have you created a dependency on your 3rd parties?
▪ Is the quality of your service consistent end-to-end?
▪ Have you evaluated the TCE (additional, hidden costs…)?
▪ Did you assess the potential loss of control in your outsourced activities?
▪ Did you take into consideration the increase in operational risks?

Appendices
Emerging Industry Trends
An integrated approach to 3rd Party Risk Management
As our procurement organization matures, the focus needs to be more than just cost savings; we need to be proactively involved in strategic initiatives and creatively protect the organization.

▪ Procurement and Finance Alignment: essential partnership between procurement and Finance (BU CFO) to track and record savings
▪ New Risk Domains: extension of 3rd Party Risk Management to address additional risks beyond Information Security and Supplier Performance (Reputation, Compliance, or Geo-political Risk)
▪ Sub-Contractors (4th Party Risk): inclusion of sub-contractors in the Risk Management Program, including inventory, assessment and monitoring (Supply Chain Management)
▪ Innovative Solutions: expand supply market research to include new innovative solutions (e.g. Cloud, social media, etc.)
▪ Revenue Optimization: promote and develop NBC's customer portfolio within our supplier community and maximize value to the Bank by being thoughtful about our customer/supplier relationships
▪ International Expansion: support strategic initiatives in international expansion, licensing, e-Commerce growth
▪ M&A / Divestitures: ongoing M&A and restructuring activities have created new sourcing leverage and required new supply strategies
▪ Sustainability: increasingly, customers and governments are demanding plans to make operations more sustainable and from a more diverse supplier base

source: Industry Experts

3rd Party Definition

General definition: An entity, including individuals and affiliates, that has a business relationship with the institution or its customers, and is not itself a customer. Third party relationships include:

How 3rd parties are defined:
▪ Vendor 3rd Party: 'Vendor' third parties are service providers that deliver a product or service to the institution. These relationships are typically sourced through a sourcing / procurement process. Payment is typically transacted by Accounts Payable.
▪ Non-Vendor 3rd Party: 'Non-Vendor' third party relationships are typically acquired by a business line / segment directly, not through a sourcing / procurement function. Financial remuneration, if applicable, is typically transacted outside of Accounts Payable processes. These relationships may be managed solely by a business line / segment, or managed in conjunction with a corporate risk management function.

CATEGORIES (Non-Vendor):
▪ Specialized Analysts and Advisors
▪ Affiliates
▪ Affinity Relationships
▪ Alliances and Partnerships
▪ Brokers
▪ Correspondent Banks and Wholesale Banking
▪ Rating Agencies
▪ Servicers
▪ Counterparties
▪ Debt Underwriters / Securitization Firms / Trustees
▪ Financial Utilities
▪ Government Special Purpose Entity (GSE)
▪ Indirect Lending
▪ Joint Marketing Partners
▪ Tenants
▪ Trade Associations