CONFIDENTIAL
OBJECTIVES OF THE PRESENTATION
▪ Risk from a Sourcing perspective
  o What is a RISK?
  o How to assess RISK?
  o How to mitigate RISK?
▪ 3PRM from a Corporate Management perspective
  o Risk domains oversight
  o 3PRM framework
  o Beyond regulatory requirements
61 Third Party Risk Management
DEFINITION OF A RISK
RISK is about:
▪ The probability of loss inherent in an organization's operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment.
▪ Business risk plus the financial risk arising from use of debt (borrowed capital and/or trade credit) equal total corporate risk.
BUSINESS RISKS
How does RISK impact the Business Objectives?
▪ OPERATING COST (RUN the BUSINESS)
▪ CLIENT EXPERIENCE
▪ TIME TO MARKET / COMPETITIVE
▪ COMPLIANCE MANAGEMENT
▪ GROWTH/INNOVATION
Sourcing Framework:
SOURCING MAIN FOCUS (during the Sourcing Cycle)
▪ Due diligence (Best selection for the best return)
▪ Contractual/Strategic and Legal RISK
▪ Financial / Credit RISK
▪ Information Security
▪ Business continuity
▪ Compliance / Regulations
▪ Operational / Reputational / Environmental & Geopolitical
SOURCING / GOVERNANCE GOALS
▪ Build risk appetite and awareness culture
▪ Build metrics and reports
▪ Align with third party policy
▪ Document the inputs (centralized repository)
▪ Share the findings with business, experts and risk partners
▪ Monitor critical risk
▪ Establish good governance
RISK MANAGEMENT CYCLE
[Figure: risk management cycle showing process mapping, questionnaire and criticality]
BNC Consultant Program Evolution
Initial State:
▪ No VMS
▪ Decentralized
▪ No risk mitigation
▪ Vendors margins ranging between 15%-200%
Program Launch:
▪ Supplier rationalization
▪ VMS implementation
▪ MSP provider
▪ Independent contractor payment provider
Current State:
▪ Tenure management
▪ Supplier performance management
▪ Executive dashboard
▪ Centralized standard process
Consultant Risk Management ‐ Evolution
Key Risk Management Objectives Achieved
Framework:
3rd Party Risk Management (3PRM)
Proactive risk management and oversight is an imperative
Third party risk is a combination of other risks with various degrees of severity based on the maturity of the relationship with the third party. The potential risk exposure from doing business with third parties goes well beyond direct financial loss and includes reputational damage, regulatory scrutiny and customer attrition.
3rd Party Risk Domains
▪ Strategic Risk: 3rd party is not aligned to NBC's strategic objectives
▪ Business Continuity Risk: 3rd party is unable to continue providing products/services
▪ Information Security Risk: access to information outside of defined business requirements
▪ Credit Risk / Financial Stability: cannot meet contractual obligations due to financial difficulties
▪ Reputation Risk: 3rd party's issues affect NBC's brand
▪ Compliance Risk: actions are inconsistent with legal, regulatory, or policy requirements
▪ Geo-political Risk: country specific factors (government, climate, etc.) affect performance
▪ Execution Risk: 3rd party is unable to deliver products/services appropriately
▪ Contractual Risk: performance of product / service provided is not completely defined
▪ CSR Risk: fair labor practices, environment, social responsibilities, etc.
The 3rd Party Risk Domains listed above also apply to 4th parties (sub-contractors) as an extension of 3rd party risks.
Source: Industry Experts
74 Third Party Risk Management (3PRM)
Overview: 3rd Party Risk Management at NBC
Get an enterprise view on the current sourcing portfolio to build an actionable 3rd Party Risk Management (3PRM) program based on leading practices.
3rd Party Risk Management Framework
The National Bank 3rd party risk management (3PRM) framework aims to proactively identify, assess, monitor and mitigate risk associated with our 3rd parties (outsourcers, vendors, suppliers, etc.) through defined governance practices.
1. Oversight & Governance
3 Lines of Defense
Accountabilities:
1st line: Own and proactively manage risks
▪ Own and manage identified 3rd party risks for the business unit arrangements;
▪ Monitor performance and risks to:
  o Make key decisions pertaining to 3rd party relationship;
  o Resolve any escalated issues.
2nd line: Establish risk related policies, provide oversight and challenge
ORR:
▪ Develop, implement and monitor 3PRM framework;
▪ Provide subject matter expertise.
Corporate functions:
▪ Provide inherent, residual risk assessment and due diligence for their domain of risks;
▪ Assess implications of 3rd party risk to their risk domain.
3rd line: Assess/Audit program design and operating effectiveness
▪ Provide an independent assessment of the effectiveness of the internal control environment in 1st and 2nd lines:
  o Adherence to applicable regulatory guidance;
  o Appropriate on-going 3rd party management and oversight;
  o An effective challenge to the 1st and 2nd lines that includes escalation process.
2. 3rd Party Risk Management: High Level Operating Framework
Risk domains covered: Strategic Risk, Information Security Risk, Financial Stability / Credit Risk, Reputation Risk, Business Continuity Risk, Geographical Risk, Compliance Risk, Operational Risk, Contractual Risk.
3rd Party Risk Assessment:
▪ Strategy & Selection: business requirements; market intelligence / condition; sourcing strategy; 3rd party diversity
▪ Service / Product Review: experience as a provider; review past performance; scan industry-related news; relationship risk level; mitigation measures
▪ Financial Health: review financial statements; compare to industry standards and ratios; credit report and rating
▪ Background Checks: evaluate overall stability (fraud, physical security, reputation…); risk controls and practices; insurance claims / litigation
Engagement Risk Assessment:
▪ Business Continuity: confirm BCP / DRP meet business requirements; contingency planning for policies, repatriation or alternative provider
▪ Information Security: evaluate adequate evidence of controls; confirm traceability of data; manage access rights
▪ Compliance: risk assessment; certification process; compliance checks (OSFI, OCC, IIROC, AMF, AML, living wills…)
▪ Agreement Terms: evaluate terms negotiated against business objectives; review insurance clause for proper protection & renewal
▪ Manage & Reporting: residual risk assessment; defined business controls, KPIs, KRIs; analytics & actionable reporting; termination strategy
Risk-Score 3rd Party Segmentation
On‐going 3rd Party Management
Leveraging the foundation of the standard operating model
Beyond regulatory requirements…
▪ How do you protect your organization's knowledge/expertise?
▪ Have you created a dependency towards your 3rd parties?
▪ Is the quality of your service consistent end-to-end?
▪ Have you evaluated the TCE (additional, hidden costs…)?
▪ Did you assess the potential loss of control in your outsourced activities?
▪ Did you take into consideration the increase in operational risks?
Appendices
Emerging Industry Trends
An integrated approach to 3rd Party Risk Management
As our procurement organization matures, the focus needs to be more than just cost savings; we need to be proactively involved in strategic initiatives and creatively protect the organization.
▪ Procurement and Finance Alignment: essential partnership between procurement and Finance (BU CFO) to track and record savings
▪ New Risk Domains: extension of 3rd Party Risk Management to address additional risks beyond Information Security and Supplier Performance (Reputation, Compliance, or Geo-political Risk)
▪ Sub-Contractors (4th Party Risk): inclusion of sub-contractors in the Risk Management Program, including inventory, assessment and monitoring (Supply Chain Management)
▪ Innovative Solutions: expand supply market research to include new innovative solutions (e.g. cloud, social media, etc.)
▪ Revenue Optimization: promote and develop the NBC's customer portfolio within our supplier community and maximize value to the Bank by being thoughtful about our customer/supplier relationships
▪ International Expansion: support strategic initiatives in international expansion, licensing, e-Commerce growth
▪ M&A / Divestitures: ongoing M&A and restructuring activities have created new sourcing leverage and required new supply strategies
▪ Sustainability: increasingly, customers and governments are demanding plans to make operations more sustainable and from a more diverse supplier base
3rd Party Definition
General definition: An entity, including individuals and affiliates, that has a business relationship with the institution or its customers, and is not itself a customer. Third party relationships include:
How 3rd parties are defined:
▪ Vendor 3rd Party: 'Vendor' third parties are service providers that deliver a product or service to the institution. These relationships are typically sourced through a sourcing / procurement process. Payment is typically transacted by Accounts Payable.
▪ Non-Vendor 3rd Party: 'Non-Vendor' third party relationships are typically acquired by a business line / segment directly, not through a sourcing / procurement function. Financial remuneration, if applicable, is typically transacted outside of Accounts Payable processes. These relationships may be managed solely by a business line / segment, or managed in conjunction with a corporate risk management function.
Specialized Categories (Non-Vendor):
▪ Analysts and Advisors
▪ Affiliates
▪ Affinity Relationships
▪ Alliances and Partnerships
▪ Brokers
▪ Correspondent Banks and Wholesale Banking
▪ Rating Agencies
▪ Servicers
▪ Counterparties
▪ Debt Underwriters / Securitization Firms / Trustees
▪ Financial Utilities
▪ Government Special Purpose Entity (GSE)
▪ Indirect Lending
▪ Joint Marketing Partners
▪ Tenants
▪ Trade Associations