© 2015 Deloitte 1
Managing third party risks
September 2015
Challenges and trends
Agenda
What is third party risk?
Why is it important?
How can you address it?
The extended enterprise is becoming the new normal, and with that comes an increased dependency on third parties to operate your value chain.
[Figure: layers of third party exposure]
Internal operation: relates to internal processes.
Extended value chain: originates in upstream and downstream supply chain partners.
Support functions: have potential effects across the entire supply chain.
Value chain stages: Develop, Plan, Source, Make, Deliver/Return. Supply side: Tier N suppliers through Tier 1 suppliers into company operations; demand side: distributors through to end-users. Key third parties: agents, consultants, suppliers, joint ventures, distributors, contractors, partnerships and 3rd party services. Support functions: Finance, Human Resources, Legal, Information Technology.
The use of third parties is likely to continue to increase
• Optimization: during the recession, many organizations pushed more of their business out to third parties in an effort to reduce internal costs across the extended enterprise.
• Regulatory trends: regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of euros.
• The importance of reputation: when millions of consumers are personally affected by a third-party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer.
• Free flow of reputation: the free-flowing nature of information plays a role: decades ago, a disruption in a local country would likely have stayed local; today it can quickly become a global issue.
As a result of the escalating risk — and the escalating fallout when risk becomes reality — boards are paying more attention and asking more questions.
If you ask the compliance officers, third party risk is already the no. 1 headache
Third party risk management is a top challenge... and for good reason.
Source: Deloitte compliance trend survey
Why is third party risk important?
It is not a new concept for organizations to engage with third parties for the provision of products and services, so why is third party management now so important? There are a number of factors driving organizations to place increased importance on third party risk, which can be broadly grouped into the following areas:
Regulation: Global regulators across a variety of risks and industries are taking risk management of third parties very seriously. Increased regulations are seen in a variety of areas, e.g. anti-bribery, corruption and data security.
Market conditions: The global recession has driven many of our clients to outsource operations to third parties in an attempt to reduce costs.
Overseas providers: In an attempt to seek out low cost solutions, organizations are increasingly using offshore outsourcing and supplier networks. This exposes organizations to inherent risks in trading with overseas suppliers as well as difficulties obtaining assurance of compliance.
Specialist suppliers: The appearance of specialist suppliers has led to some organizations becoming very reliant on the products / services from such suppliers. If that supplier were to fail to deliver, it could adversely impact the organization.
Reputational impact: A failure by a supplier to deliver against its contractual obligations can have a severe reputational impact on your organization, particularly if it leads to severe delays in service or an inability for your organization to continue to service its customers.
Technology: The emergence of cloud computing has created new opportunities for firms but can also mean new risks to be mitigated. The impact of sensitive data being leaked would be highly detrimental to the organization, and there is a risk that outsourcing partners may have limited control environments to protect that data.
Common third party risk categories that should be on the radar
Risk areas: resilience; health, safety and environment; intellectual property; billing and performance; integrity; corporate responsibility; regulatory; security; solvency.
• Solvency: There is no business-wide ongoing monitoring of third parties' solvency, and therefore there is limited visibility of third party solvency and financial viability.
• Security: The business does not have adequate visibility as to whether third parties are compliant with physical and information security policies, some of which are client requirements. This exposure can increase with further outsourcing.
• Regulatory: There is no central visibility of third party compliance with data protection act requirements; this increases the risk of breach by third parties, for which the business may be liable.
• Corporate responsibility: There are no processes in place to consult with stakeholders from the corporate responsibility department in order to require third parties to protect the business’ brand and to comply on corporate responsibility issues.
• Resilience: There are no checks to ensure that business continuity plans have been completed and tested.
• Health, safety and environment: There are limited processes to ensure contracts include health and safety standards or requirements, the lack of which may expose the business to HSE claims.
• Intellectual property: Contracts are not consistently passed through IP or legal teams to protect our intellectual property from theft or misuse by third party suppliers.
• Billing and performance: There is limited ongoing monitoring of supplier compliance against contractual terms and conditions. As a result, suppliers may be raising inaccurate charges or failing to meet performance standards through contractual non-compliance.
• Integrity: There are no processes in place to:
  • Ensure AML and ABC clauses are included within contracts.
  • Conduct supplier due diligence.
  • Ensure audit rights are inserted into third party contracts.
  • Inspect ongoing compliance with policies.
  As a result there is potential exposure to legal prosecution in the event of a breach by a third party supplier.
However, being on top of the third party risk profile often generates a number of challenges
Across the four phases (Identify, Evaluate, Mitigate, Monitor), typical questions include:
• Which third parties should we be auditing?
• Why are we performing due diligence on so many third parties?
• How can we assess the risk presented by the third party?
• How can we obtain more background information about the third party?
• How can we align the due diligence performed with the risk presented by the third party?
• What type of due diligence activity should be performed?
• Why does it take so long to perform the due diligence activities?
• How do you audit a third party?
• What should the scope of the audit be?
• How should we act on risks?
• How far should we mitigate risks?
• How do we act on deviations?
• What monitoring should we be performing?
• How do we monitor?
• How can we make the process more efficient and effective?
© 2015 Deloitte 11
Segment your third party base and direct your focus and efforts on the clusters of concern
• What risks can cause non-compliance and affect your license to operate?
• What risks can affect your product supply to end-customers?
• What risks can cause overpayments to, or understated revenues from, third parties?
• What risks can affect your reputation?
• What risks can affect your business strategy execution?
Legend (segmentation map): high risk, mid risk, low risk, black swan.
© 2015 Deloitte 12
Build and implement a structured framework to manage third party risk
Phases: Identify, Evaluate, Mitigate, Monitor.
Activities across the phases, in order:
• Scope of 3rd parties
• Self-disclosure surveys
• Nature of relationship
• Risk assessment
• Risk-based due diligence
• Identification of red flags
• Low, medium, high risk rating
• Approve / deny / conditions
• Contracting (wording)
• Internal controls and tests
• Training and certifications
• Monitor relationship
• Monitor transactions
• Monitor changes
• Periodic re-approval
Data inputs: risk intelligence.
[Figure: risk category model] A risk intelligence map organized under Governance, Strategy and Planning, Operations/Infrastructure, Compliance and Reporting, with sub-categories covering corporate governance, ethics, corporate responsibility and sustainability (CR&S), external factors, planning, strategy, corporate assets, finance, human resources, information technology, legal, product development, sales, marketing and communication, compliance, and reporting.
[Figure: value chain (example)] Support functions: Finance, IT, Communication/IR, HR, Indirect Procurement, Legal, Security, CSR. Primary activities: strategy setting, development, procurement and inbound logistics, manufacturing, distribution, marketing and sales.
[Figure: which risks should we focus on?] Risks 1 to 10 plotted by probability against impact, feeding risk prioritization, risk mitigation plans and risk dashboards.
Benefits of strong governance
Deloitte’s integrated third party governance and compliance framework solutions enable organizations to optimize their risk and compliance management processes and transform them into sustainable operational solutions.
Key benefits of effective frameworks:
• Increased transparency: demonstrate transparency on risk and control decisions made.
• Ownership and active management: drive consistent compliance across multiple business units and individuals.
• Alignment to strategy: third party risk-based segmentation and management is tied to the organization’s strategic business goals.
• Live data for decision making: implement a dashboard to increase efficiency and reduce reliance on spreadsheets for tracking.
• Risk-based management: use segmentation and risk management to address increasing risk and severity of impact.
• Regulatory compliance: consistently comply with regulatory requirements pertinent to the organization’s business activities.
• Continuous monitoring: performance measuring and monitoring of third parties on a continuous basis.
About Deloitte
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.
Deloitte Touche Tohmatsu Limited
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.