
Page 1: Managing third party risks
Challenges and trends
September 2015
© 2015 Deloitte

Page 2: Agenda

What is third party risk?

Why is it important?

How can you address it?

Page 3: The extended enterprise is becoming the new normal, and with it comes an increased dependency on third parties to operate your value chain

Figure: the extended enterprise. Three layers of dependency:

Internal operation: relates to internal processes.

Extended value chain: originates in upstream and downstream supply chain partners.

Support functions: have potential effects across the entire supply chain.

Value chain stages: Develop, Plan, Source, Make, Deliver/Return. On the supply side, Tier N through Tier 1 suppliers feed company operations; on the demand side, distributors deliver to end-users.

Key third parties: agents, consultants, suppliers, joint ventures, distributors, contractors, partnerships and 3rd party services.

Support functions: Finance, Human Resources, Legal, Information Technology.

Page 4: The use of third parties is likely to continue to increase

• Optimization: during the recession, many organizations pushed more of their business out to third parties in an effort to reduce internal costs across the extended enterprise.

• Regulatory trends: regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of euros.

• The importance of reputation: when millions of consumers are personally affected by a third-party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer.

• Free flow of reputation: the free-flowing nature of information plays a role. Decades ago, a disruption in a local country would likely have stayed local; today it can quickly become a global issue.

As a result of the escalating risk, and the escalating fallout when risk becomes reality, boards are paying more attention and asking more questions.

Page 5: If you ask the compliance officers, third party risk is already the no. 1 headache

Third party risk management is a top challenge... and for good reason.

Source: Deloitte compliance trend survey

Page 6: Agenda

What is third party risk?

Why is it important?

How can you address it?

Page 7: Why is third party risk important?

It is not a new concept for organizations to engage with third parties for the provision of products and services, so why is third party management now so important? There are a number of factors driving organizations to place increased importance on third party risk, which can be broadly grouped into the following areas:

Regulation: Global regulators across a variety of risks and industries are taking risk management of third parties very seriously. Increased regulation is seen in a variety of areas, e.g. anti-bribery, corruption and data security.

Market conditions: The global recession has driven many of our clients to outsource operations to third parties in an attempt to reduce costs.

Overseas providers: In an attempt to seek out low-cost solutions, organizations are increasingly using offshore outsourcing and supplier networks. This exposes organizations to the inherent risks of trading with overseas suppliers, as well as difficulties in obtaining assurance of compliance.

Specialist suppliers: The appearance of specialist suppliers has led to some organizations becoming very reliant on the products or services of such suppliers. If such a supplier were to fail to deliver, it could adversely impact the organization.

Reputational impact: A failure by a supplier to deliver against its contractual obligations can have a severe reputational impact on your organization, particularly if it leads to severe delays in service or an inability for your organization to continue to service its customers.

Technology: The emergence of cloud computing has created new opportunities for firms, but can also mean new risks to be mitigated. The impact of sensitive data being leaked would be highly detrimental to the organization, and there is a risk that outsourcing partners may have limited control environments to protect that data.

Page 8: Common third party risk categories that should be on the radar

Risk areas: Solvency, Security, Regulatory, Corporate responsibility, Resilience, Health, safety and environment, Intellectual property, Billing and performance, Integrity.

Solvency: There is no business-wide ongoing monitoring of third parties' solvency, and therefore there is limited visibility of third party solvency and financial viability.

Security: The business does not have adequate visibility as to whether third parties are compliant with physical and information security policies, some of which are client requirements. This exposure increases with further outsourcing.

Regulatory: There is no central visibility of third party compliance with data protection act requirements; this increases the risk of a breach by third parties, for which the business may be liable.

Corporate responsibility: There are no processes in place to consult stakeholders from the corporate responsibility department in order to require third parties to protect the business's brand and to comply with corporate responsibility requirements.

Resilience: There are no checks to ensure that business continuity plans have been completed and tested.

Health, safety and environment: There are limited processes to ensure that contracts include health and safety standards or requirements, the lack of which may expose the business to HSE claims.

Intellectual property: Contracts are not consistently passed through IP or legal teams to protect our intellectual property from theft or misuse by third party suppliers.

Billing and performance: There is limited ongoing monitoring of supplier compliance against contractual terms and conditions. As a result, suppliers may be raising inaccurate charges or failing to meet performance standards through contractual non-compliance.

Integrity: There are no processes in place to:

• Ensure AML (anti-money laundering) and ABC (anti-bribery and corruption) clauses are included within contracts.

• Conduct supplier due diligence.

• Ensure audit rights are inserted into third party contracts.

• Inspect ongoing compliance with policies.

As a result, there is potential exposure to legal prosecution in the event of a breach by a third party supplier.

Page 9: Agenda

What is third party risk?

Why is it important?

How can you address it?

Page 10: However, being on top of the third party risk profile often generates a number of challenges

• How can we align the due diligence performed with the risk presented by the third party?

• Why does it take so long to perform the due diligence activities?

• How do you audit a third party?

• What type of due diligence activity should be performed?

• Which third parties should we be auditing?

• Why are we performing due diligence on so many third parties?

• How can we make the process more efficient and effective?

• What monitoring should we be performing?

• How can we assess the risk presented by the third party?

• How can we obtain more background information about the third party?

• How should we act on risks?

• What should the scope of the audit be?

• How far should we mitigate risks?

• How do we act on deviations?

• How do we monitor?

These questions span the four phases of the process: Identify, Evaluate, Mitigate, Monitor.

Page 11: Segment your third party base and direct your focus and efforts on the clusters of concern

• What risks can cause non-compliance and affect your license to operate?

• What risks can affect your product supply to end-customers?

• What risks can cause overpayments to, or understated revenues from, third parties?

• What risks can affect your reputation?

• What risks can affect your business strategy execution?

Figure legend: High risk, Mid risk, Low risk, Black swan.

Page 12: Build and implement a structured framework to manage third party risk

Framework phases: Identify, Evaluate, Mitigate, Monitor.

Framework steps, in order across the four phases:

• Scope of 3rd parties

• Self-disclosure surveys

• Nature of relationship

• Risk assessment

• Risk-based due diligence

• Identification of red flags

• Low, medium, high risk classification

• Approve / deny / conditions

• Contracting (wording)

• Internal controls & tests

• Training & certifications

• Monitor relationship

• Monitor transactions

• Monitor changes

• Periodic re-approval

Risk category model (figure): a data-driven risk intelligence map whose top-level categories are Corporate Governance, Ethics, Corporate Responsibility & Sustainability, External Factors, Planning, Strategy, Corporate Assets, Finance, Human Resources, Information Technology, Legal, Product Development, Sales, Marketing and Communication, Compliance Reporting, Operations/Infrastructure, Strategy and Planning, Governance and Supply Chain. Sub-categories directly relevant to third party security include Information Security (IS), Physical Security, Privacy and Data Protection, Privacy and Security Laws, Intellectual Property (IP), Technology Licensing, Contracting and Outsourcing, Contract Management, Business Continuity Management (BCM), Extended Enterprise, Third Party/Joint Venture Requirements, Records and Information Management, and E-Commerce/Internet.

Value chain (example, figure): support functions Finance, IT, Communication/IR, HR, Indirect Procurement, Legal, Security and CSR run alongside the primary activities Strategy setting, Development, Procurement and inbound logistics, Manufacturing, Distribution, and Marketing and Sales.

Risk heat map (figure): ten numbered risks plotted by probability (horizontal axis) against impact (vertical axis) to answer "Which risks should we focus on?"

Outputs of the framework: risk prioritization, risk mitigation plans, risk dashboards.

Page 13: Benefits of strong governance

Deloitte's integrated third party governance and compliance framework solutions enable organizations to optimize their risk and compliance management processes and transform them into sustainable operational solutions.

Key benefits of effective frameworks:

Increased transparency: demonstrate transparency on the risk and control decisions made.

Ownership and active management: drive consistent compliance across multiple business units and individuals.

Alignment to strategy: third party risk-based segmentation and management is tied to the organization's strategic business goals.

Live data for decision making: implement a dashboard to increase efficiency and reduce reliance on spreadsheets for tracking.

Risk-based management: use segmentation and risk management to address the increasing risk and severity of impact.

Regulatory compliance: consistently comply with the regulatory requirements pertinent to the organization's business activities.

Continuous monitoring: measure and monitor the performance of third parties on a continuous basis.

Page 14: About Deloitte

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200,000 professionals, all committed to becoming the standard of excellence.

Deloitte Touche Tohmatsu Limited: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.