Managing the 3rd Party Risks & Regulatory Impact in Banking & Financial Services Buyers
Ring Fencing: Compliance Matters
3rd Party Risk Management Approach & Lifecycle
OCTOBER 2014
© Copyright 2014 Energica Advisory Services Private Limited (Energica ASPL). All Rights Reserved. The recipient agrees not to distribute, share or use any part of the material without express written permission of Energica ASPL. Any other company and product names mentioned are used for identification purposes only, and may be trademarks of their respective owners. Energica ASPL disclaims all warranties as to the accuracy, completeness or adequacy of such information. Energica ASPL shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Reproduction of this publication in any form without prior written permission is forbidden. www.energica-global.com
Energica: Governance Matters > Perfecting Partnership > Delivering Value
Ramesh Somasundaram, CEO & Head, IT Sourcing Mgt. & Managed Governance Services, ENERGICA ASPL
3rd Party Supplier Risk Management Approach & Lifecycle
STRATEGIC SOURCING GOVERNANCE THROUGH YOUR EXTENDED PARTNER
IT SOURCING MANAGEMENT. GOVERNANCE. ADVISORY.
2 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES
Regulation has challenged the business strategies, operational frameworks and functional business processes of every organization operating across the banking and financial services industry.
Managing 3rd Party Suppliers, IT Service Providers, Extended Partners, GICs and CSPs is becoming very critical for the buyer organization, considering the emerging risks in today's multi-geography, multi-sourcing, multi-vendor environments.
The purpose of this Thought Paper (Ring Fencing – A Perspective View on managing the 3rd Party Risks and the Regulatory Impact in Banking & Financial Services Industry) is to share our view on the regulatory impact and on the strategic nature of compliance and operational risks:
• What are the various regulatory requirements and control issues in the BFSI industry?
• Managing the operational and compliance risks with your service providers | GICs | Captives | Shared Services through Ring Fencing.
• Overview of the impact of regulatory components from a Business & IT services standpoint.
• Energica's risk management approach & framework for managing 3rd Party relationships across the sourcing lifecycle to minimize and mitigate operational and compliance risks.
This will help our clients (buyer organizations) manage 3rd Party risks more effectively by leveraging a comprehensive risk management framework (Ring Fencing) and tools in a continual manner throughout the sourcing lifecycle, and more specifically to minimize risk from an operational standpoint.
Please contact Ramesh Somasundaram (Energica) with any questions or for specific consultative expertise | Advise in 3rd Party Supplier Relationship Risk Assessment.
Background: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers
Ring Fencing: Business Drivers
The following are the major business drivers for 3rd Party vendor risk management in the banking and financial services industry, given its complex risks:
• Structural reforms in the USA, UK and European banking & financial industries
• Resolution requirements
• Extra-territoriality
• Cross-border trade across geographies and its implications
• Impact on IT systems & services
• Fragmented systems: the IT infrastructure of most financial firms is fragmented and inconsistent. Data resides across multiple systems. This fragmentation drives up operating costs, slows the development of new products and hinders managers making decisions that require them to understand the contributions of customers, products and lines of business to the firm's overall performance.
• Operational risks
• Data & regulatory reporting
• Risk management: meeting the regulatory changes & implications; Solvency II implications for insurance companies; dependency constraints & compliance on multi-geography financial regulatory requirements (market structures in different countries)
Ring Fencing - 3rd Party Risk Assessment: Driving Factors
• Lack of regulatory oversight & neglected warnings
• Increased regulatory scrutiny and compliance requirements
• Third parties representing the biggest compliance risk
• Lack of regulatory impact assessment on IT sourcing transactions, supply base and technology
• Customers (buyers) have no or minimal systems or processes in place to manage and monitor third-party relationships
• Need to evaluate, understand and mitigate both supply base and emerging risks
• Need to implement consistent vendor governance | risk & performance management across different regions
• Meeting the regulatory changes & implications
• Data & regulatory reporting
• DPA for financial institutions located outside Europe
• Solvency II implications
• Cost, data and timeline pressures
• Change management & implications
• Poor or lacking 3rd Party risk management programs
• Dependency constraints & compliance on multi-geography financial regulatory requirements (market structures in different countries)
• IT security breach | data theft
Diagram (source © Energica ASPL): the buyer of IT services (Banks & Financial Institutions) at the centre, with its Program Management, Technology Product Mgt. and SVM | VMO Governance functions; Supply Side Partners | Service Providers (Vendors | SP | Suppliers) and Supply Side Partners | Captives | GICs; Demand Side Partners (Customers | Distributors | OEMs); and the Regulatory layer by Region | Geography | Country.
Ring Fencing: Market Trends & Operational Levers
The new regulatory environment will create opportunities and challenges for banking and financial institutions (buyers). Before looking at ways of managing complex risks better, it is useful to understand the sources of complexity, the regulatory impact and the complex parameters revolving around banking & financial institutions:
• New regulatory scrutiny and compliance requirements across the Banking, Capital Markets, Insurance and Investment Management sectors
• Expanding geographical footprint
• Customer demands
• New product offerings
• Distribution innovation: multi-channel customer interactions (cross-border, ATM, Internet, Bank, Mobile, Call Centers, marketplaces)
• Structural impediments & fragmented systems
• Technology management
• Product proliferation: the number of products offered by financial firms has increased dramatically in the past 20+ years.
• Fragmented systems: the IT infrastructure of most financial firms is fragmented and inconsistent, leading to modernization and the development of new systems.
• Data & regulatory reporting: regulatory compliance now requires much more from banks and insurers: more data collection, more risk analysis, and more monitoring and reporting.
Regulatory Impact Index: the table depicted on the next page gives an overview of the regions and the regulatory components impacting the BFSI industry segments.
RING FENCING – Regulatory Impact: Industry-Country NEXUS
The table depicted below gives an overview of the regions and the regulatory components impacting the BFSI industry segments. Columns in the original table: UK | Europe | USA | Global, each split into Banking & Securities | Financial Services | Investment Mgmt. | Insurance. The per-region cell markings did not survive this transcript, so the regulatory components are listed by industry group; the P** and D* markers are carried over from the original table.
Financial Services
• Capital Requirements Regulation and Directive (CRD IV)
• European Market Infrastructure Regulation (EMIR)
• Financial Transaction Tax (FTT) P**
• The Foreign Account Tax Compliance Act (FATCA)
• The Fourth Money Laundering Directive (MLD4)
• General Data Protection Regulation (GDPR) P**
• Market Abuse Directive Legislative Package (MAD II)
• Markets in Financial Instruments Regulation & Directive (MiFID II)
• Wire Transfer Regulation (WTR) D*
• Securities Financing Transactions Regulation (SFT) P**
• TARGET2-Securities (T2S)
• Dodd-Frank Wall Street Reform and Consumer Protection Act
• Network and Information Security Directive (NISD) P**
Banking | Financial Services | Securities
• Bank Levy Act
• Bank Recovery and Resolution Directive (BRRD)
• BCBS 239 - Risk data aggregation and risk reporting
• Benchmark Regulation D*
• Central Securities Depositories Regulation (CSDR)
• EU Banking Structural Reforms
• European Commission Communication on Shadow Banking D*
• The Financial Services (Banking Reform) Act 2013 D*
• Mortgage Credit Directive (MCD)
• Payment Accounts Directive (HM Treasury)
• FCA review of client assets regime for investment business
• International Financial Reporting Standards (IFRS 9)
• Payment Services Directive
Insurance
• CASS 5A P**
• ComFrame D* - The Common Framework for the Supervision of Internationally Active Insurance Groups
• Insurance Distribution Directive (IDD) D*
• Solvency II
Investment Management
• Alternative Investment Fund Managers Directive (AIFMD)
• European Long-Term Investment Funds Regulation (ELTIF)
• Client Assets Review
• Regulation on Key Information Documents for PRIIPs - D*
• UCITS V Directive - V & VI - D*
• EuSEF and EuVECA Regulation
• Money Market Funds Regulation (MMF) - D*
• UCITS V Directive - VI P**
Source © Energica ASPL
Enhance Your Risk Radar
Diagram (source © Energica ASPL): IT Sourcing Risk Spectrum → Emerging Risks → BFSI Regulatory Impact → Managing Your Supply Base | 3rd Party Risks → Go Beyond the Internal Audit Plan → Outsourced Activities & Retained Organization's Responsibilities → Risk Management Programs → Enhance Your Risk Radar by 3rd Party Risk Relationship Assessments → Feedback Loop – Continual Improvements & Optimizing your 3rd Party Risks
I. IT Sourcing is aggressive and the momentum will continue.
II. Emerging risks and a widening risk spectrum.
III. Managing 3rd Party risks and compliance matters in a highly regulated BFSI industry is VERY CRITICAL.
IV. Define a responsibility matrix for the outsourced activities & the retained organization.
V. Establish comprehensive risk management programs for the BFSI regulatory changes.
VI. Vendor risk assessment and risk profiling.
VII. Optimize your compliance and operational risks through a feedback loop.
BFSI Regulatory Impact
Regulatory Impact on IT Systems and Services | Change Management | Key Process Areas (KPA)
Key Process Areas (KPA): Accommodating Business Changes & New Rules • Stress Testing • Documentation • Regulatory Reporting • Data Governance • Risk Management Programs • Personalization • IT Security
Industry Impact (BFSI segments): Wealth Mgt. & Investment Advisory • Mortgages – Consumer Lending • Investment Banking • Securities Trading • Hedge Funds • Insurance • Banking
IT Systems:
• Regulatory Reporting
• Enhanced GRC Systems & Solutions
• BI | EDW Solution Requirements
• IT Security
• Distribution Innovation | Technologies
• Personalization
• Improved Products & Services on Customer Excellence
• Privacy Intrusion
Data:
• Data Mgt. Strategy
• Data Quality
• Data Governance
• DMT Programs
Territory | Region:
• Geography Specific Impact
• Business Transactions | IT Services on Cross Border Trade across geographies and implications
GRC:
• IT compliance due to new regulatory components like BASEL III, Dodd Frank Act, SEPA, FATCA
• Refined GRC reporting requirements
• Risk Management Programs
• Consolidated GRC Systems
• Dependency Constraints & Compliance on Multi Geography Financial Regulatory Requirements (market structures in different countries)
• 3rd Party Risk Assessments
Ring Fencing: Energica's Integrated Approach* towards 3rd Party Supplier Risk Management
*Approach and methodology will be refined based on the client's actual scope and requirements.
Third Party Risk Management & Strategic Planning
• Assess alignment of the outsourced activity with the Buyer's strategy and oversight capacity
• Assess the risk inherent in the outsourced activity, individually and as part of the broader operational strategy
Due Diligence
• Assess the risk associated with a specific third party, and in context with other outsourced activities
Contracting
• Define compliance expectations & the Regulatory Impact Roadmap
• Enable effective oversight
• Create the 3rd Party Risk Management Reporting framework
Risk Assessment
• Monitor changes in risk profile: financial, operational, reputation, regulatory and litigation activity, and personnel
• Periodic onsite reviews, site visits, compliance audits, etc.
Risk Profiling
• Implement a consistent approach to documenting compliance activities throughout the third-party life cycle
• Evaluate systems' capacity for documenting, aggregating and reporting relevant data
Ongoing Monitoring & Reporting
• Enable assessment of third-party performance, key risk indicators, and alignment with strategic objectives
• Feedback Loop and Continual Improvement Programs
Source © Energica ASPL
3rd Party Risk Management Lifecycle: Banking & Financial Services Regulatory Compliance
Diagram (source © Energica ASPL): 3rd Party Risk Management Strategic Planning → Outsourced Activities | Retained Organization Responsibilities → Contract Management → BFSI Regulatory Impact | IT | Business | Technology → Operational & Compliance Risks | 3rd Party Risks → Risk Assessment & Control Assessments → Monitoring and Reporting → Feedback Loop
Buy Side (BFSI Industry Sectors): Banking, Investment Banking, Mortgages, Financial Services, Treasury Services, Card Services, Insurance
Supply Side: Suppliers | Service Providers, GICs | Captives, Shared Services
BFSI Regulatory Components: Europe, USA, UK
Key Takeaways
Extra Territoriality: IT compliance is very critical due to new regulatory components like BASEL III, Dodd Frank Act, SEPA, FATCA. Consolidated GRC systems. Regulatory impact on IT systems. Distribution innovation. Improved products & services on customer excellence. Privacy intrusion.
Operational Risk Management: Monitoring supply base risks is very critical from operational and strategic aspects. Auditing outsourced operations | business processes covering the supply base, 3rd Party vendors and Captives/GICs/SSCs across onsite/off-site/near-shore/offshore locations. Disaster Recovery/Business Continuity Planning audits. IT security audits. Carry out compliance audits across the 3rd Party relationships on a periodic basis. Continual supply base monitoring and improvement programs. Build/enhance appropriate GRC systems to aggregate and report accurate risk data to ensure compliance.
Risk Management: Meeting the regulatory changes & implications with enhanced GRC systems. Solvency II implications for insurance companies. Dependency constraints & compliance on multi-geography financial regulatory requirements (market structures in different countries).
Key Takeaways
• Emerging risks should be addressed as an unavoidable part of business growth and expansion.
• Technology and the shifting geopolitical landscape are creating ever more complex and interrelated risks.
• Change management is key to risk management, considering the regulatory impact across BFSI industry segments covering the region/country of operations and the underlying business units.
• Risk managers should develop and maintain a 'risk radar' database of all risks, including emerging risks, based on active investigation and detailed information about each threat.
• Oversight that precedes a third-party relationship, covering strategic planning, due diligence and contracting, is essential to defining expectations, enabling effective risk management, and ensuring that outsourcing can satisfy both business and regulatory objectives.
• Enhance and leverage the cross-functional relationships needed to manage the risks: between IT and Business (technology risks) and with Procurement/Sourcing teams (supply chain risks), by establishing/refining the standard procedures and processes (regulatory and compliance).
• Conduct periodic 3rd Party vendor risk assessments as part of the risk management programs (supplier governance) to inform your risk appetite and minimize the business impact.
In Closing… Way Forward. How can Energica help the buyer organization on 3rd Party vendor risk assessments across the Sourcing and Vendor Management (SVM) value chain?
Energica's approach and methodology* on 3rd Party Relationship Risk Assessment will be refined based on the client's actual scope, requirements, sourcing and vendor landscape, etc.
Energica's 3rd Party Relationship Risk Assessment (Ring Fencing) methodology varies depending on the size and actual scope of the client's outsourcing contract(s).
Energica considers several environmental factors when evaluating the scope of 3rd Party Relationship Risk Assessments | Audit Programs, including: the sourcing landscape, number of deals, geography, country, business units, IT services, service provider, maturity of the relationship, degree of VRM risk management strategy, process and 3rd Party vendor risk management programs, and maturity of the vendor risk monitoring processes, practices and reporting.
Energica has a network of consultants with GRC expertise and capabilities cutting across the BFSI, Telecom and Healthcare arenas. Energica will designate internationally experienced associate(s) who will support the client, depending on the nature of the engagement.
Energica will provide you with assessment reporting that includes an executive summary, our approach, risk assessment | audit findings and practical recommendations for the 3rd Party relationship(s) audited, as well as for other sourcing agreements that you may have with similar vendors.
We would welcome the opportunity to discuss the 3rd Party Supplier Risk Assessment and/or our managed governance services with you. Please feel free to contact Ramesh Somasundaram @ +91 99620.55678 or write to [email protected] or [email protected].
© Copyright 2014 Energica Advisory Services Private Limited (Energica ASPL). All Rights Reserved. This document is confidential and is intended solely for the use and information of the client to whom it is addressed. The information contained within this document is proprietary to Energica ASPL and it reserves the right to all information provided. The recipient agrees not to distribute, share or use any part of the material without express written permission of Energica ASPL. The recipient would treat this material as Confidential Information. The information contained herein has been collated/obtained from sources believed to be reliable. Energica ASPL disclaims all warranties as to the accuracy, completeness or adequacy of such information. Energica ASPL shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Reproduction of this publication in any form without prior written permission from Energica ASPL is forbidden.
www.energica-global.com
Energica
Ring Fencing: Compliance Matters. Energica's Integrated Approach* towards 3rd Party Supplier Risk Management
Sourcing Mgt & Governance | IT Vendor Management & Managed Governance Services
Sourcing Governance Through Your Extended Governance Partner
IT SOURCING MANAGEMENT. GOVERNANCE. ADVISORY.
Governance Matters > Perfecting Partnership > Delivering Value
Ramesh Somasundaram, CEO & Head, IT Sourcing Mgt. & Managed Governance Services, (C) +91.99620.55678, Email: [email protected]
ENERGICA ASPL (Energica Advisory Services Private Ltd)
OCTOBER 2014
EASPLMGS102014005