Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 0

Using Metrics to Improve Your

Third-Party Risk Management Program

Presented byRandy Stephens & Michael Volkov

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 1www.navexglobal.com

• NAVEX Global’s 2017 Third-Party Risk Management Benchmark Report

• Key Findings

• Using Metrics to Improve your Third-Party Risk Management Program

• Key Takeaways & Recommendations

• Q&A + Additional Resources

Agenda

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 2www.navexglobal.com

Statistical SnapshotThe 2017 Third Party Risk Management Benchmark Report

• Conducted by an independent research company, collected anonymously

• 427 respondents across more than 22 industries, Including:

Job Level:• 8% C-Suite & Senior Executives• 42% Senior Managers & Directors• 28% Other Management• 16% Non-Management

Regions Where Respondents Manage Third Parties:• 78% United States• 54% Europe• 50% Asia• 42% Latin America• 41% Canada• 33% Middle East• 32% Australia / New Zealand / Pacific Islands• 28% Africa• 21% Caribbean

Job Function:• 25% Ethics & compliance• 20% Legal• 15% Risk Management

Company Size:• 38% Large Organizations (5,000+ employees)• 34% Medium Organizations (500 – 5000 employees)• 28% Small Organizations (<500 employees)

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 3www.navexglobal.com

Key Findings

Using Metrics to Improve Your Third-Party Risk Management Program

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 4www.navexglobal.com

Risk-Based Programs are EvolvingKey Findings

• Top program concerns this year have shifted from previous years

• Budget security has improved

• Mature programs are aligning with evolving regulatory requirements

• Automation delivers program sophistication and performance

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 5

Survey QuestionHow concerned are you about your third party risk management program?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 6www.navexglobal.com

A continual shift over the last three yearsTop Issue: Cyber Security and Data Protection

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 7www.navexglobal.com

Legal concerns top program objectives for the third consecutive yearTop Objectives Align to Risk Protection

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 8www.navexglobal.com

A shift in issues does not likely alter long term trendsA Shift in Issues in 2017

• Cyber security and data protection is a universal market concern

• Risk management essentials remain the focus of third party risk programs

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 9www.navexglobal.com

Consistent challenges for program stakeholdersBudget Trends Look Positive

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 10www.navexglobal.com

The third party landscape continues to growSignificant Organizational Risk Lies with Third Parties

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 11www.navexglobal.com

A realization of the level and nature of riskBudget Improvements Indicate Increasing Understanding & Maturity

• Increases in anticipated budgets allow for strategic planning and program consistency

• Understanding your risk factors helps to define program requirements

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 12

Survey QuestionAt what maturity level do you believe your program currently resides?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 13www.navexglobal.com

Risk-based program requirements drive program sophistication We See an Increase in Program Maturity

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 14www.navexglobal.com

A risk-based approach drives risk mitigationImprovements in the Approach to Risk Management

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 15www.navexglobal.com

Screening and Monitoring Practices Tied to Program Maturity

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 16www.navexglobal.com

Regulatory Alignment Structures Strong Programs

• Multiple global regulatory agencies are aligning on program best practice recommendations

• Mature third party risk management programs tend to align to those recommendations, processes and structure

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 17

Survey QuestionDo you use a purpose-built automated solution to manage your third party risk management? (i.e., not an office management solution)

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 18www.navexglobal.com

Making the commitment to automated third party risk management is obviousAutomated Systems Are a Requirement for Program Success

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 19www.navexglobal.com

Automated solutions allow for more complete risk managementAutomated Systems Are a Requirement for Program Success

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 20www.navexglobal.com

Program Assessment Defined by Maturity

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 21www.navexglobal.com

Automated systems improve program performanceAutomated Systems Are a Requirement for Program Success

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 22www.navexglobal.com

Mature Programs See Exceptional Performance

Those respondents with advanced programs rate their ability to do the following:

• Implement a risk-based program: 87%

• Comply with laws and regulations: 87%

• Conduct deeper dives where needed: 82%

• Defensibility of program with enforcement agencies: 83%

• Accurately define risk: 84%

• Determine the ROI of the program: 50%

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 23www.navexglobal.com

Mature Programs See Exceptional Performance

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 24www.navexglobal.com

Program Maturity as a Performance Driver

• Those with reactive and basic programs put themselves at risk

• Those with maturing and advanced programs are most likely to see better results

• When seeking a third-party risk management program ROI, keep in mind that automated programs typically deliver measurable results upon which you can build additional program elements

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 25www.navexglobal.com

Using Metrics to Improve Your Third-Party Risk Management Program

Using Metrics to Improve Your Third-Party Risk Management Program

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 26www.navexglobal.com

Metrics to Know

• The point at which managing third parties appears to become more challenging is when the number of third parties reaches 100

• 57% of all respondents indicate that they pursue a risk-based program that corresponds to the nature and level of risk

• 38% of respondents update their third party due diligence policy once a year

• In 2016, 25% of respondents identified none of their third parties as high risk. In 2017, only 3% identified none of their third parties as high risk.

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 27www.navexglobal.com

Metrics to Know

• 69% of respondents identified or discovered red flags or other negative third-party information through their due diligence processes

• Among those who use third-party due diligence providers to facilitate their programs, those systems typically return:

− adverse media reports (64%)

− government investigations or conviction (59%)

− connections to government officials (55%)

− adverse financial information (54%)

− politically exposed persons (52%)

− individuals or entities on a government or sanctions watch list (51%).

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 28www.navexglobal.com

Key Takeaways and Recommendations

Using Metrics to Improve Your Third-Party Risk Management Program

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 29www.navexglobal.com

Demonstrating third-party risk management program valueKey Takeaways

• Benchmarking your program is critical; identify points of improvement

• Secure an annual budget and executive support

• Understand where your program lies on the the maturity index – strive for improvement

• Consider how you will measure program effectiveness

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 30

Additional Third Party Risk Management Assets

• Third Party Risk Management Thought Leadership: http://www.navexglobal.com• White Paper: How to go from Manual to Automated Third Party Due Diligence Monitoring: Ten Steps

to Success• White Paper: Anti-Bribery & Corruption Risk Assessment Checklist• White Paper: What to Ask: Assessing Third Party Risk Management Solutions• Guide: A Prescriptive Guide to Third Party Risk Management• Guide: Definitive Guide to Third Party Risk Management

• More Benchmarking Resources From NAVEX Global:o 2017 Hotline Benchmark Report & Toolkito 2017 Policy Management Benchmark Reporto 2017 Ethics & Compliance Training Benchmark Report

Become a member of our community-driven resource library: ComplianceNext.com

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 31www.navexglobal.com

Questions

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 32www.navexglobal.com

Thank You