9th Edition: 
Third Party Risk Management & Oversight for Financial Services 

14-15 May 2019 | Chicago

Mark McDermott

Officer, Vendor Management
State Street

"Conducting Due Diligence Prior to Onboarding to Proactively Limit Risk and Complications."

Steven Friefeld

Global Head of Sourcing & Vendor Management 
Credit Suisse

"Implementing Strategies and Tools to Successfully Monitor Concentration Risk"

"Maturing Frameworks to Adapt with Evolving Regulatory and Industry Standards"

Head of Third Party Risk Management 
MUFG, Union Bank

Jeannie Pumphrey

Christopher M. Kovalsky

Head of Third-Party Risk Management
Webster Bank

"Standardizing Due Diligence Questionnaires (DDQ) to Strengthen Overall Processes and Save Time."

We brought together key industry leaders from financial institutions who have devoted their time and energy to Third Party Risk Management.

© Copyright 2019 marcus evans conferences

How do you determine the frequency of continuous monitoring for any given third party? 

Sallie Mae evaluates the risk of every third party in scope for the Third-Party Management program and uses risk segmentation to determine the frequency of continuous monitoring and reassessments. An aspect of segmentation is due diligence tier, which drives the level of rigor applied to ongoing monitoring activities for both the business area and Risk Partners such as the Vendor Management Office, Information Security, Compliance, etc.

What best practices are used to assess the potential risk a third party might bring to your organization?

A best practice we have installed is ensuring that the correct subject matter experts are involved at the start of the process. Sallie Mae brings a group of Risk Partners (Legal, Information Security, Compliance, Privacy, etc.) together weekly to review risk assessments entering the pipeline. They are given an opportunity to review the function/service being requested and interact with the business area to help them evaluate the risk. The resulting segmentation, spend, and residual risk identification drive due diligence activities meant to protect Sallie Mae.

What strategies are used to ensure proper documentation of risk assessments and due diligence?

Sallie Mae uses a vendor management tool to administer risk assessment surveys and store business logic used to assign due diligence activity. Risk Partners, such as Information Security, maintain their own systems to track assessments and store results. We have deployed an in-house project tracker to manage pre-contract Procurement activity, initial due diligence, and the receipt of documentation across various systems. Post contract, we use an in-house SharePoint application to track ongoing monitoring activity for both business areas and Risk Partners. The SharePoint application consists of a document library to store artifacts, a playbook of ongoing monitoring activity, a contact list, and several lists to track control activity with frequency and responsible party assigned.

What are the best practices in continuously evaluating risk factors applicable to each third party?

Risk Partner subject matter expertise is key. The Vendor Management Office serves as an aggregator of risk management information from various Risk Partners and business areas. Each Risk Partner contributes according to their specialty, leaving the business area to evaluate performance and the relationship for the third party they own. Periodic reviews ensure each responsible party is delivering according to the agreed-upon frequency.

Ahead of the 9th Edition: Third Party Risk Management & Oversight for Financial Services, we spoke with Katherine Edwards, Director, Vendor Management at Sallie Mae Bank, about categorizing third parties and risk.

Katherine Edwards will be presenting on the first day, 14th of May, at 8:30 am.

Presentation topic:
Categorizing Third Parties and Risk to Prioritize Monitoring Efforts and Degree

• Classifying vendors into risk categories to establish monitoring frequency
• Conducting inherent and residual risk assessments to evaluate potential impact
• Ensuring comprehensive documentation of all operations and monitoring activity to better gauge risk
• Evaluating various risk factors to assess third party performance
• Comparing composite risk scores for reporting