9th Edition: 
Third Party Risk Management & Oversight for Financial Services 

14-15 May 2019   |  Chicago

Mark McDermott

Officer, Vendor Management
State Street

"Conducting Due Diligence Prior to Onboarding to Proactively Limit Risk and Complications."

Steven Friefeld

Global Head of Sourcing & Vendor Management 
Credit Suisse

"Implementing Strategies and Tools to Successfully Monitor Concentration Risk"

"Maturing Frameworks to Adapt with Evolving Regulatory and Industry Standards"

Head of Third Party Risk Management 
MUFG, Union Bank

Jeannie Pumphrey

 For registration details and multiple attendee discounts, please contact:

Melini Hadjitheori 

Christopher M. Kovalsky

Head of Third-Party Risk Management
Webster Bank

"Standardizing Due Diligence Questionnaires (DDQ) to Strengthen Overall Processes and Save Time."

We brought together key industry leaders from financial institutions that have devoted their time and energy to Third Party Risk Management.



© Copyright 2019 marcus evans conferences

After third party ratings drop, what are the best strategies in monitoring the risks and ensuring remediation?
In a connected, digital and highly competitive world, third-party partnerships offer companies the opportunity for greater agility by reducing production or delivery time, while also lowering costs. And companies are seizing that opportunity. 
While these ecosystems offer incredible opportunities for organizations to provide exceptional customer experiences and drive profitable growth, they also open the door to a host of new risks. Media headlines have been filled with revelations of cyber-attacks and security breaches, regulatory fines, legal actions against top-level executives and reputational damage caused by third-party vulnerabilities. 

To monitor third-party risks and ensure remediation, organizations can improve their TPRM posture by taking stock of their current governance structure, identifying and inventorying third-party risk, developing an approach for assessing risk, testing and improving the policies and procedures they have in place, and making certain they have the right capabilities and procedures in place to measure and report their progress.

Let’s unpack it further: 
• Instil oversight and governance
Establish a robust governance structure with engagement from the board and C-Suite so that sound risk management practices are embedded into the organization’s culture. Set the tone at the top.
• Get a full view of your third-party inventory
Identify, categorize and assess your existing third-party population to effectively manage your third-party inventory.
• Establish a risk approach and models
Adopt risk models according to your organization’s risk appetite and culture. Determine the level of risk your organization is willing to take.
• Implement policies and standards
These should outline the purpose and phases of the TPRM framework and define the roles and responsibilities of accountable stakeholders.
• Establish and execute TPRM processes
These should be cascaded into each phase of the third-party risk management life cycle.
• Harness emerging technology to improve risk mitigation outcomes
Use technology to automate processes, analyse data and report metrics to improve decision making and understand the operational effectiveness of the TPRM function. 

What are the best practices in conducting additional due-diligence on high-risk relationships?

The following assessments should be carried out (at a minimum): 
Control Assessment - activities related to corporate due diligence, such as Sanction Screening, Business Continuity, Physical Security, IT Security (Security Assessment Questionnaires, Security Software Assessments.)
Financial Assessment – activities that determine the financial solvency, creditworthiness and viability of the 3rd party. This includes:
• Reviewing audited financial statements
• Determining if the 3rd party is owned by a holding company and if it is, gaining a parental indemnification agreement
• Identifying if the 3rd party is acting under a ‘doing business as’ name and if it is, ensuring that it is reflected in the contract
Operational Review – activities related to corporate due diligence, such as competency and capacity
Licensing and Registration – activities related to conducting a review of licensing and registration 

What types of controls are placed on low-risk relationships that are efficient yet reduce time and costs?

The depth and scope of the assessments that are conducted should be aligned to the nature of the goods / services provided by the third party and the service levels agreed upon during the contract negotiation. The objective is to ensure that the provider is meeting the organisation's expectations and that it is operating in accordance with agreed terms and conditions.

Third-Party Monitoring and Testing Approach / assessment would usually be conducted electronically / remotely (i.e. via email or online survey). 
Desktop Assessment – A remote assessment conducted by the Assessor that utilizes remote methods such as Telephone Interviewing and electronic Inspections. This type of assessment may include one or more of the following categories:
• File reviews (Open/Closed)
• Service Level Assessment
• Remote Call Quality Reviews
Self-Assessment – An assessment conducted by the Local Business Unit, overseen by the Contract Owner, and supported by the Assessor. This may include:
• A self-certification attestation, where the third party may be required to confirm their position in relation to a specific thematic assessment.

At what point should an independent audit report be required of a third party?

In certain jurisdictions the Authority/Regulator needs to be notified of outsourcing of material business functions to third parties. The Notification needs to outline that the following processes have been reviewed and this can be obtained by getting an independent audit report: 
• Assessed the costs and benefits and potential risk to its business inherent in the proposed outsourcing;
• Governance, risk management, and internal controls (including fitness and propriety);
• Ability to comply with applicable laws; and
• Operational and financial capability.
• Identified any conflicts of interest, or potential conflicts of interest;
• Identified and assessed all material risks, including those relating to data privacy;
• Developed appropriate contingency plans to ensure the continuous functioning of the insurance business of the insurer in the event that the outsourcing arrangement is terminated or found to be ineffective. 

Are there any best practices in evaluating the risk level a Financial Institution can sustain?

Third parties provide companies with many benefits, but they carry inherent risks. The sheer number of third-party relationships companies have makes it difficult to oversee the risks they bring. That’s why having an efficient and effective third-party risk management program is critical—and boards need to know if the risks are being adequately addressed. 

Governance, a higher-level process involving directing and managing risk management and related activities to address stakeholder expectations, therefore needs to reinvent itself to focus on maximising the opportunity, while also managing compliance requirements. The explicit linkage and strategy starting at the Board and C-suite level is considered an integral part of the organisational strategy – setting process. 

Risk appetite is one of the essential concepts that must be understood and consistently applied to be able to reap the strategic benefits out of the emerging perspective on governance and risk management. 

The risk appetite for outsourcing must be set by the board of directors to ensure alignment to best practice for financial institutions.

Ahead of the 9th Edition: Third Party Risk Management & Oversight for Financial Services, we spoke with Nkateko Mabaso, Head – Risk Control Services at AIG South Africa about implementing risk and remediation plans when third party ratings drop.


Nkateko Mabaso will be presenting on the second day, 15th of May, at 2:00 pm.
Presentation topic: Establishing Protocols and Developing a System of Controls when Identifying High and Low Risk Relationships

• Implementing risk and remediation plans when ratings drop and requiring evidence of successful change made
• Conducting additional due diligence on high-risk relationships to detect any threats
• Automating reviews on low-risk relationships to reduce costs and save time
• Determining risk level FI can sustain financially and responding accordingly
• Requiring independent audit reports for high risk third parties to evaluate risk severity
• Adjusting risk management practices to counteract with the level of potential risk