The Importance of Third-Party Risk Management

• Why is third party risk management of critical importance now?
• What have been the regulators concerns?
• What is third party risk management?
• Third party risk and interconnectedness
• The risks relating to third parties
•  Overview of joint US guidance
• The background paper from the BIS
• Responsibility
• The third-party risk management program
• Identification of critical activities and significant bank functions
• Third-party relationship life cycle

Case Study:  What makes a third-party service provider critical?

Due Diligence, Collaborative Arrangements and Third-Party Selection

•  Planning for a third-party relationship
• Collaborative arrangements
•  Assessment processes and procedures
•  Information security
•  Due diligence and third-party selection
• Strategies and goals
• Legal and regulatory compliance
• Financial condition
• Business experience
• Fee structure and incentives
• Qualifications and background
•  Third-party risk management
• Management of information systems
• Operational resilience
• Incident reporting and management programs
• Physical security
• Human resource management
• Reliance on subcontractors
• Insurance coverage
• Contracting issue

 Case Study:  What should be the contents of the due diligence conducted?  What are the key issues that are identified in specific cases?

 Contract Negotiation

• Nature and scope of arrangement
• Performance measures or benchmarks
•  Responsibilities for providing, receiving, and retaining information
• The right to audit and require remediation
• Responsibility for compliance
• Cost and compensation
•  Ownership and license
•  Confidentiality and integrity
•  Operational resilience and business continuity
•  Indemnification
•  Insurance
•  Dispute resolution
•  Limits on liability
•  Default and termination
•  Customer complaints
•  Subcontracting
•  Foreign-based third parties
•  Regulatory supervision

 Oversight and Accountability

• The role of the Board
•  Management responsibilities
•  Policy and procedures
•  Independent reviews
•  Documentation and reporting
•  Inventory of third-party relationships
•  Risk assessment
•  Role of internal audit
•  Reporting and monitoring

Case Study: In which areas are outsourcing policies required? What do they need to address?

Case Study: What approach should internal audit take with regard to outsourcing and third-party risk management?

Risk Assessing Third Parties

• How to ensure that all third-parties are identified
• Considering occasional providers
• Risk assessing third parties
• What perspective is appropriate?
• Where is the data?
• How often should this be reconsidered?
• What is the impact of the analysis?

Case Study: What are the constituents of the risk assessment grid?

Ongoing Monitoring

• The role of monitoring
• Key factors
• Reviewing goal alignment
• Reviewing audits
• Monitoring performance
• Monitoring information security
• Monitoring business resumption contingency planning
• Monitoring recovery processes
• Monitoring complaints

Termination

• The issues to address
• Factors that matter
• Information security
• Associated risks

High Risk Areas

• Cloud computing
• Software vendors and suppliers
• Payment service providers
• Business continuity providers
• Systems testing

Case Studies: Consider the risk management implications of each of these areas.

Technical areas and third-party risk management

• Legal
• Accountants
• Tax advisors
• Economists
• Consultants

Case Study: What work should be undertaken on specialists and how should they be bought into third-party risk management?

 Supervisory Reviews of Third-Party Relationships

• What matters to regulators
• Review of risk management processes
• Review risk assessment

What this is likely to mean in practice

•  Putting this together
  • Building a control structure
  • Implementing governance procedures
  • The register and its integration
  • Monitoring and action
  • Dealing with exceptions
  • Substitutability
  • Exit routes and issues

Case Study: What is the impact on your ability to manage your bank?

Summary with Group Discussion, Q&A

Delegates will gain a thorough understanding of the management of third-party risk management and the requirements set out in the proposed US guidelines. This knowledge will enable learners to grasp what this is likely to mean in practice and how the risk should be assessed and mitigated, specifically

• The role of third-party risk management
• The governance and reporting requirements
• How to risk assess a third-party
• What makes a third-party critical and what that is likely to mean in practice
• The level of due diligence to be conducted
• How to incorporate third-party risk management into operational resilience
• The impact on internal audit

A Tier 1 Global Bank risk expert  will lead group case studies for an on- the- job learning style experience to immediately result in the application of learned concepts in the workplace immediately.

Highly interactive expert-led intensive presentation, Q&A, group real-time in-depth case studies, regulation and discussion supported by key principles and theory. The virtual learning platform uses safe, industry preferred encrypted Cisco WebEx to optimize live face-to-face visual interaction, discrete chat, for polling and quizzes.

(An invitation via email with access link is included for all participants.)