In a recent survey conducted by the Technology TPRM Forum, Third Party Risk leaders indicated a growing focus on establishing strong partnerships with internal vendor management teams. This was identified as the top action with the intended benefit being able to more effectively support business demand.
While the value of an aligned VMO-FLOD is clear, reality of establishing the needed collaboration remains elusive.
Vendor Management teams must become more aware of risk as a necessary dimension to incorporate in their operations and not view FLOD representatives as an extension of internal audit.
FLOD team members must bring value, enabling the VMO to meet business demands with risks assessment and monitoring integrated into operational process.
VMO must see value – FLOD must establish credibility.
Essentially an environment of trust and an appreciation for one others perspective is required to pull the team together. Without this foundation, no level of effort will yield the necessary results. FLOD will take on more of an oversight function, impacting SLOD effectiveness and ultimately lessening the contribution of audit.
The Technology TPRM Forum intends to conduct a follow-up survey among TPRM and VMO leaders to identify specific best practices being leveraged today to form a strong, productive VMO/TPRM bond.
As Operational Risk Management (ORM) leaders are rapidly establishing dedicated Technology Third Party Risk Management organizations, they are being challenged by their executives to address the accelerated pace of Digital Transformation. The need is to establish process, procedures, terms and assessments necessary to effectively assess risk of digital technology adoption, such as FinTech, while satisfying regulator expectations.
To be truly effective, Enterprise and Operational Risk leaders must seize the opportunity to establish themselves as strategic facilitator of the digital agenda. By doing so, ORM leaders reduce the strain on their organizations and enable improved focus and execution. Consider these steps to enable a comprehensive and effective Digital TPRM program.
1.Facilitate a focused Digital Transformation dialogue across leadership
Include Corporate Executives, Business, Product, Procurement, Audit, Technology leaders to establish a common vision.
Get clarity – move beyond technology to specific third parties in each area of category
2.Bring this detailed message to the operational leaders in each functional area.
Drive alignment between executive vision and operational execution
Challenge third party non-conformance
3.Clarify ‘risk must-haves’ for third parties to establish Minimum Viable Risk (MVR) tolerance
4.Establish process by which third parties are engaged with defined roles and responsibilities
5.Create frequent reporting to enhance transparency, status, gaps and corrective measures
Creating a dedicated Digital TPRM program separate from or a sub-set of the Technology TPRM will create the focus necessary for ORM leaders to meet accelerating business time expectations with identified risk.
Technology has become a critical, cross-functional element for every comprehensive Operational Risk Management program. The drive for financial organizations and banks to rapidly adopt FinTech and other emerging technologies while satisfying the requirements of regulators has placed effective risk management of the technology portfolio center stage.
The mission of the Technology TPRM Forum is to create an environment for the open exchange of information and experience to support creation of best practices. We will support this dynamic thru the creation of targeted research, sharing interviews with Enterprise, Operational and Technology risk leaders and our unfiltered observations.
Please join us in making the Technology TPRM Forum a productive setting that produces community benefit.
It is well documented that TPRM leaders continue to invest in GRC platforms to enable risk operations. In TPRM Forum’s recent survey, nearly 40% of TPRM leaders indicated investment in a GRC platform will be their leading action to mature and enhance capabilities.
So why are some TPRM leaders experiencing sub-optimal GRC performance?
Governance, Risk & Compliance platforms, like any sophisticated technology tool, offers significant capabilities. While user friendly, they require significant integration, workflow design and ongoing maintenance. This is not a trivial level of effort and requires the appropriate skills to realize the intended value.
TPRM Forum’s PULSE Assessment methodology documents a TPRM organizations maturity in addition to operational risk and environment complexity. Through these efforts, TPRM Forum observes a consistent result: TPRM operations with dedicated, technically capable GRC Platform Administrators achieve greater maturity, operational capability and significantly more value from their GRC platform. Unfortunately, true dedicated GRC Platform Administrators are in the minority of TPRM operations today.
Perhaps GRC platform providers contribute to this challenge as they highlight the flexibility and ease of use of their technologies. ‘Drag-n-Drop’ workflow creation and well-designed user interfaces may mislead TPRM leaders as to the underlying complexity, creating an impression a technical role is not required. When GRC Administrator role is missing, TPRM Forum observes significantly lower levels of GRC platform utilization, integration management and maintenance challenges and continued proliferation of other solutions, limiting the GRC platforms ability to achieve comprehensive, cross-organization integration.
A GRC platform is the core underpinning of risk operations. Make certain to include budget for a technically competent platform administrator to realize the intended value and benefit.
TPRM Forum’s recent survey of TPRM leaders identified effective collaboration of FLOD operations with Vendor Management, Strategic Sourcing and Procurement as the leading area of focus for improvement. Alignment across the cross-functional teams has the potential to achieve comprehensive vendor life cycle management and evidence support. The issue though is how to centralize and coordinate activity.
Looking specifically at the ‘monitoring’ phase of Third Party Risk & Vendor Management, we quickly see there are a number of activities, if coordinated and managed centrally, will provide regulators and audit the evidence required to substantiate effective TPRM operations. It also drives a productive level of collaboration and in essence, bonds the teams.
Third Part Risk Management ‘Monitoring’ Life Cycle Phase includes, but is not limited to, the following activities:
Vendor Management Organization:
Contract Management – collection and maintenance of the Deliverable & Obligation tracker with a structured, formal calendar of events. Artifacts stored in central, accessible location. This could include annual Insurance certificate, SOC II Type II Audit, DR Annual Test Results, Policy revisions etc.
4th Party Management – definition and approval of 4th party sub-contractors and execution of proper onboarding and offboarding by the Third Party
Performance Management – SLA & KPI’s associated with the contracted services
Operational Service Management – onsite assessments of the technology services aligned to CMMi, ITIL, NIST or similar independent methodology
Third Party Risk Management – FLOD:
Third Party Classification
Ongoing, dynamic monitoring (Business dimensions)
RCSA management &/or coordination
Regulatory environment changes and Legal Impacts
Regulator response support
Centralized reporting/vendor profile
Contract Currency – Revision and Amendment Maintenance
TPRM Forum recommends consistent, ongoing collaborative sessions between parties to ensure activities and schedules are maintained and a central, accessible repository is continually updated. This is a great opportunity to work with your GRC platform team to ensure activities and artifact collection is incorporated into workflow with artifacts accessible through a central dashboard.
For many organizations, the initial impetus to discuss software asset management is the receipt of an audit notification communication from a software publisher. This sets-off a predictable series of events as IT and Financial executives grapple with the impact of the pending audit. The steps are:
First Step: Immediate action to reduce audit impact
Executives quickly assemble to discuss options and realize there is significant exposure. During these conversations, the lack of supporting data and evidence to confirm deployment with entitlement levels emerges. The decision is quickly made to secure expert support from one of the many experts that can help reduce penalties.
Second Step: Realization that there may be others in the queue
As IT and financial executives come to the realization that there is little evidence to support or challenge the audit, the question quickly turns to the broader software asset estate.
Upon completion of audit negotiations or in parallel, organizations engage a partner to scan their environment, align consumption with entitlements and identify gaps. Quantifying potential exposure.
Third Step: Question what steps need to be taken to eliminate this exposure and prevent this from future occurrence
Typical focus is on defining the appropriate entitlement management, deployment controls, and process workflows by which the asset is managed. In addition, identification of a platform to dynamically ping the environment and quickly identify areas of non-compliance.
In essence, establish a Software Asset Management organization and operation by which software assets are efficiently and actively managed in the environment.
What would be the benefit if we reversed the process? Instead of ‘swimming upstream’ why not establish a SAM mindset in anticipation of an audit?
Be prepared with a comprehensive software asset management operation. Once established, when audit notification arrives you can comfortably ‘go with the flow’!
Vendor Management Organizations (VMO) and First Line of Defense (FLOD) third party risk teams struggle to achieve effective collaboration. Contributors to this challenge is VMO and FLOD risk professionals see situations from different perspectives and speak a slightly different language. These dynamic impacts the ability for VMO’s to achieve the maturity necessary to deliver value while limiting the FLOD’s risk effectiveness.
The TPRM Forum recommends VMO and FLOD leaders focus on the following areas to establish ‘Common Ground’.
Mature VMO’s establish vendor classifications to drive innovation and identify emerging technologies to support the road map
FLOD and TPRM organizations categorize third parties to develop appropriate strategies based on risk dimensions
Making this a collaborative partnership enables VMO’s and FLOD/TPRM teams to support one another while establishing a more comprehensive strategic view of risk
FLOD and TPRM teams continually monitor regulatory bulletins and guidance to identify potential impact to evidence and compliance requirements.
VMO’s continually strive to ensure Terms & Conditions, KPI’s and service definitions are driving the desired behavior.
Working in unison with Procurement and legal, VMO’s and FLOD/TPRM can continually focus revisions and updates to maintain contract currency
VMO’s focus on continuing improvement (CI) and achieving greater savings and performance.
FLOD/TPRM teams focus on monitoring compliance and adherence to stated requirements
Working together, understanding one another’s monitoring focus and activities while sharing details of assessment activities provides additional data points.
The TPRM Forum’s PULSE Assessment provides an excellent foundation to forge a strong alignment of VMO and FLOD teams to support business expectations and manage risk exposure.
Susceptibility is defined as ‘the state or fact of being likely or liable to be influenced or harmed by a particular thing’.
In the case of a software audit, Susceptibility is the likely severity, disruption and extent of financial exposure a firm may experience in the event a software publisher issues an audit notice. Negotiating the reduction or elimination of software audit findings, while valuable, is NOT Software Asset Management.
Effective SAM requires careful orchestration, monitoring and entitlement management. SAM encompasses successful alignment of policy, procedures, controls, procurement, IT and PMO processes with rapid infraction identification. Properly executed, SAM not only minimizes audit exposure, it delivers efficiency of software investment.
Like regulators such as the OCC, CFPB and others examining compliance, software publishers produce significant Third Party Risk exposure requiring proactive and dynamic management. The TPRM Forum is pleased to share the introduction of the Audit Susceptibility Index ™ assessment designed to help SAM operations identify the actions and tactics to mature their operations and establish enhanced productivity and efficiency.
For additional information on how we can support your SAM needs, please use the CONTACT page.
The Third Party Risk Management community is dominated by content focused on GRC and TPRM technology tools. White papers, research reports, web-ex presentation fill our in-box daily. Each claiming unmatched ability to solve our challenges.
What is missing from this ongoing barrage is guidance and best practices on how TPRM leaders can successfully leverage to support the other key elements of TPRM operations. Best Practices such as:
·How TPRM leaders can effectively build organizations and operations integrated with business operations, procurement, VMO and legal.
·How the tool can enable quick, accurate and dynamic monitoring combined with the other activities such as RCSA’s and contract triggers to provide a single risk view.
·How do we establish rapid, ‘fast-track’ risk processes to meet business expectation
·How to integrate existing tools to maximize investment
TPRM leaders understand the importance of the TPRM platform, but it is an enabler, not the complete required solution. Let’s build on this foundation and expand the discussion to encompass a comprehensive TPRM solution!