Global SRN is currently leading a significant market research program on the ‘Impact of Intelligent Automation and Data Analytics on TPRM Operations’. As the leader of this program, I am in the fortunate position to consolidate the input from our 30 TPRM leaders who comprise the Advisor Team and the now 15 Community Partners. Last week I shared the insight pertaining to the skill challenge impacting TPRM operations. I want to share a second observation concerning FLOD structure.
We have received a tremendous number of comments on the subject of TPRM FLOD structure. What should be a straightforward 3-tier structure continues to be an area of confusion and exposure across a surprising number of those providing survey input.
Questions are typically in 2 primary areas:
If your FLOD is ‘centralized’:
How do you make certain your associates are integrated and viewed as contributors by the line of business team?
Are they ‘risk-skilled’ – ‘expert in the assigned LOB’ – Both?
If your FLOD is ‘decentralized’:
Do the associates report to the SLOD organization or LOB?
Are FLOD activities executed by a full-time associate, or are tasks assigned to existing LOB staff such as vendor management?
How do you ensure the FLOD activities are viewed as core versus optional?
Both approaches CAN produce the desired and required results IF LOB leaders and risk leaders work together to carefully identify roles, responsibilities, tasks and activities. While it is no small undertaking, this extra effort always produces positive results.
There are multiple operational ‘Maturity’ assessments promoted throughout the Third Party Risk Management community. Each offers a unique perspective and a definite orientation on which operational capability and maturity are measured. What most of these assessments seem to have in common is that a mature TPRM organization (Level 4 & Level 5) introduces analytics to its operation.
Currently, the data captured in TPRM & GRC platforms consists of basic, essential data points, much of which has been developed to meet or satisfy regulatory requirements. What happens when we take a fresh look at the information TPRM can collect and maintain with an eye toward business value?
Collaboration between IA platform providers, GRC & TPRM platform providers, data feed and dynamic reporting partners and implementation partners offers significant potential to help TPRM and GRC leaders unlock value. Global SRN (www.globalsrn.org) has initiated a research program with Academic and Market partners to facilitate this interaction. If this is an area of interest, please leave a comment in TPRM Forum’s Contact page and we will respond.
TPRM Forum’s recent survey of TPRM leaders identified effective collaboration of FLOD operations with Vendor Management, Strategic Sourcing and Procurement as the leading area of focus for improvement. Alignment across the cross-functional teams has the potential to achieve comprehensive vendor life cycle management and evidence support. The issue though is how to centralize and coordinate activity.
Looking specifically at the ‘monitoring’ phase of Third Party Risk & Vendor Management, we quickly see there are a number of activities that, if coordinated and managed centrally, will provide regulators and audit the evidence required to substantiate effective TPRM operations. Central coordination also drives a productive level of collaboration and, in essence, bonds the teams.
The Third Party Risk Management ‘Monitoring’ Life Cycle Phase includes, but is not limited to, the following activities:
Vendor Management Organization:
Contract Management – collection and maintenance of the Deliverable & Obligation tracker with a structured, formal calendar of events. Artifacts are stored in a central, accessible location. This could include the annual Insurance certificate, SOC II Type II Audit, DR Annual Test Results, Policy revisions etc.
4th Party Management – definition and approval of 4th party sub-contractors and execution of proper onboarding and offboarding by the Third Party
Performance Management – SLAs & KPIs associated with the contracted services
Operational Service Management – onsite assessments of the technology services aligned to CMMi, ITIL, NIST or similar independent methodology
Third Party Risk Management – FLOD:
Third Party Classification
Ongoing, dynamic monitoring (Business dimensions)
RCSA management &/or coordination
Regulatory environment changes and Legal Impacts
Regulator response support
Centralized reporting/vendor profile
Contract Currency – Revision and Amendment Maintenance
TPRM Forum recommends consistent, ongoing collaborative sessions between parties to ensure activities and schedules are maintained and a central, accessible repository is continually updated. This is a great opportunity to work with your GRC platform team to ensure activities and artifact collection are incorporated into workflow, with artifacts accessible through a central dashboard.
Susceptibility is defined as ‘the state or fact of being likely or liable to be influenced or harmed by a particular thing’.
In the case of a software audit, Susceptibility is the likely severity, disruption and extent of financial exposure a firm may experience in the event a software publisher issues an audit notice. Negotiating the reduction or elimination of software audit findings, while valuable, is NOT Software Asset Management.
Effective SAM requires careful orchestration, monitoring and entitlement management. SAM encompasses successful alignment of policy, procedures, controls, procurement, IT and PMO processes with rapid infraction identification. Properly executed, SAM not only minimizes audit exposure, it delivers efficiency of software investment.
Like regulators such as the OCC, CFPB and others examining compliance, software publishers produce significant Third Party Risk exposure requiring proactive and dynamic management. The TPRM Forum is pleased to share the introduction of the Audit Susceptibility Index ™ assessment designed to help SAM operations identify the actions and tactics to mature their operations and establish enhanced productivity and efficiency.
For additional information on how we can support your SAM needs, please use the CONTACT page.
The Third Party Risk Management community is dominated by content focused on GRC and TPRM technology tools. White papers, research reports and web-ex presentations fill our inboxes daily, each claiming an unmatched ability to solve our challenges.
What is missing from this ongoing barrage is guidance and best practices on how TPRM leaders can successfully leverage these tools to support the other key elements of TPRM operations. Best Practices such as:
· How TPRM leaders can effectively build organizations and operations integrated with business operations, procurement, VMO and legal.
· How the tool can enable quick, accurate and dynamic monitoring combined with the other activities such as RCSAs and contract triggers to provide a single risk view.
· How to establish rapid, ‘fast-track’ risk processes to meet business expectations.
· How to integrate existing tools to maximize investment.
TPRM leaders understand the importance of the TPRM platform, but it is an enabler, not the complete required solution. Let’s build on this foundation and expand the discussion to encompass a comprehensive TPRM solution!
In a recent survey conducted by the Technology TPRM Forum, Third Party Risk leaders indicated a growing focus on establishing strong partnerships with internal vendor management teams. This was identified as the top action with the intended benefit being able to more effectively support business demand.
While the value of an aligned VMO-FLOD is clear, the reality of establishing the needed collaboration remains elusive.
Vendor Management teams must become more aware of risk as a necessary dimension to incorporate in their operations and not view FLOD representatives as an extension of internal audit.
FLOD team members must bring value, enabling the VMO to meet business demands with risk assessment and monitoring integrated into operational processes.
VMO must see value – FLOD must establish credibility.
Essentially, an environment of trust and an appreciation for one another's perspective is required to pull the team together. Without this foundation, no level of effort will yield the necessary results. FLOD will take on more of an oversight function, impacting SLOD effectiveness and ultimately lessening the contribution of audit.
The Technology TPRM Forum intends to conduct a follow-up survey among TPRM and VMO leaders to identify specific best practices being leveraged today to form a strong, productive VMO/TPRM bond.
Technology TPRM Forum is pleased to share the results of the survey covering the impact Digital Transformation is having on TPRM operations. We hope you enjoy the survey findings and that they bring value to your TPRM efforts.
Thank you to the 114 risk professionals who completed the IT-TPRM.com survey on the impact of Digital Transformation on TPRM operations. The survey is now closed and we have initiated analysis of the results but wanted to share the typical profile or average demographics of the respondent.
Respondents to the IT-TPRM.com survey are:
Members of their TPRM organization
Work in the banking and capital market segment
On average, have $100 billion assets under management
Are being impacted by digital transformation
Cloud is the leading digital technology impacting operations
Primary operational focus is accelerating support of business operations
Most concerned about identifying 4th and 5th parties for business continuity
Believe regulators will increasingly focus on capacity and concentration of third parties
We will release final survey results and analysis next week!
Thank you to Venminder for the opportunity to discuss the impact digital transformation is having on TPRM operations. It is easy to see Venminder’s commitment to this community and desire to continually evolve best practices.
The IT-TPRM.com survey on the impact of Digital Transformation asks respondents about the specific areas and activities TPRM leaders are undertaking with regard to Business Continuity. Results so far show a significant separation between oversight and governance tactics versus operational engagement. It appears TPRM professionals have limited interest or involvement in areas necessary to execute the business continuity plan, preferring to focus on assessing effectiveness of contract terms, identification of sub-contractors and alignment across parties.
Do you agree? Does this lead to ineffective business continuity? Does this create an unnecessary void between TPRM and operational execution? Should the FLOD be more engaged in scenario and BIA development?