TPRM FLOD Centralized-Decentralized Debate


Global SRN is currently leading a significant market research program on the ‘Impact of Intelligent Automation and Data Analytics on TPRM Operations’.  As the leader of this program, I am in the fortunate position to consolidate the input from our 30 TPRM leaders who comprise the Advisor Team and the now 15 Community Partners. Last week I shared the insight pertaining to the skill challenge impacting TPRM operations. I want to share a second observation concerning FLOD structure.

We have received a tremendous amount of comment on the subject of TPRM FLOD structure. What should be a straightforward 3-tier structure continues to be an area of confusion and exposure across a surprising number of those providing survey input.

Questions are typically in 2 primary areas:

If your FLOD is ‘centralized’:

  • How do you make certain your associates are integrated and viewed as contributors by the line of business team?
  • Are they ‘risk-skilled’, ‘expert in the assigned LOB’, or both?

If your FLOD is ‘decentralized’:

  • Do the associates report to the SLOD organization or to the LOB?
  • Are FLOD activities executed by a full-time associate, or are tasks assigned to existing LOB staff such as vendor management?
  • How do you ensure the FLOD activities are viewed as core rather than optional?

Both approaches CAN produce the desired and required results IF LOB leaders and risk leaders work together to carefully identify roles, responsibilities, tasks and activities. While it is no small undertaking, this extra effort always produces positive results.


Global SRN TPRM Program Launch


The team at Global SRN (www.globalsrn.org) is pleased to announce the formal kick-off of the research program ‘Impact of Intelligent Automation & Data Analytics on TPRM Operations’. A true community effort, Global SRN has formed an Advisory Panel of leading TPRM executives along with Academic Partners such as Carnegie Mellon and Community Partners such as KPMG, EY, Grant Thornton, Rapid Ratings, Aravo, WorkFusion and other TPRM participants to develop comprehensive insight into this emerging issue. If you’re interested in joining the team, please let me know!

TPRM: Level 3 Maturity & Beyond


TPRM Forum’s recent survey of TPRM leaders identified effective collaboration of FLOD operations with Vendor Management, Strategic Sourcing and Procurement as the leading area of focus for improvement. Alignment across these cross-functional teams has the potential to achieve comprehensive vendor life cycle management and evidence support. The issue, though, is how to centralize and coordinate the activity.

Looking specifically at the ‘monitoring’ phase of Third Party Risk & Vendor Management, we quickly see a number of activities that, if coordinated and managed centrally, will provide regulators and audit with the evidence required to substantiate effective TPRM operations. Central coordination also drives a productive level of collaboration and, in essence, bonds the teams.

The Third Party Risk Management ‘Monitoring’ Life Cycle Phase includes, but is not limited to, the following activities:

  • Vendor Management Organization:
    • Contract Management – collection and maintenance of the Deliverable & Obligation tracker with a structured, formal calendar of events. Artifacts are stored in a central, accessible location. These could include the annual insurance certificate, SOC 2 Type II audit report, annual DR test results, policy revisions, etc.
    • 4th Party Management – definition and approval of 4th party sub-contractors, and execution of proper onboarding and offboarding by the Third Party
    • Performance Management – SLAs & KPIs associated with the contracted services
    • Operational Service Management – onsite assessments of the technology services aligned to CMMI, ITIL, NIST or a similar independent methodology
  • Third Party Risk Management – FLOD:
    • Inventory maintenance
    • Third Party Classification
    • Ongoing, dynamic monitoring (Business dimensions)
    • RCSA management and/or coordination
    • Concentration identification
    • Regulatory environment changes and Legal Impacts
    • Regulator response support
    • Centralized reporting/vendor profile
  • Strategic Sourcing:
    • Contract Currency – Revision and Amendment Maintenance

TPRM Forum recommends consistent, ongoing collaborative sessions between the parties to ensure activities and schedules are maintained and a central, accessible repository is continually updated. This is a great opportunity to work with your GRC platform team to ensure activities and artifact collection are incorporated into workflow, with artifacts accessible through a central dashboard.

Software Asset Management – Audit Susceptibility

Susceptibility is defined as ‘the state or fact of being likely or liable to be influenced or harmed by a particular thing’.

In the case of a software audit, susceptibility is the likely severity, disruption and extent of financial exposure a firm may experience in the event a software publisher issues an audit notice. Negotiating the reduction or elimination of software audit findings, while valuable, is NOT Software Asset Management.

Effective SAM requires careful orchestration, monitoring and entitlement management. SAM encompasses successful alignment of policy, procedures, controls, procurement, IT and PMO processes with rapid infraction identification. Properly executed, SAM not only minimizes audit exposure, it also delivers efficiency of software investment.

Like regulators such as the OCC, CFPB and others examining compliance, software publishers produce significant Third Party Risk exposure requiring proactive and dynamic management. The TPRM Forum is pleased to share the introduction of the Audit Susceptibility Index assessment designed to help SAM operations identify the actions and tactics to mature their operations and establish enhanced productivity and efficiency.

For additional information on how we can support your SAM needs, please use the CONTACT page.

When did TPRM become a Tool-Centric Discussion?

The Third Party Risk Management community is dominated by content focused on GRC and TPRM technology tools. White papers, research reports and Webex presentations fill our inbox daily, each claiming unmatched ability to solve our challenges.

What is missing from this ongoing barrage is guidance and best practices on how TPRM leaders can successfully leverage these tools to support the other key elements of TPRM operations. Best practices such as:

  • How TPRM leaders can effectively build organizations and operations integrated with business operations, procurement, VMO and legal.
  • How the tool can enable quick, accurate and dynamic monitoring, combined with other activities such as RCSAs and contract triggers, to provide a single risk view.
  • How we establish rapid, ‘fast-track’ risk processes to meet business expectations.
  • How to integrate existing tools to maximize investment.

TPRM leaders understand the importance of the TPRM platform, but it is an enabler, not the complete required solution. Let’s build on this foundation and expand the discussion to encompass a comprehensive TPRM solution!

Are TPRM Leaders Underestimating Blockchain Impact?

Digital Tech Analysis - Q2

Responses continue to stream in for the IT-TPRM.com survey on the impact of Digital Transformation on TPRM operations. We remain on track to share the full survey Mid-June!

The survey asks respondents to identify the digital technology dynamics impacting their organization currently or in the coming 12 months. To no surprise, Cloud, Cybersecurity & Automation are consistently identified as the technologies of greatest impact. The surprise so far is how low Blockchain is trending as a key area of focus for TPRM leaders.

At the recent RMW GCOR conference, the regulator panel stated that the areas of greatest focus and interest are Cloud, Automation & Distributed Ledger (Blockchain). Are TPRM leaders not seeing what is emerging on the horizon, or not yet clear on how it will impact their operations? Share your thoughts! Please take 3 1/2 minutes to take the survey.


ORM Leaders: Seize Control of Digital Transformation

As Operational Risk Management (ORM) leaders rapidly establish dedicated Technology Third Party Risk Management organizations, they are being challenged by their executives to address the accelerated pace of Digital Transformation. The need is to establish the processes, procedures, terms and assessments necessary to effectively assess the risk of digital technology adoption, such as FinTech, while satisfying regulator expectations.

To be truly effective, Enterprise and Operational Risk leaders must seize the opportunity to establish themselves as strategic facilitators of the digital agenda. By doing so, ORM leaders reduce the strain on their organizations and enable improved focus and execution. Consider these steps to enable a comprehensive and effective Digital TPRM program.

1. Facilitate a focused Digital Transformation dialogue across leadership

  • Include Corporate Executive, Business, Product, Procurement, Audit and Technology leaders to establish a common vision.
  • Get clarity – move beyond technology to the specific third parties in each category

2. Bring this detailed message to the operational leaders in each functional area.

  • Drive alignment between executive vision and operational execution
  • Challenge third party non-conformance

3. Clarify ‘risk must-haves’ for third parties to establish a Minimum Viable Risk (MVR) tolerance

4. Establish the process by which third parties are engaged, with defined roles and responsibilities

5. Create frequent reporting to enhance transparency on status, gaps and corrective measures

Creating a dedicated Digital TPRM program, either separate from or a sub-set of the Technology TPRM program, will create the focus necessary for ORM leaders to meet accelerating business time expectations with identified risk.

The Expanding Technology Third Party Risk Management Remit

Global Banks and Financial Institutions are under severe pressure to reduce operating cost while at the same time delivering on a Digital Transformation agenda that enhances customer experience and produces new revenue streams through expanded product offerings. To meet this challenge, these organizations are increasingly turning to Automation (RPA/AI) to gain operational efficiency and to FinTech platforms to satisfy their digital agenda; both introduce incremental risk to their enterprise risk profile.

This dynamic is forcing Enterprise and Operational Risk leaders to re-think the treatment of technology third parties. As technology solutions have expanded beyond IT and are engaged across operations, Technology Third Party Risk Management first line and second line teams are being challenged to move beyond vulnerability and resilience to address the full spectrum of an expanded technology portfolio. To do so, FLOD and SLOD will need to be dedicated, multi-discipline teams: FLOD focused on collaboration across key internal parties, with SLOD providing oversight and coordination with Audit, Compliance and enterprise leaders.

Working closely with procurement, Technology TPRM leaders need to establish clear positions on Right of Survivorship, Change in Ownership, Termination and other likely events when dealing with micro-venture-backed companies. This will enable rapid contracting, establish consistent risk categorization and support regulator expectations.

Enterprise & Operational Risk Management Leader Insights

In preparation for designing a targeted survey on Technology Third Party Risk Management (TPRM) emerging trends and best practices, I have had the opportunity to interview a dozen Enterprise Risk and Operational Risk leaders at major global banks and financial institutions. Based on the insights gained in these conversations, the following areas were continually voiced as top priorities for effective Technology TPRM execution. We will dig into each of these areas with the upcoming research effort.

  1. Effective TPRM of technology partners is at the forefront of enterprise and operational risk leaders’ agendas
  2. Technology TPRM is more than Vulnerability Assessments and Threat Management
  3. Algorithm-centric risk practices are inadequate to assess Technology TPRM
  4. Comprehensive First Line of Defense (FLOD) execution is necessary for the Second Line of Defense (SLOD) to effectively achieve its goals and objectives
  5. SLOD leaders must be able to effectively communicate and collaborate across IT leaders, procurement, audit and compliance. Knowledge of the services, intended processes and contract terms is key.