Global SRN and our member companies are sponsoring an industry survey on the impact of intelligent automation and data analytics on TPRM operations. The questionnaire is live at this time and we are very excited to share response has been very strong.
If you are part of the TPRM, enterprise or operational risk community, please invest the time to share your opinion and insights. Global SRN, our member firms and our 15 Community Partners will be making the full survey results available at no cost so we all benefit!
Global SRN is currently leading a significant market research program on the ‘Impact of Intelligent Automation and Data Analytics on TPRM Operations’. As the leader of this program, I am in the fortunate position to consolidate the input from our 30 TPRM leaders who comprise the Advisor Team and the now 15 Community Partners. Last week I shared the insight pertaining to the skill challenge impacting TPRM operations. I want to share a second observation concerning FLOD structure.
We have received a tremendous amount of comment on the subject of TPRM FLOD structure. What should be a straight forward 3-tier structure, continues to be an area of confusion and exposure across a surprising number of those providing survey input.
Questions are typically in 2 primary areas:
If your FLOD is ‘centralized’:
How do you make certain your associates are integrated and viewed as a contributor by the line of business team?
Are they ‘risk-skilled’ – ‘expert in the assigned LOB’ – Both?
If your FLOD is ‘decentralized’:
Do the associates report to the SLOD organization or LOB?
Is FLOD activities executed by a full-time associate or are task assigned to existing LOB staff such as vendor management?
How do you ensure the FLOD activities are viewed as core versus optional?
Both approaches CAN produce the desired and required results IF LOB leaders and risk leaders work together to carefully identify roles, responsibilities, task and activities. While it is no small undertaking, this extra effort always produces positive results.
In my role with Global SRN, I am leading a major market research program to identify the impact Intelligent Automation and Business Analytics is having on current TPRM operations. We are very pleased to share that in all we have 30 TPRM Executives from large global financial organizations, 13 TPRM community partners and 3 academic partners helping develop, distribute and interpret the research results.
As I speak with leaders in each of these areas of the TPRM community, a consistent theme has emerged: TPRM organizations are struggling to secure the skills necessary to support todays operations and are highly concerned about the ability to identify and attract the skills necessary to transform their operations to meet business and regulatory demands. The core issue being how to evolve a community of operational risk professionals from a ‘rule-based’ orientation to a ‘judgment-based’ capability.
With the adoption of Business Analytics and Intelligent Automation, TPRM leaders will require First Line of Defense teams that understand the dynamics of their assigned Line of Business combined with analytical skills to quickly identify patterns and irregularities to take proactive measures. With the population of FLOD associates today primarily having operational risk backgrounds, there is likely a significant re-alignment on the horizon.
The team at Global SRN (www.globalsrn.org) is pleased to announce the formal kick-off of the research program ‘Impact of Intelligent Automation & Data Analytics on TPRM Operations’. A true community effort, Global SRN has formed an Advisory Panel of leading TPRM executives along with Academic Partners such as Carnegie Mellon and Community Partners such as KPMG, EY, Grant Thornton, Rapid Ratings, Aravo, WorkFusion and other TPRM participants to develop a comprehensive insight to this emerging issue. If you’re interested in joining the team, please let me know!
There are multiple operational ‘Maturity’ assessments promoted throughout the Third Party Risk Management community. Each offers a unique perspective and definite orientation on which operational capability and maturity is measured. What most of these assessments seem to have in common, is a mature TPRM organization (Level 4 & Level 5) introduces analytics to their operation.
Currently, the data captured in TPRM & GRC platforms is basic, essential data points. Much of which has been developed to meet or satisfy regulatory requirements. What happens when we take a fresh look at the information TPRM can collect and maintain with an eye toward business value?
Collaboration between IA platform providers, GRC & TPRM platform providers, data feed and dynamic reporting partners and implementation partners offers significant potential to help TPRM and GRC leaders unlock value. Global SRN (www.globalsrn.org) has initiated a research program with Academic and Market partners to facilitate this interaction. If this is an area of interest, please leave a comment in TPRM Forum’s Contact page and we will respond.
The Global Sourcing Research Network (www.globalsrn.org) announces the formation of the TPRM Sub-committee to support members increasing focus and engagement with vendor risk. The initial focus of the TPRM sub-committee is the introduction of a market research effort to identify emerging use case of Intelligent Automation in Third Party Risk Management operations.
As a market survey, Global SRN will engage Academic and Community partners to participate in design, execution and analysis of the results. The goal being to identify current and emerging IA use cases and document best practices to benefit TPRM operations. Potential Academic Partners include Carnegie Mellon University, NC State and others. Community Partners will feature leading Intelligent Automation firms, Governance, Compliance & Risk (GRC) platform, managed service and consortiums as well as advisory firms.
If you are interested to learn more about the Global SRN TPRM sub-committee, please visit Global SRN or TPRM Forum.
It is well documented that TPRM leaders continue to invest in GRC platforms to enable risk operations. In TPRM Forum’s recent survey, nearly 40% of TPRM leaders indicated investment in a GRC platform will be their leading action to mature and enhance capabilities.
So why are some TPRM leaders experiencing sub-optimal GRC performance?
Governance, Risk & Compliance platforms, like any sophisticated technology tool, offers significant capabilities. While user friendly, they require significant integration, workflow design and ongoing maintenance. This is not a trivial level of effort and requires the appropriate skills to realize the intended value.
TPRM Forum’s PULSE Assessment methodology documents a TPRM organizations maturity in addition to operational risk and environment complexity. Through these efforts, TPRM Forum observes a consistent result: TPRM operations with dedicated, technically capable GRC Platform Administrators achieve greater maturity, operational capability and significantly more value from their GRC platform. Unfortunately, true dedicated GRC Platform Administrators are in the minority of TPRM operations today.
Perhaps GRC platform providers contribute to this challenge as they highlight the flexibility and ease of use of their technologies. ‘Drag-n-Drop’ workflow creation and well-designed user interfaces may mislead TPRM leaders as to the underlying complexity, creating an impression a technical role is not required. When GRC Administrator role is missing, TPRM Forum observes significantly lower levels of GRC platform utilization, integration management and maintenance challenges and continued proliferation of other solutions, limiting the GRC platforms ability to achieve comprehensive, cross-organization integration.
A GRC platform is the core underpinning of risk operations. Make certain to include budget for a technically competent platform administrator to realize the intended value and benefit.
TPRM Forum’s recent survey of TPRM leaders identified effective collaboration of FLOD operations with Vendor Management, Strategic Sourcing and Procurement as the leading area of focus for improvement. Alignment across the cross-functional teams has the potential to achieve comprehensive vendor life cycle management and evidence support. The issue though is how to centralize and coordinate activity.
Looking specifically at the ‘monitoring’ phase of Third Party Risk & Vendor Management, we quickly see there are a number of activities, if coordinated and managed centrally, will provide regulators and audit the evidence required to substantiate effective TPRM operations. It also drives a productive level of collaboration and in essence, bonds the teams.
Third Part Risk Management ‘Monitoring’ Life Cycle Phase includes, but is not limited to, the following activities:
Vendor Management Organization:
Contract Management – collection and maintenance of the Deliverable & Obligation tracker with a structured, formal calendar of events. Artifacts stored in central, accessible location. This could include annual Insurance certificate, SOC II Type II Audit, DR Annual Test Results, Policy revisions etc.
4th Party Management – definition and approval of 4th party sub-contractors and execution of proper onboarding and offboarding by the Third Party
Performance Management – SLA & KPI’s associated with the contracted services
Operational Service Management – onsite assessments of the technology services aligned to CMMi, ITIL, NIST or similar independent methodology
Third Party Risk Management – FLOD:
Third Party Classification
Ongoing, dynamic monitoring (Business dimensions)
RCSA management &/or coordination
Regulatory environment changes and Legal Impacts
Regulator response support
Centralized reporting/vendor profile
Contract Currency – Revision and Amendment Maintenance
TPRM Forum recommends consistent, ongoing collaborative sessions between parties to ensure activities and schedules are maintained and a central, accessible repository is continually updated. This is a great opportunity to work with your GRC platform team to ensure activities and artifact collection is incorporated into workflow with artifacts accessible through a central dashboard.
For many organizations, the initial impetus to discuss software asset management is the receipt of an audit notification communication from a software publisher. This sets-off a predictable series of events as IT and Financial executives grapple with the impact of the pending audit. The steps are:
First Step: Immediate action to reduce audit impact
Executives quickly assemble to discuss options and realize there is significant exposure. During these conversations, the lack of supporting data and evidence to confirm deployment with entitlement levels emerges. The decision is quickly made to secure expert support from one of the many experts that can help reduce penalties.
Second Step: Realization that there may be others in the queue
As IT and financial executives come to the realization that there is little evidence to support or challenge the audit, the question quickly turns to the broader software asset estate.
Upon completion of audit negotiations or in parallel, organizations engage a partner to scan their environment, align consumption with entitlements and identify gaps. Quantifying potential exposure.
Third Step: Question what steps need to be taken to eliminate this exposure and prevent this from future occurrence
Typical focus is on defining the appropriate entitlement management, deployment controls, and process workflows by which the asset is managed. In addition, identification of a platform to dynamically ping the environment and quickly identify areas of non-compliance.
In essence, establish a Software Asset Management organization and operation by which software assets are efficiently and actively managed in the environment.
What would be the benefit if we reversed the process? Instead of ‘swimming upstream’ why not establish a SAM mindset in anticipation of an audit?
Be prepared with a comprehensive software asset management operation. Once established, when audit notification arrives you can comfortably ‘go with the flow’!
Vendor Management Organizations (VMO) and First Line of Defense (FLOD) third party risk teams struggle to achieve effective collaboration. Contributors to this challenge is VMO and FLOD risk professionals see situations from different perspectives and speak a slightly different language. These dynamic impacts the ability for VMO’s to achieve the maturity necessary to deliver value while limiting the FLOD’s risk effectiveness.
The TPRM Forum recommends VMO and FLOD leaders focus on the following areas to establish ‘Common Ground’.
Mature VMO’s establish vendor classifications to drive innovation and identify emerging technologies to support the road map
FLOD and TPRM organizations categorize third parties to develop appropriate strategies based on risk dimensions
Making this a collaborative partnership enables VMO’s and FLOD/TPRM teams to support one another while establishing a more comprehensive strategic view of risk
FLOD and TPRM teams continually monitor regulatory bulletins and guidance to identify potential impact to evidence and compliance requirements.
VMO’s continually strive to ensure Terms & Conditions, KPI’s and service definitions are driving the desired behavior.
Working in unison with Procurement and legal, VMO’s and FLOD/TPRM can continually focus revisions and updates to maintain contract currency
VMO’s focus on continuing improvement (CI) and achieving greater savings and performance.
FLOD/TPRM teams focus on monitoring compliance and adherence to stated requirements
Working together, understanding one another’s monitoring focus and activities while sharing details of assessment activities provides additional data points.
The TPRM Forum’s PULSE Assessment provides an excellent foundation to forge a strong alignment of VMO and FLOD teams to support business expectations and manage risk exposure.