Ed Thomas
Senior Vice President
ProcessUnity
Today’s Agenda

• TPRM: Getting Grounded
• Program Building Blocks: Onboarding & Ongoing Monitoring
• Inherent Risk Best Practices
• Residual Risk & Review Cadences
• Getting Outside Help: External Content & Managed Services
• Assessing Your Program’s Maturity & Identifying Steps to Improve

[Figure: risk domains shown on the slide: Compliance, Controls, Financial, IT, Operational, Management]

© ProcessUnity, Inc. All Rights Reserved.
The Third-Party Risk Lifecycle

1. Establish an enterprise-wide process
2. Enforce objectivity within your vendor process
3. Streamline processes while reducing errors

Determining Which Fourth (Fifth?) Parties to Assess

• Which vendors are using fourth parties to deliver services?
• How far down the chain do we have to go to feel secure?
Building Blocks: Base Processes & Flows

[Figure: the base processes are split into Pre-Contract and Post-Contract phases]

Onboarding Workflow

Swimlane diagram with three lanes: Line of Business, Third-Party Manager and Third-Party Contact. The steps, with the decision points shown on the diagram:

1. Request Third-Party Service (Line of Business)
2. Review Third-Party Service Request (Third-Party Manager). Decision: Advance Request? No → Request Denied (returned to the Line of Business). Follow Up → back to the Line of Business for more information. Yes → determine the Inherent Risk Level:
   • Low → skip the assessment and go straight to step 8.
   • Medium / High / Critical → continue with step 3.
3. Send Assessment (Third-Party Manager)
4. Assessment Response (Third-Party Contact)
5. Analyze Assessment (Third-Party Manager). Decision: Follow Up? Yes → follow up with the Third-Party Contact and re-analyze. No → continue.
6. Create Related Issues (Third-Party Manager)
7. Close Assessment (Third-Party Manager)
8. Agreement in Review (Third-Party Manager). Decision: Approved? Yes → onboarding complete. No → Request Denied.
Ongoing Monitoring: Periodic Due Diligence

Same three lanes (Line of Business, Third-Party Manager, Third-Party Contact):

1. Send Assessment (Third-Party Manager)
2. Assessment Response (Third-Party Contact)
3. Analyze Assessment (Third-Party Manager); Follow Up loops back to the Third-Party Contact when the response is incomplete
4. Create Related Issues (Third-Party Manager)
5. Close Assessment (Third-Party Manager)

Ongoing Monitoring: Service Reviews

1. Send Service Review (Third-Party Manager)
2. Complete Service Review (Line of Business)

Issue Management & Remediation

1. Communicate to Third-Party Contact (Third-Party Manager)
2. Respond to Issue (Third-Party Contact)
3. Update Issue (Third-Party Manager)
Inherent Risk
[Figure: the Onboarding Workflow diagram from above, shown again at its Inherent Risk Level decision point after step 2]
Risk Domains Help Define Inherent Risk Questions

Domains shown: Identity, Fourth-Party, Geographic, Compliance. Example questions:

• What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this third party? (Information Security)
• Does this third party have access to our IT network or technical infrastructure? (Information Security)
• Does the third party outsource any part of the service? (Geographic / Information Security)
Define Your Risk Tiers

[Figure: a 1-10 score scale mapped onto tiers D, C, B, A from lowest to highest]
Building a Scoring System

• What is the expected annual contract amount? (Financial / Business Continuity)
• Is the third-party service performed domestically? (Geographic)
• Is the service essential to the operations of the company? (Business Continuity)
• How difficult would it be to replace this service with an alternative? (Business Continuity)
• What is the expected annual volume of records that will be accessed, processed, stored or transmitted by this third party? (Information Security)
• Is any part of the third-party service being provided subject to any regulatory / compliance requirements? (Compliance)
• Does this third party store, process or transmit Personally Identifiable Information (PII) or Protected Health Information (PHI) as part of this service? (Information Security)
• Is the service delivered as a cloud-based solution? (Information Security)
• Does this third party have access to our IT network or technical infrastructure? (Information Security)
• Does the third party outsource any part of the service? (Geographic / Information Security)
Building a Scoring System: Intake Questions & Point Values

12  Service is essential to company operations
 6  Annual contract amount > $500,000
 2  Difficult to replace service with alternative
 2  High annual record volume
 2  Service is subject to regulatory requirements
 2  Third party has access to PII or PHI
 2  Third party has access to our technical infrastructure
 2  Third party outsources a portion of the service
Checking the Math

Question                             | Major Bank      | Records Shredder | Landscaping Contractor
Essential to operations              | YES (12 Points) | NO               | NO
Contract > $500,000                  | NO              | NO               | NO
Performed internationally            | NO              | NO               | NO
Difficult to replace                 | NO              | YES (2 Points)   | NO
High record volume                   | NO              | YES (2 Points)   | NO
Subject to regulatory requirements   | NO              | YES (2 Points)   | NO
Access to PII or PHI                 | NO              | YES (2 Points)   | NO
Cloud-based solution                 | NO              | NO               | NO
Access to technical infrastructure   | NO              | NO               | NO
Outsources a portion of the service  | NO              | NO               | YES (2 Points)
TOTAL SCORE                          | 12              | 8                | 2
RISK TIER                            | CRITICAL        | HIGH             | LOW
Use Inherent Risk to Scope Due Diligence

LOW: 0-5 | MEDIUM: 6-7 | HIGH: 8-11 | CRITICAL: 12+
The Evolution of the Assessment Questionnaire: one size “fits” all
Determining a Cadence for Periodic Due Diligence
Residual Risk Determines Scope & Frequency

Inherent Risk | Previous Assessment Review Rating | Residual Risk | Assessment Scope | Assessment Frequency
CRITICAL | No Prior Review   | Critical | SIG Core | ASAP
CRITICAL | Unsatisfactory    | Critical | SIG Core | Annual
CRITICAL | Needs Improvement | Critical | SIG Core | Annual
CRITICAL | Satisfactory      | High     | SIG Lite | Annual
HIGH     | No Prior Review   | High     | SIG Lite | ASAP
HIGH     | Unsatisfactory    | High     | SIG Lite | Biennial
HIGH     | Needs Improvement | High     | SIG Lite | Biennial
HIGH     | Satisfactory      | Medium   | SIG Lite | Biennial
MEDIUM   | No Prior Review   | Medium   | SIG Lite | ASAP
MEDIUM   | Unsatisfactory    | Medium   | SIG Lite | Biennial
MEDIUM   | Needs Improvement | Medium   | SIG Lite | Biennial
MEDIUM   | Satisfactory      | Low      | SIG Lite | Triennial
LOW      | N/A               | Low      | N/A      | N/A
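The scoring system and the residual-risk matrix above, worked end to end in Python as an added example (not ProcessUnity’s code): the point values, score bands and matrix rows are the ones on the slides, while the question keys and the three constructed vendors from “Checking the Math” are my own naming. The two intake questions without a point value on the slide (performed internationally, cloud-based) are left unscored.

```python
# Added example, not ProcessUnity's code: score a vendor with the deck's intake
# point values, tier it, then look up residual risk, scope and review cadence.

POINTS = {  # intake question -> points ("Building a Scoring System" slide)
    "essential": 12, "contract_over_500k": 6, "hard_to_replace": 2,
    "high_record_volume": 2, "regulated": 2, "pii_phi": 2,
    "infra_access": 2, "outsources": 2,
}
RATINGS = ("No Prior Review", "Unsatisfactory", "Needs Improvement", "Satisfactory")
# inherent tier -> one (residual risk, scope, frequency) row per rating above
RESIDUAL = {
    "CRITICAL": [("Critical", "SIG Core", "ASAP"), ("Critical", "SIG Core", "Annual"),
                 ("Critical", "SIG Core", "Annual"), ("High", "SIG Lite", "Annual")],
    "HIGH": [("High", "SIG Lite", "ASAP"), ("High", "SIG Lite", "Biennial"),
             ("High", "SIG Lite", "Biennial"), ("Medium", "SIG Lite", "Biennial")],
    "MEDIUM": [("Medium", "SIG Lite", "ASAP"), ("Medium", "SIG Lite", "Biennial"),
               ("Medium", "SIG Lite", "Biennial"), ("Low", "SIG Lite", "Triennial")],
}

def inherent_score(answers):
    """Sum the points of every intake question answered True."""
    unknown = set(answers) - set(POINTS)
    if unknown:  # a misspelled question must not silently drop points
        raise KeyError(f"unknown intake question(s): {sorted(unknown)}")
    return sum(POINTS[q] for q, yes in answers.items() if yes)

def inherent_tier(score):
    """Score bands from the deck: 0-5 Low, 6-7 Medium, 8-11 High, 12+ Critical."""
    for floor, tier in ((12, "CRITICAL"), (8, "HIGH"), (6, "MEDIUM")):
        if score >= floor:
            return tier
    return "LOW"

def review_plan(answers, previous_rating="No Prior Review"):
    """Return (score, tier, residual risk, scope, frequency) for one vendor.
    Low inherent risk gets no assessment, matching the N/A row in the deck."""
    score = inherent_score(answers)
    tier = inherent_tier(score)
    if tier == "LOW":
        return score, tier, "Low", "N/A", "N/A"
    return (score, tier) + RESIDUAL[tier][RATINGS.index(previous_rating)]

# Constructed sample vendors matching the "Checking the Math" slide.
VENDORS = {
    "Major Bank": {"essential": True},
    "Records Shredder": {"hard_to_replace": True, "high_record_volume": True,
                         "regulated": True, "pii_phi": True},
    "Landscaping Contractor": {"outsources": True},
}
```

Calling `review_plan(VENDORS["Records Shredder"], "Satisfactory")` shows the cadence a High-inherent vendor earns after a clean review: residual Medium, SIG Lite, biennial.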
Get Help: External Content & Managed Services

Incorporate External Ratings & Content

[Figure: Public Data Evaluation vs. Private Data Validation + Testing; enriched content options: Financial, Cyber, Identity, Utility]

• Understand the difference between public and private data validation
• Set a rationale for leveraging by inherent risk tier
• Off-load the time intense operations
• Embed external content into your process
Third-Party Risk Maturity Model

[Figure: a maturity curve plotted as MATURITY against TIME through four stages: INFORMAL, REACTIVE, PROACTIVE, OPTIMIZED. Characteristics named along the curve, roughly in their left-to-right order on the slide:]

• Informal, ad hoc approach
• Manual processes (spreadsheets, email)
• Single resource / small team
• Little to no LOB involvement or executive …
• Dedicated team with a formally defined program
• Manual questionnaire reviews and due diligence
• Assessment scoring
• Issues management
• Inherent risk calculations
• Calculated residual risk distribution
• Risk-based assessments scoping
• Program automation via …
• Dedicated team & available external resources
• High-level of LOB involvement and active executive promotion
• Fully automated processes
• Trend analysis
• Comprehensive reporting
• Contracts managed with SLA capabilities
• Integration with external data sources / providers
• Continuous program …
POLL QUESTION #3: How would you rate the maturity level of your current TPRM program?

INFORMAL / REACTIVE / PROACTIVE / OPTIMIZED
Incrementally Improve Your Program
Take steps to advance your program (and your career)

INFORMAL
• Formalize your program
• Document, document, document
• Socialize program’s charter with executives
• Advantage: Blank slate

REACTIVE
• Nix the one-size-fits-all questionnaire
• Implement a repository for TPRM data
• Calculate inherent and residual risk
• Look to automation
• Advantage: Leverage your recent experience to determine what’s working…and what’s not working
Contact ProcessUnity:
www.processunity.com/contact
Contact Ed Thomas:
ed.thomas@processunity.com