A journey through the development and implementation of a robust third-party risk management program

By Chris Monk, Managing Director, Protiviti & Kathryn Hardman, Director of Centralized Third-Party Management Office, BBVA US

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

Chris: As a Managing Director within Protiviti, I help lead our Third-Party Risk Management solution as well as aspects of our Business Performance Improvement and Supply Chain Consulting practices.  I’m a founding member of Protiviti, a firm that I’m very proud to say we started almost 17 years ago and have grown into a billion-dollar global consulting organization.

When it comes to helping clients improve their vendor and third party management capabilities, I’ve worked with financial institutions of all sizes, as well as companies across a wide range of industries.  I enjoy not only helping clients tackle the details of how to build scalable and compliant programs, but also helping integrate procurement and third party risk activities to maximize the overall value and user experience.

Kathryn: As the Director of Centralized Third Party Management Office for BBVA US, I lead a team that manages the higher risk third party relationships throughout the lifecycle, from on-boarding to services ending. I also have an operations team with which we assisted in designing and implementing our internal third party management processes and system.

I began with BBVA US in 2006 and have been in various positions that have involved taking risk domains through transformation efforts as a result of internal methodology changes or regulatory changes.  Some of these include Credit Risk, Model Risk, and most recently Third Party Risk. I enjoy taking on different risk management areas and helping to create processes that are efficient, add value, and truly identify and assist in managing risk.

What, for you, are the benefits of attending a conference like Vendor & Third Party Risk USA 2019 and what can attendees expect to learn from your session?

Chris: This is the third CEFPRO conference I have attended, including both the NY and London conferences in the past.  The topic and agenda are obviously of extreme interest to many, and the conference has typically provided a very good cross-section of what others in the industry are doing – both challenges as well as emerging trends.

From my session, attendees can expect to learn about what the end-to-end journey looks like: the successes, some failures and challenges, and a list of things to keep in mind as they embark on their own 3PRM journey.

Kathryn: Attending a conference like this is beneficial for me because it allows me to understand how others are approaching third party risk management.  We are currently looking for efficiency gains and have challenges which I believe others are also experiencing, so this avenue allows for transfer of knowledge, different perspectives and opinions that we can take back to hopefully make improvements to our program.

From the session I will be involved with, attendees can expect to learn about our journey in building a third party risk management program, implementing a new system and the unexpected challenges we experienced along the way and the successes we have achieved.

How can institutions best continue to develop and implement robust third party risk management programs, and as an industry, what remains?

Chris: There are many facets to implementing and sustaining third party risk management programs.  First and foremost, it requires an understanding of the evolving regulatory landscape.  Not only what the regulatory guidance specifically outlines, but where the regulators will place emphasis based on the maturity and size of an organization. Next – it is important to remember this is a journey that takes many years; things need to be built in steps and there will always be an opportunity to automate, refine, and even rationalize the effort and program investment.  Finally, I think collaboration across the industry is key. There have been substantial developments over the past couple of years with respect to consortiums, Vendors Risk Management as a service, outsourcing, and the integration of third-party data enrichment and data services to improve the depth and breadth of coverage of vendors – both from a due diligence perspective and ongoing monitoring.  This collaboration will be key to continually drive improvements across the industry and to drive down the cost of compliance.

Kathryn: Developing and implementing any risk management program requires strong support from the organization’s management team as well as having a risk-based approach. Initially focusing on higher risk elements, having those identified and managed appropriately, will add value early on and help in the adaptation and early acceptance of the program being implemented.

What remains is the “so what”. We can implement a program, have the program evolve, and increase efficiency over time, but have we lowered the risk for our company, have we detected issues early enough to prevent losses (financial or non-financial), and have we added value?  We have put forth investments in people and technology, created awareness, and are actively monitoring our third parties, but we continue to need to evidence our ROI so we are not solely viewed as a cost but are viewed as, and are able to, contribute to reducing costs, increasing efficiency, and providing solutions, all the while not increasing risk.

What, for you, are the key elements of a robust vendor and third party risk program?

Chris: It is several things.  Obviously, it starts with having proper governance, including a defined and documented policy, framework, and procedures.  These need to be supported by an effective operating model, including organization design and delineation of roles and responsibilities between first and second lines of defense.  Other key elements would include taking a risk-based approach in how third parties are managed and ensuring appropriate coverage across the entire lifecycle – from planning, through monitoring and termination – and ensuring the entire scope of risk domains is addressed, as well as ensuring that all vendors and third parties are addressed.  This includes non-standard entities such as affiliates, agencies, joint ventures, and revenue sharing deals.

Kathryn: For me the key elements are effective and efficient risk assessments to allow the organization to properly and informatively choose the right third parties. In addition to selection is strong contract structuring that not only protects your organization and your customers, but also establishes expectations, clear deliverables, and service requirements.  Lastly is robust monitoring to help detect any signs of deterioration in services or controls that could increase risk to your organization.

How can technology and automation be incorporated to enhance development of programs and increase efficiency?

Chris: The use of digital, technology, and automation to increase the velocity and depth of data, analytics, and reporting, as well as to carry out business processes and enforce policy through workflow, is what distinguishes organizations with leading capabilities.  Technology can be deployed to consolidate all vendor information and manage data quality to improve reporting, visibility, and exception management.  Dynamic risk assessments can be deployed to not only improve the end user experience by focusing only on information which is needed, but also improve data capture to automate and streamline the front-end risk assessment and tiering process.  Integrating with sourcing and procurement software can improve overall visibility, as well as streamline activities to reduce cycle time.  Finally, technology can be used to improve the overall monitoring process by providing real time monitoring, alerts, and tracking of administrative items and remediation activities.

Kathryn: Efficiency and data are the two words that come to mind.  The procurement process, which for us is inclusive of contract negotiations, takes long enough, and adding on top of that risk assessments that cover all the risk domains in depth only adds to an already lengthy process.  So, to move from manual processes and be able to automate and quickly identify what risk assessments need to be conducted, what information is needed, and request it directly from the vendor is a game changer for efficiency.  Then you add in the data element and the ability to analyse concentrations of risks, cycle times, and trends, and allow the data to help you make changes to improve not only your processes but also your decision making; these have truly begun to enhance our program.

How do you see the Vendor & Third Party risk space evolving over the next 6-12 months as processes mature?

Chris: I think we’ll continue to see acquisitions in the technology and software space as well as tighter integration with data services providers as software companies look to expand their capabilities and offerings.  I also believe there will be some movement in the consortium space as companies try to adopt common frameworks to share the burden and cost of data collection and monitoring.  This may also drive progress from third parties in providing more standardized and consistent documentation.

Kathryn: I think within the next year we will see an increased desire, from both third parties and those engaging third parties, to standardize information gathering, testing, and reporting. I also think we will continue to see more and more emphasis and controls put on cyber security and being able to manage the risk of both our company and the third parties with which we share information.