The Institute of Internal Auditors Washington, D.C. Chapter
Third Party Risk Management
March 7, 2016
Paula Johnson, Enterprise Governance & Operational Risk Policy Analyst, Office of the Comptroller of the Currency


Page 1

The Institute of Internal Auditors Washington, D.C. Chapter
Third Party Risk Management

March 7, 2016

Paula Johnson, Enterprise Governance & Operational Risk Policy Analyst, Office of the Comptroller of the Currency

Page 2

Agenda

• Third Party Risk Management (TPRM)
• OCC TPRM Guidance
• Third Party Risk Management Lifecycle
• Third Party Relationship Identification
• Risk Identification
• Risk Ranking Process
• Internal Audit & TPRM
• Internal Audit Program
• Challenges of Third Party Risk Management

Page 3

OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance

Key Enhancements:
• Identification and measurement of the risk associated with each third-party relationship
• Risk management practices must apply throughout the life of the relationship
• More robust risk management practices on “critical activities”
• Board and management oversight responsibilities

Page 4

Third-Party Relationships Lifecycle Phases

Page 5

Third Party Risk Management: Third-Party Relationships Identification

• A third-party relationship is any business arrangement between the bank and another entity, by contract or otherwise.
• Inventory:
  – Affiliates and subsidiaries
  – Another bank
  – FRB, DTC, GSEs
  – Joint ventures
  – HR functions
  – Attorneys, appraisers, consultants

Page 6

Third Party Risk Management: Risk Identification

• Quality & quantity of various risk categories:
  – Operational Risk
  – Compliance Risk
  – Reputation Risk
  – Strategic Risk
  – Credit Risk
• Other factors in risk quantity:
  – Concentration
  – Foreign service providers
  – Subcontractors

Page 7

Third Party Risk Management: Risk Ranking Process

Effective Risk Ranking Methodology:
• Ensures that all of the bank's third party relationships are included in the inventory.
• Ranks third party relationships along a continuum of risk.
• Provides for periodic review of each third party relationship's risk ranking.

Page 8

Internal Audit Function & Third-Party Relationships Risk Management

Program Elements:
• Audit Universe
• Audit Risk Assessment
• Audit Plan
• Third Party Control Testing

Page 9

Third Party Risk Management: Internal Audit Function

• Audit Universe
  – Includes third party products & services
  – Maintain profiles of significant business units, departments, and products
• Audit Risk Assessment
  – Identifies third party relationships & risks
• Audit Plan
  – Includes applicable third party operated controls
  – Reflects a risk based approach
  – Reflects a timeframe for all controls being tested

Page 10

Third Party Risk Management: Internal Audit Function

• Third-Party Operated Control Testing
  – Third party assurance reports
  – Onsite audits
  – Audit Risk Assessment mapping
• Third-Party Assurance Reports (PCI, SOC2)
  – Acceptable source of reports?
  – Type of control testing?
  – Acceptable sampling? Scope?

Page 11

Third Party Risk Management: Internal Audit Function

The Internal Audit function needs to operate under clear guidance on testing of third party operated controls.

Page 12

Challenges of Third Party Relationships Risk Management

• Relationship monitoring sporadic or not risk based
• Risk assessments of third party providers not fully developed
• Third parties contribute to unsecured access points to bank networks

Page 13

• Third Party Risk Management (TPRM)
• OCC TPRM Guidance
• Third Party Risk Management Lifecycle
• Third Party Relationship Identification
• Risk Identification
• Risk Ranking Process
• Internal Audit & TPRM
• Internal Audit Program
• Challenges of Third Party Risk Management