The Institute of Internal Auditors, Washington, D.C. Chapter
Third Party Risk Management
March 7, 2016
Paula Johnson, Enterprise Governance & Operational Risk Policy Analyst, Office of the Comptroller of the Currency
Agenda
• Third Party Risk Management (TPRM)
• OCC TPRM Guidance
• Third Party Risk Management Lifecycle
• Third Party Relationship Identification
• Risk Identification
• Risk Ranking Process
• Internal Audit & TPRM
• Internal Audit Program
• Challenges of Third Party Risk Management
OCC Bulletin 2013-29 Third-Party Relationships: Risk Management Guidance
Key Enhancements
• Identification and measurement of the risk associated with each third-party relationship
• Risk management practices must apply throughout the life of the relationship
• More robust risk management practices on “critical activities”
• Board and management oversight responsibilities
Third-Party Relationships Lifecycle Phases
Third-Party Relationships: Identification
• A third-party relationship is any business arrangement between the bank and another entity, by contract or otherwise.
• Inventory
– Affiliates and subsidiaries
– Another bank
– FRB, DTC, GSEs
– Joint ventures
– HR functions
– Attorneys, appraisers, consultants
Third Party Risk Management: Risk Identification
• Quality and quantity of the various risk categories:
– Operational Risk
– Compliance Risk
– Reputation Risk
– Strategic Risk
– Credit Risk
• Other factors in risk quantity:
– Concentration
– Foreign service providers
– Subcontractors
Third Party Risk Management: Risk Ranking Process
Effective Risk Ranking Methodology
• Ensures that all of the bank’s third party relationships are included in the inventory.
• Ranks third party relationships along a continuum of risk.
• Periodically reviews the risk ranking of third party relationships.
Internal Audit Function & Third-Party Relationships Risk Management
Program Elements
• Audit Universe
• Audit Risk Assessment
• Audit Plan
• Third Party Control Testing
Third Party Risk Management: Internal Audit Function
• Audit Universe
– Includes third party products and services
– Maintain profiles of significant business units, departments, and products
• Audit Risk Assessment
– Identifies third party relationships and risks
• Audit Plan
– Includes applicable third party operated controls
– Reflects a risk based approach
– Reflects a timeframe for all controls being tested
Third Party Risk Management: Internal Audit Function
• Third-Party Operated Control Testing
– Third party assurance reports
– Onsite audits
– Audit risk assessment mapping
• Third-Party Assurance Reports (PCI, SOC 2)
– Acceptable source of reports?
– Type of control testing?
– Acceptable sampling? Scope?
Third Party Risk Management: Internal Audit Function
The Internal Audit function needs to operate under clear guidance on the testing of third party operated controls.
Challenges of Third Party Relationships Risk Management
• Relationship monitoring sporadic or not risk based
• Risk assessments of third party providers not fully developed
• Third parties contribute to unsecured access points to bank networks