
Third Party Governance and Risk Management

23 October 2017


Agenda

Today’s discussion topics

• Third Party Ecosystem

• Insights from the Deloitte Global Third Party Risk Management Survey

• Third party risk management frameworks

• Evolution of third party audits: from third party audits to real time assurance


Introductions

Deloitte facilitator

Mark Bethell

Director, Extended Enterprise Risk Management

[email protected]

+44 20 7007 5913 | +44 7917 183787

1. Third Party Ecosystem – the “Extended Enterprise”


Third Party Ecosystem

The “Extended Enterprise”


Third Party Ecosystem

The role of internal audit


2. Insights from the Deloitte Global Third Party Risk Management survey

Organizational progress in TPGRM since last year appears modest, although increasing awareness of risks is expected to prime 2017 and 2018 as years of accelerated maturity.

• Survey responses collected during heightened uncertainty (Brexit vote in UK and presidential elections in US).

• Report based on 536 responses, a significant increase from 170 last year.

• Covers 11 countries across the Americas, Europe, Middle East and Africa (EMEA) and Asia/Pacific, across all key industry segments.

• Respondents typically include those responsible for TPGRM:

• Chief Finance Officers,

• Heads of Procurement/Vendor Management,

• Chief Risk Officers,

• Heads of Internal Audit, and

• Compliance and Information Technology (IT) Risk Heads.


Despite increasing executive awareness of risks and some associated improvements in TPGRM, five key areas exist where further effort is required by most organizations.

Dependency and vulnerability

Despite high dependency on third parties, organizations are not fully equipped to manage the risks in a holistic and coordinated manner, including those arising from external uncertainties.

53.3 percent of respondent organizations have a “high or critical level of dependence” on third parties.

40.5 percent of respondents reported “some” increase in dependence on third parties in the last year, with a further 4.5 percent experiencing a “significant” increase.

However, only 20.1 percent have integrated or optimized their EERM mechanisms, with others aspiring to do so within the next 1-3 years.

Dependency and vulnerability (continued)

26.3 percent of respondents have faced non-compliance with regulatory requirements (compared to 23.0 percent in 2016); 16.7 percent have suffered reputation damage.

Just 11.6 percent of respondents are “fully prepared” to deal with the increased uncertainty in the external environment. A significant majority, 72.3 percent of respondents, are only “somewhat prepared”.

74.1 percent of respondents have faced at least one third-party related incident in the last three years. As many as one in five respondents have faced a complete third-party failure or an incident with major consequences in the last three years.

Relationship management

Understanding of third parties is increasing, but comprehensive, data-driven risk management and the capability to predict emerging risks are still developing.

55.4 percent of respondents have a reasonable to excellent understanding of third parties, with the other 44.6 percent having only a low or some level of understanding.

46.6 percent do not have any organisation initiatives to enhance the maturity of contractual data to increase the understanding of their third parties.

Just 13.6 percent of respondents have forward-looking vigilance capabilities to identify imminent risks and performance issues of third parties that are well integrated into their processes of managing their extended enterprise, while 78.9 percent are at various stages of developing such capabilities.

53.8 percent consider their level of knowledge of third party contract terms and related data to be limited, including respondents who recognize this is inadequate.

Governance and risk management processes

Despite executive sponsorship, there is still a long way to go to get processes and technology working effectively.

Ultimate responsibility for third-party risk management rests with the Board, CEO, CFO, CPO or other members of the C-suite in 74.6 percent of responses.

Third-party risk features consistently or periodically on the Board agenda in 53.2 percent of respondent organizations.

The proportion of respondents sceptical about TPGRM technology in their organizations is 90.6 percent.

A similar lack of confidence relating to the quality of TPGRM processes is also only marginally up, from 82.5 percent to 86.4 percent, indicating a slight improvement and increased focus in this area.

Technology platforms

An integrated TPGRM technology platform that addresses the needs of every organization has not emerged.

19.9 percent of respondents are using TPGRM-relevant modules of broader GRC solutions, while 17 percent are using specific TPGRM solutions.

Using features of an existing ERP system is still the most popular solution as a technology platform for TPGRM, as outlined by 43.9 percent of respondents. Only 9.1 percent of respondents supported this by the use of bespoke solutions to achieve integration needs.

At least one out of two survey respondents now combine more than one technology platform to address TPGRM requirements.

Emerging delivery models

New delivery models are emerging to bring consistency and sought-after skills, enable collaboration, and address decentralization challenges in the wider organization.

As many as 62.4 percent of respondents are equally or more decentralised than they are centralised.

Over 59 percent of respondents are moving to increasingly centralised in-house functions to support TPGRM.

12.8 percent of respondents are moving to an external service provider based “managed service” model for third party management, which also reflects an emerging trend.

40.9 percent of respondents are already utilising information hubs (community models) on third party risk available as market utilities, or intending to do so in the near future. However, 51.3 percent of respondents are unaware of this emerging trend.


3. Third party risk management frameworks


Focus on Third Party Risk Management

Third Party Risk Management Frameworks: Core components

[Figure: core components of a third party risk management framework; the recoverable labels are Scoping and Delivery]

4. Evolution of third party audits: from third party audits to real time assurance

Evolution of third party risk reviews: from reactive to proactive

Over the past 15 years, third party risk reviews have evolved from a heavily manual process to a technology-enabled solution with a focus on strategic impact rather than compliance aspects. Further, leading practice is focused upon a proactive approach to limit cash leakages before they occur, compared to the more traditional reactive approach.

Supplier assurance framework: a tiered approach

Under the leading model, a tiered approach organizes suppliers into risk thresholds based on a combination of annualized spend and operational risk factors, and assurance activities become risk-based, focused, and optimized. Suppliers that are deemed the highest risk should be subject to continuous monitoring.

[Figure: suppliers plotted by operational risk/complexity against annual spend, mapped to the three assurance tiers below]

• Real-Time Assurance: Review of expenditures on an ongoing basis to prevent cost leakage before it occurs and enhance decision making through the use of advanced data analytics.

• Standardized Testing: Traditional supplier reviews are performed on a defined frequency as established by the organization. Leverage advanced data analytics and standardized testing to attain maximum coverage over spend and expedite the review process.

• Ad Hoc Reviews: Horizontal reviews across multiple contracts, completed in order to gain coverage over specific clauses (e.g. early payment discounts, volume discounts, most favoured pricing).

Standardized testing

Standardized testing enables businesses to mitigate risk, minimize costs, and increase operational efficiency by leveraging the power of data analytics to review 100% of available data. This refined process helps minimize operational disruption, and typically yields recoveries and cost savings in the range of 3-5% of total spend reviewed.

The Benefits

• Increase transparency and establish an audit culture amongst operators. Enable businesses to drill down in areas where they have experienced supplier issues in recent years.

• Review 100% of spend in scope and minimize the need for extrapolation of findings.

• Reviews are self-funding: realized cash recoveries can be reinvested in the program to fund remediation activities and additional reviews.

• Enable faster review and payment of invoices, allowing businesses to take advantage of early payment discounts.

• Support creation of a supplier database to enable benchmarking comparisons across the supplier base (e.g. rates, productivity).

• Ability to scale up and expand coverage across the supplier base with minimal incremental effort.

The Challenges

• Uncertainty over supplier spend and ambiguous contract clauses.

• Extrapolated findings are difficult to recover from suppliers.

• High volume of transactions reviewed via non-standardized attest processes, resulting in lengthy reviews and payment cycles.

• Lack of standardized rate tables.

• Lack of a robust central repository to maintain contracts; templates that do exist are not leveraged as intended.

• Inconsistent understanding of contract terms between businesses and their suppliers.


Real-Time Assurance as part of a leading framework

Real-Time Assurance (RTA): What is it?

Real-Time Assurance is a leading edge, end-to-end, technology based approach that allows for efficient and effective review of expenditures on an ongoing basis to prevent cost leakage and enhance decision making through the use of advanced data analytics.

Leveraging an RTA approach will dramatically improve many of the contract set-up and invoice review challenges that face organizations throughout the procure-to-pay lifecycle.

Data is collected on a weekly basis and reconciled against known, site-level data (e.g. swipe card records). Using data analytics, any unsupported charges are immediately identifiable and can be sent back to the supplier for validation. The supplier can only invoice for validated charges, meaning overpayments are prevented.

The process is tailored to achieve Key Performance Indicators that are crucial to the business, such as early pay discounts achieved and overpayments prevented.
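The weekly reconciliation described above, as an added example that is not Deloitte's RTA tooling and not code from the original deck: it aggregates constructed swipe-card events into hours on site per badge, site and day, then checks each supplier charge line for a supporting swipe record, for billed hours beyond the hours swiped, for a rate above the contracted rate table, and for duplicate lines. Lines with exceptions are held for supplier validation rather than paid, so only validated charges reach the invoice. The record layouts, the rate table, the clock-in/out tolerance and all sample data are assumptions constructed for the example.

```python
"""Weekly reconciliation of supplier charge lines against site swipe-card records.

Added example, not part of the original presentation. All data below is
constructed; the record layouts, rate table and tolerance are assumed policy.
"""
from collections import defaultdict
from datetime import datetime

# Constructed swipe-card events: (badge, site, clock-in, clock-out) for one week.
SWIPES = [
    ("B100", "SITE-A", "2017-10-16T07:58", "2017-10-16T16:05"),  # about 8.1 h on site
    ("B100", "SITE-A", "2017-10-17T08:02", "2017-10-17T12:00"),  # about 4.0 h on site
    ("B101", "SITE-A", "2017-10-16T08:00", "2017-10-16T17:00"),  # 9.0 h on site
    ("B102", "SITE-B", "2017-10-16T09:00", "2017-10-16T17:30"),  # 8.5 h on site
]

# Constructed contracted hourly rates keyed by (site, grade); assumed structure.
CONTRACT_RATES = {("SITE-A", "engineer"): 45.0, ("SITE-B", "engineer"): 50.0}

# Constructed supplier charge lines submitted for the same week.
CHARGES = [
    {"line": 1, "badge": "B100", "site": "SITE-A", "date": "2017-10-16", "grade": "engineer", "hours": 8.0, "rate": 45.0},  # supported
    {"line": 2, "badge": "B100", "site": "SITE-A", "date": "2017-10-17", "grade": "engineer", "hours": 8.0, "rate": 45.0},  # overbilled
    {"line": 3, "badge": "B101", "site": "SITE-A", "date": "2017-10-16", "grade": "engineer", "hours": 9.0, "rate": 55.0},  # rate too high
    {"line": 4, "badge": "B103", "site": "SITE-A", "date": "2017-10-16", "grade": "engineer", "hours": 8.0, "rate": 45.0},  # no swipe
    {"line": 5, "badge": "B102", "site": "SITE-B", "date": "2017-10-16", "grade": "engineer", "hours": 8.0, "rate": 50.0},  # supported
    {"line": 6, "badge": "B102", "site": "SITE-B", "date": "2017-10-16", "grade": "engineer", "hours": 8.0, "rate": 50.0},  # duplicate
]

TOLERANCE_HOURS = 0.25  # assumed slack for clocking in/out around the billed shift


def hours_on_site(swipes):
    """Aggregate swipe events into hours present per (badge, site, ISO date)."""
    totals = defaultdict(float)
    for badge, site, t_in, t_out in swipes:
        start = datetime.fromisoformat(t_in)
        end = datetime.fromisoformat(t_out)
        if end <= start:
            continue  # malformed pair: ignore it rather than credit hours
        key = (badge, site, start.date().isoformat())
        totals[key] += (end - start).total_seconds() / 3600.0
    return totals


def reconcile(charges, swipes, rates, tolerance=TOLERANCE_HOURS):
    """Return (approved_amount, exceptions) for one billing period.

    A charge line is approved only when it has a swipe record for the same
    badge, site and day, its hours do not exceed the swiped hours plus the
    tolerance, its rate does not exceed the contracted rate, and it is not a
    repeat of an earlier line. Every other line is held and reported back to
    the supplier with the reasons, so it is never invoiced as submitted.
    """
    on_site = hours_on_site(swipes)
    seen = set()
    approved = 0.0
    exceptions = []
    for c in charges:
        key = (c["badge"], c["site"], c["date"])
        reasons = []
        if key in seen:
            reasons.append("duplicate line")
        seen.add(key)
        if key not in on_site:
            reasons.append("no swipe record")
        elif c["hours"] > on_site[key] + tolerance:
            reasons.append(f"billed {c['hours']:.2f} h, on site {on_site[key]:.2f} h")
        contracted = rates.get((c["site"], c["grade"]))
        if contracted is None:
            reasons.append("no contracted rate")
        elif c["rate"] > contracted:
            reasons.append(f"rate {c['rate']:.2f} exceeds contract {contracted:.2f}")
        amount = c["hours"] * c["rate"]
        if reasons:
            exceptions.append({"line": c["line"], "amount": round(amount, 2), "reasons": reasons})
        else:
            approved += amount
    return round(approved, 2), exceptions


if __name__ == "__main__":
    approved, held = reconcile(CHARGES, SWIPES, CONTRACT_RATES)
    print(f"approved for payment: {approved:.2f}")
    for e in held:
        print(f"line {e['line']} held ({e['amount']:.2f}): {'; '.join(e['reasons'])}")
```

Of the six constructed lines only lines 1 and 5 are approved (760.00 in total); lines 2, 3, 4 and 6 are held with their reasons, which is the list that would go back to the supplier for validation. Running the same function every week over the new batch of charges is what turns the check into an ongoing control rather than a periodic review.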

Results of a typical assurance program versus accretive value to be realized through RTA

Results of a typical assurance program:

• Traditional assurance programs only identify cash leakages of 3-5% of contract spend.

• Assurance activities cost millions of dollars globally, with limited ability to increase coverage.

• Resource and data limitations result in only two-thirds of in-scope spend actually being reviewed.

• Only 50% of findings identified are actually recovered following settlement negotiations.

• Reviews are operationally disruptive and can deteriorate commercial relationships with suppliers.

Accretive value to be realized through RTA:

• Increase spend coverage up to 5x and enhance program scalability.

• Realize the full value of leakage prevention of 5-10%.

• Enable a significant reduction in the cost of attest (~30-50%) through process automation, saving millions of dollars.

• Data analytics expedite review periods, minimizing operational disruption and enabling realization of early payment discounts.

• Real-time exception reporting prevents cash leakages before they occur, resulting in 90-100% collection of billing errors.

• Through RTA, organizations can realize a return up to 5x greater than traditional assurance models.

Real-Time Assurance (RTA): The benefits

Smarter: RTA supports the creation of a global supplier database that can be used to inform decision making (e.g. strategic sourcing, benchmarking), while also facilitating the ability to scale up and expand coverage across the supplier base with minimal incremental effort.

Better: RTA prevents leakages before they occur, minimizing operational disruption for suppliers and preserving commercial relationships by eliminating the need for costly settlement negotiations. Further, automated assurance reduces the reliance and administrative burden on local FTEs, enabling employees to focus efforts on higher value activities.

Faster: Real-time exception reporting and analytics enhance the control environment, while also enabling faster invoice payment cycles and realization of early payment discounts.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

© 2017 Deloitte LLP. All rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.