Third-Party Risk Management - Basics


Third-party Risk Management (TPRM)

Getting Started with the basics of TPRM
Data-driven and risk-aware decision making

Deep Mendiratta
Contents

1 Understanding different views on Risk

2 Dealing with Risk Perceptions

3 Evaluating different views on Risk – Use Cases

4 Understanding the ‘Life-Cycle’ Concept

5 Applying the ‘Life-Cycle’ Concept to TPRM

6 Business Model Canvas to begin TPRM Journey


Using simple examples to capture some terms relating to risk
management frameworks and keeping the thought process simple to
start with – before we move on to the frameworks and their practical
application.

THIRD-PARTY RISK MANAGEMENT BASICS 2


Understanding different views on Risk
Scenario: Different Schools – Different Thoughts

ISO: “Effect of uncertainty on objectives”, which focuses on the effect of incomplete knowledge of events or circumstances on an organization’s decision making.

CFA: Risk arises out of uncertainty. It can be defined as the effect of uncertain future events on a company or on the outcomes the company achieves. One of these outcomes is the company’s profitability, which is why the effects of risk on profit and rates of return are often assessed.

SOA:
• Possibility of failing to meet objectives.
• Can only be defined in context.



Understanding different views on Risk
Scenario: Different Schools – Different Thoughts

IRM: Risk can be defined as the combination of the probability of an event and its consequences. In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

COSO: The possibility that events will occur and affect the achievement of strategy and business objectives.



Key Takeaways
❖ Once you look at things with reference to the context and objectives, the definition of risk becomes all the more useful (not understanding the risk is also a risk?)

❖ Risk Management is a continuous process and not something which only the Top Executives are supposed to do; it applies to all levels of the Organization, as risks are uncertainties linked to objectives (strategic, financial, operational and compliance)

❖ There is no “One Size Fits All” approach in Risk Management

Take a look at a few of the risk factors as per a sample Form 10-Q:
• (19) global political, legal, or operational risks;
• (21) technological change;
• (35) inability to protect our intellectual property or avoid infringement claims;

A top-down approach is easier to work with when you are dealing with different perceptions of risk, especially while working with Third Parties and on TPRM.

The challenge is not only to deal with the management of risks confronting every decision and action of the organization, but to manage it in multi-ethnic, multicultural and multi-language environments.



Dealing with risk perceptions – taking examples from everyday life

Scenario: Swim across the pool
1. You know about Swimming
2. You are a very good Swimmer
3. You don’t know Swimming – never did it
4. You know swimming but never tried it in an Olympic size pool

Your assessment / perception of the risk will be different in each of the above scenarios. Yes?

Scenario: Driving on a Road
You own an Audi Q7 and you are a very good driver – look at pictures 2 and 3 on the left
1. You are driving your Audi in the USA
2. You are driving your Audi on Indian Roads

Even though you have a solid German car, your assessment / perception of the risk will be different in each of the given scenarios. Yes?
Key Takeaways
▪ Using these pictures and scenarios only to simplify the concepts & principles given in the frameworks, which we will be discussing in the later sessions, e.g. Internal & External factors while evaluating risks
▪ Your responsiveness or behavior towards risk will be influenced by your perception of the risk – whether you look at it in terms of threats and opportunities or threats and vulnerabilities, e.g. IT professionals are more likely to expect the impact of a cyber event to be severe than their counterparts in the risk function
▪ Perception and relevance of risk need to be aligned at various levels in the organization, in order to have an effective risk management program which works on a proactive approach (culture and capabilities) rather than a reactive one (historic data and old policies)
▪ Perception of the capability to manage risks also needs to be aligned at different levels, when you think in terms of perception promoting an effective culture (within teams and across the organization)

Your decisions are also linked to your appetite for risk and the information you have for decision making – even if those are as simple as jumping a traffic light signal or jumping into a pool.
Risk perceptions – working with and around risk perceptions

Scenario: Imagine you are going for an Internal Meeting / Discussion on Risk *

Chief Executive Officer
• Board & Investor Relations
• Culture & Strategy
• Sales & Marketing
• Global Market Development
• New Business & Revenue Growth

Chief Financial Officer
• Financial Management
• Fund Raising
• Margin Improvement
• Cost Management
• B/S and P/L Management

Chief Operating Officer
• Multi-site Operations
• Service Delivery
• Customer Satisfaction
• Business Turnaround
• Process Improvements

Chief Legal Officer
• Laws & Regulations
• Compliance
• Contracts
• Agreements
• Litigation

The job roles above differ at the individual level, yet all 4 leaders would have a common view of Risk, despite the fact that they are guided by their personal knowledge of each risk, their perception of the organization’s capability to manage specific risks, and their views of the relevance of each risk to their organization. Depending on the culture, you might face challenges in working around or dealing with perceptions.
* Illustrative
Key Takeaways

❖ Top Executives in any Company are responsible for taking high quality decisions

❖ Decisions are guided by Experience, Capability, Knowledge, Perception, Information

❖ All decisions involve risk – Strategic, Financial, Operational, Compliance

Whether you are doing internal meetings or external meetings – all your negotiations and dealings with Third Parties will involve decisions, and you would always rely on information for making decisions.



Risk perceptions – working with and around risk perceptions

Different risks, different perceptions – different times, different perceptions, e.g. work from home in a post-COVID scenario.
To work around perceptions, you have to take a holistic view of the risks – duly keeping in mind the objectives and context.

Objectives

Strategic
• Vision & Mission
• Strategy and Initiatives
• Customers and Service Portfolio
• Markets and Growth
• Competition and Expansion
• Mergers and Acquisitions
• Culture and Branding
• Business Models & Innovation

Financial
• Business Planning
• Capital Availability
• Effective Utilization of Funds
• Funding for Expansion
• Liquidity and Credit
• Cost Management
• Hedging and Insurance
• Financial Reporting and Disclosures

Compliance
• Governance
• Statutory Compliances
• Regulatory Compliances
• Contract Compliances
• Ethics and Integrity
• Fraud Prevention
• Data Protection and Privacy
• Environment and Safety

Operational
• Business Continuity
• Service Excellence
• Service Levels
• Customer Satisfaction
• Customer Protection
• Employee Engagement
• Fraud Risk Management
Key Takeaways
❖ Risk is just an expensive substitute for information, and time can transform risk (e.g. there was a time when work from home was not an acceptable practice?)

❖ To focus on the key risks – look for the objectives and understand them in the context of the business

❖ Internally, risk is embedded in every decision of the Organization and depends on the information & systems used for making decisions and the people responsible for taking decisions. Risks can be negative outcomes relating to strategic, financial, operational and compliance activities / objectives. Quality of decisions also depends on the timing, the information used and the people taking those decisions.

❖ How you manage risks will depend on how you define those and how well people across the organization understand risks (including risks due to internal and external factors).



Evaluating different views on Risk – Business Use Cases
Scenario: Risk is also evaluated in the discipline of Business Model Innovation (BMI) – In Business, risk is also defined as the potential for losing something of value, and that value could be your original investment or your expected future returns.
Information Risk: When you make decisions without enough information. Ideally, a decision maker relies on the best available information to maximize the value created by the decision. Information risk can lead to potential inefficiencies, and the status quo will dominate the situation.

Four key decisions: WHAT, WHEN, WHO, WHY

Amazon, a pioneer in BMI, achieved phenomenal growth with the “Sell all, carry few” approach. How to reduce inefficiency – question the assumptions and don’t let any symptoms and pain points escape unresolved. Many more examples of BMI at Amazon.

Another example – American Airlines hived off Sabre to come up with Dynamic Pricing, wherein prices could be changed at any time depending upon updated information about customer demand. (Sabre: Semi-Automated Business Research Environment – a reservation system that compiled a large database of information on worldwide flights, reservations and passengers)



Key Takeaways
❖ Good news and bad news are both news – never ignore information

❖ Timing of decisions, sequence of decisions and information at each stage in decision making are vital in business (e.g. Benetton vs. Zara)

❖ Relying on the best-informed party for decision making

❖ Inefficiencies also arise due to conflicts between intended and actual objectives (Incentive Risk)

❖ Business Models are not disruptive – rather it’s the customer preferences (or change in preferences) which cause the disruption (e.g. so many examples during COVID-19)

❖ Within your TPRM – you can pick out the inefficiencies and figure out the root cause to work on process and policy improvements.



Understanding the ‘Life Cycle’ Concept

Life: Born → Infant → Young Boy → School / College → Young Man → Corporate Employee → Man & Woman → Family Expansion → Growth & Maturity → Old Age → End of Story

Business: Idea → Vision → Mission / Goals → Strategy → Business Processes → People & Systems → Strategy Implementation → Expansion and Growth → Maturity → Stagnation → Decline

Another example – System Development Life Cycle – Feasibility, Planning, Analysis, Design, Implement, Sustain
The entire life cycle or value chain can be disturbed by a single external event / factor – that’s “Risk” for you!
Applying the ‘Life Cycle’ concept to TPRM

[Diagram: TPRM life cycle – stages shown include Prioritizing / Ranking, Due Diligence, and Contracting & Negotiations; A – Risk View, B – Relationship View]


TPRM roll-down to a Vendor Management View

TPRM View

Planning, Identification & RFP
• Risk Factors
• Stakeholders
• Business Rationale
• Products or Services
• Inherent Risks
• Strategic & Operational Considerations
• Financial Considerations
• Compliance Considerations

Risk Assessment
• Risk & Value Assessments
• Risk Exposure
• Business Impact Analysis (BIA)
• Risk Treatment / Mitigation / Response / RMP Approach

Due Diligence
• Due Diligence
• Policy and Procedure
• Documentation
• Evaluations
• Standard & Additional Due Diligence

Monitoring
• Performance and Risk Monitoring
• Ongoing Due Diligence
• Site visits / reviews
• Customer Complaint
• Contingency Plans
• TP Certifications

Off-boarding
• Exit Strategy
• Risk Exposure Assessment
• Continuity Planning
• Transition Planning
• Execution

VM View

Need / Business Case
• Need
• Business Case
• Vendor Base
• Cost Benefit
• Determine ROI
• Go / No-Go Decision
• Approvals

Sourcing
• RFP and Bidding
• Single Source vs. Multiple options
• Selection Criteria
• Comparisons
• Validation – Proof of Concept / Pilot
• Shortlisting

Risk & Compliance Analysis
• Engagement Risk Assessment
• PSRA (Product / Service & Supplier)
• Policy Checks
• Compliance Checks
• Risk Sign-offs
• Anti-Corruption

Selection & Contracting
• Finalization from shortlisted
• Scope of Work
• Duration & Fee Structure
• Contract Vetting
• MSA & SOW
• Contract Final

Monitoring Performance
• SLAs
• Contract Administration
• Performance Criteria & KPIs
• Spend Management
• Oversight

Relationship Exit
• Notification to TP for Exit
• Transfer of Assets & Information
• Legal Confirmation
• Final Billing
• Settlements

Note: Above schematic is illustrative only – for the purpose of putting things into context



Illustrative Risk View for TPRM

Risk Factors
• TP supporting critical business process / service
• TP having direct access to the customers and customer data
• TP having access to internal network of the Company
• TP having access to employee data
• TP operating out of or headquartered in high-risk zones / geographies
• TP having single point of failure / relying on single sub-contractor

Risk Management
• Strategic Risk
• Financial Viability
• Concentration
• Business Continuity
• Operational Risks
• Regulatory and Compliance
• Contract Compliance
• Information Security
• Data Privacy
• Geo-political risks
• 4th Party risks (Sub-contractors)

Third Party Grading
• Third Party / Vendor Base
• Business Impact Analysis
• Risk Scoring
• Prioritization

Example grading: 50 High Risk, 200 Medium Risk, 150 Low Risk – 400 Third Parties in Total

Third Party types: Vendors, Suppliers, Business Partners, Marketing Partners, Affiliates, Brokers / Agents
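The grading shown on this slide (risk factors rolled up into High / Medium / Low tiers across a third-party base) can be made repeatable with a small inherent-risk scoring routine. The Python below is an added illustration written for this page, not the deck's own method or any tool it describes. The six factors mirror the slide; the factor weights, the tier thresholds and the rule that any third party with customer-data access is graded at least Medium are assumptions chosen for the example, and the sample third parties are constructed.

```python
"""Inherent-risk scoring and tiering for a third-party base.

Added example: the six risk factors mirror the slide; the weights, the
tier thresholds and the customer-data floor are assumptions made here.
"""
from collections import Counter
from dataclasses import dataclass, field

# Weight per risk factor (assumed values, not from the original deck).
FACTOR_WEIGHTS = {
    "critical_process": 30,         # TP supports a critical business process / service
    "customer_data_access": 20,     # TP has direct access to customers and customer data
    "internal_network_access": 20,  # TP has access to the company's internal network
    "employee_data_access": 15,     # TP has access to employee data
    "high_risk_geography": 10,      # TP operates from / is headquartered in a high-risk zone
    "single_point_of_failure": 10,  # TP relies on a single sub-contractor (4th party)
}

# Tier thresholds on the summed score (assumed values).
HIGH_THRESHOLD = 50
MEDIUM_THRESHOLD = 25


@dataclass
class ThirdParty:
    name: str
    category: str                      # Vendor, Supplier, Business Partner, ...
    factors: set = field(default_factory=set)


def inherent_score(tp: ThirdParty) -> int:
    """Sum the weights of the factors that apply; reject unknown factor names
    so a typo in an intake questionnaire cannot silently lower a score."""
    unknown = tp.factors - set(FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factor(s): {sorted(unknown)}")
    return sum(FACTOR_WEIGHTS[f] for f in tp.factors)


def tier(score: int, factors: set) -> str:
    """Map a score to High / Medium / Low. Customer-data access acts as a
    floor: such a TP is never graded Low even if its total score is small."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD or "customer_data_access" in factors:
        return "Medium"
    return "Low"


def grade_portfolio(portfolio):
    """Return {name: tier} for every third party in the base."""
    return {tp.name: tier(inherent_score(tp), tp.factors) for tp in portfolio}


def tier_counts(portfolio):
    """Roll-up in the style of the slide's '50 High / 200 Medium / 150 Low'."""
    return dict(Counter(grade_portfolio(portfolio).values()))


def prioritised(portfolio):
    """Due-diligence order: High tier first, then higher score, then name."""
    rank = {"High": 0, "Medium": 1, "Low": 2}

    def key(tp):
        score = inherent_score(tp)
        return (rank[tier(score, tp.factors)], -score, tp.name)

    return [tp.name for tp in sorted(portfolio, key=key)]


# Constructed sample third-party base (illustrative, not data from the deck).
SAMPLE_PORTFOLIO = [
    ThirdParty("Payroll SaaS", "Vendor",
               {"employee_data_access", "critical_process"}),
    ThirdParty("Call-centre BPO", "Business Partner",
               {"customer_data_access", "internal_network_access", "high_risk_geography"}),
    ThirdParty("Office supplies", "Supplier", set()),
    ThirdParty("Marketing agency", "Marketing Partner", {"customer_data_access"}),
    ThirdParty("Logistics broker", "Broker / Agent", {"single_point_of_failure"}),
]

if __name__ == "__main__":
    for name, grade in grade_portfolio(SAMPLE_PORTFOLIO).items():
        print(f"{name:<18} {grade}")
    print("Roll-up:", tier_counts(SAMPLE_PORTFOLIO))
    print("Review order:", prioritised(SAMPLE_PORTFOLIO))
```

The floor rule is the point worth noting: a marketing agency with no other exposure scores below the Medium threshold on weights alone, yet its customer-data access keeps it out of the Low tier, which is the kind of context-driven override a purely additive score misses. Unknown factor names are rejected rather than ignored, so an intake form that drifts from the agreed factor list fails loudly instead of quietly under-grading a third party.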



Key Takeaways
❖ TPRM has wider / broader connotations than Vendor Management

❖ Putting things into context is very important, before you move towards frameworks and principles

❖ Principles and Rules are always helpful in framing policies and for implementing the frameworks through the policies and supporting processes

❖ Take a holistic view of things before you begin with your change management / best practices / improvements

❖ Once you know the pain points, you can decide on a top-down or a bottom-up approach

❖ Cross functional teams work better for policy and process improvements.



Use the simple Business Model Canvas to begin your TPRM Journey



Next on TPRM

Understanding Risk Management Frameworks and their Application



LinkedIn: https://www.linkedin.com/in/de-risk
For More Free Content: LinkedIn: https://www.linkedin.com/company/de-risk
YouTube: https://www.youtube.com/@derisk
