
Page 1: Blurred Lines - SIG, sig.org/docs2/S11_Blurred_Lines_Maximizing_Enterprise... · 2016-10-17

Blurred Lines: Maximizing Enterprise Value by Integrating Finance, Procurement and Risk Functions in a Financial Services Environment

Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T

Sam Mele, Vice President Sales, Hiperos

sig.org/eval

Page 2

Case Study: Managing Third Parties Across the Enterprise

Seamless integration and alignment between Finance, Procurement and Risk functions in Financial Services to maximize enterprise value

Page 3

Today’s Speakers

Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T

Sam Mele, Vice President Sales, Hiperos

Page 4

About Hiperos

• The leading SaaS platform for managing third parties
• Purpose-built to minimize third party risk and maximize their value
• Manages third parties and third party relationships
• Accelerates / automates third party onboarding, risk segmentation / scoring, due diligence, and risk / performance monitoring
• Protects against reputational harm, regulatory exposure and revenue loss
• Reduces the cost of third party management

Page 5

About BB&T

Page 6

Financial Industry Challenges

• Low margins from continued lower interest rates
• Increased cyber threat: data breaches, ransomware, malware etc.
• Increased regulatory costs: MRA, Board Resolution, Consent Orders, Fines, Censures etc.
• Increased competition from non-traditional players: startups, fintechs, other established players
• Responsible Innovation (OCC)
• Incentive compensation under the microscope: executive clawback
• Blurred lines between vendors, third parties, clients
• Prudent risk management practices across all risk domains

How do we manage risk and continue to create value?

Page 7

Everyone is looking at Third Party Management

• Compliance Risk
• 4th Party Risk
• Finance (Savings, M&A, JVs, Alliances)
• Information Technology (Information Security / BCP / DR)
• Operations (RCSA, Ops Risk Loss Scenarios, BASEL etc.)
• Compliance (Consumer Protection Laws)
• Living Will / Recovery and Resolution Planning (RRP)
• Clients
• Regulators

Page 8

Third Party Management Program Timeline (2010 to 2017)

Milestones, in slide order:

• On-boarding of vendors via Hiperos to SAP
• Centralization (Sourcing through Settlement)
• Vendor Risk Management: Inherent Risk; Spend / Savings
• Vendor Risk Management program evolution
• Start of alignment (Procurement and Risk)
• Tighter alignment and integration (all stakeholders)
• Vendor Risk Committee moved to Operational Risk
• Full alignment and integration (all control groups)
• Continuous improvement: program fine tuning, integration of Hiperos with eGRC tool
• Category Mgt. Structure

Goal: Utilize one system for effective Third Party Management while integrating with other systems

Page 9

Third Party Risk Management

Risk Considerations:
• Operational
• Compliance
• Reputational
• Financial / Credit
• Business Continuity / Resiliency
• Information Security and Privacy
• Technology
• Subcontractor / 4th Party
• Offshore / Country
• Physical Security
• Concentration

Third Parties:
• Vendors / Suppliers
• Business Partners
• Government Agencies and Utilities
• Non Vendor Payees

Program Elements:
• Policies and Standards
• Program Governance
• 3rd Party Inventory
• Risk Stratification
• Reporting and Dashboards
• Issue Management
• Complaint Management
• Training and Communication
• Ongoing Process Improvement

Page 10

Third Party Management Operating Model (Strawman)

Third Party Management Program, reporting to the Chief Financial Officer and the Chief Risk Officer

• Business Units (Vendor Managers)
• Sourcing, Procurement, Contracts, Vendor Management
• Vendor Control Groups: IT Risk and Information Security; BCP/DR; Financial Risk Assessment; Cloud; Offshore (Country Risks, Geopolitical Risks); Privacy/Compliance

Vendor Control Group: SME or risk expert in evaluating risks and corresponding controls throughout the lifecycle

Page 11

TPM Risk Framework

Inputs: BB&T Risk Framework; Regulatory Guidelines

• Risk Assessment Questionnaire and Responses
• Vendor Usage Planning
• Tailored Due Diligence (initial and ongoing)
• LOB Operational Controls
• Master Agreement / Transactional Agreement
• Tailored Contract Controls / Vendor Contractual Duties
• Vendor Performance Expectations (SLA/KPI)
• Vendor Monitoring Program / Vendor Monitoring Responsibilities
• 3rd party system
• Additional Contract Controls
• Additional Business Unit Controls

Page 12

Approach to Analyzing / Reporting Vendor Risk (Note: Sample Only)

Assessment level: Enterprise Level (Policies and Standards); Business Unit Level; Vendor Relationship Level (based on inherent risk characteristics). Results roll up into aggregated reporting, subject to effective challenge / overrides.

Standard templates to evaluate vendor risk (1st Line Templates and Vendor Control Group Templates):
• Vendor Monitoring Plan
• Vendor Service Organizational Control (SOC) Review
• Vendor IT Risk Assessment
• Vendor Business and Performance Reviews
• Cloud Adequacy Assessment
• Vendor Consumer Compliance Review
• Offshore Control Adequacy
• Vendor Usage Planning
• Vendor Business Continuity
• Vendor Contingency and Termination Planning
• Vendor Compliance Testing
• Vendor Key Indicator (SLA/KPI/KRI) Template
• Vendor Compliance Due Diligence
• Standard Due Diligence Template
• Contract Control Adequacy Template
• Vendor Management Procedures

Standardized assessment results are captured in the 3rd Party System and feed the Vendor Risk Dashboard, BU Compliance Scorecards, and Action Plans / Remediation / Exceptions tracking.

Vendor Risk Reports (e.g.):
1. Corporation's Highest Risk Rated Vendors
2. Board Report: Critical Vendors having Issues
3. High Risk Cloud Vendors

Page 13

Relationship Structure

Business Process / Vendor / Relationship: a Business Unit holds one or many business process vendor relationships. Each relationship sits under a Master or Standalone Agreement with one or many contracts (transactional agreements: SOW, schedules etc.), recorded in the 3rd party system.

Business Unit Vendor Portfolio: co-managed by the BU and TPM to drive value and manage risk and spend

Page 14

Sample Dashboards: Risk Profile; Pipeline; Vendor Residual Risk; Business Unit Performance

Page 15

Vendor Scorecard - Sample

ABC Company. Overall Risk Status: Less Than Satisfactory. MM/YYYY
Supplier Lifecycle: Contracted
Company Description: ABC Company provides software, outsourcing, and IT consulting for the financial services industry. For banks, ABC offers processing, decision and risk management, and retail channel operations, as well as payment services, such as electronic funds transfer, check and ticket processing, and credit card production and activation.

Aggregate Vendor Inherent Risk Rating: High
Financial Solvency: Effective
Insurance Coverage Adequacy: Effective
Material Subcontractor Evaluation: Effective
Previous Year Spend: $58,204,186
YTD Spend: $38,204,186
Active Business Process Relationships: 3
Total Vendor Issues Logged in last 12 months: 8
Open Vendor Issues: 4
Escalated Vendor Issues: 2
Total # of Active Contracts: 15
Total # of Subordinate Suppliers: 5
Escalated Customer Complaints: None Logged
Legal Entities (Subordinate Suppliers): Legal Entity 1; Legal Entity 2; Legal Entity 3; Legal Entity 4
Material Subcontractors (4th Parties): Sub Contractor 1: Effective; Sub Contractor 2: Effective; Sub Contractor 3: Effective

Business Processes or Relationships
Columns: Vendor Risk Score | Vendor Tier | Internal Control Adequacy (SOC) | Contract Control Adequacy | Vendor Compliance Adequacy | Vendor Continuity Adequacy | Offshore Control Adequacy | Vendor Performance Assessment | Information Security Controls | SLA/KPI Key Indicator | Cloud Adequacy Rating | Transition Plan Adequacy | Approved Exceptions | Overall Control Effectiveness Rating | Overall Residual Risk Rating

Credit Card Servicing | 65 | Tier 1 | Unsatisfactory | Effective | Effective | Unsatisfactory | Unsatisfactory | Needs Improvement | N/A | Effective | Moderately Effective | Moderately Effective | 3 | Unsatisfactory | High
Debit Card Servicing | 72 | Tier 1 | Moderately Effective | Effective | Moderately Effective | Needs Improvement | Moderately Effective | Needs Improvement | N/A | Effective | Needs Improvement | Needs Improvement | 1 | Needs Improvement | High
Loan Syndication | 12 | Tier 3 | N/A | Effective | N/A | N/A | N/A | Needs Improvement | N/A | Effective | Moderately Effective | Moderately Effective | 0 | Moderately Effective | Low/Strong

Conclusions: Company's aggregate risk exposure to ABC Company continues to grow. Remediation actions are being taken …. The biggest change to the risk profile over the previous quarter came as a result of Information Security Adequacy worsening from the data breaches over the Sunrise platform for debit cards. Company is taking active measures to improve, manage and mitigate risk ....... Action Plans: 3 main action plans are in place; #1: CIS is evaluating ….

Page 16

Aggregate Risk Reporting - Sample

Columns: Business Process | Vendor | Inherent Risk | Vendor Tier | Internal Control Adequacy (SOC) | Contract Control Adequacy | Compliance Monitoring | BCP/DR Adequacy | Infosec Adequacy | Perf. Rating | Offshore Controls Rating | Overall Rating | Residual Risk Rating

Auto Loan Account Servicing | DealerTrack Holdings, Inc | H | Tier 1 | ME | E | ME | ME | ME | S | N/A | ME | MH
Data Sciences & Sales Analytics | Salesforce.com, Inc | H | Tier 1 | ME | ME | N/A | E | NI | S | N/A | NI | H
Credit Card Processing | Fidelity Information Services | H | Tier 1 | E | E | ME | E | E | S | E | E | M
Client Employee Benefits Consulting & Administration | Mobile Health Consumer | H | Tier 1 | ME | ME | IP | IP | ME | S | N/A | ME | MH

High Risk Cloud Relationships (Vendor has >50K Unique Client Records) [chart]: Vendor XYZ; Vendor ABC; Vendor 123; Vendor 900

Inherent Risk Rating: Tier 1 (High); Tier 2 (Moderate); Tier 3 (Low)
Control Effectiveness Rating: E: Effective; ME: Moderately Effective; NI: Needs Improvement; U: Unsatisfactory
Residual Risk Rating Scale: H: High; MH: Moderate High; M: Moderate; ML: Moderate Low; L: Low
Qualitative Ratings: SS: Strong Satisfactory; S: Satisfactory; LT: Less Than Satisfactory; U: Unsatisfactory
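The roll-up behind a report like the one above, as an added example; this is not code from the deck, from BB&T or from Hiperos. The rating scales are the slide's (Tier 1/2/3 inherent risk, E/ME/NI/U control effectiveness, H/MH/M/ML/L residual risk), and so is the ">50K unique client records" cloud rule. Everything else is an assumption made for illustration: the worst-rated-domain roll-up, the residual-risk matrix (its Tier 1 row agrees with the four sample rows, E to M, ME to MH, NI to H; the other rows are invented), treating "IP" like "N/A", and the sample vendors, which reuse the slide's placeholder names with constructed ratings. Note that the slide's own overall ratings are not a pure worst-of (the Credit Card Processing row is Effective overall with a Moderately Effective domain), which is exactly what the framework's "effective challenge / overrides" step is for; the example carries an explicit, recorded override field for that rather than hiding it in the formula.

```python
"""Residual-risk roll-up for a third-party portfolio (added example, not the
deck's, BB&T's or Hiperos' code). Scales are the slide's; the roll-up rule,
the residual matrix, the IP/N/A handling, the override field and the sample
vendors are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

EFFECTIVENESS = ("E", "ME", "NI", "U")   # slide's control scale, best to worst
UNRATED = {"N/A", "IP"}                   # skipped in the roll-up (assumption)
TIERS = ("Tier 1", "Tier 2", "Tier 3")    # inherent risk: High / Moderate / Low

# Assumed residual-risk matrix: inherent tier x overall control effectiveness.
# The Tier 1 row matches the sample rows on the slide (E->M, ME->MH, NI->H);
# the Tier 2 and Tier 3 rows are illustrative only.
RESIDUAL = {
    "Tier 1": {"E": "M",  "ME": "MH", "NI": "H",  "U": "H"},
    "Tier 2": {"E": "ML", "ME": "M",  "NI": "MH", "U": "H"},
    "Tier 3": {"E": "L",  "ME": "L",  "NI": "ML", "U": "M"},
}


@dataclass
class Relationship:
    business_process: str
    vendor: str
    tier: str
    controls: dict                  # control domain -> rating, e.g. {"SOC": "ME"}
    is_cloud: bool = False
    unique_client_records: int = 0
    open_issues: int = 0
    override: Optional[str] = None  # recorded "effective challenge" override of
                                    # the rolled-up overall rating; None = none


def overall_effectiveness(controls: dict) -> Optional[str]:
    """Roll domain ratings up to one overall rating: the worst rated domain.
    Unrated domains (N/A, IP) are ignored; an unknown code is an input error."""
    rated = [r for r in controls.values() if r not in UNRATED]
    bad = [r for r in rated if r not in EFFECTIVENESS]
    if bad:
        raise ValueError(f"unknown control rating(s): {bad}")
    if not rated:
        return None
    return max(rated, key=EFFECTIVENESS.index)


def residual_risk(rel: Relationship) -> Optional[str]:
    """Inherent tier plus overall control effectiveness -> residual rating."""
    if rel.tier not in TIERS:
        raise ValueError(f"unknown tier: {rel.tier}")
    overall = rel.override or overall_effectiveness(rel.controls)
    if overall is None:
        return None                  # nothing assessed yet: no residual rating
    return RESIDUAL[rel.tier][overall]


def is_high_risk_cloud(rel: Relationship, threshold: int = 50_000) -> bool:
    """Slide's rule: a cloud vendor holding more than 50K unique client records."""
    return rel.is_cloud and rel.unique_client_records > threshold


def standard_reports(portfolio: list) -> dict:
    """The three sample reports named on the 'Approach to Analyzing / Reporting'
    slide, each as a sorted list of vendor names."""
    return {
        "highest_risk": sorted({r.vendor for r in portfolio if residual_risk(r) == "H"}),
        "critical_with_issues": sorted({r.vendor for r in portfolio
                                        if r.tier == "Tier 1" and r.open_issues > 0}),
        "high_risk_cloud": sorted({r.vendor for r in portfolio if is_high_risk_cloud(r)}),
    }


# Constructed sample portfolio (placeholder names from the slide, invented data).
SAMPLE_PORTFOLIO = [
    Relationship("Card processing", "Vendor XYZ", "Tier 1",
                 {"SOC": "E", "Contract": "E", "Compliance": "ME", "BCP/DR": "E",
                  "InfoSec": "E", "Offshore": "E"}),
    Relationship("Sales analytics", "Vendor ABC", "Tier 1",
                 {"SOC": "ME", "Contract": "ME", "Compliance": "N/A", "BCP/DR": "E",
                  "InfoSec": "NI", "Offshore": "N/A"},
                 is_cloud=True, unique_client_records=120_000, open_issues=4),
    Relationship("Benefits administration", "Vendor 123", "Tier 1",
                 {"SOC": "ME", "Contract": "ME", "Compliance": "IP", "BCP/DR": "IP",
                  "InfoSec": "ME", "Offshore": "N/A"},
                 is_cloud=True, unique_client_records=8_000, open_issues=1),
    Relationship("Loan syndication", "Vendor 900", "Tier 3",
                 {"SOC": "N/A", "Contract": "E", "Compliance": "N/A", "BCP/DR": "N/A",
                  "InfoSec": "ME", "Offshore": "N/A"}),
]

if __name__ == "__main__":
    for rel in SAMPLE_PORTFOLIO:
        print(f"{rel.vendor:10} {rel.tier}  overall={overall_effectiveness(rel.controls)}"
              f"  residual={residual_risk(rel)}  high_risk_cloud={is_high_risk_cloud(rel)}")
    print(standard_reports(SAMPLE_PORTFOLIO))
```

Because an override replaces the computed rating only when it is recorded on the relationship, the report keeps the audit trail the "Effective Challenge / Overrides" step requires: anyone reading the row can see both what the controls said and what the control group decided.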

Page 17

Key Takeaways

• Third party management isn't about compliance – it's about good business practices driving good results
• The only constant is change – flexibility is key to success
• This is bigger than just your suppliers or vendors – it's all of the third parties with whom you interact
• Automation enables you to drive consistency, execution and auditability across the entire portfolio
• This isn't about data – it's about transforming data into actionable intelligence
• Real-time information from tools provides continuous oversight through a closed loop process
• Effective third party management is not an "option" – it is a must, driven straight from the Board

Page 18

Thank you

Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T, [email protected]

Sam Mele, Vice President Sales, Hiperos, [email protected]

Page 19

Evaluation How-to

Why? Your feedback drives SIG Event content. By signing and submitting your evaluation, you are automatically entered into a prize drawing.

How?

Option 1: App
1. Select Schedule
2. Select Schedule by Day
3. Select Day
4. Select Session
5. Scroll to Description
6. Click on the Evaluation link

Option 2: Browser
1. Go to www.sig.org/eval
2. Select Session (#11)

COMPLETE & SUBMIT EVAL

Page 20

Tweet: #SIGfall16

Session #11: Blurred Lines: Maximizing Enterprise Value by Integrating Finance, Procurement and Risk Functions in a Financial Services Environment

Speakers:

Rohan Ranadive, SVP and Third Party Program Group Manager, BB&T, [email protected]

Sam Mele, Vice President Sales, Hiperos, [email protected]

www.sig.org/eval

Download the App: bit.ly/SIGfall16
