Third Party Risk Management Solution
Private and confidential
March 2019
Risk Advisory

Post on 14-Mar-2020

Third Party Risk Management Solution ©2019 Deloitte Touche Tohmatsu India LLP

Contents

1. The extended enterprise

2. Third party risks in an extended enterprise network

3. Deloitte’s Third-Party Risk Management (TPRM) solution

4. Deloitte’s third-party risk management - Approach and methodology

5. Deloitte’s engagement delivery models for TPRM programme

The extended enterprise

The extended enterprise is the concept that an organisation does not operate in isolation. Its success is dependent upon a complex network of third-party relationships.

[Figure: The extended enterprise. The organisation sits at the centre, surrounded by the following areas: Joint ventures, Customers, Facilities, Marketing, Customer support, Distribution and Sales, Franchise, Logistics, Sourcing, R & D, Insurance, Technology, Human Resources.]

Third-party relationships named in the figure:

– Licensing; Labs
– Inventory; Shipping
– Tier 1-N suppliers; Brokers/Agents
– Contract manufacturing
– Certification bodies
– Fourth parties
– Infrastructure and application support
– Hosted vendor solutions; Disaster recovery
– Licensed vendor solutions; Hardware lease
– Recruiting; Benefits providers; Payroll processing
– Advertising agency
– Media ad sales
– Warranty processing; Call center
– Office products; Waste disposal; Cleaning
– Sales agents; Distributors; Loyal partners
– Contractors

Third party risks in an extended enterprise network

Loss of reputation – Risk to the reputation of the organisation from the use of third-party relationships, for a myriad of reasons including misuse of intellectual property, poor product quality, non-compliance with human rights and environmental regulations, etc.

Poor performance – Lack of sustained performance from third-party relationships, resulting in costly mistakes, over-allocation of capital to oversee relationships, and defeating the purpose of the outsourcing strategy.

Supply chain disruption – Key third-party business disruptions due to bankruptcy, geopolitical issues, macro risks, etc. can result in supply chain disruption.

Lack of compliance – A third party acts corruptly to gain business advantage for the organisation, resulting in hefty fines, or does not comply with regulations on the environment, conflict minerals, health and safety, labour rights, etc.

Data risk – Loss, misuse, or mishandling of critical data of the organisation or its customers by a third-party relationship can result in financial loss, hefty fines, and a decrease in shareholder value.

Financial impact – Financial loss from under-reporting of revenue from licenses, royalty partners, distributors, franchisees, etc. and over-payment for services from third-party relationships

Product recall – Poor product quality, safety issues, or faulty packaging by third parties can lead to product recalls resulting in recall costs, lawsuits from consumers, increased costs from settlements, and lost revenue from missed sales opportunities

Extended enterprise

• Sell side
• Buy side
• Infrastructure

Deloitte’s Third-Party Risk Management (TPRM) solution

How can we help?

Our delivery model is scalable, adaptable, and built on industry-specific benchmarks to fast-track an organisation’s extended enterprise management function.

With our TPRM solution, executives across the value chain receive the following:

A holistic view of risks and third-parties through the central repository of Deloitte’s automated platform with an executive dashboard and benchmarking against industry standards.

Leading standardised processes applied across all markets and businesses, with a consistent application of third-party risk scoring, sensing, and monitoring.

Optimising risk management efficiency, enhancing revenue recovery, and driving cost reduction in managing the third-party risk management programme at an operational level.

Information for enhanced decision-making through analysis of the latest data from the ongoing assessments to arrive at a more informed decision from a governance perspective.

Access to subject-matter expertise through trained Deloitte professionals with risk domain experience.

Ongoing monitoring and zero instances of non-compliance with regulations by leveraging Deloitte’s proprietary industry-specific risk intelligence maps.

[Figure: Deloitte’s TPRM solution, surrounded by the following outcomes.]

• Holistic view of third-parties and risks
• Compliance to regulations
• Optimise risk management efficiency
• Obtain risk maturity
• Drive cost reduction
• Ongoing monitoring
• Enhance revenue recovery
• Enhanced decision making

TPRM automation platform

In today’s digital world, TPRM capabilities also need to be technology-driven to automate processes and report generation, analyse the data that TPRM activities generate, and track overall improvements.

The TPRM automation platform increases efficiency along with productivity, reduces overall cost of the TPRM programme, and enables efficient monitoring of ongoing activities, including third-party risks and compliance through a centralised platform. This provides a consistent client user experience and reduces human errors.

Additionally, the use of technology increases data integrity and provides seamless and reliable reporting.

These benefits outweigh the cost of acquiring technology solutions to automate the TPRM process.

• Perform third-party due diligence
• Build third-party risk questionnaires
• Report on your third-party profile
• Chart trends and insights with smart analytics
• Assess third-party viability and impact on risk
• Track third-party performance
• Store and retrieve evidence for each assessment
• Customise reports and dashboards as per stakeholder requirement
• Manage assessment findings
• Drag-and-drop user interface
• Conduct trigger-based approval and review actions
• Scale and integrate with flexible workflows

Deloitte’s third-party risk management - Approach and methodology

[Figure: Approach and methodology diagram. The labels recoverable from the figure are listed below.]

– Policy, procedures, standards and guidelines
– Manage, monitor and remediate
– Review coverage
– Data sources (Company internal systems like ERP, CRM, billing system)
– New/Existing third-parties
– Third-party selection; Third-party evaluation; Contract and on-board; Third-party profile; Termination
– Parameters/Third-party information: Spend; Services; Others
– Self Assessment; Onsite; Remote; Continuous Monitoring; Hybrid
– Financial health/solvency; Contract risk and compliance review; Information security and cyber security; Privacy review; Health and safety; SLA/Performance review; Integrity and regulatory review; Quality review; Employment practices
– Risk engine: Confidentiality; Availability; Integrity; Service categorisation; Inherent risk profile; Review method; Review type; Frequency; Reporting
– CISO Team; Supply chain; Chief Risk Office; Business controller
– Views; Data repository; Workflow; Analytics and reporting
– Review of both business and information security controls; Review of business controls; Review of information security controls
– Third-party coverage model; Review method; Review type; Third-party prioritisation
– Reporting; Automation; Key Performance Indicators (KPI)

Deloitte’s engagement delivery models for TPRM program

Various engagement delivery models

Project based / Assessment specific

Description:
• Client engages Deloitte to assess their third parties on a fixed cost or T&M basis

Trend:
• Works when there is a tactical requirement to address specific assessments
• Clients are moving to other models since third-party risk management has become more strategic

Managed service

Description:
• The client receives service delivery as per the defined SLA
• Trained staff, framework, and tools are provided by Deloitte

Trend:
• Clients use this model to deliver TPRM effectively and efficiently as per the assessment costing model

Staff augmentation / Co-sourcing

Description:
• Deloitte delivers TPRM through its trained staff
• Client may provide the tools, framework, and methodology
• Client and Deloitte teams work as one

Trend:
• Increasing trend when clients have their centralised captive centres operating out of India and other low-cost geographies

Build-Operate-Transfer

Description:
• In a Build-Operate-Transfer (BOT) model, the TPRM offshore delivery centre is usually developed based on specific requirements of a client

Trend:
• Often selected by clients who do not have skill sets, scale, or capability within a function or geography

[Figure: One diagram per delivery model, each relating the Client to Deloitte. The labels recoverable from the diagrams are listed below.]

– Client
– Deloitte; Deloitte VIC
– Deloitte staff and assets
– Service Delivery
– Organisation assets such as tools, assessment framework etc.
– Organisation staff and assets
– Captive centre
– Receives service delivery
– Provides staff
– Service provider staff and assets
– TPRM delivery capabilities
– Joint team
– Functions are shared
– Deloitte provides staff and assets
– Service provider staff, tools, framework, and take entire ownership of deliverables and quality
– Service delivery based on fixed cost or time and material basis
– Managed service delivery
– Service delivery supervised by client
– Ownership transfer
– Service delivery to organisation
– Deloitte develops new delivery capabilities on TPRM

Key contacts

Rohit Mahajan President Risk Advisory [email protected]

Gautam [email protected]

Munjal [email protected]

Vishal [email protected]

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

©2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited