How to Translate Policy and Process into Action and Build a RASCI Program

      Hello everyone, and welcome to today's webinar hosted by me, Bethany Sirven of MyComplianceOffice, and Third Party Risk Expert and President of ONTALA, Linda Tuck Chapman. 

      So this is translating policy and processes into action. How would this actually work? So typically you have sort of sitting in the background some policy tools, processes, at the enterprise level. And so that might be ... You know, if you have an enterprise risk management function you've got some policies around risk. If you don't, you may not actually have too many of these, but you're bound to have control somewhere. So if it's not in risk, my guess is it's probably going to be in finance or possibly in legal. So those are the three areas that seem to have the strongest influence on risk management in any company if it's one of those three areas.

      Compliance, basically you may ask why not compliance? And I think that's because compliance is really seen as keeping an eye outside and inside the organization on what you need to do to comply and also whether you are complying. So they rarely take control of risk management procedures and policies. They're much more. They're usually in an advisory capacity because it is hard staying on top of all those rules and a lot of regulations. Bethany and I were talking about that just before we started this. It's just hard to stay on top of everything that's happening. 

      So then you're going to actually start turning things into ... You're going to actually build policies and tools and processes for your Third Party Risk Management program or your Vendor Risk Management program or Supplier Risk Management, whatever you want to call it. And the difference between those, basically, a lot of companies are really truly focused on the vendors or suppliers and others are focused on all types of relationships that they have with all kinds of companies that they do business with as long as we're not sort of pulling in it's because they're a customer of your company. 

      So you know, figure out your scope. Figure out what your policies are. Our experience is now that you only need one policy, whether it's vendors or whether it's all third party for sort of the life cycle management. It's the execution that might be different. Then you're going to develop some management procedures, and the management procedures are often kind of at the business unit level. So your information security folks are going to have some opinions on what they need to look at and how they're going to assess, and you're going to perhaps require some specific management relationships in the business because that's actually the longest point in time for a relationship to exist. It's not the sourcing and the assessing, et cetera. You got to contract. Sometimes these run for years and years and years, and so you're going to basically harvest the best practices for management in your company and turn those into business level procedures so that you can actually share and sprinkle those best practices across the company. 

      So then it usually gets right down to the relationship level. There's kind of supplier level or third party level, and then there's the relationship level. Most companies actually do monitor at the relationship or engagement level because you could have a contract or a master services agreement with a big company. I mean, IBM is always such a good example where they offer hardware services through a third party re-seller, et cetera. You have many, many different types of relationships with these large, complex corporations, so you usually don't want to manage at that level because there's too much complexity and differences across the business units and different people. So you would usually look at a few things at that level, but most of the management and monitoring is done at the actual engagement or relationship level. 

      So there's kind of first line of defense type things that they want to look at, which is do they have any independent audit reports that the first line or an expert can help them look at? Most commonly those would be SOC 2 Type II, which is an audit of the control environment around things like information security, physical security, et cetera. Or there's the SSAE 16, people think that that's the same thing. It's not, it's different. That's actually for financial transaction processing, what controls do they have in place and what does the audit opinion of that look like? And so these are things that are going to equip the first line to understand how does this company manage?

      They also are going to implement business and performance reviews, and so those are going to be on a frequency according to how important the relationship is. If you're building a program, it's kind of helpful to create some templates and to at least suggest how often they need to determine whether or not they're performing. One of the things I like to do is put a score card in place that's completed by the business and/or the supplier, and then have that relationship manager attest that they've been following the policies and procedures of your organization and that the information that they've gotten from the third party provider looks right. And then you've got a pretty solid scorecard or some sort of interim assessment of performance. You're going to have to have good service level agreements in order to be able to know that though, and that's usually a weakness in companies that are new at this. 

      You want to look at consumer compliance, consumer complaints, et cetera, and determine whether or not they're complying with your requirements and whether or not your customers are happy. So you would put something in your contract and have a process in place to understand if there's customer complaints that are coming in. Are you hearing about them? How are they staying current with compliance responsibilities that they have? Usage planning, things change. Right? So I was actually talking to somebody the other day and I won't give you his name, but I'll quote him. He said, "The plan never survives first contact," which I thought was really pretty priceless. No matter what plan you have in place, it's going to change. 

      Contingency and termination planning, if you're not familiar with the FFIEC guidelines, just look up on the internet Appendix J. There's really great outlines for business resilience, planning and testing in there. And so disaster recovery and contingency planning are kind of ... They're not exactly the same thing. The contingency planning is what if there's a total failure, what are you going to do? And then of course you have your key indicators, your service level agreements, key performance indicators and key risk indicators. And then what kind of due diligence? So in the long run, these are all the responsibility of the first line of defense. To understand them, you may help them get there, but that's really how they understand if the third party is the right one for them to do business with. 

      And so if you're in the second line you should create some processes and templates for this to help them do it, and these are just sort of a list of them. Cloud is growing leaps and bounds. I would just point out that some of the big cloud providers probably have tighter controls than most companies, so don't be afraid of cloud but make sure you get the right provider in place. If there is an offshore component of this, and especially if you regulate it, you're going to have to put some extra controls in place, and you should probably understand some of the potential disasters of the zone that they're in. I mean, think back to when Japan had the tsunami and the tech companies couldn't get parts to build PCs and phones, et cetera. 

      So all these things, basically they can ... The second line of defense can help put these things in place so that the first line of defense can understand what the findings are from due diligence. They can get really good advice in terms of what controls to put in place and how best to monitor these relationships and how the second line of defense can help them do that. So then that usually ends up being kind of a risk dashboard. If you have a good technology this is easy. If there's a risk dashboard telling you what activities are happening you can sort of customize your dashboards on these technologies to see what's happening with the portfolio of relationships you care the most about and you can start getting reports out of your system. 

      And if you're very thoughtful about the data governance requirements when you're building your system, as long as there's a field in a system for something, anything that you could possibly ever want to know, even if it's a custom report, you can pull a report on anything. So think long and hard if you're building or enhancing or strengthening. Think about anything that anybody could possibly ask you and just get a feel in there for it, and then you'll make your life a lot easier later. I can't tell you how many people just struggle so much to pull information out when there's a problem or somebody senior wants to know something. You pull the scorecards together and you get all the information that sort of stacks up to show up in those dashboards. 

      I think the concepts of the independent challenge and exception management is really important, because if you think about risk and governance oversights, I want to know why have these challenges existed. Because maybe your controls are too tight, too loose or something, and maybe the business is right. It may be that certain businesses are really willing to take on much more risk than any other parts of the organization. You need to figure out if that's okay, because maybe it is. But you don't really know that unless you actually have had challenges, and you can look at your exceptions that have been granted and understand how to continuously adjust your program. 

      Because at least twice a year you should go in and figure out what's working well and what have we learned, and how should we make this better. This is all about the business. It's all about your company's reputation. It's about your customers. It's about your bottom line and it's protecting all of those things. And so if you do your job well in building these programs, you'll do a great job in helping the business run the business better. Okay, so let's move on. 

      What I want to point out is I've always worked with RACI, which stands for Responsible, Accountable, Consult or Inform. And if you're building a program it's really important that you have every single activity with a single party in the responsible or accountable line. The responsible, basically who's going to do the work to get there because somebody has to be responsible and try not to make too many things joint because then things will fall into the cracks.

      The S is fairly new to me, and that's actually Support. And so you can either have a RACI or a RASCI with an S in the middle when you're building your grid for who does what throughout the life cycle of the program. But don't forget to take into account all of these individuals and what is their ... Where did they fit into the RACI? Actually, you need to make sure you have not left any of these groups out. So we talked about the roles and responsibility of each of these, and don't forget your risk committee as a board because the board themselves will want to know things but it's filtered through your risk committee. Your risk committee, or your third party risk management oversight committee need to know more than your senior management and your board, because my experience is the more senior you are the less they actually want sort of finite details. But if they want them, they want them now. So you have to always be very, very well prepared with all kinds of data in your back pocket, but don't try and present it all to them because that's not what they want. What they really want to know is what's important, and it's up to you to figure out the best way to communicate those.

      Okay. So I'm going to move on from here and I have a polling question, which I'm really interested in this question. What's happening with your program and what's most problematic? I think many people on the call who are listening in have a program, but we're trying to figure out sort of where do we go from here? When Bethany and I talk and I go out and look for more input for webinars that people might want to attend, we'll try and help you deal with these. So in my opinion the resource level is probably going to show up as a big problem because there's so much activity management right now. Not everything is automated. Systems aren't necessarily working as well as you'd like. The education isn't there. The third parties are getting due diligence and you can't always get what you want from them in a timely manner. So there is so much wasted time in activity management. 

      So isn't this interesting? This is a little bit different than I thought. The first line of defense, it'd be interesting to think about why are they not adopting the first line. So I think that there is probably two or three things you want to consider. The first one is think about the change management activities that you have gone through. Have you actually taken the time to communicate and train and then provide some follow up or support to the first line? Second thing you should think about is how am I adding value to their business, because one of the complaints is that you're lengthening the cycle time to get anything done. We've never had problems before. Why do we have to do this, et cetera. I think you need to get by that as quickly as possible and looking for the rewards and what's in it for them is probably the best place to start. 

      And so at the engagement level, they may not understand sort of what this is all about, so I'd encourage you to think about why this is and then to move on. The under-resourced in the first line of defense, it's interesting. For my book I interviewed the CEO of Fifth Third, and I'm sure he wouldn't mind me saying this because it's in the book. They actually have heavily invested in risk management resources in their first line of defense, recognizing that they would prefer the second line of defense as a governance function and the first line owns the risk. So they've hired a lot of new people in the last year and a half and moved to assist with risk management, and the vast majority have gone into the first line. 

      So it's kind of an interesting question, which is where are you in the journey and is it time to take a pause and look at who's doing what and is that appropriate. And if in fact your first line of defense has all kinds of new work and no new resources, you know, can you quantify it and help people understand what's being driven in? But I would go to the next step, which is the second line of defense. If you're in the second line it is your job to find ways to automate and simplify the processes. So the RMA is just about to publish a survey that they've done, and one of the things that really caught my attention is that the size of the in scope managed third party relationships and programs is shrinking. 

      And that tells me A, we've been able to sort out things that don't matter so much and B, there's probably a lot of consolidation happening because it costs money to do all this work and to manage them. And C is sort of back to you, which is look for ways to automate and to simplify what you're doing, and get rid of the things that are not actually all that useful. Because if you don't do those things and bring in data feeds and use technology, et cetera, you can hardly expect the top of the house to keep building your army. Then complexity, I have to laugh when I see that. Man, I see this all the time. I actually go into work with companies to try and help them simplify. 

      Anyhow, so we're starting to run out of time, so I'm going to move on to a concept. I learned this actually way back when, when I was there heading up a learning organization. My boss there he introduced me to this concept of Johari's Window. Johari basically, this is sort of my adaptation of this, but if you think about what you're trying to accomplish and you think about a third party relationship, think about this window. Whether it's you or working with your business, you actually do know what you know. So you very often also know what you don't know and so that's kind of the easy part. Right? You could deal with this. 

      So if you're working in the second line with a first line or in the first line with the second line, this is actually very challenging. You actually don't know what you know because it's so familiar to you. So Bethany cautioned me that Third Party Risk Management is new to a lot of people. Make sure that we explain things in pretty straightforward terms. And so it would be easy for me to fall victim to I don't even know what I know and I could get off on some lingo and everybody's saying, "Hey, whatever. I've checked out. I don't understand it." So that's really important that you deal with that. 

      And the last pane in the window is you don't know what you don't know, and that's the one that always worries me the most. So if you can find a way to really settle down on these other three windows, you can spend your brain time on figuring out how do you learn about what you don't even know about and what are you going to do about it when you do. Because as soon as it's actually visible to you or transparent or top of mind, you can then figure out what to do with it. So I encourage you. I love this model. I've been using this for like, 20 years. It's fantastic. 

      This webinar was co-hosted with Linda Tuck Chapman of Ontala Performance Solutions.