Management & Governance of a Third Party Risk Management Program





Full transcript available below:


Hello everyone, and welcome to today's webinar hosted by me, Bethany Sirven of MyComplianceOffice, and Third Party Risk Expert and President of ONTALA, Linda Tuck Chapman. 

So I'm going to go on, and I'm just going to describe this. This is sort of my view of the world around if you're building a program, or if you're trying to explain what you're doing to someone else in your organization or to your third party. You have to build a strong operating framework, and so everybody has a role in this, but it always starts with the business. The business has a strategy. The business has a need. They're going to go to market and find a new service provider or a third party relationship, or they're going to renew an agreement they have, they want to change the one they have, or in fact they may want to end one of the ones that they have. If you can create a visual for your organization around what you're trying to accomplish, and if you're in the early days basically, you're going to sort of take a step by step view. Right? What's the business need? How do I know that this is a critical relationship or a critical activity for my company? What's the filter I put on that? And the next thing you want to consider is, well, what risks do we really need to deal with? 

So if you're in any company of any kind I know that you're going to be dealing with these four risks. You're going to be looking at information security risks, so whether or not you have customer data, you still have data or information you want to protect. You're going to consider business resilience, which is your business continuity. You're going to look at the financial stability of the company that you're doing business with, and you're going to assess their overall control environment, including how they manage their own third parties, because that can affect your company.

So what you really want to do in your governance framework is figure out who's going to do this in your lines of defense. You need to actually be able to identify risks. You need to be able to assess them. You need to put controls in place, and controls is just a fancy way of saying, "What are my contract terms and conditions? What am I going to require my own business unit to do to make sure that the risk level does not increase, or, if it's unacceptable in some areas, that we can at least monitor it so that it doesn't affect us?" Then you're going to go into ... You put a contract in place, and it is a very good practice to get the business to review the deal that they have in front of them.

My experience is that senior executives in business units have very rarely seen this information in the past. So what risks do they actually face? What does this third party bring to them, and what kind of arrangement have they put in place? What kind of contractual terms do you have? Are they good, bad or indifferent? Have them acknowledge that they're accepting it. And then you go into the monitoring phase, which is really providing governance and oversight, and occasionally you're going to go back and test that due diligence to make sure nothing changed. And then some day it's all going to come around again. 

So that's an operating framework, and if you do it well you can divide up the work around the different players in a very logical way, so that they only need to be involved in what they actually have an opinion on and can contribute to. And it also allows you to segment your most critical relationships from all others. So as a kind of rule of thumb, you're going to find that probably about 10, no more than 15% of all third party relationships you have need to be actively managed. So doing a good job on this with your initial filters will sort out the wheat from the chaff. And if you put too much in your program, or too many types of relationships, and say that they're all scary, it just creates a lot of noise, and people will stop paying attention. 

So that leads to the next discussion, which is really, well, how are you going to provide governance? So when we move on to the three lines of defense and we start talking about how this works, I just want to understand what it is that people are doing. So there is some governance and oversight by your board, your senior management, and if you're in a large organization with an Enterprise Risk Group, your Enterprise Risk Management Group is going to have a framework that they want you to operate inside. 

You have all kinds of policies and standards and procedures that you're going to have to build and document, and it's not necessarily that people are going around the policy, but you need to be very clear in your own mind how it's all supposed to work, and you need to test whether or not people are actually following the processes and the policies. You've got the monitoring, and there is monitoring both from the relationship, but also from a governance perspective. You need to make sure that you understand the risk profile of the portfolio of relationships that supports your critical activities, or delivers critical services. And if you do a good job of putting this data cube together, that's why I like the Rubik's cube view of the world, you'll also be able to slice and dice it by risk types. And you can equip your folks in the second line of defense, in your risk oversight groups, with enough information that they can understand risk trends and decide if their controls are effective or not. 

You know, you need a technology. If you're trying to do this without a technology, don't try it for long, because you'll get buried in it. I know of people who are managing 100-tab spreadsheets, trying to keep track of all the activity. That's pretty fruitless, actually. So you want a book of record, and you want to be able to pull reporting from it and to workflow your activities and add notifications. Manage issues and incidents, which occur in the business, but you need to understand what's happening, because maybe you can change the controls or your selection criteria. And then I would highly recommend that you have an oversight committee or a governance committee of some sort that you can escalate issues and problems to, and they can help you navigate the existing relationships and approve the program. 

And that's all going to be sitting on key risk indicators, key performance indicators, and understanding how much risk your company is able to take on, and how does that all line up? I really like the idea of effective or independent challenge, and the challenge is a right and a responsibility of the people who are in this program to challenge individuals or groups or functions that are willing to take on more risk than your company is willing to accept. You have quality control, which happens in the business. They are actually responsible, and quality assurance is the governance and oversight. And of course, then you want to move into reporting and analysis.

So that's all the activity that's happening, and then what we want to do is talk about, well, how would this look in a three lines of defense model, which is really sort of how it all ties together. 



This webinar was co-hosted with Linda Tuck Chapman of Ontala Performance Solutions.
