Introduction to Third Party Vendor Risk Management
Full video transcript available below:
Welcome everyone and thank you for joining this, our first webinar of 2017. Today we're going to take you through a close look at the development of third party risk management practices, and take you through the results of a research study we recently conducted with the Center for Financial Professionals, or CefPro for short. Please note that the slides from today and a video recording of the session will be made available on the MCO website. All registrants will receive an email from us in the coming days with a link to download these resources.
If you have any questions, please use the chat option on the side panel of the GoToWebinar screen. We'll try to answer all of these at the end of the presentation when we'll hold a Q&A session. During the webinar, we'll have several polling questions. I would ask you to participate and cast your vote on each question, please, as it makes for a far more engaging session. I'll now pass you over to Shane.
Thank you, Joe. Welcome, everyone. In researching the vendor risk management space, we've talked to many different companies in different sectors. We've conducted telephone interviews and face to face discussions. We've done secondary research to look at other published information, attended various conferences as we all do, and of course we've commissioned this particular primary research report, which was conducted by the Center for Financial Professionals, or CefPro. I'll run through a brief introduction, and then we'll go through the research in detail and then close out then with a Q&A session.
The inclusion as well as the development of third party relationships is an essential part of business. It's growing in the global economy as that expands. Now, we are seeing some anti-global sentiment reflected in part I suppose with the election of Donald Trump and the hard Brexit approach from the UK and their departure from the EU. However, on the other side of that pendulum, it probably was noteworthy to see that the Chinese Premier yesterday embraced globalism in his speech up at Davos talks, and that's the first time a Chinese Premier has ever attended these talks, so there's swings and roundabouts in this issue.
The management, therefore, of third parties, and the inherent risks that these third parties can represent, remains a really important issue and one that must be managed. So good third party management is an enabler to good business and better performance, while poor practices really do expose an organization to financial and reputational damage. Now, I'm just going to start off by way of background, and before getting into our own results, it's always noteworthy to just look at a Deloitte study and set the scene from 2016.
Interestingly, almost 9 out of 10 organizations that they polled, and there were 170 organizations from various different industries, you can see the source there on the bottom right, report that they faced a disruptive incident with third parties in the last two to three years, and 11% of them reported that it was a complete failure. So being let down by a third party obviously can range from inconvenience to catastrophe, literally, and I suppose that the possibility, or it would appear, the probability of being let down that makes us all nervous and keeps us awake at night.
It is reputation that's on the line, and as one relies more and more on the value chain in the organization as we do some more globalization, and the need for control and management becomes more important. So this would appear to explain the drive to in-source, as you see here, 58.4% in-sourced third party governance and risk management. That's their acronym there, TPGRM, Third Party and Governance Risk Management. So speaking of reputations, we'll just take a brief look at some of the enforcement actions that have been taking place.
Now, this webinar is not about the fines, but let's be honest, the fines are representative, or they're the evidence of this continuing [inaudible 00:04:04] organization space, when they fail to implement and operate risk mitigation programs to protect and promote the company, its finances and its reputation. I'm not going to read through them all but I think ... You know, if you're just looking at the top three represent $73 million in fines in the first two weeks of 2017, and the bottom four are all from December of 2016, or sorry, the bottom three.
The interesting case here is probably Mondelez International, which I think was the first enforcement action settlement of the year. It's an interesting one. As we understand, and we might be corrected on this, the exposure to risk for Mondelez didn't come about by any poor practice on their part in the first instance. We understand that they did not recruit the agent or pay them money that was at the center of this issue. It would appear that the risk arose out of their acquisition of Cadbury some years before, and it appears that in this instance, they acquired that exposure to risk through that acquisition of another business and the activities that other business appeared to have conducted at this time.
So it's interesting when we look at third party risk management. It's not just about the here and now. We often have to look backwards as well, retrospectively, and make sure the conduct of people in the business and third parties that are appropriate. We can't let today go by without obviously just briefly referencing the Deutsche Bank settlement. It's not directly related to third parties but it is related to conduct of business and the implications of that. This settlement has now been agreed at $7.2 billion, and I think brings in total, the banking centers pay $24 billion in fines related to the financial crisis.
I suppose, look, the impact of that is that their United States listed shares fell 3.2%. This really is what happens with [inaudible 00:06:07], not to mention the reality of the reputational damage. One other one, and then we'll move on, very brief but very relevant to the announcement this week of the long-running investigation into Rolls-Royce. It concluded, and they've accepted a fine of 671 million sterling, which will be payable to three different countries. You have the UK, which is the primary country here, the U.S., and Brazil.
I think it, again, highlights like the impact on finances and reputation clearly, but in this case, something very different as well has emerged. The SFO, which is the Serious Fraud Office in the UK led by a guy called Green, has been flexing its muscles and has been implementing tried and trusted procedures, that we've seen used in the U.S., into the UK legislations that appeared in 2014. Primarily, primary among this was the use of what's called a DPA, or a Deferred Prosecution Agreement, so the way that they were able to conduct this investigation was to get cooperation from Rolls-Royce and its management into practices that go all the way back to 1989, we believe, through the [DFA 00:07:24]. They're now going to look for extended powers. We'll all be sitting back to see how that goes.