WHITE PAPER Third-Party Risk Management Lifecycle Guide




Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program.

Third parties are extensions of an organization, and their actions can have a direct impact on compliance efforts and brand reputation. This requires companies to survey, assess, and follow up with dozens, hundreds or even thousands of third parties, and to take action against those not in compliance.

The Third-Party Risk Management Lifecycle is a model that guides organizations through the third-party review process. Its components are based on procedural best practices to identify, mitigate and manage compliance risks. This model can be used to evaluate a prospective supplier, vendor or global partner prior to signing contracts. You can also employ this model to assess a vendor's performance.

Lifecycle Components

Planning

Creating an evaluation plan prior to signing contracts will help mitigate risks before the relationship is established. Do not rely solely on experience or prior knowledge before committing to a contract. Make the following considerations during the planning and evaluation process:

LockPath, Inc. 11880 College Boulevard #200, Overland Park, KS 66210 (913) 601-4800 info@lockpath.com LockPath.com Page 2 of 6

What are the strategic business purposes of hiring this third party?
How will this relationship affect your employees?
How will this relationship affect your customers?
Do you have a third-party evaluation program in place?
How will you evaluate this third party? What benchmarks will you use?
Do you have a workflow to remediate risks or incidents discovered during assessments and audits?
Do you have a system to report assessment and audit findings so you can prove compliance?
Does this third party pose a risk to your operations, compliance, reputation, strategy or products?

Due Diligence

Conduct thorough due diligence on your third parties to ensure they are capable of performing their duties in accordance with federal and international laws and regulations. Be mindful of the following considerations while forming your due diligence program:

General Considerations

Will the third party be using subcontractors to perform its contractual duties?
How does the third party evaluate its subcontractors?
Do these subcontractors have the necessary skills and licenses to meet quality and compliance standards?
Do these subcontractors adhere to regulations such as the Foreign Corrupt Practices Act (FCPA)?
Is the third party financially sound? Will it be in business in six months, a year, or five years?
How will hiring this third party affect your business continuity plan?
Does the third party have a business continuity plan in place that covers your business?

For Suppliers

How dependable is this supplier's product?
How are its products procured? Where are its products manufactured?
Are its products produced and delivered in a timely manner so your processes are not delayed?
What quality assurance procedures do its products go through to ensure top performance?
How will you handle customer complaints about the supplier's product?
Do the supplier's business ethics match your organization's business ethics?
Where is the supplier sourcing its materials? Are the materials from endangered sources, illegal sources or conflict areas?
Is the supplier following local and federal labor laws? What are the working conditions on the supplier's end?
Does the supplier follow sustainable practices?
Does the supplier comply with ethical regulations such as the FCPA?
Does the supplier's legal and compliance program hold the licenses necessary to operate and remain compliant with both domestic and international regulations?

For Vendors

How dependable is the vendor's service?
Will the vendor meet its deadlines? Will the vendor meet your deadlines?
What are the vendor's escalation and remediation processes if it is underperforming?
What quality assurance procedures does the vendor perform on its services to ensure satisfactory performance?

What quality assurance procedures will you perform on the vendor's services to ensure satisfactory performance?
What kind of access will this vendor have to your organization? What systems will the vendor need to access?
Will the vendor have access to any sensitive or confidential information?
Is the vendor following security standards, such as ISO/IEC or PCI?
If the vendor requires data access, what type of permissions will it need?
If the vendor requires building access, will it be accessing restricted areas?
Will the vendor go through an onboarding process? What parts of your business will the vendor touch?
Is training on your policies and procedures part of the vendor onboarding process? What additional training will the vendor need?
Will the vendor require extra security measures, either physical or virtual?
Does the vendor have the necessary licenses and insurance policies to work with your organization?

For Partners

Will this partner be representing your brand? How will the partner communicate your brand and/or products?
How will the brand guidelines and assets be delivered to the partner?
What approval processes for branded materials are needed to ensure brand compliance?
Will the partner need to implement your policies and procedures in its organization?
What processes do you have in place for communicating your policies and procedures?
How will you ensure the partner is adhering to your policies and procedures?
How will you oversee remediation if the partner is not following your policies and procedures?
Does the partner have international locations and operations?
Does the partner have the necessary licenses and insurance policies to work with your organization?
What international compliance safeguards does the partner have in place?
What remediation processes do you have in place for noncompliance?

Assess and Monitor

Once a third party is selected and contracted, it is important to ensure it is meeting or exceeding your expectations. Ongoing monitoring of a third party's products and performance, combined with periodic assessments, is an effective way to ensure quality work while remaining compliant.

Assessments

Will your contract include the right to issue and administer periodic performance assessments?
How often will you assess the third party?
What is the established timeframe for assessment response, and what are the repercussions if the third party does not answer within this timeframe?
Is there a workflow established to remediate risks identified in assessments?
What compliance provisions will you assess against?
Will you use internal or external resources to assess the third party? What, if any, external resources will you use?
If the third party is using subcontractors, what is your process for assessing those subcontractors?
If the third party is using subcontractors, what is your process for enforcing identified risk remediation?
Will your periodic assessments include a review of the third party's information security program, disaster recovery program and business continuity plans?

Monitoring

Who from your organization is responsible for monitoring the third party's activities and performance?
Will you conduct on-site third-party evaluation visits?
How will you monitor the third party's activities to ensure compliance with local and federal regulations?
How will you monitor the third party's activities to ensure compliance with your policies and practices?
How often will you test the third party's policies against your controls?

Remediate

Issue and incident remediation is a key part of sustaining the risk management lifecycle. Without remediation, processes quickly break down, creating inefficiencies and increasing risk and noncompliance. Having a plan in place before issues and incidents arise will help speed the remediation process, keeping you and your third parties compliant.

Whom do you hold responsible for noncompliance and incidents?
Whom does the third party hold responsible for noncompliance and incidents?
What is your escalation process if a quality assurance issue arises or an incident occurs?
What is the third party's escalation process if a quality assurance issue arises or an incident occurs?
Do you have a remediation process in place if the third party fails to comply with any rules or regulations?
Is there an established workflow identifying the internal/external resources and tasks needed for remediation?
How is your remediation process documented?
How often will you review remediations to ensure they have been completed and adopted into processes?

LockPath's Vendor Risk Management Solution

Assessing and monitoring vendors and third parties is an arduous task if conducted manually. An automated system, on the other hand, can help organizations identify, classify and monitor third parties and recommend risk mitigation to support business operations and regulatory requirements. LockPath's Keylight platform can simplify the steps of the Third-Party Risk Management Lifecycle by offering the following functionality:

Manage Vendor Relationships
Keylight helps users efficiently assess risk, communicate policies, and manage contracts, vendor profiles, and vendor performance.

Survey Third Parties
Users can create surveys from questions provided by content providers such as Shared Assessments, or they can customize their own. Users can survey third parties by subset and/or at different frequencies, and can bulk-distribute surveys to multiple vendors in minutes.

Automate Reviews and Support Audits
With Keylight, users can create third-party policies and tie assessments to those policies. The platform also helps users store and document supplier due diligence and remediation activities, classify and categorize suppliers, and see a history of VRM status.

Control Assessment and Monitoring
Keylight provides the ability to assess the effectiveness of controls and to perform ongoing monitoring at the individual service delivery or contract level. Each contract can have mapped controls specific to the terms and conditions of that contract. Based on the risk level of the vendor, control-based assessments can be automated and completed at a regular interval. Analytics and reporting on assessment progress and results can be monitored in real time.

Risk Assessments and Analytics
Effective vendor risk management requires qualitative and quantitative analytical tools to assess and prioritize risk, and to discover relationships and patterns. Keylight can issue vendor assessments and provide graphical analytics based on the results. It can also assign a risk level to each vendor and generate a report on overall risk potential.

Remediation Management
Keylight allows users to develop action plans that address control failures and other deficiencies, and to track those plans to completion. Its standard remediation functionality creates and tracks remediation plans against each vendor, along with due dates for completing those plans.

Exception Management
Keylight makes it easy to document exceptions to control requirements and to review periodically whether an exception is still required. This is done through Keylight's Risk Manager, where risk exceptions can be logged, tracked and approved or denied.

For more information on the Keylight platform, or to schedule a demo, contact finserv@lockpath.com or call 913.601.4800.

About LockPath

LockPath is a market leader in corporate governance, risk management, regulatory compliance (GRC) and information security (InfoSec) software. The company's flexible, scalable and fully integrated suite of applications is used by organizations to automate business processes, reduce enterprise risk and demonstrate regulatory compliance to achieve audit-ready status. LockPath serves a client base of global organizations ranging from small and midsize companies to Fortune 10 enterprises in more than 15 industries. The company is headquartered in Overland Park, Kansas.