Forensic Services Third Party Risks
Landscape of third party risk

Focus on third parties that:
- perform functions on behalf of the company
- provide products and services that the company does not originate
- franchise the company's attributes (brand)

Risks to be managed when using third parties:
- strategic
- credit
- other (liquidity, price, FX, country)
- reputational
- supply chain
- compliance
- transactional
- technology
- privacy
- operational

Due Diligence:
- experience
- audited financial statements
- reputation, complaints, litigation
- qualifications
- internal controls
- adequacy of MIS
- BCP/DR
- cost of development, implementation and support
- use of third parties
- supply chain transparency
- insurance

Risk Assessment:
- integration with strategic objectives
- expertise to oversee and manage activity
- cost/benefit
- customer expectations

Contract:
- scope of arrangement
- performance measures
- responsibility for management information reports
- right to audit
- cost and compensation
- ownership and license
- confidentiality and security
- business resumption
- indemnification
- insurance
- dispute resolution
- limits on liability
- default and termination
- customer complaints

Expected documentation:
- list of suppliers
- valid, current and complete contracts
- business plans identifying management's planning process, decisions and due diligence
- evidence the firm evaluated the supplier's controls and monitors the supplier's performance
- regular reports to the board, or a delegated committee, of the results of ongoing oversight activity

Ongoing Oversight:
- financial conditions
- financial statements
- supplier's obligations to sub-suppliers
- insurance coverage
- monitor controls
- audit reports
- supplier policies
- on-site visits
- compliance risks
- BC/DR plans and test results
- quality of service and support
- SLA reporting
- problem management
- alignment with an organisation's strategy
- customer complaints
- customer satisfaction survey
- periodic performance meetings
What is driving due diligence?

"Failing to monitor is like living in a home without a smoke alarm. You won't know about the fire until you notice the smoke and your house is gone."

Compliance:
- FCPA
- UK Bribery Act
- Sarbanes-Oxley Act
- OFAC
- Sunshine & Bertrand Act
- Dodd-Frank conflict minerals
- FATCA
- AML
- KYC
- United States Federal Sentencing Guidelines
- EU Terrorism List

Business enhancer:
- mergers & acquisitions
- media profile
- ethics and governance
- brand value
- competitor profiles
- third-party connections
- market intelligence
- transaction monitoring

"What you don't know can hurt you!"

Others:
- OECD Good Practice Guidance on Internal Controls, Ethics and Compliance
- TI Business Principles for Countering Bribery
- World Economic Forum Partnering Against Corruption Initiative

Risk categories addressed:
- reputational risk
- financial risk
- fraud
- compliance & regulatory risk
- operational risk
- strategic risk
Types of risk to consider

Operational Risk: the risk that arises from the potential that inadequate internal controls, operational problems, breaches in internal controls, unforeseen catastrophes, or decentralised operations could result in unexpected losses, or in the inability to maintain a well-controlled IT processing environment.
- business locations
- business units
- business process
- transaction processing
- unauthorised activities
- cost efficiencies
- intellectual property
- functionality
- business continuity
- IT change management

Compliance & Regulatory Risk: the potential that unenforceable contracts, lawsuits, or adverse judgments can disrupt or otherwise negatively affect client operations, and the adverse consequences of non-compliance with rules and regulations.
- HIPAA
- HITECH
- PCI
- Sarbanes-Oxley
- litigation
- human resource regulation
- contracts
- privacy laws and regulations
- developing e-business laws and regulations (local, state, national, international)
- state laws

Financial Risk: the potential that incomplete, inaccurate, or unauthorised transactions, fraud, or inadequate internal controls could affect the integrity of information regarding the financial condition of a client.
- Sarbanes-Oxley
- transaction processing
- unauthorised activities
- SEC and accounting governance standards
- fair disclosure
- IT change management
- interface consolidations
- data integrity
- data sensitivity

Technology Risk: the potential that new systems, technologies, inter- and intra-connectivity, changes, and security threats could adversely affect the integrity and confidentiality of client data and transactions, as well as the efficiency, effectiveness and availability of the IT processing environment.
- IT change management
- operating platforms
- databases
- web-based applications
- network connectivity
- electronic communications and data transfers
- IT outsourcing/cloud

Strategic Risk: the potential for negative publicity linked to a client's business practices, adverse business decisions, lack of responsiveness to changed business conditions, or internal control breaches that will cause a decline in the customer base, costly litigation, or revenue reductions.
- intellectual property
- fraud
- competition
- business development
- new products and markets
- alliances
- brand value
- ethics and governance
- third-party connections
Profiling third party risk
Contact Details

Rudy Hoskens, Partner
T: +32 (0)2 710 4307
E: rudy.hoskens@pwc.be

Sally Trivino, Director
T: +32 (0)2 710 9753
E: sally.trivino@pwc.be

Jacqueline Gram, Director
T: +32 (0)2 710 4151
E: jacqueline.gram@pwc.be