
Third Party Risk Management Solution

Private and confidential


March 2019 Risk Advisory
©2019 Deloitte Touche Tomatsu India LLP Third Party Risk Management Solution 1
Contents
1. The extended enterprise

2. Third party risks in an extended enterprise network

3. Deloitte’s Third-Party Risk Management (TPRM) solution

4. Deloitte’s third-party risk management - Approach and methodology

5. Deloitte’s engagement delivery models for TPRM programme

The extended enterprise

The extended enterprise is the concept that an organisation does not operate in isolation. Its success is dependent upon
a complex network of third-party relationships.

[Figure: the organisation at the centre of its extended enterprise. Third-party relationships labelled in the diagram: Joint ventures; Franchise; Certification bodies; R&D; Labs; Licensing; Distribution and Sales; Sales agents; Distributors; Loyal partners; Logistics; Inventory; Shipping; Customers; Tier 1-N suppliers; Fourth parties; Sourcing; Brokers/Agents; Contract manufacturing; Customer support; Warranty processing; Call center; Marketing; Advertising agency; Media ad sales; Technology; Infrastructure and application support; Hosted vendor solutions; Disaster recovery; Licensed vendor solutions; Hardware lease; Facilities; Office products; Waste disposal; Cleaning; Human Resources; Recruiting; Contractors; Benefits providers; Payroll processing; Insurance.]

Third party risks in an extended enterprise network

Extended enterprise: sell side, buy side, infrastructure

Loss of reputation – Risk to the reputation of the organisation from the use of third-party relationships due to a myriad of reasons, including misuse of intellectual property, poor product quality, lack of compliance with human rights and environmental regulations, etc.

Supply chain disruption – Key third-party business disruptions due to bankruptcy, geopolitical issues, macro risks, etc. can result in supply chain disruption.

Data risk – Loss, misuse, or mishandling of critical data of the organisation or its customers by a third-party relationship can result in financial loss, hefty fines, and a decrease in shareholder value.

Product recall – Poor product quality, safety issues, or faulty packaging by third parties can lead to product recalls resulting in recall costs, lawsuits from consumers, increased costs from settlements, and lost revenue from missed sales opportunities.

Financial impact – Financial loss from under-reporting of revenue from licenses, royalty partners, distributors, franchisees, etc. and over-payment for services from third-party relationships.

Lack of compliance – A third party acts corruptly to gain business advantage for the organisation, resulting in hefty fines, or is not in compliance with regulations on the environment, conflict minerals, health and safety, labour rights, etc.

Poor performance – Lack of sustained performance from third-party relationships, resulting in costly mistakes, over-allocation of capital to oversee relationships, and defeating the purpose of the outsourcing strategy.

Deloitte’s Third-Party Risk Management (TPRM) solution
How can we help?

Our delivery model is scalable, adaptable, and built on industry-specific benchmarks to fast-track an organisation’s extended enterprise management function.

With our TPRM solution, executives across the value chain receive the following:

• A holistic view of risks and third-parties through the central repository of Deloitte’s automated platform with an executive dashboard and benchmarking against industry standards.
• Leading standardised processes applied across all markets and businesses, with a consistent application of third-party risk scoring, sensing, and monitoring.
• Optimising risk management efficiency, enhancing revenue recovery, and driving cost reduction in managing the third-party risk management programme at an operational level.
• Information for enhanced decision-making through analysis of the latest data from the ongoing assessments to arrive at a more informed decision from a governance perspective.
• Access to subject-matter expertise through trained Deloitte professionals with risk domain experience.
• Ongoing monitoring and zero instance of non-compliance to regulations by leveraging Deloitte’s proprietary industry-specific risk intelligence maps.

[Figure: Deloitte’s TPRM solution, surrounded by its outcomes: Holistic view of third-parties and risks; Optimise risk management efficiency; Ongoing monitoring; Drive cost reduction; Enhanced decision making; Enhance revenue recovery; Compliance to regulations; Obtain risk maturity.]

TPRM automation platform

In today’s digital world, TPRM capabilities also need to be technology-driven to automate processes and report generation, analyse the data that TPRM activities generate, and track overall improvements.

The TPRM automation platform increases efficiency along with productivity, reduces the overall cost of the TPRM programme, and enables efficient monitoring of ongoing activities, including third-party risks and compliance, through a centralised platform. This provides a consistent client user experience and reduces human errors.

Additionally, the use of technology increases data integrity and provides seamless and reliable reporting.

These benefits outweigh the cost of acquiring technology solutions to automate the TPRM process.

Platform capabilities:

• Perform third-party due diligence
• Store and retrieve evidence for each assessment
• Build third-party risk questionnaires
• Customise reports and dashboards as per stakeholder requirement
• Report on your third-party profile
• Manage assessment findings
• Chart trends and insights with smart analytics
• Drag-and-drop user interface
• Assess third-party viability and impact on risk
• Conduct trigger-based approval and review actions
• Track third-party performance
• Scale and integrate with flexible workflows

Deloitte’s third party risk management - Approach and methodology

[Figure: TPRM approach and methodology framework. Recoverable layers and labels:]

Policy, procedures, standards and guidelines

Data sources (Company internal systems like ERP, CRM, billing system)

New/Existing third-parties
• Third-party evaluation
• Third-party selection
• Contract and on-board
• Termination

Third-party prioritisation
• Parameters/Third-party information: Spend, Services, Others
• Risk engine: Confidentiality, Integrity, Availability
• Third-party profile: Service categorisation, Inherent risk profile
• Third-party coverage model: Review method, Frequency, Review type, Reporting

Review type
• Financial health/solvency
• Contract risk and compliance review
• Information security and cyber security
• Privacy review
• Health and safety
• SLA/Performance review
• Integrity and regulatory review
• Quality review
• Employment practices

Review method
• Self Assessment
• Onsite
• Remote
• Continuous Monitoring
• Hybrid

Manage, monitor and remediate

Reporting: CISO Team, Chief Risk Office, Supply chain, Business controller, Key Performance Indicators (KPI)

Automation: Views, Workflow, Data repository, Analytics and reporting

Review coverage: Review of business controls; Review of both business and information security controls; Review of information security controls

Deloitte’s engagement delivery models for TPRM program
Various engagement delivery models

Project based / Assessment specific

Description:
• Client engages Deloitte to assess their third parties on a fixed cost or T&M basis

Trend:
• Works when there is a tactical requirement to address specific assessments
• Clients are moving to other models since third-party Risk Management has become more strategic

[Diagram labels: Deloitte VIC; Deloitte provides its trained staff and assets; Service delivery based on fixed cost or time and material basis; Client Organisation]

Staff augmentation / Co-sourcing

Description:
• Deloitte delivers TPRM through staff
• Client may provide the tools, framework, and methodology
• Client and Deloitte teams work as one

Trend:
• Increasing trend when clients have their centralised captive centres operating out of India and other low-cost geographies

[Diagram labels: Deloitte provides staff; Service delivery supervised by client; Joint team; Functions are shared; Client assets such as tools, assessment framework etc.]

Managed service

Description:
• The client receives service delivery as per the defined SLA
• Trained staff, framework, and tools are provided by Deloitte

Trend:
• Clients use this model to deliver TPRM effectively and efficiently as per the assessment costing model

[Diagram labels: Deloitte VIC; Service provider staff, tools, framework, and take entire ownership of deliverables and quality; Managed service delivery; Client receives service delivery]

Build-Operate-Transfer

Description:
• In a Build-Operate-Transfer (BOT) model, the TPRM offshore delivery centre is usually developed based on specific requirements of a client organisation

Trend:
• Often selected by clients who do not have skill sets, scale, or capability within a function or geography

[Diagram labels: Client Organisation staff and assets; Deloitte VIC service provider staff and assets; Deloitte develops new delivery capabilities; Service delivery; Captive TPRM delivery centre; Ownership transfer]

Key contacts

Rohit Mahajan
President
Risk Advisory
rmahajan@deloitte.com

Munjal Kamdar
Partner
mkamdar@deloitte.com

Gautam Kapoor
Partner
gkapoor@deloitte.com

Vishal Chaturvedi
Partner
vchaturvedi@deloitte.com

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and
each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about
for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a
particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from
publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance
placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is,
by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of
services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any
action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this
material or any information contained in it, the user accepts this entire notice and terms of use.

©2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited
