Impact of Digital Transformation on TPRM Operations

2. The Technology TPRM Forum, utilizing insights and perspective from leading TPRM executives, created a targeted survey to identify the impact Digital Transformation is having on third party risk operations. The questionnaire focused on: Digital Technologies having greatest impact Actions taken to meet the digital challenge The benefit of these actions Business Continuity developments Anticipated regulator focus The survey was promoted via Technology TPRM Forum's blog www.IT- TPRM.com and was hosted on Survey Monkey. The survey was available to respondents between May 28 thru June 15. In all, there were a total of 114 respondents to the survey. 2 Survey Overview The following represents the analysis, opinion and recommendations of Technology TPRM Forum. All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

3. 3 Technology TPRM Forum Future Areas of Study The Impact of Digital Transformation on TPRM Operations survey is the first step to support development of TPRM best practices. The Technology TPRM Forum will follow this research with a series of study's focused in the areas identified in this survey as key to TPRM operations.  FLOD/VMO Alignment o FLOD Optimization o VMO Empowerment  Accelerated Risk Process  Business Continuity Optimization Findings & Recommendations 1. First Line of Defense organizations are under severe pressure to support multiple digital transformation areas, forcing them to oversight role versus operational contribution. Recommendation:  Increase automation. Utilize a TPRM platform  Hire FLOD team members of diverse skills to align with area of focus: establish credibility  Define alignment, roles & responsibilities with VMO teams. Make certain FLOD is engaged, collaborating and embedded in operations – not an oversight layer 3. TPRM organizations are yet to identify the best manner to support Business Continuity & Resilience requirements despite increased regulator focus. Recommendation:  Assign FLOD with knowledge of infrastructure operations  Collaborate, coach and support response plan creation – drive/facilitate scenario definition with roles and responsibilities  TPRM-BC teams support incident management - not own 2. TPRM leaders are placing priority on accelerating processes to support business initiatives, increasing potential risk exposure. Recommendation:  Establish joint TPRM-IT-Business-InfoSec panel to define accelerated process for risk identification and tolerance leveling  Establish dynamic monitoring strategy to continually assess risk of critical emerging third parties such as FinTech enablers  Clearly define rules of engagement with consequence for non-compliance across operations 4. TPRM leaders work with Procurement/Strategic Sourcing and Legal to continually identify terms to keep pace with regulatory requirements and nature of your environment. Recommendation:  TPRM, VMO, Procurement & legal to schedule frequent review of Terms and Conditions necessary to be added to existing agreements  Review anticipated regulatory requirements and collaboratively identify language to support if/when regulatory change is confirmed. All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

5. 94% of survey respondents indicated they are currently being impacted by digital transformation or anticipate it happening in the coming 12 months. Extent of Digital Disruption Near universal acknowledgment exist that digital transformation is impacting TPRM operations. This dynamic is well documented across the TPRM community, yet little detail exist on specifics challenges and opportunities for TPRM professionals 5 Technology TPRM Forum’s goal is to identify the exact digital technologies, their impact and actions to harness digital capability. All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

6. TPRM leaders overwhelmingly indicate Cloud (89%), Automation/RPA (73%) and Cyber Security (68%) as the top technologies driving digital transformation. At 21%, Blockchain has quickly grown in awareness with TPRM leaders and is anticipated to accelerate in the coming months. Digital Transformation Decomposed As a generic term, Digital Transformation encompasses multiple technologies. Respondents were asked to identify the specific technologies which they identify are producing disruption in their TPRM operations. 6 All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

7. Not surprisingly, TPRM operations have employed multiple techniques to meet the growing challenge to operations caused by digital agendas. These actions show the breadth of areas TPRM leaders must effectively support including business operations, procurement, IT, Audit and InfoSec. Nature of Digital Impact To date, accelerated ‘fast track’ process development top the list of tactics to meet the digital transformation challenge. Results also show broad cross-functional impact across Business Continuity (IT Infrastructure), Cybersecurity (InfoSec), and Contract Management (Procurement). This highlights the diversity of skills and expertise required of FLOD teams and a high need for collaboration. 7 All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

8. TPRM Actions Intended Benefits 8 TPRM leaders indicate alignment with the Vendor Management Organization is the leading action to meet the digital agenda. This places a high degree of dependency on VMO’s understanding risk operations and FLOD members providing value. TPRM leaders also seek greater involvement with Procurement and Legal to ensure contract terms with strategic third parties remain current. The primary anticipated benefits of the actions identified by TPRM leaders is to successfully accelerate risk identification, monitoring and mitigation actions to support business operations. Additional benefits are enhanced alignment with internal VMO and Procurement with improved Third Party monitoring capability. Collaboration supports the ability to establish an integrated front producing more rapid and comprehensive risk decisions and effective monitoring to track change to tolerance levels. All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

9. FLOD organizations run the risk of being viewed as an unnecessary overhead layer lacking credibility or value. It appears that TPRM operations have not as yet settled on best practice to support BC and operational resilience. This could be a reflection of BC being a more recent area of focus for regulators. Business Continuity Response to Business Continuity show a distinct separation between oversight and operational activities. TPRM leaders indicate a clear current focus on oversight and governance activities. 9All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

10. The FFIEC’s Appendix J combined with OCC comments have created an environment where TPRM leaders are anticipating incremental and expanded requirements. Respondents indicate 2 of the 3 top areas anticipated for increased scrutiny relate to Business Continuity. Anticipated Regulator Focus Increased focus by regulators on Business Continuity and Resilience will ultimately drive TPRM teams to get engaged in a more significant fashion than currently indicated. It will require deeper understanding of operations, business impact and contingencies to accurately assess capacity and concentration. 10All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission

11. The normalized profile of a respondent to Technology TPRM Forum’s survey on the impact of digital transformation on TPRM operations is a TPRM professional from the Banking & Capital Market Community with over $50 billion in assets under management. Respondent Profile 11 All rights reserved by Technology TPRM Forum – Not to be distributed without explicit permission Key Demographic Data Points: o 58% of respondents are from Banking & Capital Markets o 56% represent organizations with over $50 Billion in assets under management. o 13% of the respondents are from organizations with over $300 Billion in assets under management. o 62% of respondents are from risk organizations – 49% are from TPRM teams o 18% of respondents are from PMO or Procurement organizations

12. www.IT-TPRM.com Questions & Comments: Jim.hussey@it-tprm.com The Technology TPRM Forum supports the TPRM community through the www.IT-TPRM.com blog featuring original research, articles and perspectives on the emerging issues. In addition, the Technology TPRM Forum provides advisory services focused on FLOD Assessment & Enablement Strategies, VMO Risk Sensitivity Strategy and Business Continuity Modeling & Operational Responsiveness. The Technology TPRM Forum is proud to be an Executive in Residence with Global SRN (https://www.globalsrn.org/) The leading non-profit organization dedicated to drive informed decision-making and best practices around global sourcing of services. All rights reserved by Technology TPRM Forum and www.IT-TPRM.com – Not to be distributed without explicit permission 12

Impact of Digital Transformation on TPRM Operations

Jim Hussey

Impact of Digital Transformation on TPRM Operations