www.nicsa.org
Third-Party Risk Management:
Implementing a Strategy
Part I of II
SPONSORED BY:
An evolving landscape

The use of third-party service providers has become increasingly pervasive, complex, and interconnected within the investment management industry:
• Increased number of core operations and IT services being outsourced
• Third parties also outsource; common providers can create layering and unforeseen concentration risk
• Dispersed dependencies create increased reliance on, and risk exposure from, entities outside of your direct control

This growth of the extended enterprise model calls for continued evolution of the Extended Enterprise Risk Management (EERM) strategy, with mature programs applying a consistent, enterprise-wide level of discipline that extends across the entire third-party lifecycle.

Copyright © 2015 Deloitte Development LLC. All rights reserved.
Maintaining control & managing third-party risk

Many companies are moving toward an end-to-end framework to create a controlled and efficient process to effectively manage the business and regulatory requirements. A well-designed and sustainable framework can help manage third-party risks and provide structure for governance and monitoring the process.

Third-Party Management Lifecycle
• Strategy & planning – Develop sourcing strategy, consider cost/benefits and develop business
• Evaluate & select – Identify and assess risks / perform due diligence
• Contract & on-board – Incorporate risk, compliance, and performance requirements in contracts
• Manage & monitor – Perform risk management and ongoing monitoring, coordinating with each third party
• Terminate & off-board – Determine the need to terminate the third party and manage the off-boarding process

Some benefits of an EERM Framework
• Enhanced quality of risk management processes through centralized execution on the business’ behalf
• Transparency into third-party performance and risk exposure by improving information flow through the organization
• Improved efficiency through centralized tools and processes
• Reduced risks through centralization of controls and quality gates
• Increased consistency, scale and common communication
CPE CODE: 897
Deloitte Advisory’s EERM framework

Our EERM framework—based on the Office of the Comptroller of the Currency (OCC) and other regulatory requirements, as well as industry practices—provides a structured review of the operating model components required to support an effective program.
• An effective EERM program supports business objectives including growth, innovation, reduced cost, and risk and compliance.
• Delivering effective EERM requires a comprehensive operating model that includes governance and oversight, policies and standards, management processes, tools and technology, risk metrics and reporting, and risk culture.
• Management and risk domains support delivery of EERM capabilities and the management of risk. Each domain is comprised of its own set of management activities/capabilities and related risks.

Business Objectives
• Growth / Innovation
• Client Experience
• Cost Reduction
• Improved Time to Market
• Risk and Compliance Management

Operating Model Components
• Governance and Oversight – The organizational structure, committees, and roles and responsibilities for managing third parties
• Policies and Standards – Management expectations for the management of third parties and related risks
• Management Processes – Processes to manage risks across the third-party lifecycle
• Tools and Technology – Tools and technology that support EERM processes
• Risk Metrics and Dashboard – Reports identifying risks and performance associated with third parties, tailored toward multiple levels of management
• Risk Culture – Tone at the top, clarity on risk appetite, and appropriate training and awareness to promote a positive risk culture

Management Process Detail
• Plan, Evaluate and Select
• Contract and On-board
• Manage and Monitor
• Terminate and Off-board

Risk Domains
• Reputation Risk
• Strategic Risk
• Geopolitical Risk
• Contractual Risk
• Information Security Risk
• Transaction / Operational Risk
• Financial Stability Risk
• Business Continuity Risk
• Compliance / Legal Risk
• Credit Risk
Stages of EERM Capability Maturity

Capability Maturity Stages, in order of increasing stakeholder value: Initial, Fragmented, Top Down, Integrated, Risk Intelligent

Representative Attributes Describing Each Maturity Level

Initial
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom

Fragmented
• Independent EERM activities
• Limited focus on the linkage of third-party risks with the company’s overall strategic risks
• Limited alignment of risks to strategies
• Disparate monitoring & reporting functions

Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of risks to the key stakeholders
• Awareness activities

Integrated
• Dedicated team
• Coordinated risk management activities across identified segments
• Risk appetite is fully defined
• Risk monitoring, measuring, and reporting to the board
• Contingency plans and escalation procedures in place

Risk Intelligent
• EERM discussion is embedded in the company’s strategic planning, capital allocation, product development, etc.
• Risk-sensing, early warning risk indicators used
• Risk modeling / scenarios applied
• Industry benchmarking used regularly

1. How capable is the organization today to manage its extended enterprise risks?
2. How capable does it need to be?
3. How can it get to its desired state? By when?
4. How can we leverage existing extended enterprise risk management practices?
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a
substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may
affect your business. Before making any decision or taking any action that may affect your business, you should consult a
qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”),
its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and
independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see
www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about
for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to
attest clients under the rules and regulations of public accounting.
CPE CODE: 430
Global Risk – US CEO – Head of Risk Management US

Broker-Counterparty Risk
• Broker approval
• CP approval and monitoring
• CP exposure reporting
• Best Execution reporting

Investment Risk
• Risk Contribution monitoring and reporting
• Scenario analysis

Performance Analytics & Attribution
• Analytics monitoring and reporting
• Performance Attribution
• Fund Performance monitoring
• GIPS reporting
• Peer analysis

Operational Risk
• Vendor Assessment Team – Vendor Relationship Owners; Vendor Universe; Vendor Governance Office; Information Security; Business Continuity; Operational Risk; Finance; Compliance incl. Privacy; Purchasing; Legal
• Op Risk Management System – Relationship Owner Attestations; Framework Attestations
• Emerging Risks – Compliance-Risk Oversight; Top Risks
• Risk and event identification and assessment
• Monitoring and reporting
Vendor Governance Purview

Assessment Areas
• Business Continuity
• Data Integrity and Security
• Financial Terms & Stability
• Insurance
• Internal Controls
• Losses / Legal Actions
• Regulatory Compliance
• Reputation
• Service Levels

VG Office
• Maintain framework
• Coordinate Initial Assessment / Take-on
• Coordinate Periodic Due Diligence
• Raise Concerns
• Track Remediation Actions
• Report out
• Participate in Compliance-Risk Oversight Discussions

Vendor Universe *
Tier 1 (Core A)
• Functionally critical
• Financially critical
• Subject to laws / regulations
• Necessary to legal / regulatory obligations
• Central to control functions
Tier 2 (Core B)
• Failure could cause serious damage
• Annual outlay > $500k
Tier 3 (Non-core)
* Exceptions
• Financial distributors
• Brokers and Counterparties

Vendor Assessment Team
• Op Risk Management System
• Vendor Assessment System
• SIG Questionnaire (Shared Assessments Group)
Third-Party Oversight – Independent Director Viewpoint

Board Oversight
• Custodian
• Fund Accounting
• Financial Reporting
• Tax Compliance
• Transfer Agent
• SubTAs & Omnibus Providers
• Sub-Advisors
• Pricing Services
• Others

For Management Consideration
• Printing and Mailing
• 15c Materials
• Blue Sky Reporting
• Escheatment Services
• Proxy Solicitation Services
• Others
CPE CODE: 755
Board Oversight – Independent Director Viewpoint

Consider Board Committee Structure
– Committees: Audit; Compliance; Contracts
– Where should oversight reside?
– Interdisciplinary approach
Frequency of Board Reporting
Level of Detail
– Dashboards
Inventory of Third-Party Service Providers – Independent Director Viewpoint
• Name
• Nature of Services Provided
• Primary Management oversight: “Business Owner” of Each Relationship
• Summary of Management’s Oversight Functions
• Summary of Board Reporting on Each Provider
High Level “Sub-TA Dashboard” – Independent Director Viewpoint
For each relationship:
• AUM
• Date last visit
• Risk Rank
• Review Status
• SSAE 16 or FICCA Reports