© 2015 CEB. All rights reserved.
CEB Virtual Event Hosted by the Compliance and Ethics Leadership Council 10 December 2015 12:30-1:30 EST
Accelerating the Third-Party Due Diligence Process
An In-Depth Look at TE Connectivity's Approach
What We Will Discuss Today
1. What does the average third-party risk management process look like?
2. Where are there holes or stall points in that process?
3. How are leading companies looking to solve for those stall points?
4. What can we learn from one tech company that has worked hard to manage the due diligence process better?
5. What resources does CELC have to support us here?
A Few Quick Housekeeping Matters
To submit a question or thought in writing: Log onto the web platform at http://ceb-event.adobeconnect.com/celc121015/ and include your question or comment in the box entitled Submit a Question.
To join the discussion or to submit a question via the phone line: Press *1 to be included in the phone queue. (Press *2 to remove your name from the queue.)
Have a question or comment after today’s webinar? E-mail us at [email protected] with any feedback, questions, comments, etc.
Roadmap For Today’s Conversation
• Third-Party Risk Management: A Brief Look at The Data
• Managing Due Diligence: TE’s Practice At a Glance
• Lessons Learned From A Peer: An In-Depth Look at TE’s Approach
• Q&A and Feedback Session
Our Panelist at a Glance
Brian Risser
Third Party Compliance Manager
TE Connectivity
Prior positions include:
• Manager of Financial Policies and Controls (TE Connectivity)
• Manager of Financial Integrations (TE Connectivity)
• Senior Financial Accountant (Armstrong World Industries)
THE PROCESS WE’VE BUILT
Compliance’s Standard Third-Party Risk Management Process
1. Review Business Justification Form
2. Segment and Conduct Due Diligence
3. Contract, Remediate Risk, and Certify
4. Monitor and Audit
5. Recertify or Terminate Relationship
66% of compliance executives rate their third-party programs as effective at creating standards, requirements, and controls to manage third-party risk.
CEB Process Support: CEB offers a suite of resources to support members who are in the process of building or refining their third-party risk management process, including process maps, implementation guidance, and member-donated tools and templates.
Source: CEB 2015 Third-Party Risk Diagnostic. Note: This is an abridged version of the full process map found in CEB’s Third-Party Resource Center.
THE HOLE IN OUR PROCESS
Business Partner Process Avoidance Undermines Risk Reduction
43% of compliance executives report that internal partners avoid the compliance review process at least some of the time.
Business sponsors avoid the compliance review process… minimizing the ability of existing procedures to reduce risk.
Process steps:
• Review Business Justification Form
• Segment and Conduct Due Diligence
• Contract, Remediate Risk, and Certify
• Monitor and Audit
• Recertify or Terminate Relationship
Source: CEB 2015 Third-Party Risk Diagnostic.
OPERATIONAL TAXES WEIGH HEAVILY
Business Partner’s Mental Model Including Estimated Cost of Each Activity, Per Year
Costs
• 18,000 Business Days Spent Waiting for Third-Party Approval (a)
• $525,000 Annual Due Diligence Spend (b)
Benefits
• Limited Perceived Risk Reduction: Only 22% of functional partners agree that Compliance is effective in reducing third-party risk. (c)
n = 55–82.
Source: CEB 2015 Third-Party Risk Diagnostic.
(a) 18,000 = 60-day median cycle time x 300 estimated number of new third parties receiving due diligence in a given year.
(b) $525,000 = Basic Due Diligence ($250 estimated charge of basic due diligence per third party x 300 estimated number of third parties that receive due diligence) + Enhanced Due Diligence ($15,000 estimated charge for enhanced due diligence x 30 estimated number of third parties that receive enhanced due diligence).
(c) Percentage of Procurement, Internal Audit, and Information Security executives who agree or disagree with the statement, “My organization’s compliance program effectively supports third-party compliance risk management.”
BREAKING THE CYCLE
Opportunities for Improvement in Compliance’s Third-Party Risk Management Process
Process steps:
• Identify Business Need
• Select Third Party
• Review Business Justification Form
• Segment and Conduct Due Diligence
• Contract, Remediate Risk, and Certify
• Monitor and Audit
• Recertify or Terminate Relationship
Legend: Business-Owned; Compliance-Owned
Opportunity 1: Help the business make risk-informed decisions.
Opportunity 2: Rationalize unnecessary process complexity.
Opportunity 3: Remove barriers to third-party compliance.
Source: CEB analysis.
Help the Business Make Risk-Informed Decisions
Rationalize Unnecessary Process Complexity
Remove Barriers to Third-Party Compliance
Strategic Decision Support
Integrated Risk Framework
Partner Compliance Competency
Due Diligence Process Efficiency
Supplier Mentoring Program
Monitoring Efficiency
DUE DILIGENCE PROCESS EFFICIENCY
OVERVIEW
TE Connectivity accelerates the third-party onboarding process by identifying the specific tasks that become stall points within the due diligence process and sending task owners targeted support designed to accelerate completion of the task. In addition, Compliance sends biweekly progress reports to all due diligence stakeholders, creating process transparency that enables meaningful accountability.
SOLUTION HIGHLIGHTS
Identify Process Stall Points: Compare the average length of each task to the desired length to identify those that are contributing to process delay and build support resources tailored to those particular tasks.
Target Support at Process Stall Points for Easier Completion: Send key stakeholders support that targets the root causes of task delay when tasks have not been completed in the appropriate time frame.
Build Accountability for Completing Tasks Through Cross-Stakeholder Visibility: Circulate periodic progress reports to all due diligence stakeholders that outline the current phase and owner of relevant due diligence processes, building accountability for task completion.
COMPANY SNAPSHOT
TE Connectivity Ltd.
Industry: High Technology
TE Connectivity designs and manufactures connectivity and sensor solutions for a variety of industries including automotive, industrial equipment, data communication systems, aerospace, defense, oil and gas, consumer electronics, energy, and subsea communications. The company serves customers in more than 150 countries.
2014 Sales: US$13.9 Billion
Employees: 80,000
GUIDING EMPLOYEES THROUGH THE PROCESS
TE Connectivity’s due diligence completion time was three times longer than desired, causing significant delays in third-party onboarding.
“It was clear that our process was taking too long. So, we needed to understand where the major delays were and how we could make this process easier for our stakeholders.”
Brian Risser, Business Partner Program Manager, TE Connectivity
TE Connectivity’s Due Diligence Process Completion Time: Average Completion Time Across All New Third Parties
[Figure: Due Diligence Process Completion Time. Desired Completion Time compared with Actual Completion Time; Actual Completion Time = Three Times Longer.]
Employee Pain Points with Due Diligence Process
• “I got busy and forgot to complete my task.”
• “This task is complex and I’m not sure how to complete it.”
• “It’s not a big deal if I get to my task next week.”
Automated Overdue Reminders: Send support-oriented reminders to stakeholders when they do not complete tasks within the desired time period.
Cross-Stakeholder Progress Reports: Create visibility in the due diligence process so that stakeholders can see when their counterparts are causing delays.
Source: TE Connectivity Ltd.; CEB analysis.
IDENTIFYING SPEED BUMPS IN THE PROCESS
TE Connectivity’s Due Diligence Process Map: Identifying Most Problematic Tasks
TE Connectivity mapped its due diligence process and identified the tasks that most commonly cause delays.
■ To eliminate these delays, Compliance embeds process support in automated reminder e-mails to help stakeholders complete tasks in a timely fashion.
[Process map figure] Swimlanes: Business Sponsor (Internal Employee); Business Partner (Third Party); Legal and Compliance; Due Diligence Vendor.
Legend: Exceeds Desired Completion Time; Within Desired Completion Time.
Tasks shown on the process map:
• Complete business justification form and send Business Partner Questionnaire (BPQ) invite
• Review due diligence and approve/disapprove business partner
• Close case and finalize business partner status
• Provide due diligence results
• Complete and send BPQ
• Calculate risk rating automatically
• Approve due diligence type based on risk rating
• Set up business relationship and contract
Farthest from Benchmark: TE Connectivity measured each task’s average completion rate against the vendor’s best practice completion rates.
Source: TE Connectivity Ltd.; CEB analysis.
SUPPORTING THROUGH SPEED BUMPS
Sample Automated Reminder E-Mail: Addressing a Delay in Completing Business Justification Form
Compliance sends task owners support-oriented reminder e-mails once tasks have exceeded the desired completion time.
■ TE Connectivity uses reminders that are tailored to each task so that employees receive only the support they need to complete the task at hand.
“No matter how much upfront training we did, the business had to actually work through the process to understand where they would run into pain points and need assistance.”
Brian Risser, Business Partner Program Manager, TE Connectivity

Information is TE Confidential & Proprietary. Do Not Reproduce or Distribute
4. Invite Business Partner to complete the Business Partner Questionnaire
Go to the “Due Diligence” tab in the profile and click on the “Invite” button in the right corner. It will bring up the “Due Diligence Intake Form Invitation”. The information should be pre-populated with the “Main Point of Contact” information from Step #2.
• Choose the Language from the drop down box
• Click “Current” if the Partner is an existing business partner; OR click “Prospective” if the Partner is a new business partner for TE
• Click “Send Invitation”.

Subject: Reminder: Task Overdue - E-Mail Message
From: Stephanie Roosevelt <[email protected]>
To: John Doe
Dear John,
Our records indicate that you have not yet completed the Business Justification Form for a third party with whom you would like to conduct business. This e-mail is meant to provide you with the right support to complete the form properly.
For guidance on completing this form, please refer to our Business Partner Management Program SharePoint Site or our presentation on TE Connectivity’s Due Diligence Process. If you should still have questions or concerns, contact me using my information below.
Stephanie Roosevelt
Compliance [email protected]
(717) 555-1234

Resources
• Business Partner Management Program (BPM) SharePoint Site
Links to more information regarding your responsibilities:
– Policies & Procedures
– Business Partner Management Program – An Accountability Handbook
– Training Opportunities and Video Tutorials
– FAQs
– Contact Details for Questions
Source: TE Connectivity Ltd.; CEB analysis.
VISIBILITY CREATES ACCOUNTABILITY
Biweekly Progress Reports on Due Diligence Process (Illustrative)
Biweekly progress reports to due diligence stakeholders create process visibility and accountability for task completion.
■ Stakeholders can view the current due diligence phase and owner, and follow up with other stakeholders who aren’t completing their tasks.
■ Stakeholders are more likely to complete their tasks in a timely manner knowing that others have visibility into their progress.
Source: TE Connectivity Ltd.; CEB analysis.

2/2/15
Dear John,
Below is your bi-weekly report on the progress of the third parties in which you’re involved as they work through our due diligence process. Please notify the compliance program or any related stakeholders if you have any questions or concerns.

Company Name | Date Opened | Current Phase | Current Phase Owner | Region | Date of Process Reset | Days Until Process Reset
Martin Industrial | 11/13/14 | Complete business justification form | You | NA | 2/13/15 | 11
Quaranta Enterprises | 12/20/14 | Complete and send business partner questionnaire | Quaranta Enterprises | EMEA | 3/20/15 | 46

Process Reset
If the overall process takes longer than the predetermined deadline, stakeholders must start the process over from the beginning.
Social Pressure
All stakeholders involved in a particular due diligence process—and business unit leadership—can see which stakeholder is causing delays.
Key Components
Business Partner Management (BPM) Program
• Program training materials:
– BPM handbook with “in-scope” definitions
– Securimate on-boarding process workflows
– User trainings
• Regular meetings with accounting and finance to work on integrating internal controls
• Cross-referencing Securimate Profiles with SAP numbers
• Regular updates and meetings with Stakeholders
Challenges
Business Partner Management (BPM) Program – Internal Controls
• Process:
– Process design and change is detailed work
– Process change is hard for organizations and people
– Overall on-boarding takes too long
• People
– Business Sponsors and Legal Counsels not completing their tasks
– Accounting and Finance people not making this a priority
• System integration Securimate and SAP
Implementation
Business Partner Management (BPM) Program
Evolution not Revolution
• All new customers and vendors in Securimate - October 2013
• Pilot countries legacy customers and vendors - December 2013
• Financial controls in supplier set-up process - March 2014
• Sponsor and legal counsel action reports - October 2014
• Gating and profile suspension - March 2015
• First SAP shut-offs – March 2015
• Automated SAP shut-offs – September 2015
Implementation
The Importance of Consensus
• Board and Executive Management
– Regular updates on BPM program and the status of Internal Controls
• Business Segments
– Regular meetings – Program updates and proposals for new processes/program evolution
• User feedback
– Trainings, reporting and other interaction with support team
• Support team feedback
– Experience with users and common support issues
• Accounting/Finance and IT
– Outreach and process/implementation assistance
Securimate On-Boarding Process and Metrics
Business Partner Management Program - Workflow
Metrics/ Gating Process
• Individual Sponsor Action Reports
• Training
Business Partner Questionnaire:
• Reminder 1 – 11 days
• Reminder 2 – 30 days
• Reminder 3 – 45 days
Annual Renewals:
• Reminder 1 – 10 days
• Reminder 2 – 20 days
• Individual Legal Counsel Action Reports
• Training
Steele Due Diligence Orders
• OSI 3-5 days
• EDD 14-21 days
Securimate Best Practices
1. Business Sponsor initial activities could be completed in 18 days
• This includes completing the Business Justification form, sending out the BPQ to the Business Partner and reassigning the case to Legal Counsel once the BPQ is submitted.
2. Business Partner activities could be completed within 10 days
• This includes completing the BPQ and executing the Anti-Corruption Compliance Declaration
3. Legal Counsel activities could be completed within 25-30 days
• This includes reviewing the Justification form, the BPQ, ordering and reviewing Due Diligence and completing and uploading a contract with anti-corruption language
4. BPM Support resources should help streamline the process and provide support through guidance, reporting and training
• Compliance Counsel support
• BPM support
Closing the Gap – Gating Measures/Reporting
1. Business Sponsor Action Reports (bi-weekly)
• These reports include action items for completing the Business Justification, sending out the BPQ to the Business Partner, following up on the BPQ after 7 days and reassigning the case to Legal Counsel once the BPQ is submitted.
2. Legal Counsel Action Reports (bi-weekly)
• These reports include action items for reviewing the Business Justification and BPQ, ordering Due Diligence, accepting orders, uploading executed contracts and approving or denying Business Partners
3. Gating Measures (to be implemented)
• BPQ Reminder Emails to Business Partners
– Currently there are no reminder emails; we propose to send them out at 11, 30 and 45 days. Reminders have been translated into 21 languages and successfully tested in QC system
• Turn off Profiles older than 90 days (after catch up of backlog)
4. Implement Annual Renewal Process with email reminders
• Turn on renewals and email reminders (currently testing in QC)
– Send out reminders at 10 and 20 days and shut off at 45 days
Metrics - Best practice (with Gating)
[Timeline figure]
Day markers: Day 1, Day 3, Day 6, Day 16, Day 18, Day 20, Day 35, Day 37, Day 45, Day 90
Milestones shown:
• Securimate record created/loaded
• Activate account
• Complete Justification form & send out BPQ invite
• BPQ should be received within 10 days
• Re-assign to Legal Counsel
• Order due diligence (EDD – up to 15 days; OSI – 3 to 5 days)
• Due diligence accepted by requester
• Upload contract
• Approve/Deny profile
Gating, Metrics, Reminders, and Action Reports
[Timeline figure]
Day markers: Day 1, Day 3, Day 6, Day 11, Day 14, Day 16, Day 28, Day 30, Day 42, Day 45, Day 60, Day 90
Milestones shown:
• Securimate record created
• Request access & Log in
• Complete Justification form & send out BPQ invite
• BPQ should be received within 10 days
• 1st email reminder
• 2nd email reminder
• 3rd email reminder
• Business Sponsor & Legal Counsel Action Reports (shown three times)
• SHUT OFF: Pending profile; Pending BPQ; Pending Case
Notifications, Shutoffs and Waivers
1. Business Sponsor and Legal Counsel Action Reports
• Reminders at 45 days and 75 days notifying users that they have 45 days and 15 days left to complete the on-boarding process
2. Shutoffs
• Unless a waiver is obtained, open Profiles/Cases that are not completed are shut off at 90 days
3. Waivers
• Sponsors and Legal Counsels can ask for a waiver for exceptions such as contract delays, new sponsors, vacations, etc.
• Waivers will require GC or Compliance Counsel approval
• Waiver forms will be uploaded to the Securimate record
Renewals – Proposed Process/ Gating/ Metrics
[Timeline figure]
Day markers: Day 1, Day 10, Day 14, Day 20, Day 28, Day 45
Milestones shown:
• Annual Renewal kick-off at 1 year anniversary
• Prior year BPQ sent out to BP
• 1st email reminder
• 2nd email reminder
• Business Sponsor Action Reports (shown twice)
• SHUT OFF
Custom Reporting
Custom Reporting – Business Sponsor
Custom Reporting – Legal Counsel
CEB Resources to Support Our Members
• Third Party Resource Center: For a collection of best practices, implementation guidance, and member-donated tools
• CEB Ignition Guide to Conducting Compliance Due Diligence: 7 step, 20 document guide to help you assess risk and build an effective process for conducting due diligence
• Benchmarking Reports on Third-Party Governance, Risk Management Maturity, Due Diligence, Monitoring and Auditing, and Vendors
** Please go to the CELC web site to see all of the resources on this topic.