Resources

Workshops for GRC professionals

Workshop 1

Decision (Sandie O’Leary)

This workshop will focus on the key risk factors to be considered in the outsourcing decision-making process including:

  • Alignment with strategic plan, HR plan, outsourcing policy (if outsourcing has already been implemented) & budget
  • Resourcing options available:
    • Fully In-house
    • Fully Outsourced
    • Hybrid – outsourcing arrangement supported by some internal resourcing
  • Outsourcing Pros and Cons
  • Any industry-specific regulatory requirements
  • Risk-Benefit Analysis
  • Criticality determination using a defined rationale
  • Business case
  • Operational Resilience Implications
  • DPIA
  • Approval process
  • If outsourcing for the first time, a policy may need to be defined on the basis of the previous points.
Workshop 2

Selection (Gerard Joyce)

This second workshop assumes that the decision to outsource has been made and will focus on the outsourcing due diligence process, contracts etc. including:

  • Procurement procedure
  • Project management
  • Quotation/tendering as appropriate to scale of project incl. evaluation process
  • TP due diligence including references, media review, Companies Registration Office check, beneficial ownership, regulatory authorisation if applicable, conflict of interest check including assurances on data segregation, insurance coverage, business continuity arrangements etc.
  • Contract negotiation (incl. responsibilities, scope, intra-group assurances, clear schedule of fees and charges etc.), Service Level Agreements (including required clauses e.g. exit clause, hold harmless/liability etc.), Data Protection Agreements if applicable
  • Concentration risk assessment
  • Final selection decision-making process
  • Appropriate contract signing/authorisation
  • Communications planning
Workshop 3

Performance (Sandie O’Leary)

Workshop 3 deals with the management of third-party risk on an ongoing basis. It will look at the need to retain capability to supervise and assess the activities of the TP:

  • Register of Third Parties & risk ownership
  • Business Impact Analysis/Process Maps
  • Ongoing performance monitoring – KPIs and KRIs
  • Regular engagement with each critical TP
  • Ongoing due diligence – financial health, media reports, networking amongst TP subscribers etc.
  • Managing scope creep – ensure additions are included as addenda
  • Auditing/testing (incl. joint business continuity/DR testing)
  • Role of RMO in third party risk management
  • Three lines of defence (three lines model) including assigning oversight
  • Operational resilience/business continuity arrangements
  • Major incident/All incident reporting where required
Workshop 4

Exit (Gerard Joyce)

The final workshop will focus on being prepared to exit an arrangement in an orderly manner (whether planned by either party or not), which requires planning from the very outset of the outsourcing process (cross-referencing the contracts element of Workshop 2). It includes:

  • Horizon scanning for emergency alternatives on an ongoing basis for critical TPs
  • Management of contract renewals including exit clauses and notice periods for all TPs
  • Triggering of notice periods to avoid potential penalties
  • Buy-out/merger exit options
  • Planned handover periods, exit support arrangements (e.g. parallel run/testing requirements), data migration (data cleanse or data selection)/data destruction (agree mutually acceptable format), escrow, stakeholder notification requirements etc.
  • Post contractual obligations on TP re data protection, confidentiality etc.
