3rd Party Risk Management , Finance & Banking , Geo Focus: Asia

Third-Party Risk Management: Getting It Right

Experts Discuss Audits, Designing the Right Risks and Governance Program
Clockwise from top left: Gabriel Punsalan, Bank of Makati; Kevin Paul Abu, Standard Chartered Bank; Rei Nikolai Magnaye, Equicom Savings Bank; and Philip Kwa, Asian Institute of Management

While third-party management typically involves direct oversight of relationships, supply chain risk encompasses a wider network of resources. Banking experts in the Philippines discussed the many aspects of outside vendors and supply chains and how enterprises can better manage the risks.

See Also: Software Supply Chain Platform for Financial Services

"When you look at third-party risks, you are looking at these external entities - your suppliers and your vendors," said Philip Kwa, academic programs director at the Asian Institute of Management. For supply chain risk, "the processes are spread across different levels of interactions - getting your raw materials from your suppliers and producing it to a finished good to all the way until it reaches your customers. It includes third parties as well as your internal operational processes."

Gabriel Punsalan, acting internal audit group head at Bank of Makati, said enterprises often don't perform governance tests of their third parties and lack a copy of the vendor's plan for internal controls.

Kevin Paul Abu, testing control manager at Standard Chartered Bank, recommended performing a variety of procedures including tabletop exercises. "We also perform an MK Denial review to know if the third party has any sanctions. We also have third-party questionnaires and carry out pre-audits, if it is permitted," he said.

Pre-audits of vendors are not always possible and unless they are part of the contract, audits won't be allowed. "Sometimes we would ask for certifications like SOC certifications or ISO certifications. These certifications often have their scope defined," said Rei Nikolai Magnaye, CISO of Equicom Savings Bank. "A bit of a warning for those who try to have certifications in place for third-party risk assessment: You need to look at something that you call a statement of applicability when it comes to ISO standards as these certificates often do not show everything that is controlled by the third party."

In this video interview with Information Security Media Group, the panelists discussed:

  • The various approaches to third-party risk management;
  • Choosing the right cybersecurity framework for vendor management;
  • Best practices for auditing third-party vendors;

Magnaye has more than 14 years of experience in cybersecurity. He helps companies involved in healthcare and medical services, information technology, banking and finance, insurance and HMO meaningfully uplift their capability, maturity and adherence to best practices and management system standards.

Abu is a risk management practitioner who specializes in IT audit and controls testing. He is a controls testing manager at Standard Chartered Bank, helping to prepare the global company for the requirements of the upcoming UK SOX program. Prior to joining the bank, he supported AECOM as an IT audit manager and previously served as an advisory consultant at SGV & Co. - EY PH.

Kwa, who leads the Masters in Cybersecurity program at the Asian Institute of Management, has more than 20 years of broad global working experience across multiple corporate and entrepreneurial environments.

Punsalan is an internal audit professional with more than over 15 years of experience in audit, finance and accounting across both global and local organizations in the Philippines. He recently assumed the role of acting chief audit executive and concurrently serves as head of IT audit at a local savings bank.


About the Author

Suparna Goswami

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.