NYSICA, ALBANY May 10, 2018 Third Party Risk Management

NYSICA, ALBANY May 10, 2018 Third Party Risk Management

Do you own or rent your home/apartment? In the last 12 months, have you had plumbing / heating / painting / renovations done? Group Exercise Did you sign a contract for the work? Did you ask if the provider had insurance? Did you actually receive and review the insurance certificate? 2

Deloitte’s 2016 Global Outsourcing Survey Broadening their approach to outsourcing – more than cost cutting. Redefining ways to enter into outsourcing relationships and manage the ensuing risks. Changing how they manage outsourcing relationships to maximize value. 3

Agenda Contracting Third Parties Assessing Risk Risk Transfer Mechanisms Compliance & Oversight Platforms & Technology 4

Today’s Objective Explore the risks and exposures associated with contracting Third Parties Review best practices to assess, transfer/mitigate and manage ongoing risk 5

Internal Control ". defined as a process . to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.”

Types of Third Parties Trades Service Providers Construction Consultants Vendors Professional Services Partners 7

Achievement of Strategic Goals Access to Expertise or Specialties Benefits of Outsourcing Advanced Technology, Systems or Platforms Simplicity and Ease Manage Headcounts Manage Payroll & Expenses 8

Risk & Exposure Outsourcing does not diminish your responsibility to ensure the Third Party activities are conducted in a manner acceptable to laws, regulation and your internal policies. 9

2018 ABC Study 448 responders 45% work with at least 1,000 / year 58% uncovered legal, ethical or compliance issues after initial due diligence 65% were concerned with personal liability Renewal Data – 73% refresh on contract renewal; 53% at least every 3 years 85% somewhat / very concerned about data security risk 82% somewhat / very concerned about data privacy

Risk Arising from Third Party Strategic Reputational Operational Transactional Credit Compliance Data Other 11

Key to Managing Assess Measur e Control Monitor 12

Accountable Parties Risk Assessment Strong Selection Process Responsibility and Control Contract Structuring and Review Oversight and Accountability Process for Managing Associated Risk 13

What is your risk?

Service Provider University’s state of the art athletic complex is open to the extended campus community. Administration outsourced management, class development, services and staffing. A complaint is brought against the facility and management claiming member of staff sexually harassed / assaulted a student. Complaint goes public creating PR nightmare.

Telecommunications Contractor Facility hires telecommunications contractor to upgrade their fiberoptic cable. Contractor accidently crushed sewage line causing sewer backup at facility and neighboring businesses. This resulted in shutting down businesses for clean up and repair. 16

Security System Installer Client had interior work done to their headquarters and needed the security panel moved. Security provider was installing the new key pad and decided to use a short ladder and some shelves to reach work area. Worker fell when stepping from the shelves to ladder. Sustained knee and back injury requiring surgery for both. 17

Vendor Malware This Photo by Unknown Author is licensed under CC BY Bank’s system is compromised when a vendor unintentionally sends a malware program via email to all employees. When a bank employee opens the email, the vendor’s malware gains access to the system. Contact and credit card information is stolen for 75,000 customers. 18

Assessing Third Party Risk: Who are all the parties involved? What kind of work is being done or services is being provided? What type of accidents or losses could occur? What is the worst-case scenario in terms of financial loss and / or injury to persons or property? Are the responsibilities for the risks appropriately placed with those in position to control them? What is the ability of the parties to manage the risk and absorb losses? Is the contract legal and enforceable?

Incorporating Risk Management into Third Party Contracts Identifying Risks Involved Avoid, Mitigate or Prevent, Transfer or Accept the Risks Implement Appropriate Risk Transfer Mechanisms Incorporate Insurance Early in the Selection Process and Contract Drafting Consider working with your insurance Agent or Broker to help guide you through loss scenarios and risk management options. 20

Third Party Contracts: Insurance Guidelines 21

Indemnification and Hold Harmless Contract Language Non-Waiver Language Insurance Coverage and Limits 22

General Liability Business Automobile Workers Compenation & Employers Liability Umbrella Liability Insurance Coverage Professional Liability Cyber Liability Builders Risk Pollution Crime 23

Tier Insurance Requirements Construction / Renovation Project Vendor Contracts Consulting or Professional Services Service Contracts Partner Agreements Trade Contracts MWBEs 24

Sample Consulting / Professional 25

Sample Vendor 26

Sample Construction 27

Additional Contract Requirements Certificates of Insurance & Copies of Endorsements Written on an "occurrence" basis Advance written notice of cancellation (30 days) Additional Insured as specified by Contract Primary and Non-contributory Waiver of Subrogation Licensed in State & AM Best Rating 28

Additional Insured Status 29

Gilbane v. St. Paul Fire DASNY financed and managed construction project Gilbane/TDX (JV) was retained by DASNY to provide Construction Management services. JV was to be named as AI. DASNY separately contracted with Samson for foundation and excavation work. Samson agreed to add AI list to GL. There was no written contract between JV and Sampson Samson causes damage to adjacent building, DASNY sues Samson and architect which commenced 3rd party action against Gilbane. Gilbane sued Liberty to provide legal defense and indemnification. Liberty not obligated to provide coverage on the grounds of no written contract. 30

Define the Process Accountable Team Contract Template: Insurance Requirements Contract Execution, Onboarding, Renewals System or Platform Method of Document Collection & Storage Insurance Compliance & Oversight Frequency, e.g. Renewal of Contract or Policies Method of Third Party Outreach Email, Fax, Upload URL Documentation of Certs / Endorsement Details Review for Compliance & Approval Review Certificates / Endorsements Against Contract Requirements Document System for Compliance or Non-Compliance Set System for Auto Renewal Reminders Ongoing Compliance: Monitoring and Review Renewal Correspondence Setup for Third Party Contract Collection of Renewal Certificates and Endorsements Review, Approve and Document 31

Insurance Documentation Document Collection: – Certificates-Acord 27/28/25/855 Endorsements – Waiver of Subrogation – Primary and Non-contributory – Additional Insured – Policy Decs / Forms / Exclusions pages 32

Do certificates meet contract requirements? Insurance Document Review Is your firm listed correctly as an Additional Insured? Have you received required endorsements? Any forms or exclusions that are problematic? 33

Ongoing Compliance Monitoring & Review Insurance policies renew annually and often differ from expiring: New Broker may amend program New Carrier may have different forms and / or exclusions Coverage, limits, endorsements or language may change Additional Insured’s may be left off 34

Platforms and Technology 35

Number of contracts and related documents Systems: Constraints & Restraints Challenges to Managing Compliance Knowledge and Expertise Time & Ease Resources: Dollars and People 36

Audit Performed for 280 Subcontracts Measuring 10 points of compliance Client had best practices in place and had performed training for team Concerned about acceptability of AI and Endorsement language Formulated a roadmap based on the audit findings 37

Compliance Platform Excel is not a platform Accounting and/or Bid platforms are not built to manage insurance compliance Manual entry makes for errors Manual outreach and follow up will back up the system Needs to have reporting capability Consider your human capital costs 38

Artificial Intellegence 20 Attorneys vs AI Non-Disclosure Agreements Two months of testing Accuracy: AI average 94% Lawyers 85% Timing: Lawyers 51-156 Minutes AI: 26 seconds 39

Platform Consideration Multi-system integration Service, support and training Project and contract tiering Automated outreach and follow-up Simplified URL / Dashboard for Third Parties to upload documents Optical Character Recognition (OCR) technology Dashboard reporting Customization Simplicity / Intuitive Cost Effective 40

41

42

43

Keys to Successful Adoption System integration and data migration must be manageable Must simplify and automate steps in the compliance process Minimize data entry, allowing for more critical thinking What gets measured gets fixed, robust reporting! Cost benefit analysis – do the numbers make sense? 44

Wrap up Number of Third Party Contracts will continue to grow and so too will your resulting risk Developing a replicable process for analyzing and managing Third Party risk and Incorporating insurance into the early stages of contract development will help mitigate losses. Commit to a thorough practice of insurance compliance and review – for both new and renewing contracts. 45