What Is Vendor Management And Why Is It Important To You?
Matt Luongo – CLS Bank International
June 17, 2015

Opening questions
1. Who manages third party vendors at your organization?
2. Is there a vendor management framework that consistently manages third party risks?
3. Do you know all of your vendors? Do they have a contract?

Agenda
Vendor Management
o Key Components
o Effective Vendor Management Framework
Regulator Expectations
o Focus Areas

Disclaimer
The opinions expressed in this presentation and on the following slides are solely those of the presenter and not those of CLS Bank. Concepts used have been adapted from Gartner and Deloitte research and are noted as such.

In The News
"Target Investigates Credit Card Breach" (2013)
"In 2013, American Express, Capital One, and Discover Bank paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers." – McKinsey & Company, July 2013
No one ever remembers the vendor's name.

What is Vendor Management?
Vendor Management is the ongoing management of third-party providers of products or services.
The goal of VM is to ensure the organization continuously obtains the best value from external providers of products and services while controlling exposure to vendor-related risk.

Vendor management lifecycle
Governance & Process: establish strategy and governance; define SOPs, documentation, systems, roles and responsibilities.
Select Vendors: select vendors in accordance with a formal, unbiased practice. Ensure the best fit for the product/service requirements and the best value at the optimal exposure to vendor risk.
Manage Vendor Contracts: manage vendor contracts through the contract lifecycle.
Manage Vendor Risk: manage vendor risk to protect the organization from negative effects that can be caused by events on the vendor's side.
Manage Vendor Relationships: maintain effective relationships with vendors.
Manage Vendor Performance: ensure vendors perform as contracted.
Stakeholders across the lifecycle: Vendor Manager, Business Owner, Procurement, Finance, Legal, Senior Management.

Why is it important?
Because we must measure, manage, and scrutinize the vendors we rely on to deliver value.
Reliance
• We need vendors to deliver critical specialized services
• Vendors globally help us achieve our mission
Value
• Over half of a company's expenditure is with vendors
• Our contracts are a strategic asset: maximise value and deliver great commercial outcomes through our relationships
Risk
• Increased regulatory and member scrutiny on how financial institutions manage third party vendor risk: operational, cyber security, supply chain, compliance, strategic, financial and reputational

Importance has evolved with the changing business environment:
2000: Y2K
2005: Offshore
2008: Financial crisis
2013: Nearshore
2015: Digital / Internet of Things; oversight
Vendor Management is a Core Competence.

What is a third party vendor?
Any individual or entity that is not a direct employee and that provides a product/service to, or on behalf of, the organization. This includes vendors, service providers, agencies, affiliates, partnerships, law firms, contractors, joint ventures and government organizations.
Typically managed at both the engagement and relationship levels:
Engagement: one service, one contract, provided to one line of business.
Relationship: multiple engagements with the same company.

Vendors may present a combination of risks: inherent risk to the product/service, and risks unique to the third party. (Source: Deloitte)
Cyber: ensuring confidentiality, integrity and availability of information assets
Compliance/legal: actions inconsistent with legal, policy or regulatory requirements
Service delivery: third party failures resulting in impact to the service
Contractual: inability to deliver services per contract
Business continuity: inability to continue providing services
Intellectual property: inappropriate use of intellectual property
Financial: inability to meet contractual obligations due to financial difficulties
Reputation: issues impacting an organization's brand and reputation
Geopolitical: region/country-specific factors
Strategic: third party not aligned with the organization's strategic objectives
Credit: inability to make obligated payments
Quality: inability to deliver a quality service/product

How do you manage all the vendor activity?
A Vendor Management Framework provides an end-to-end view for identifying and managing vendors, and their risk, across the vendor lifecycle. (Source: Gartner Vendor Management Framework)

Maturity Model
Many models benchmark the program's maturity. (Source: Gartner Vendor Management Maturity Model)

Regulatory Expectations
Regulators globally have issued heightened standards and guidance for third parties. These cover most regulatory expectations:
Expanded scope: oversee all service providers, affiliates, partnerships and other third parties.
Governance and accountability: define the responsibilities of the board, senior management, and relationship managers.
End-to-end risk management: formalize risk management across the life-cycle and risk domains, with greater scrutiny of high-risk vendors.
Due diligence: assess how vendors are sought, vetted and selected.
Contracts: do you have them? Do they have the appropriate clauses? Execute a contract inventory.
Monitoring: timely and effective reporting on vendor relationships. Demonstrate you have sufficient visibility and control. Use scorecards and dashboards.
Compliance: identify all relevant compliance requirements and document how they are being met.
Independent reviews: do your vendors 'say what they do' and 'do what they say'? Risks are documented and controls are in place.
Business continuity: consider the systemic implications of outsourcing and potential third party failures.

Governance
• Executive and Board engagement
• Defined roles and responsibilities
• Drive and approve policy
• Monitor and oversee the vendor portfolio
Two-tier governance model:
Executive Committee sets the tone: strategic alignment, policy, risk appetite, vendor oversight, escalations.
Vendor / Operations Committee drives vendor performance, compliance, demand pipeline, business continuity, audits.

Risk Classification
• Formal risk management across the life cycle and risk domains
• Risk-based segmentation tool
• Risk is not based on value alone
• Apply resources based on level of segmentation
Risk considerations: reputational; information security and privacy; contractual; service delivery; financial; business continuity; geopolitical; regulatory; exit strategy.
Other considerations: domestic/offshore; core/non-core.

Monitoring
Account plans (Dept.):
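The risk-based segmentation tool mentioned on the Risk Classification slide above, as an added example that is not part of the deck or of CLS Bank's tooling. The factor names follow the deck's Vendor Risk Dashboard; the weights, the security-floor rule, the tier cut-offs, the per-tier oversight table and the four sample scorecards are assumptions chosen to show the mechanics. It demonstrates the slide's point that risk is not based on value alone: the low-spend penetration-testing vendor lands in tier 1 because of its internet-facing and member-data scores, while the higher-spend insurance broker lands in tier 3.

```python
"""Risk-based vendor segmentation, as a worked illustration.

Added example, not a tool from the deck. Factor names follow the Vendor
Risk Dashboard; the weights, thresholds, oversight table and sample
vendors are assumptions chosen to show the mechanics.
"""

# Factors scored 1 (lowest risk) to 5 (highest), as on the dashboard.
FACTORS = (
    "internet_facing", "software_dev", "member_data", "intellectual_property",
    "geography", "reliance", "viability", "subcontracting", "contagion",
    "service_impact", "spend",
)

# Assumed weights. Exposure and service factors outweigh spend so that
# commercial value alone cannot drive a vendor's tier.
WEIGHTS = {
    "internet_facing": 1.5, "software_dev": 1.5, "member_data": 1.5,
    "intellectual_property": 1.0, "geography": 0.5, "reliance": 1.0,
    "viability": 1.0, "subcontracting": 0.75, "contagion": 1.0,
    "service_impact": 1.25, "spend": 0.5,
}

# Assumed "security floor": a 4 or 5 on any of these factors places the
# vendor in tier 1 outright, whatever the weighted average says.
FLOOR_FACTORS = ("internet_facing", "software_dev", "member_data", "service_impact")
FLOOR_SCORE = 4

# Assumed tier cut-offs on the weighted average; tier 3 is everything below.
TIER_CUTOFFS = ((1, 3.5), (2, 2.5))

# Assumed oversight per tier ("apply resources based on level of segmentation").
OVERSIGHT = {
    1: {"review_months": 6, "due_diligence": "on-site review, independent assurance report, exit plan tested"},
    2: {"review_months": 12, "due_diligence": "questionnaire plus evidence sampling, exit plan documented"},
    3: {"review_months": 24, "due_diligence": "questionnaire and contract check"},
}


def validate(scores):
    """Reject incomplete or out-of-range scorecards rather than silently under-scoring."""
    missing = [f for f in FACTORS if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    bad = {f: v for f, v in scores.items() if f in FACTORS and not 1 <= v <= 5}
    if bad:
        raise ValueError(f"scores must be 1..5: {bad}")


def weighted_score(scores):
    """Weighted average of the factor scores, rounded to two decimals."""
    validate(scores)
    total = sum(WEIGHTS[f] * scores[f] for f in FACTORS)
    return round(total / sum(WEIGHTS.values()), 2)


def floor_triggered(scores):
    """Security-floor factors that scored at or above FLOOR_SCORE."""
    return tuple(f for f in FLOOR_FACTORS if scores[f] >= FLOOR_SCORE)


def tier(scores):
    """Tier 1..3: the security floor is checked first, then the weighted average."""
    validate(scores)
    if floor_triggered(scores):
        return 1
    score = weighted_score(scores)
    for t, cutoff in TIER_CUTOFFS:
        if score >= cutoff:
            return t
    return 3


def segment(vendors):
    """Segment a {name: scores} portfolio into {name: {tier, score, floor, oversight}}."""
    out = {}
    for name, scores in vendors.items():
        t = tier(scores)
        out[name] = {
            "tier": t,
            "score": weighted_score(scores),
            "floor_triggered": floor_triggered(scores),
            "oversight": OVERSIGHT[t],
        }
    return out


def ranked_by_tier(results):
    """Vendor names ordered by tier, then by score within a tier."""
    return sorted(results, key=lambda n: (results[n]["tier"], -results[n]["score"]))


# Constructed sample scorecards (not the deck's data); value order matches FACTORS.
SAMPLE_VENDORS = {
    name: dict(zip(FACTORS, values))
    for name, values in {
        "Penetration testing":            (5, 2, 4, 3, 1, 2, 3, 2, 1, 2, 1),
        "Hosting of internal IT systems": (3, 2, 3, 3, 2, 5, 3, 3, 4, 3, 4),
        "Insurance broker":               (1, 1, 1, 1, 1, 2, 2, 1, 1, 2, 4),
        "Building works":                 (1, 1, 1, 1, 1, 1, 3, 4, 1, 2, 3),
    }.items()
}

if __name__ == "__main__":
    results = segment(SAMPLE_VENDORS)
    for name in ranked_by_tier(results):
        r = results[name]
        print(f"tier {r['tier']}  score {r['score']:.2f}  spend {SAMPLE_VENDORS[name]['spend']}  "
              f"floor {r['floor_triggered'] or '-'}  {name}")
```

Running the block prints the portfolio ordered by tier rather than by spend. The floor rule exists because an average can dilute a single severe exposure (a 5 on internet-facing access is not offset by low scores elsewhere), and the validation step exists because a scorecard with a missing factor would otherwise quietly score lower than a complete one.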
• Sourcing plans
• Pipeline
• Stakeholder maps
• Governance meetings
Performance dashboards
Supplier account plans:
• Engagements
• Pipeline
• Improvement plans
• Innovation
• Investment

Vendor Risk Dashboard
[Slide residue: a scored dashboard with one row per vendor category (penetration testing; provision and support of key IT software/systems; hosting of internal CLS IT systems; insurance broker; building works) and one column per risk factor (internet facing, software development, members, health & safety, intellectual property, geography, reliance, viability, subcontracting, contagion, service impact, spend), each scored on a 1 to 5 scale. The individual cell values did not survive extraction in a usable layout.]

Supplier Performance Dashboard (sample)
[Slide residue: a sample supplier scorecard with a RAG status for each of the commercial, operational, relationship and financial dimensions, and the following commentary.
Commercial: overall supplier performance tracking green; seven planned sourcing activities underway with all relevant stakeholders involved. A continuous improvement plan is underway for SAP data consistency, SAP coding design and software performance, identification of SAP knowledge gaps plus knowledge transfer, and improving CBIA incident management response and fix time. Next meeting: 20/03/2014.
Operational: SLA performance against a 99% target, tracked for last quarter (average), last month and current month per service (ePayments, Payment SI, Faster Payments), with incident counts and commentary.
Relationship: the relationship remains healthy across the account; recent site visits were successful; all contracts signed off and no 'at risk' work.
Financial / programme: tracking to the agreed spend profile; the minimum spend commitment currently stands at charges of £4.45M, with a delta of -£1.55M to find, and meetings arranged to discuss future work to be contracted to close the FY12/13 delta. SLA performance achieved across all service contracts; the volume of service incidents received this period was c. 8% lower than last month, continuing a trend of reductions over the last few months; effort is still being expended within the AM teams to assist with the MSS network changes, which continue to receive favourable feedback.
The slide also carried a risk register (risk, impact, probability, mitigation, owner) and a budget table per contract/project/service (budget, planned, committed and actual spend, EAC, planned and actual benefit, in £k).]

Consolidated reporting:
• Commercial
• Performance
• Risk
• Financials
• Relationship

Potential impact
[Diagram residue: vendor services (application development, MPLS service) carry vendor risks, which become risks to a core service, which become impact to CLS: economic loss, reputation, settlement members, regulatory. The vendor and the vendor manager sit at the start of the chain.]

Governance
• Portfolio reporting
• Segmentation
• Aligned governance and resources

Regulatory Guidance
Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties:

FFIEC IT Examination Handbook – Appendix J – Resilience of Outsourced Technology Services (Feb 2015)
• Asserts the financial institution's responsibility to control business continuity risks with third parties
• Must consider the potential impact of disruptions and the ability to restore services
• Validation of business continuity plans with third parties and considerations for third party testing
• Identification of internal and external dependencies, and contingency planning for these dependencies

FRB SR 14-1 – Recovery and Resolution Preparation (Jan 2014)
• Firms must have clearly documented agreements with vendors

SEC Reg SCI – Regulation Systems Compliance and Integrity (Nov 2014)
• Requires supplier selection and auditing of vendor services

NIST 800-161 – Supply Chain Risk Management Practices (June 2014)
• Defines requirements for identifying, assessing and mitigating supply chain risks for information and communication technology products and services

OCC Bulletin 2013-29 – Third-Party Relationships (Oct 2013)
• Same responsibilities for in-house and outsourced services
• Adopt risk management processes commensurate with the level of risk and complexity of the third-party relationships
• An effective risk management process throughout the life cycle of the vendor relationship

Takeaways
• Third-party relationships must be good for the company, its vendors and consumers
• Understand how vendors are being managed at your organization. Are you focused on the right things?
• Familiarize yourself with the latest regulatory guidance
• Regularly assess and monitor the effectiveness of the vendor program, not just at the vendor selection stage
• Include vendor risk management as a function within the vendor management program