vendor management 101 - chapters site party risk.pdf · enterprise risk management vendor...
TRANSCRIPT
![Page 1: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/1.jpg)
Enterprise Risk ManagementVendor ManagementBusiness Continuity
IT GRCInternal Audit
Regulatory Compliance Manager
VENDOR MANAGEMENT 101
Introduction to Vendor Management
![Page 2: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/2.jpg)
About Your Presenter
Andrea TolentinoLead Operations Consultant
Quantivate LLC425‐947‐5829
![Page 3: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/3.jpg)
About Quantivate
• Founded: 2005• HQ: Woodinville, WA (Seattle Area Tech Core)• NAFCU Services Preferred Partner for Vendor Management
• Offer complete GRC Suite
![Page 4: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/4.jpg)
Outline
• Introduction to VM• The VM Process• Vendor Classification• Due Diligence and Oversight• Vendor Risk Assessment• Preparing for a VM Audit
![Page 5: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/5.jpg)
Introduction to VM
• What is Vendor Management• 6 Components of Vendor Management• Regulations• Who owns the VM program?• Business Benefits
![Page 6: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/6.jpg)
What is Vendor Management?
• Vendor Management is the art of getting more out of your suppliers.o More Serviceo More Assuranceo …and More Value
![Page 7: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/7.jpg)
The 6 Components of VM
• Vendor Selection• Vendor Inventory• Contract Management• Due Diligence and Oversight• Risk Assessment• Vendor Performance Management
![Page 8: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/8.jpg)
1. Vendor Selection
• RFPs• Legal Review• Negotiation• Onboarding
![Page 9: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/9.jpg)
2. Vendor Inventory
Best Practice #1: Start with your Accounts Payable system
Common Mistake #1: Don’t include every vendor in your VM program.
![Page 10: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/10.jpg)
3. Contract Management
• File Management• History• Dates• Terms
![Page 11: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/11.jpg)
4. Due Diligence and Oversight
“Prove to us that you reducing the risk to our member/customers”
• Look for independent documentation of controls where possibleo Financial Risk – Audited financial statementso Legal Risk – Insurance certificateo Info Security Risk – SSAE 16
Common mistake #2: Don’t let IT/Info Sec control the Due Diligence Process.
Best Practice #2: Get subject matter experts involved for each part of the DD review.
![Page 12: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/12.jpg)
5. Risk Assessment
Comparing The Likelihood vs. The Impact
of a vendor failing and hurting your organization
![Page 13: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/13.jpg)
6. Vendor Performance Management
• SLAs• Service• Long term strategy• Leverage for contract re‐negotiation
![Page 14: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/14.jpg)
Regulations
• 2007 NCUA Letter to the Credit Unions 07‐01: Evaluating Third Party Relationships Link
• April 2012 CFPB Bulletin on Service Providers Link
• FDIC Compliance Manual : Third party Service Providers Link
• FFIEC IT Examination Handbook: Third Party Oversight Link
• OCC Bulletin 2001‐47, Third Party Relationships: Risk Management Principles Link
![Page 15: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/15.jpg)
Who Owns the VM Program?
• Finance• IT• Compliance• Risk• Legal
![Page 16: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/16.jpg)
Business Benefits
• Better Serviceo From your vendoro To your member/customers
• Increased Assurance• More Value
![Page 17: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/17.jpg)
VM Process
1. Example VM Process2. Vendor On‐Boarding3. Contract Negotiation4. Classification5. Due Diligence and Oversight
o SSAE 16 reviews
6. Risk Assessment
![Page 18: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/18.jpg)
1. Example VM Process
1. On‐Boarding
•New Vendors Only
2. Contract Review
•New Vendors•Renewing Contracts
3. Classification
•All Vendors
4. Due Diligence / Oversight
• Scaled
5. Risk Assessment
• Scaled and Variable
![Page 19: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/19.jpg)
2. Vendor On‐Boarding
• Business Objectives• Rational for Outsourcing• Cost vs. Benefit Analysis
Tip #1: Track starting & ending costs of vendor services –Helps prove the ROI of your VM program.
• Final Recommendation and Approval
Tip #2: Document reasons for making a new relationship with the vendor
![Page 20: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/20.jpg)
3. Contract Negotiation
14 areas to check (minimum)
1. Scope of service2. SLAs/Performance3. Confidentiality4. Security and Controls5. Financial/Audit Reports6. Software License/ Intellectual Property Ownership7. Warranties
![Page 21: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/21.jpg)
3. Contract Negotiation (con’t)
8. Limitation of Liability9. Indemnification10. Pricing Fees and Payment11. Term12. Termination13. Dispute Resolution14. Assignment
Tip #3: Remember/customer it is a give and take process –the process is needed for everybody to feel like they have arrived at win‐win deal.
![Page 22: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/22.jpg)
4. Classification
• Financial Impact• Information Sharing• Cost• Operational Impact• Third Party Reliance• Transactional (risk of fraud)• Other categories to think about:
o Reputation, Legal/Liability, Confidentiality/Integrity, Regulatory, Member/Customer Satisfaction, Competitive Advantage
Tip #4: Be consistent when classifying vendors, have clear definitions and make sure each vendor owner treat them the same.
![Page 23: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/23.jpg)
5. Due Diligence and Oversight
“Prove to us that you are reducing our risk”
• Business changes/strategic plan• Financials (D&B if needed)• Legal• Operations/Performance• Regulatory/Compliance• Dependencies• Human Resources• Information Security• Reputation• Business Continuity
![Page 24: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/24.jpg)
SSAE 16 reviews
• Date, Time, and Reviewer• Exceptions to testing and Management Response
![Page 25: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/25.jpg)
6. Risk Assessment
• Risk = Likelihood x Impact• Comparing the likelihood vs. the impact of the vendor failing and hurting your organization in each of the associated risk areas.
• Requires both SME of area and Vendor Owner.• Likelihood comes from DD information, Impact comes from business owner
Tip #5: Remember‐ Rate the Risk but do something about it.
![Page 26: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/26.jpg)
Tips Review
• Track starting and ending value of vendor services – Helps prove the ROI of your VM program.
• Document reasons for making a new relationship with the vendor.
• Remember ‐ it is a give and take process – the process is needed for everybody to feel like they have arrived at win‐win deal.
![Page 27: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/27.jpg)
Tips Review (cont’t)
• Be consistent when classifying vendors, have clear definitions and make sure each vendor owner treat them the same.
• Remember ‐ Rate the Risk but do something about it
![Page 28: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/28.jpg)
Agenda Vendor Classification
• The Importance of the Classification Step• Step 1: Review your Vendor Management Policy• Step 2: Create Consistent Classification Levels• Step 3: Classification Definitions• Step 4: Audit Trail• Common Questions
![Page 29: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/29.jpg)
Why are classifications important?
• Helps you understand your inherent risk.
• The more critical vendors you have the more time you will spend later in the process.
![Page 30: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/30.jpg)
Step 1 VM Policy
Review your Vendor Management Policy
• Ensure your VM policy helps define your VM classification.
Tip 1: Keep your policy focused on what you will do, not how you will do it.
![Page 31: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/31.jpg)
Step 2 Classification Levels
Create consistent levels of classification• 3 Levels
o Level 1: Criticalo Level 2: Significanto Level 3: Non‐Essential
![Page 32: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/32.jpg)
Step 3 Classification Definitions
Create consistent definitions for each of the six categories
1. Financial Impacto Would the vendor failure cause a major impact to your Revenue or Expenses?
2. Information Sharingo Does the vendor have access to or store non‐public customer data?
![Page 33: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/33.jpg)
Step 3 (con’t)
3. Costo How much money do you spend each year with the vendor?
Tip 2: Audit yourself, pull the top 10 vendors from Accounts payable and ensure they are covered in your VM program.
4. Operational Impacto Would the vendor failure cause a critical disruption to your operations or customer service?
![Page 34: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/34.jpg)
Step 3 (con’t)
5. Third Party Relianceo Does the vendor market your services, or are you heavily reliant upon a third party vendor to provide your products?
Tip 3: Integrate your VM classification process with your BC program’s BIA (Business Impact Analysis)
6. Transactional (risk of fraud)o Does the vendor play an instrumental role in member/customer transactions?
![Page 35: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/35.jpg)
Step 3 (con’t)
• Other categories to think about:o Reputationo Legal/Liabilityo Confidentiality/Integrityo Regulatoryo Member/Customer Satisfactiono Competitive Advantage
Tip 4: Be consistent when classifying vendors. Have clear definitions and make sure each vendor owner treats them the same.
![Page 36: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/36.jpg)
Step 4 Audit Trail
• Who?• When?• Review Annually
![Page 37: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/37.jpg)
Six Common Questions
1. What do we do with government entities?2. What if different vendor owners classify the same
vendor differently?3. What do we do with vendors that we pay but we
don’t have contracts with?4. How do we handle vendors that provide us
multiple products?5. What should trigger a review of the classification
rating?6. Should we make classification ratings
automatically calculated?
![Page 38: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/38.jpg)
Tips Review
1. Keep your policy focused on what you will do, not how you will do it.
2. Audit yourself, pull the top 10 vendors from Accounts payable and ensure they are covered in your VM program.
3. Integrate your VM classification process with your BC program’s BIA (Business Impact Analysis)
4. Be consistent when classifying vendors, have clear definitions and make sure each vendor owner treat them the same.
![Page 39: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/39.jpg)
Due Diligence
• Oversight vs. Due Diligence• When to Perform Due Diligence• 9 Areas to Review• Common Questions
![Page 40: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/40.jpg)
Oversight vs. Due Diligence
• Oversight ‐ Ongoing review of vendors
• Due Diligence – Done once before contract signing
![Page 41: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/41.jpg)
When to Perform Due Diligence
• New Vendors –Before contract signing
• Critical –Annually• Signification‐ Every other year• Non‐Essential – On contract renewal
• Tip: Scale the review
![Page 42: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/42.jpg)
1. Business changes/strategic plan
Key Question:• “Do you know how the vendor makes money?”
Key Question:• “Do you know how the vendor makes money?”
Documents:• Mission statement /
strategic plan
Documents:• Mission statement /
strategic plan
Public Sources:• Analysts opinionsPublic Sources:• Analysts opinions
Analyze:• Changes to business model
and technology.
Analyze:• Changes to business model
and technology.
![Page 43: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/43.jpg)
2. Financials (D&B if needed)
Key Question:• “Is the vendor going bankrupt?”
Key Question:• “Is the vendor going bankrupt?”
Documents:• FinancialsDocuments:• Financials
Public Sources:• D&B• SEC
Public Sources:• D&B• SEC
Analyze:• Debt vs. Capital• Market Share• Trend
Analyze:• Debt vs. Capital• Market Share• Trend
![Page 44: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/44.jpg)
3. Legal
Key Question:• “Are we getting our money’s worth?”
• “How is the insurance for the vendor?”
Key Question:• “Are we getting our money’s worth?”
• “How is the insurance for the vendor?”
Documents:• SLAs• Contract Terms• Insurance Certificate
Documents:• SLAs• Contract Terms• Insurance Certificate
Public Sources:• NonePublic Sources:• None
Analyze:• Customer service• Satisfaction
Analyze:• Customer service• Satisfaction
![Page 45: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/45.jpg)
4. Regulatory/Compliance
Key Question:• “Are they complying with all regulations?”
Key Question:• “Are they complying with all regulations?”
Documents:• Audit Findings /OpinionsDocuments:• Audit Findings /Opinions
Public Sources:• New lawsPublic Sources:• New laws
Analyze:• Proposed laws• Operating rules
Analyze:• Proposed laws• Operating rules
![Page 46: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/46.jpg)
5. Dependencies
Key Question:• “Who else are we doing business with?”
Key Question:• “Who else are we doing business with?”
Documents:• Vendor Management• Info Sec policy
Documents:• Vendor Management• Info Sec policy
Public Sources:• NonePublic Sources:• None
Analyze:• Access to data• Third parties
Analyze:• Access to data• Third parties
![Page 47: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/47.jpg)
6. Human Resources
Key Question:• “How do they treat their employees?”
• “Are they performing background checks and who are they hiring?
Key Question:• “How do they treat their employees?”
• “Are they performing background checks and who are they hiring?
Documents:• Training• Support process
Documents:• Training• Support process
Public Sources:• Senior management
changes
Public Sources:• Senior management
changes
Analyze:• Attrition• Employee capabilities
Analyze:• Attrition• Employee capabilities
![Page 48: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/48.jpg)
7. Information Security / Privacy
Key Question:• “How safe is my data?”Key Question:• “How safe is my data?”
Documents:• SSAE16• Incident Response• Penetration/Vulnerability
results
Documents:• SSAE16• Incident Response• Penetration/Vulnerability
results
Public Sources:• Privacy policyPublic Sources:• Privacy policy
Analyze:• History of incidents• Where the data resides• Results of tests
Analyze:• History of incidents• Where the data resides• Results of tests
![Page 49: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/49.jpg)
8. Reputation
Key Question:• “Are you happy with the vendor?”
Key Question:• “Are you happy with the vendor?”
Documents:• Complaints• Reference checks (new
vendors)
Documents:• Complaints• Reference checks (new
vendors)
Public Sources:• User groups• Blogs• News articles
Public Sources:• User groups• Blogs• News articles
Analyze:• Renewal ratesAnalyze:• Renewal rates
![Page 50: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/50.jpg)
9. Business Continuity
Key Question:• “If the worst happens, will the vendor be there to serve us?”
Key Question:• “If the worst happens, will the vendor be there to serve us?”
Documents:• BC Plan• Exercise results
Documents:• BC Plan• Exercise results
Public Sources:• History of servicePublic Sources:• History of service
Analyze:• RTO vs RT• RPO vs RP
Analyze:• RTO vs RT• RPO vs RP
![Page 51: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/51.jpg)
10. Cloud Computing
Key Question: How and where is my data being stored?
Key Question: How and where is my data being stored?
Documents:Third party (data center) policiesData center BC/DR plansSSAE 16
Documents:Third party (data center) policiesData center BC/DR plansSSAE 16
Public Sources: NonePublic Sources: None Analyze:Cloud Service Model TypeDeployment ModelData center outsourcing process
Analyze:Cloud Service Model TypeDeployment ModelData center outsourcing process
![Page 52: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/52.jpg)
Common Questions:
• How good/important is Dunn and Bradstreet data?
• What if a vendor won’t share their financials?
• How often should a DD review be performed?
• Who in the organization should perform the DD review?
• What about cloud vendors?
• Do we have to do DD on our significant vendors every year?
![Page 53: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/53.jpg)
Risk Assessment
• Purpose• Risk Management Terms• Calculating Risk• 8 Common Angles of a Vendor Risk Assessment
• So you have calculated a risk rating… now what?
• Common Questions
![Page 54: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/54.jpg)
Purpose
• Boil all of the Due Diligence information down into a single risk rating.
![Page 55: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/55.jpg)
Putting Vendor Management in Risk Management terms
• Classification = Inherent/Raw Risk• Due Diligence = Controls• Risk Assessment = Residual Risk
![Page 56: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/56.jpg)
Calculating Risk
• Risk = Likelihood x Impact
• Likelihood is based on the information you learned during the Due Diligence review.
• Impact is based on how your organization utilizes the vendor.
![Page 57: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/57.jpg)
8 Common Angles for Vendor Risk Assessments:1. Financial2. Legal/Liability3. Operations/Transactions4. Regulatory Compliance5. Market/Dependencies6. Information Security7. Reputation8. Business Continuity
![Page 58: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/58.jpg)
1. Financial:
• Impact Considerations: o If the vendor fails, what’s the impact on my: Revenue, Expenses, Interest Rate, Liquidity, Credit etc…
• Likelihood Considerations:o Now, based on the vendor’s own financials what is the likelihood of that happening?
![Page 59: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/59.jpg)
2. Legal/Liability
• Impact Considerations:o Where does the liability sit?o Is it contractually limited to the some party’s insurance policy?
• Likelihood Considerations: o Can we get sued if the vendor does/doesn’t do something?
![Page 60: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/60.jpg)
3. Operations/Transactions
• Considerations: o What is the complexity and value of the vendor’s service?
• Likelihood Considerations:o What is the volume and threat of fraud?
![Page 61: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/61.jpg)
4. Regulatory Compliance
• Impact Considerations: o Would your organization be subject to fines?
• Likelihood Considerations:o How is the vendor’s compliance program?
![Page 62: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/62.jpg)
5. Market/Dependencies
• Considerations:o Could other vendor’s provide the service?
• Likelihood Considerations:o How many parties are involved in the delivery of the service?
![Page 63: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/63.jpg)
6. Information Security
• Impact Considerations: o What type of data does the vendor have access to?
• Likelihood Considerations: o What did the DD review tell you about the vendor’s internal Information Security program?
![Page 64: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/64.jpg)
7. Reputation
• Impact Considerations: o Would the vendor’s mistake or failure adversely affect our member/customer’s / the public’s view of the organization?
• Likelihood Considerations: o Has the vendor or it’s competitors failed in the past?
![Page 65: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/65.jpg)
8. Business Continuity
• Impact Considerations: o If the vendor is harmed by a natural disaster, how does that affect you?
• Likelihood Considerations: o Does the vendor’s RTO/RPO align with your business continuity plans?
![Page 66: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/66.jpg)
So you have calculated risk rating… now what?• DO SOMETHING ABOUT IT!
o Accept ito Mitigate ito Insure against it
![Page 67: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/67.jpg)
Common Questions
1. Who should be involved in the risk assessment?2. How does this risk assessment integrate with our
overall ERM program?3. How long does it typically take to do a risk
assessment?4. How often should a risk assessment be
performed?5. Should risk assessments be scaled based on
vendor criticality?
![Page 68: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/68.jpg)
Preparing for a VM Audit
• Know your audience• Audit Area 1: Vendor Management Policy• Audit Area 2: Vendor Management Program/Process
• Audit Area 4: Classification• Audit Area 5: Due Diligence• Audit Area 6: Risk Assessment• Audit Area 7: Performance and contract review• Self Audit
![Page 69: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/69.jpg)
Know Your Audience
• Review past audit findings/recommendations
• Review the regulations and ensure you are up‐to‐date with all changes
![Page 70: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/70.jpg)
Audit Area 1: VM Policy
• Provide: Current location of VM policy
• Explain: Approval process
• Prove: Date of last review and approval
![Page 71: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/71.jpg)
Audit Area 2: VM Program/Process
• Provide: VM Program RACI (Responsible, Accountable, Contributor, Informed)
• Explain: Program timeline
• Prove: Current status
![Page 72: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/72.jpg)
Audit Area 3: Vendor Inventory
• Provide: List of critical vendors
• Explain: Which vendors make it on your vendor list.
• Prove: Consistent on‐boarding process
![Page 73: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/73.jpg)
Audit Area 4: Classification
• Provide: Classification definitions
• Explain: Defend your classifications
• Prove: Who was involved in your classification process.
![Page 74: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/74.jpg)
Audit Area 5: Due Diligence
• Provide: Past 3 years of Due Diligence history
• Explain: Who reviews the documents received from vendors
• Prove: What documents were requested and/or received from vendors
![Page 75: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/75.jpg)
Audit Area 6: Risk Assessment
• Provide: Vendor Risk Assessments performed in the last year
• Explain: How vendors were risk rated
• Prove: Approval and Mitigation plans for your vendors
![Page 76: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/76.jpg)
Audit Area 7: Performance and Contract Review• Provide: Inventory of contracts
• Explain How contract dates are managed
• Prove: Consistent contract negotiation process
![Page 77: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/77.jpg)
Self Audit
1. Accounts Payable vs. Vendor List
2. Business Continuity Plan vs. Vendor List
3. SSAE16s for every vendor that has member/customer data?
4. Acceptance or mitigation plan for high risk vendors
![Page 78: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/78.jpg)
Common questions:
• How good/important is Dunn and Bradstreet data?
• What if a vendor won’t share their financials?
• How often should a DD review be performed?
• Who in the organization should complete the DD review?
• What about cloud vendors?
![Page 79: VENDOR MANAGEMENT 101 - Chapters Site Party Risk.pdf · Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager VENDOR](https://reader030.vdocument.in/reader030/viewer/2022040809/5e4dbed9cc132f4fb6538488/html5/thumbnails/79.jpg)
Contact Us
• Web: www.quantivate.como Sign up for a demo
• Phone: 800‐296‐2416
• Email: o [email protected] o [email protected]