vendor management using cobit 5
TRANSCRIPT
Vendor Management: Using COBIT 5
Introduction
New Guidance from ISACA
Areas covered
• IT
• Process owners and stakeholders
• Compliance and laws
• Risk management
• Audit
• Contracts
• Service monitoring
Vendors
• A vendor is a third party that supplies
products or services to an enterprise.
• Most enterprises seek external vendor support for assistance with operations for one of the following reasons:
– Vendor expertise
– Vendor capacity
– Vendor assuming risk
– Vendor leveraging scale
Vendor Management
• Vendor management is a strategic process
that is dedicated to the sourcing and
management of vendor relationships so that:
– value creation is maximized and
– risk to the enterprise is minimized
Vendor Management Objectives
Managing vendors has many benefits, including:
• Data loss reduction
• Decrease in audit findings
• Cost optimization
• Increased availability
• Liability reduction
• Increased end-user satisfaction
• Value creation
Vendors to include
Play a critical role in daily operations
Can have critical impact on the success of strategic projects
Require long-term contracts
Have potential significant financial implications
Are difficult to change overnight
Require frequent interaction and/or disputes
Access or manage substantial critical or sensitive data
Important Documents
Contract Lifecycle
Contract
Contracts accomplishes the following:• Form a common understanding of what needs to
be achieved
• Define all deliverables, relevant service levels and metrics
• Define responsibilities and obligations
• Define the terms and conditions
• Specify how risk will be allocated between parties
• Define legal counsel and jurisdiction stipulations
SLAs
• An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported.
• The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications:– Financial rewards (for exceeding targets)
– Financial penalties (for underperformance)
SLA Common Pitfalls
• Focus on the wrong objectives
• Simplistic metrics
• Inappropriate terminology
• Room for interpretation
• Labor-intensive reporting requirements
SLA Management Benefits
• Better alignment with business objectives
• Ability to manage services proactively
• Greater transparency of service delivery
• Lower service level management overhead
• Better relationships between the enterprise and vendor
SLA Diagram
Stakeholder Responsibilities
Risk – 5 Threat Categories
• T1 – Selection: Wrong vendor
• T2 – Contract: Incomplete | Static
• T3 – Requirements: Poorly defined
• T4 – Governance: Inadequate vendor management
• T5 – Strategy: Vendor lock-in
Mitigation Strategy
Threat COBIT 5 Guidance
1. Diversify sourcing strategy to avoid overreliance or vendor lock in
T5 APO02 Manage strategy, APO10 Manage suppliers
2. Establish policies and procedures for vendor management
T4, T5 APO11 Manage quality– Enablers: Principles, Policies and Frameworks; Information
3. Establish a vendor management governance model
T4, T5 APO09 Manage service agreements, APO10 Manage suppliers– Enabler: Organisational Structures
4. Set up a vendor management organization within the enterprise (VMO)
T4, T5 APO10 Manage suppliers-- Enablers: Organisational Structures; People, Skills and Competencies
5. Forecast requirements regarding the skills and competencies of thevendor employees
T2 APO10 Manage suppliers– Enablers: People, Skills and Competencies
6. Use standard documents and templates
T2 – Enabler: Information
Mitigation Strategy
Threat COBIT 5 Guidance
7. Formulate clear requirements T3, T5 BAI02 Manage requirements definition, BAI03 Manage solutionsidentification and build– Enabler: Information
8. Perform adequate vendor selection
T1, T5 APO10 Manage suppliers, APO12 Manage risk– Enablers: People, Skills and Competencies
9. Cover all relevant life-cycle events during contract drafting
T2 APO11 Manage quality, APO12 Manage risk– Enabler: Information
10. Determine the adequate security and controls needed during the relationship
T4, T2 APO11 Manage quality; APO12 Manage risk, MEA01 Monitor,evaluate and assess performance and conformance– Enablers: Service, Infrastructure and Applications; Information
Mitigation Strategy
Threat COBIT 5 Guidance
11. Set up SLAs T2 APO09 Manage service agreements– Enabler: Information
12. Set up operating level agreements (OLAs) and underpinning contracts
T2 APO09 Manage service agreements– Enabler: Information
13. Set up appropriate vendor performance/service level monitoring and reporting
T2, T4 APO09 Manage service agreements, APO10 Manage suppliers,MEA01 Monitor, evaluate and assess performance and conformance– Enabler: Information
14. Establish a penalties and reward model with the vendor
T2 APO09 Manage service agreements, APO10 Manage suppliers
Mitigation Strategy
Threat COBIT 5 Guidance
15. Conduct adequate vendor relationship management during the life cycle
T4 APO08 Manage relationships, APO10 Manage suppliers– Enablers: Ethics, Culture and Behaviour
16. Review contracts and SLAs on a periodic basis
T4, T5 APO09 Manage service agreements, MEA01 Monitor, evaluateand assess performance and conformance– Enabler: Information
17. Conduct vendor risk management T4, T5 APO10 Manage suppliers, APO12 Manage risk– Enabler: Organisational Structures
Mitigation Strategy
Threat COBIT 5 Guidance
18. Perform an evaluation of compliance with enterprise policies
T4 APO10 Manage suppliers; MEA01 Monitor, evaluate and assessperformance and conformance; MEA03 Monitor, evaluate and assesscompliance with external requirements– Enablers: Principles, Policies and Frameworks; Information
19. Perform an evaluation of vendor internal controls
T4 APO10 Manage suppliers; APO12 Manage risk; MEA01Monitor, evaluate and assess performance and conformance– Enabler: Organisational Structures; Information
Mitigation Strategy
Threat COBIT 5 Guidance
20. Plan and manage the end of the relationship
T2, T4, T5
APO09 Manage service agreements; APO10 Manage suppliers;APO12 Manage risk– Enabler: Services, Infrastructure and Applications; People, Skills andCompetencies; Information
21. Use a vendor management system
T1, T2, T3, T4
APO08 Manage relationships; APO09 Manage serviceagreements; APO11 Manage quality; APO12 Manage risk– Enabler: Services, Infrastructure and Applications
22. Create data and hardware disposal stipulations
T2, T4 APO12 Manage risk– Enablers: Services, Infrastructure and Applications; Information; Principles,Policies and Frameworks
Q&A