TRANSCRIPT
© 2012–2014 McGladrey LLP. All Rights Reserved.
Managing Vendor Risk & Compliance
Presenter
John MacDonald
McGladrey
Risk Advisory Services Manager
816-289-1826
Overview
Five elements of the program:
• Risk Assessment & Due Diligence
• Risk Identification & Opportunity
• Vendor Management Program
• Integration with GRC
• Audit Plan – Monitoring SLAs and SSAE16s
Governance, Risk & Compliance
Governance – Policy making
Risk – Assessment and identification
Compliance – External (regulatory) and internal (policy)
Risk Assessment & Opportunity
Data Classification
Restricted/Private
Confidential
Internal
Public
Risk Taxonomy
Category – Examples
IT/security – Privacy breach, identity fraud, IP theft, data corruption, denial/loss of service, data loss
Financial – Vendor bankruptcy, exchange rate, price instability, money laundering, unrealized ROI, transaction fraud
Operational – Late delivery, safety incident, poor quality, environmental incident, damage to assets, theft
Brand/reputation – Brand damage, communication crisis, customer dissatisfaction, loss of investor confidence, competitive pressure, loss of employee confidence
Legal – Contract liability, HR incident, contract dispute, labor dispute/grievance, regulatory action, international law conflict
Risk Identification
Core IT Suppliers – All Data
Marketing – Customer Data
Payroll/HR – Employee Data
Demand Planning – Strategy Data
BC/DR – All Data
Benefits Providers – Employee Data
Audit Firms – All Data
Vendor Risk Management Program
Interaction
Does your company regularly visit suppliers?
Yes or No
If yes – what is the trigger?
If no, do you know why?
Vendor Management Program
- Supplier Vetting and Selection
- Impact Assessments
- Background Checks
- Examples of Work
- Prior Experience
Reference Documents
1. Discuss Vendor Assessment Form
Case Study: Manufacturer
Context: Understood need for security/risk involvement in selection and credentialing of IT vendors and providing ongoing security oversight.
Approach: Security team is involved in procurement process, conducting mini-assessments to determine whether a more detailed evaluation is warranted based on Data Classification.
Result: Documented agreement that business process owners own the risk and make the decision whether to accept, avoid, mitigate, etc.
Case Study: Manufacturer
Context: Clear need to improve oversight of risk related to third-party relationships, and to standardize risk measurement and compliance assessments.
Approach: Simplify initial assessments - straightforward (primarily yes/no) questions to determine potential categories and estimated level of impact.
Result: Better participation from vendor management and business. Enabled classification of vendors to develop an audit plan for continuous monitoring.
Recommendations
• Be very clear about the different types of third party risk you’re tracking, and who has responsibility for each.
• Create triggers to make sure risk and compliance efforts occur reliably within standard vendor relationship processes.
• Consider ways to open up communication with and among vendors about trends, patterns, best practices, etc.
Integration with GRC
Governance, Risk & Compliance
Governance – Policy making; involvement of decision makers
Risk – Assessment and identification
Compliance – External (regulatory) and internal (policy)
Reference Documents
Define and document up front the responsibilities of:
• Business Owner
• Legal
• Vendor Management facilitator
• Information Security
• IT
• Audit
• Risk Management
• Compliance
Key Stakeholders
• Internal Audit
• Chief Risk Officer
• Chief Financial Officer
• Head of IT / CISO
• Chief Compliance Officer
• Chief Information Officer
• General Counsel (Legal)
• Enterprise Risk Steering Committee
Audit Plan
Audit Plan Requirements
• Maintain a complete list of vendors
• Evaluate vendor compliance – SSAE16s, ISO
• Evaluate vendor data classification
• Assign a risk classification to each vendor
• Define an audit schedule for each vendor based on its risk classification
Reference Documents
1. Discuss SSAE16 Review
Q & A
John MacDonald
McGladrey
Risk Advisory Services Manager
816-289-1826