© 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All Rights Reserved. © 2014 McGladrey LLP. All Rights Reserved.

Managing Vendor Risk & Compliance


Presenter

John MacDonald

McGladrey

Risk Advisory Services Manager

[email protected]

816-289-1826


Overview

1. Risk Assessment & Due Diligence
2. Risk Identification & Opportunity
3. Vendor Management Program
4. Integration with GRC
5. Audit Plan - Monitoring SLAs and SSAE16s


Governance, Risk & Compliance

• Governance: Policy Making
• Risk: Assessment and Identification
• Compliance: External - Regulatory; Internal - Policy


Risk Assessment & Opportunity


Data Classification

• Restricted/Private
• Confidential
• Internal
• Public


Risk Taxonomy

Category – Examples

• IT/security – Privacy breach, Identity fraud, IP theft, Data corruption, Denial/loss of service, Data loss
• Financial – Vendor bankruptcy, Exchange rate, Price instability, Money laundering, Unrealized ROI, Transaction fraud
• Operational – Late delivery, Safety incident, Poor quality, Environmental incident, Damage to assets, Theft
• Brand/reputation – Brand damage, Communication crisis, Customer dissatisfaction, Loss of investor confidence, Competitive pressure, Loss of employee confidence
• Legal – Contract liability, HR incident, Contract dispute, Labor dispute/grievance, Regulatory action, International law conflict


Risk Identification

Vendor category – Data involved

• Core IT Suppliers – All Data
• Marketing – Customer Data
• Payroll/HR – Employee Data
• Demand Planning – Strategy Data
• BC/DR – All Data
• Benefits Providers – Employee Data
• Audit Firms – All Data


Vendor Risk Management Program


Interaction

Does your company regularly visit suppliers?

Yes or No

If yes – what is the trigger?

If no, do you know why?


Vendor Management Program

• Supplier Vetting and Selection
• Impact Assessments
• Background Checks
• Examples of Work
• Prior Experience


Reference Documents

1. Discuss Vendor Assessment Form


Case Study: Manufacturer

Context: Understood need for security/risk involvement in selection and credentialing of IT vendors and providing ongoing security oversight.

Approach: Security team is involved in procurement process, conducting mini-assessments to determine whether a more detailed evaluation is warranted based on Data Classification.

Result: Documented agreement that business process owners own the risk and make the decision whether to accept, avoid, mitigate, etc.


Case Study: Manufacturer

Context: Clear need to improve oversight of risk related to third-party relationships and to standardize risk measurement and compliance assessments.

Approach: Simplify initial assessments - straightforward (primarily yes/no) questions to determine potential categories and estimated level of impact.

Result: Better participation from vendor management and business. Enabled classification of vendors to develop an audit plan for continuous monitoring.


Recommendations

• Be very clear about the different types of third party risk you’re tracking, and who has responsibility for each.

• Create triggers to make sure risk and compliance efforts occur reliably within standard vendor relationship processes.

• Consider ways to open up communication with and among vendors about trends, patterns, best practices, etc.


Integration with GRC


Governance, Risk & Compliance

• Governance: Policy Making; Involvement of Decision Makers
• Risk: Assessment and Identification
• Compliance: External - Regulatory; Internal - Policy


Reference Documents

Define and document up front the responsibilities of:

• Business Owner

• Legal

• Vendor Management facilitator

• Information Security

• IT

• Audit

• Risk Management

• Compliance


Key Stakeholders

• Internal Audit
• Chief Risk Officer
• Chief Financial Officer
• Head of IT / CISO
• Chief Compliance Officer
• Chief Information Officer
• General Counsel (Legal)
• Enterprise Risk Steering Committee


Audit Plan


Audit Plan Requirements

• Maintain a complete list of vendors
• Evaluate vendor compliance – SSAE16s, ISO
• Evaluate vendor data classification
• Assign a risk classification for each vendor
• Define an audit schedule for each vendor based on its risk classification


Reference Documents

1. Discuss SSAE16 Review


Q & A

John MacDonald

McGladrey

Risk Advisory Services Manager

[email protected]

816-289-1826