What Is Vendor Management And Why Is It Important To You?
Matt Luongo – CLS Bank International
June 17, 2015
1. Who manages third party vendors at your organization?
2. Is there a vendor management framework that consistently manages third party risks?
3. Do you know all of your vendors? Do they have a contract?
Agenda
Vendor Management
o Key Components
o Effective Vendor Management Framework
Regulator Expectations
o Focus Areas
Disclaimer
The opinions expressed in this presentation and on the following slides are solely those of the presenter and not those of CLS Bank.
Concepts used have been adapted based on Gartner and Deloitte research and noted as such.
In The News
• St. Louis Federal Reserve URLs Hijacked (2015)
• Target Investigates Credit Card Breach (2013)
• Home Depot's 56 Million Card Breach Bigger Than Target's (2014)
• "In 2013, American Express, Capital One, and Discover Bank paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers." - McKinsey & Company, July 2013
No one ever remembers the vendor's name.
Effective Vendor Management
Vendor Management is the ongoing management of third-party providers of products or services.
The goal of Vendor Management (VM) is to ensure the organization continuously obtains the best value from external providers of products and services while controlling exposure to vendor-related risk.
What is Vendor Management?
Lifecycle stage: Description
Governance & Process: Establish strategy and governance. Define SOPs, documentation, systems, roles and responsibilities.
Select Vendors: Select vendors in accordance with a formal, unbiased practice. Ensure the best fit for the product/service requirements and the best value at the optimal exposure to vendor risk.
Manage Vendor Contracts: Manage vendor contracts through the contract lifecycle.
Manage Vendor Risk: Manage vendor risk to protect the organization from negative effects that can be caused by events on the vendor's side.
Manage Vendor Relationships: Maintain effective relationships with vendors.
Manage Vendor Performance: Ensure vendors perform as contracted.
Stakeholders: Vendor Manager, Business Owner, Procurement, Finance, Legal, Sr. Mgmt.
Why is it important?
Because we must measure, manage, and scrutinize the vendors we rely on to deliver value.
Reliance: We need vendors to deliver critical specialized services. Over half of a company's expenditure is with vendors. Vendors globally help us achieve our mission.
Value: Maximise value and deliver great commercial outcomes through our relationships.
Risk: Increased regulatory and member scrutiny on how financial institutions manage third party vendor risk - operational, cyber security, supply chain, compliance, strategic, financial and reputational.
Our Contracts are a Strategic Asset. Vendor Management is a Core Competence.
Importance has evolved with changing business environment:
2000 - Y2K
2005 - Offshore
2008 - Financial Crisis
2013 - Nearshore
2015 - Digital / Internet of Things; Oversight
What is a third party vendor? Any individual or entity, which is not a direct employee, which provides a product/service to, or on behalf of, the organization. Typically managed at both the engagement and relationship levels.
Types of third parties: Vendors, Affiliates, Contractors, Service Providers, Partnerships, Joint Ventures, Agencies, Law firms, Government Organizations.
Engagement: One service, one contract, provided to one line of business.
Relationship: Multiple engagements with the same company.
Vendors may present a combination of risks
Risk: Description
Cyber: Ensuring confidentiality, integrity, availability of information assets
Compliance/legal: Actions inconsistent with legal, policy or regulatory requirements
Service delivery: Third party failures resulting in impact to the service
Contractual: Inability to deliver services per contract
Business continuity: Inability to continue providing services
Intellectual property: Inappropriate use of intellectual property
Financial: Inability to meet contractual obligations due to financial difficulties
Reputation: Issues impacting an organization's brand and reputation
Geopolitical: Region/country-specific factors
Strategic: Third party not aligned with the organization's strategic objectives
Credit: Inability to make obligated payments
Quality: Inability to deliver a quality service/product
These risks fall into two groups: inherent risk to the product/service, and risks unique to the third party.
Source: Deloitte
How do you manage all the vendor activity?
A Vendor Management Framework provides an end-to-end view to identifying and managing vendors and the risk across the vendor lifecycle.
Source: Gartner Vendor Management Framework
Maturity Model
Many models benchmark the program's maturity.
Source: Gartner Vendor Management Maturity Model
Regulatory Expectations
Regulators globally have issued heightened standards and guidance for third parties. These cover most regulatory expectations:
Expanded scope: Oversee all service providers, affiliates, partnerships and other third parties.
Governance and accountability: Define responsibilities of the board, senior management, and relationship managers.
End-to-end risk management: Formalize risk management across the life-cycle and risk domains. Greater scrutiny of high risk vendors.
Due Diligence: Assess how vendors are sought, vetted and selected.
Contracts: Do you have them? Do they have the appropriate clauses? Execute a contract inventory.
Monitoring: Timely and effective reporting on vendor relationships. Demonstrate you have sufficient visibility and control. Use of scorecards and dashboards.
Compliance: Identify all relevant compliance requirements and document how they are being met.
Independent Reviews: Do your vendors 'Say what they do?' and 'Do what they say?' Risks are documented and controls are in place.
Business Continuity: Consider the systemic implications of outsourcing and potential third party failures.
Governance
• Executive and Board engagement
• Defined roles and responsibility
• Drive and approve policy
• Monitor and oversee vendor portfolio
• Two tier governance model
Executive Committee - sets the tone: Strategic Alignment, Policy, Risk appetite, Vendor oversight, Escalations
Vendor / Operations Committee - drives vendor: Performance, Compliance, Demand pipeline, Business Continuity, Audits
General awareness of vendors… is no longer an acceptable
Risk Classification
• Formal risk management across the life cycle and risk domains
• Risk-based segmentation tool
• Risk is not based on value alone
• Apply resources based on level of segmentation
Risk Considerations: Reputational, Info Security and Privacy, Contractual, Service Delivery, Financial, Business Continuity, Geopolitical, Regulatory, Exit Strategy
Other Considerations: Domestic/Offshore, Core/Non-core
Monitoring
Account Plans
Performance Dashboards
Governance
Vendor Risk Dashboards
[Figure: sample vendor performance dashboard (vendor names redacted as "xxx"). Header fields: Vendor, Vendor Manager, SRO, SYSC8; reporting periods Last Quarter (Av), Last Month, Current Month (sample data Dec'12 to Feb'13). Panels:
Performance: per SLA - SLA Description, Aggregated SLA, Performance Target, SLA Performance, Incidents (Internal / External); sample values 99% against target in each period.
Commercial Performance (£k): Budget, Planned Spend, Committed Spend, Actual Spend, EAC, Planned Benefit, Actual Benefit, Status of Activity; sample totals Planned 9,689 / Committed 9,517 / Actual 10,133; Commercial RAG.
Operational Performance: Operational RAG. Financial Performance: Financial RAG. Relationship Performance: Relationship RAG. Overall RAG. Faster Payments, ePayments, Payment SI.
Risks: Contract / Project or Service, Risk, Impact, Probability, Mitigation, Owner (sample entries HIGH/MED, LOW/HIGH).
Spend chart: £m inc VAT by month Apr to Mar - Budget, Forecast, Actual.
Subjective Feedback.
Commercial Commentary: Overall supplier performance tracking green, seven planned sourcing activities underway with all relevant stakeholders involved. Continuous Improvement Plan underway to: (i) SAP data consistency; (ii) SAP coding design and software performance; (iii) identification of SAP knowledge gaps plus knowledge transfer; (iv) initiative underway to improve CBIA incident management responses and fix time.
Performance Commentary: (i) SLA performance achieved across all service contracts; (ii) the volume of service incidents received this period was c. 8% lower than last month, continuing a trend of reductions over the last few months; (iii) effort is still being expended within the AM teams to assist with the MSS network changes - xxx continue to receive favourable feedback.
Relationship Commentary: (i) the xxx relationship remains healthy across the account; (ii) recent visits undertaken to x and x by xxx were successful; (iii) all contracts signed off and no 'At Risk' work.
Financial / Programme Commentary: (i) xxx tracking to agreed spend profile; (ii) the minimum spend commitment currently stands at charges of £4.45M, with a delta of -£1.55M to find; xxx to meet to discuss future work to be contracted to close the FY12/13 delta.]
• Stakeholder maps
• Governance meetings
• Consolidated reporting: Commercial, Performance, Risk, Financials, Relationship
• Dept. Sourcing plans: Pipeline
• Supplier Account plans: Engagements, Pipeline, Improvement plans, Innovation, Investment
[Figure: risk segmentation heat map. Columns, grouped as Service Risks, Vendor Risks and Potential Impact: Service Data, Core Service, Internet facing, Software dev, Members, Health & Safety, Intellectual Prop, Geography, Reliance, Viability, Subcontracting, Contagion, CLS Economic Loss, Reputation, Settlement, Member, Regulatory, Service Impact, Health & Safety, Spend. Rows (scores on a 1 to 5 scale, as extracted; column alignment not fully recoverable):
Application development: 3 5 1 4 1 2.7 4.2 4.2 1.9 1 1 3 5 5 5 5 5 1 5
Penetration testing: 3 4.2 3 3.2 1 1.1 4.2 1.4 2.6 1 1 1 5 5 4 4 5 1 2
MPLS Service: 2.6 4.2 1 3 1 3.1 1 1.4 1.8 1 1 4 5 3 5 5 5 1 5
Provision and support of key IT software/systems: 3.4 4.6 3 4 1 1.3 4.2 1.4 1.5 1 5 3 4 3 2 2 3 1 5
Hosting of Internal CLS IT systems: 3.4 2.2 1 2 1 3.9 1 1.4 2.9 1 5 3 4 3 3 4 3 3 4
Insurance Broker: 3.8 1.8 1 1.6 1 1.1 1 1.4 1.7 1 1 2 4 2 1 2 1 1 4
Building works: 1.4 1 1 1 1 3.3 4.2 1.4 2.9 1 5 3 3 2 1 2 3 5 5]
• Portfolio reporting
• Segmentation
• Aligned governance and resources
Regulatory Guidance
Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties:
FFIEC IT Examination Handbook - Appendix J - Resilience of Outsourced Technology Services (Feb 2015)
• Asserts the financial institution's responsibility to control business continuity risks with third parties
• Must consider the potential impact of disruptions and the ability to restore services
• Validation of business continuity plans with third parties and considerations for third party testing
FRB SR 14-1 - Recovery and Resolution Preparation (Jan 2014)
• Identification of internal and external dependencies, and contingency planning for these dependencies
• Firms must have clearly documented agreements with vendors
SEC Reg SCI - Regulation Systems Compliance and Integrity (Nov 2014)
• Requires supplier selection and auditing of vendor services
NIST SP 800-161 - Supply Chain Risk Management Practices (June 2014)
• Defines requirements on identifying, assessing and mitigating supply chain risks for information and communications technology products and services
OCC Bulletin 2013-29 - Third-Party Relationships (Oct 2013)
• Same responsibilities for in-house and out-of-house services
• Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships
• An effective risk management process throughout the life cycle of the vendor relationship
Takeaways
• Understand how vendors are being managed at your organization. Are you focused on the right things?
• Familiarize yourself with the latest regulatory guidance.
• Regularly assess and monitor the effectiveness of the vendor program, not just at the vendor selection stage.
• Include vendor risk management as a function within the vendor management program.
• Third-party relationships must be good for the company, its vendors and consumers.