Vendor Risk Management September 19, 2016


1 Vendor Risk Management September 19, 2016

2 Agenda
- Introduce RGP and the presenters
- Objectives of the session
- Understand the growing importance of Vendor Risk Management (VRM)
- Review recent vendor risk incidents and trends
- Understand the VRM regulatory landscape
- Provide a VRM program assessment maturity model
- Provide a VRM methodology and solution components, including implementation challenges and best practices
- Understand Internal Audit's role in VRM

3 Our Company
Founded in 1996 as part of Deloitte. Management buy-out (1999) and initial public offering (2000). NASDAQ: RECN.
Practice areas: Program Management, Project Management and Change Management; Finance & Accounting; Governance, Risk & Compliance; Information Management; Human Capital; Supply Chain Management; Legal & Regulatory.
3,000+ consultants globally. 87 of the Fortune 100 have been clients. 70+ locations worldwide (48 North America, 12 Europe, 12 Asia-Pacific).

4 Your Presenters
Lester Sussman, Senior Practice Director, Governance, Risk & Compliance
David Matthews, Senior Practice Director, Supply Chain Management

5 The Growing Importance of VRM
Why should companies be concerned about VRM?
- The COSO 2013 framework emphasizes oversight of third parties
- Having a VRM program is becoming a competitive advantage
- Data breaches and other supplier-caused issues can happen in any industry
- Regulators are mandating enhanced vendor risk management

6 The Growing Importance of VRM
How can business services provided by a third party increase a company's risk exposure?
- Sensitive customer information and data is stored, processed or accessed by the third party
- Third parties represent the company directly to its customers and prospects
- Potential business interruption if the third party is no longer able to meet its commitments fully or on time
- Not having ready access to information or data, and being at the "mercy" of the third party to provide reports to management or regulators

7 The Impact of Risk – Failures in VRM
The financial penalties associated with VRM failures can be significant. Reputational damage can be more harmful and, at times, difficult to quantify.
- Global bank: $35 million penalty plus restitution to customers for unfair billing practices and deceptive marketing by one of its vendors. The OCC coordinated its action with the Consumer Financial Protection Bureau (CFPB).
- Big-box retailer: credit card security breach that began with network credentials stolen from one of its HVAC vendors.
- University medical center: names, medical information, Social Security numbers, Medicare numbers, health plan IDs, birthdays and physical addresses were all potentially stolen.
- Commercial printing company: a former contract worker stole nearly 9 million pieces of private customer data belonging to 43 clients.
- Health insurer: cyber attackers gained limited, unauthorized access to a patient database.
- Global financial services firm: $700 million for bad sales practices by a vendor for identity protection services.
This document is the proprietary and confidential property of Resources Global Professionals.

8 Regulatory Landscape
Key talking points:
- The regulatory landscape is broad and can be complex.
- Regulators are all working to create a tapestry of applicable controls.
- The trend is toward applicability of best practices across all regulators.

9 Program Assessment Maturity Model
Where does your current program fit within this maturity model?
Maturity levels, from least effective to most effective:
- Nonexistent: There are no vendor risk management processes defined within the organization.
- 1 Initial Visioning: The organization has an ad hoc and inconsistent approach to vendor risk management.
- 2 Determine Road Map to Achieve Goals: The organization has a consistent overall process but a mostly unstructured approach to vendor risk management.
- 3 Fully Defined and Established: The organization has a documented, detailed vendor risk management approach, but lacks measurement or enforcement.
- 4 Fully Implemented and Operational: The organization regularly monitors and measures compliance and identifies process improvements.
- 5 Continuous Improvement: The organization has achieved best practices for vendor risk management implementation and automation.

10 Vendor Risk Management (VRM) Components
Comprehensive VRM strategies ensure that vendor risks are identified and managed.
Components: Program Planning; Vendor Inventory; Risk Assessment; Documentation and Training; Ongoing Oversight; Termination.
Critical success factors:
- Institutional ownership of the VRM program is well established
- Inherent risks of each relationship are understood
- Cross-functional stakeholders are fully engaged
- Contracts cover the required points
- Continuous assessment and performance monitoring
- Broad communication and training

11 VRM Components
- Program Planning: Define Scope and Goals; Define Program Governance; Define Taxonomy and Standards
- Vendor Inventory: Inventory Vendors; Stratify Vendors; Inventory Documentation
- Risk Assessment: Risk Assessments; Understand and Document Inherent Risk; Review Contracts and Other Artifacts for Risk Mitigations; Perform Assessments Based on Stratification
- Documentation and Training: Reports and Reporting Process; Review RACI & Procedures; Risk Library; Training
- On-going Oversight: Standard Policy and Procedure; Technology; Coordination and Resources; Program Quality Review; Management Reports
- Termination: Exit Strategy; Data Return/Destruction; Intellectual Property Ownership

12 Program Planning
Scope
- What is within the program? Critical vendors only?
- Domestic or global?
Program Governance
- Is the scope fully documented?
- Are there documented policies and procedures?
- Are decisions based on objective criteria, or do they rely on judgment?
- Is there a steering committee including risk, procurement, legal and business/operations?
Taxonomy and Standards
- Are there clear definitions of the different risk classes?
- How do the classes affect tasks and timing?
- What are the requirements for documenting actions taken?
- What artifacts should be retained?

13 Vendor Inventory
Inventory Vendors
- What was the process to find the universe of vendors?
- How are new vendors added?
- Are the inherent risks identified?
- Is there a business owner for each vendor?
Stratify Vendors
- Is there a template, tool or other objective process that determines the level of risk?
- Is stratification done by service or by vendor?
- Is the stratification validated by the business to ensure that it makes sense?
Inventory Documentation
- Is there a good service description that allows one to confirm the risks can be identified?
- Are the inherent risks for each relationship documented?
- What is the process for reviewing the inventory for completeness and risk level?

14 Risk Assessment
Understand and Document Inherent Risk
- What are the inherent risks and the residual risks?
- What could the vendor do wrong, regardless of how unlikely?
- What happens if the vendor disappears tomorrow?
Risk Assessments
- Is this an initial or an on-going assessment?
- What areas should be considered? Finance; information security; business continuity; physical security; on-shore/off-shore delivery; the vendor's own third-party (sub-contractor) risk management; contract; insurance; OFAC screening.
- Are certifications or attestations available (SOC reports, PCI DSS, HIPAA)?
- Is a standard questionnaire such as the SIG available from the vendor?
- Is it a public company?

15 Risk Assessment (Cont'd)
Review Contracts
- Is a fully executed and dated contract available?
- Is there a repository or any systematic indexing of the contract hierarchy, options and expiration dates?
- What is the process for tracking performance?
- Are the services being provided consistent with the contract, or did the services "morph" over time?
Other Artifacts
- Is a Certificate of Insurance (COI) available to review? Are the dates current? Note that a single certificate may list several policies, each with its own dates, so check all of them.
- Is there cyber insurance?
- Is your firm named as a certificate holder or named insured?
- Is there language that requires you to be informed, say 30 days in advance, if the policy is cancelled or materially changed?
- Are there published industry performance standards?

16 Risk Assessment (Cont'd)
Perform Assessments Based on Stratification and Risk
- Do your policies or procedures require a review at a certain interval?
- Review the previous assessment, if any. Were any concerns raised in it?
- Has the relationship changed? Are the same services being provided (none added or deleted since the last assessment)?
- Does the business owner have any concerns?
- Did you search public sources (e.g., a Google search) for issues involving the vendor?
- Can you partner with other areas, such as IT security or BCP?
- Is an on-site visit appropriate?
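As an added example, not part of the RGP presentation, the following Python script models the checks asked about in slides 13, 15 and 16: an objective tiering rubric for stratifying the vendor inventory, a reassessment interval per tier, and an oversight pass that flags vendors with no business owner, a missing or overdue assessment, or a certificate of insurance that has expired or expires within the notice window (a certificate can carry several dates, so every one is checked). The rubric weights, tier thresholds, review intervals, 30-day warning window and the sample vendors are all assumptions chosen for illustration, not figures from the presentation.

```python
"""Vendor stratification and ongoing-oversight checks.

Added illustration, not part of the RGP presentation. The rubric weights, tier
thresholds, review intervals and the sample inventory below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Vendor:
    name: str
    owner: Optional[str]             # accountable business owner, None if nobody is assigned
    handles_pii: bool                # stores, processes or accesses customer PII
    network_access: bool             # holds credentials into our environment
    business_critical: bool          # an outage would interrupt a core service
    customer_facing: bool            # represents the company directly to customers
    offshore: bool                   # service delivered from outside the home jurisdiction
    last_assessment: Optional[date]  # None means never assessed
    coi_expirations: List[date] = field(default_factory=list)  # one date per policy on the COI


# Assumed rubric: inherent risk is scored before any vendor controls are credited.
RISK_WEIGHTS: Dict[str, int] = {
    "handles_pii": 4,
    "network_access": 3,
    "business_critical": 3,
    "customer_facing": 2,
    "offshore": 1,
}

# Assumed policy: maximum days between assessments for each tier.
REVIEW_INTERVAL_DAYS = {"critical": 365, "high": 365, "medium": 730, "low": 1095}
COI_WARNING_DAYS = 30  # assumed: aligns with a 30-day cancellation-notice clause
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def inherent_risk_score(v: Vendor) -> int:
    """Sum the weights of every risk attribute the vendor has."""
    return sum(w for attr, w in RISK_WEIGHTS.items() if getattr(v, attr))


def stratify(v: Vendor) -> str:
    """Map the inherent risk score onto an assumed four-tier scale."""
    score = inherent_risk_score(v)
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def oversight_findings(v: Vendor, today: date) -> List[str]:
    """Return the oversight gaps for one vendor as of `today`."""
    findings: List[str] = []
    if v.owner is None:
        findings.append("no business owner assigned")
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[stratify(v)])
    if v.last_assessment is None:
        findings.append("never assessed")
    elif today - v.last_assessment > interval:
        findings.append(f"assessment overdue (last {v.last_assessment.isoformat()})")
    if not v.coi_expirations:
        findings.append("no certificate of insurance on file")
    for exp in v.coi_expirations:  # check every date on the certificate, not just the first
        if exp < today:
            findings.append(f"insurance policy expired {exp.isoformat()}")
        elif exp - today <= timedelta(days=COI_WARNING_DAYS):
            findings.append(f"insurance policy expires {exp.isoformat()}")
    return findings


def build_report(vendors: List[Vendor], today: date) -> List[dict]:
    """One row per vendor, highest tier first, then highest score."""
    rows = [
        {"vendor": v.name, "tier": stratify(v), "score": inherent_risk_score(v),
         "findings": oversight_findings(v, today)}
        for v in vendors
    ]
    return sorted(rows, key=lambda r: (TIER_ORDER[r["tier"]], -r["score"], r["vendor"]))


# Constructed sample inventory (hypothetical vendors) as of the presentation date.
AS_OF = date(2016, 9, 19)
SAMPLE_INVENTORY = [
    Vendor("DataCo Processing", "Operations", True, True, True, False, True,
           date(2015, 6, 1), [date(2017, 6, 30), date(2016, 8, 31)]),
    Vendor("Acme HVAC Services", None, False, True, False, False, False,
           None, [date(2016, 10, 1)]),
    Vendor("Office Supplies Inc", "Facilities", False, False, False, False, False,
           date(2015, 1, 1), [date(2017, 1, 15)]),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_INVENTORY, AS_OF):
        print(f"{row['tier']:8} {row['score']:2}  {row['vendor']}: {row['findings'] or 'no findings'}")
```

The scoring is deliberately additive and transparent so the business can validate it (slide 13 asks for exactly that); the point of the oversight pass is that a low-score vendor such as an HVAC contractor with network credentials still surfaces as medium tier and, having never been assessed, lands in the findings rather than being ignored.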

17 Documentation and Training
Reports and Reporting Process
- Review the reports and data supplied by the business.
- Is there regular reporting of SLAs or other metrics coming from the vendor?
- Are there scheduled, minuted meetings with the vendor?
Review RACI and Procedures
- Is there a RACI matrix, and is it being followed?
- Are procedures up to date, and what is the change process?
- Is anything apparently missing from the RACI or procedures?
- Are responsibilities for data archiving and system utilization called out, if applicable?
- Who monitors exceptions and remediation? What is the associated process?

18 Documentation and Training (Cont'd)
Risk Library
- Can risks be standardized across business silos, allowing similar risks and controls to be grouped?
- Are definitions in plain English?
- Are responsible SMEs designated for certain areas of expertise, e.g. BCM, IT security?
Training
- Is training role-based?
- Is it required, and for whom?
- What is the required frequency?
- Is training completion tracked?

19 On-going Oversight
Standard Policy and Procedures
- What do the VRM policy and procedures require as to the type and timing of monitoring for critical and non-critical vendors?
- Are standard periodic reporting and required meetings documented?
Technology
- Is there a system leveraged by VRM?
- How do we know all data is entered and kept current?
- Can a vendor be utilized that is not in the VRM system?
- Does the system meet the firm's standard IT requirements?
Coordination and Resources
- Is the function appropriately staffed to minimize bottlenecks?
- If decentralized, how are centralized processes and standards enforced?
- Is the reporting done as scheduled?

20 On-going Oversight (Cont'd)
Program Quality Review
- Is there an independent review of assessments and management reporting?
- Does the function have a clear separation of duties?
- What quality reporting or metrics are shared with management and the businesses on whether required quality levels are met?
- What is the mitigation path for quality issues?
Management Reports
- What VRM management reports does senior management receive, and when?
- What reports does the Board receive, and when?

21 Termination
Exit Strategy
- Is there a documented exit strategy for all critical vendors?
- Does the contract address termination? What is the notice period, especially for non-renewal? Is there at-will termination? What are the time frames?
- How would the vendor be replaced? What is the process? Who is involved or needs to approve?
- What would the contingency plan be if the vendor suddenly and unexpectedly ceased or limited operations?

22 Termination (Cont'd)
Data Return / Destruction
- Does the vendor (or its sub-contractors) hold your customer PII?
- Can it be returned (if paper or other media)? What about copies?
- If something such as data records is to be destroyed, what type of certification is provided?
- If records are to be destroyed, how long do they remain on backups?
Intellectual Property Ownership
- Does the contract specify who owns any intellectual property that may have been created?
- How is the future use of that intellectual property monitored or curtailed?

23 Internal Audit's Role in VRM
- Assess third-party relationship alignment with business strategy
- Evaluate risk identification, assessment and reporting
- Assess the response to material breaches, service disruptions or other material issues
- Evaluate staffing and expertise to perform due diligence and ongoing monitoring and management of third parties
- Test for conflicts of interest, or appearances of conflicts of interest, in selecting or overseeing third parties
- Test for concentration risks that may arise from over-reliance on a single third party or geography
- Promote and exercise contract audit rights
- Evaluate the procurement and review of Service Organization Control (SOC) reports
- Conduct a maturity assessment using the RGP framework
- Highlight and discuss material risks and deficiencies in the risk management process with the board of directors and senior management
- Leverage existing guidance from the IIA, regulators and service providers

24 Links to VRM guidance
F2_a.pdf
party-risk-management/
guides/Pages/Auditing-External-Business-Relationships-Practice-Guide.aspx
