Presentation on theme: "Vendor Management Frequent regulatory findings:"— Presentation transcript:

1 Third Party Vendor Management
Presented by: Jay Bowman, CISA, CISM, Director
September 22, 2011

2 Vendor Management: Frequent regulatory findings
- Lack of policy and procedures
- Risk assessment not performed
- Lack of ranking scheme
- Due diligence findings
- Vendor oversight issues
- Lack of senior management and Board oversight
Accume Partners 2009

3 A Few Questions
- Does your bank have a vendor management policy? A defined program?
- Is responsibility for vendors centralized?
- How many vendors does the bank rely upon for products and services?
- Are there review processes for selecting new vendors and evaluating current ones?

4 A Few Questions

5–11 Finding a Starting Point…

12 Vendor Management Topics
- Policy
- Responsibility
- Risk Assessment
- Selection of New Vendors
- Oversight of Current Vendors
- Reporting

13 Vendor Management Policy
Establishes:
- Responsibility for program activities
- Triggering thresholds or characteristics
- Risk assessment requirements
- Procedures for selecting new vendors
- Procedures for evaluating current vendors
- Reporting requirements

14 Responsibility for Vendor Management
- Chief Financial Officer
- Chief Information Officer
- Purchasing Manager
- Legal
- Shared
- Other
The VM policy should fix accountability and responsibility.

15 Risk Assessment (pre-decision to outsource)
- Potential impact on strategic goals
- Management oversight and evaluation
- Contingency plans
- Regulatory requirements and guidance

16 Risk Assessment: Potential impact on strategic goals
- Most vendors will not affect goal attainment
- Factors:
  - Unique product or service
  - Key individuals
  - “Significant” portion of revenues/profits
  - Reputation

17 Risk Assessment
Management oversight:
- Does Management have the competence?
- Does Management have the time?
Contingency plans:
- Do others offer this product/service?
- Can it be brought in-house?
Regulatory guidance:
- What additional requirements are imposed?

18 Vendor Selection Process
- Identification of potential vendors
- Due diligence and selection
- Contract negotiation and award

19 Identification of Potential Vendors
- Trade literature
- Current vendors
- Other institutions
- Internet
- Trade association
- Other
Policy should lay out requirements.

20 Due Diligence and Selection
- Evaluation criteria
- Ranking: Subjective vs. Objective; Binary vs. Weighted
- Request for Proposal (RFP)
- Evaluation team
- Documentation
- Approval

21 Request for Proposal (RFP)
Advantages:
- Fosters agreement on:
  - Scope of services
  - Selection criteria
- All vendors on a “level playing field”
- Easier to reach selection decision
- Easier to defend selection decision

22 Request for Proposal (RFP)
Tips:
- Evaluation criteria: “Mandatory” versus “most important”
- Weighting schemes vs. subjective
- Boilerplate
- Deadline extensions

23 Contract Award and Negotiation
- Scope of Services
- Term
- Price
- Service Level Agreement (SLA)
- Key Personnel
- Termination
- Audit Rights
- Other

24 Service Level Agreements
Specific, measurable, auditable:
- Scope of services
- Requirements of service quality
- Measurement of service quality
- Credits/penalties for achieving/failing performance targets
- Institution’s responsibilities
- Vendor’s responsibilities

25 Current Vendor Evaluation
Frequency and scope depend on vendor rankings and characteristics:
- Critical vendors: full scope, annually
- Important vendors: limited scope, annually
- “Commodity” vendors: may be exempt

26 Ranking Considerations
- Annual expenditures
- Processing of critical functions
- Uniqueness of product or service
- Access to customer information
- Management discretion
- Other

27 Vendor Evaluation Topics
- Financial stability
- Performance against SLAs
- Key personnel turnover
- Insurance coverage
- SAS 70/SSAE 16 (service providers)
- Disaster recovery testing and results
- Protection of customer information

28 Vendor Evaluations
Tips:
- Base evaluations on:
  - Why the vendor is important
  - The dimensions that carry the greatest risk
- Provide for Management discretion
- Document evaluations/maintain files

29 Reporting
- Annual summary on vendor management
- Prepared by Management
- Presented to Board (or Committee)
- Covers:
  - VM policy (any recommended changes)
  - New critical vendors
  - Summary of review of current vendors
  - Other key information

30 Vendor Management Framework
Pillar 1:
- Cost, benefits and risk analysis
- Identify performance criteria, reporting needs and contractual requirements for a vendor relationship
- Utilize institution templates and flows to document this process
Pillar 2:
- Vendor financial stability
- Vendor’s expertise, systems, controls
- Vendor’s knowledge of relevant regulations
- Leveraging institution purchasing and contracts management
Pillar 3:
- Service levels
- Pricing
- Business continuity
- Information ownership
- Audit
- Confidentiality and security
- Limits on liability
Pillar 4:
- Scorecards for each vendor reported to Bank management for risk transparency
- Leverage existing institution controls for identification and assessment of risks
- Management and Board reporting
Regulatory Guidance and Bank Requirements:
- FIL “Managing Third Party Risk”
- FFIEC “Risk Management of Outsourced Technology Services,” November 2000
- SR 00-4(SUP), February 2000, “Outsourcing of Information and Transaction Processing”
- Institution’s “Vendor Management Policy”

31 Questions and Answers

32 Contacts
For more information, please contact:
Jay Bowman
Director, Mid-Atlantic
4900 Ritter Road, Suite 222
Mechanicsburg, PA 17055
Phone:

