Presentation is loading. Please wait.

Presentation is loading. Please wait.

What Is Vendor Management And Why Is It Important To You?

Published byDwayne Brooks Modified over 8 years ago

Similar presentations

Presentation on theme: "What Is Vendor Management And Why Is It Important To You?"— Presentation transcript:

1 What Is Vendor Management And Why Is It Important To You?
Matt Luongo – CLS Bank International June 17, 2015

2 Who manages third party vendors at your organization?
Is there a vendor management framework that consistently manages third party risks? Do you know all of your vendors? Do they have a contract?

3 Agenda Vendor Management Key Components
Effective Vendor Management Framework Regulator Expectations Focus Areas

4 Disclaimer The opinions expressed in this presentation and on the following slides are solely those of the presenter and not those of CLS Bank. Concepts used have been adapted based on Gartner and Deloitte research and noted as such.

5 Home Depot’s 56 Million Card Breach Bigger Than Target’s -2014
In The News Target Investigates Credit Card Breach Home Depot’s 56 Million Card Breach Bigger Than Target’s St. Louis Federal Reserve URLs Hijacked Effective Vendor Management “In 2013, American Express, Capital One, and Discover Bank paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers.” - McKinsey & Company July 2013 Data breaches at vendors and other third-parties continue to have a high profile in the news. Target – hacked through an HVAC company IRS – Hacked through a third party hosting website Home Depot – hacked through checkout terminals And it’s not just data hacks – Back in 2013, American Express, Capital One and Discover Bank paid $530m to settle complaints by their third-party suppliers Common link – third parties In today’s environment, it would be nearly impossible to find a company that doesn’t contract with a vendor. But the convenience and flexibility of outsourcing to third parties comes with a significant risks, including the potential for regulatory penalties related to vendor incidents. Preventing risk events at third parties providers has always been a challenge, but now the stakes are far higher. So, how do we companies effective manage vendors and the risks associated in dealing with them. Today, No one ever remembers the vendor’s name

6 What is Vendor Management?
Vendor Management is the ongoing management of third-party providers of products or services The goal of VM is to ensure the organization continuously obtains the best value from external providers of products and services while controlling exposure to vendor-related risk Lifecycle Description Governance & Process Establish strategy and governance. Define SOPs, documentation, system, roles and responsibilities Select Vendors Select vendors in accordance with a formal, unbiased practice. Ensure the best fit for the product/service requirements and the best value at the optimal exposure to vendor risk Manage Vendor Contracts Manage vendor contracts through the contract lifecycle Manage Vendor Risk Manage vendor risk to protect the organization from negative effects that can be caused by events on the vendor’s side Manage Vendor Relationships Maintain effective relationships with vendors Manage Vendor Performance Ensure vendors perform as contracted Vendor Manager Business Owner Procurement Finance Legal Sr. Mgmt.

7 Why is it important? Reliance Value Risk
Because we must measure, manage, and scrutinize the vendors we rely on to deliver value Reliance Need vendors to deliver critical specialized services Over half of a company’s expenditure is with vendors Vendors globally help us achieve our mission Our Contracts are a Strategic Asset Vendor Management is a Core Competence Value Maximise value and deliver great commercial outcomes through our relationships Risk Increased regulatory and member scrutiny on how financial institutions manage third party vendor risk - operational, cyber security, supply chain, compliance, strategic, financial and reputational Importance has evolved with changing business environment 2000 2005 2008 2013 2015 Y2k Offshore Financial Crisis Nearshore Digital / Internet of Things Oversight

8 Government Organizations
What is a third party vendor? Any individual or entity, which is not a direct employee, which provides a produce/service to, or behalf of, the organization Typically managed at both the engagement and relationship levels Vendors Service Providers Agencies Affiliates Partnerships Law firms Contractors Joint Ventures Government Organizations One service, one contract, provided to one line of business Multiple engagements with the same company Engagement Relationship

9 Vendors may present a combination of risks
Description Cyber Ensuring confidentiality, integrity, availability of information assets Compliance/legal Actions inconsistent with legal, policy or regulatory requirements Service delivery Third party failures resulting in impact to the service Contractual Inability to deliver services per contract Business continuity Inability to continue providing services Intellectual property Inappropriate use of intellectual property Financial Inability to meet contractual obligations due to financial difficulties Reputation Issues impacting an organization’s brand and reputation Geopolitical Region/country-specific factors Strategic Third party not aligned with the organization’s strategic objectives Credit Inability to make obligated payments Quality Inability to deliver a quality service/produce Inherent risk to the product/ service Risks unique to the third party Source: Deloitte

10 How do you manage all the vendor activity?
Vendor Management Framework provides an end-to-end view to identifying and managing vendors and the risk across the vendor lifecycle Source: Gartner Vendor Management Framework

11 Maturity Model Many models that benchmark the program’s maturity
Source: Gartner Vendor Management Maturity Model

12 Regulatory Expectations

13 Governance and accountability End-to-end risk management
Regulatory Expectations Regulators globally have issued heightened standards and guidance for third party’s. These cover most regulatory expectations…. Expanded scope Oversee all service providers, affiliates, partnerships and other third parties Governance and accountability Define responsibilities of the board, senior management, and relationships managers End-to-end risk management Formalize risk management across the life-cycle and risk domains. Greater scrutiny with high risk vendors. Due Diligence Access how vendors are sought, vetted, selected Contracts Do you have them? Do they have the appropriate clauses? Execute a contract inventory. Monitoring Timely and effective reporting in vendor relationships. Demonstrate you have sufficient visibility and control. Use of scorecards and dashboards Compliance Identify all relevant compliance requirements and document how they are being met Independent Reviews Do your vendors…’Say what they do?’ and ‘Do what they say’. Risks are documented and controls in place. Business Continuity Consider the systemic implications of outsourcing and potential third party failures Regulators globally have issued heightened standards and guidance for third party’s. These cover most regulatory expectations.

14 Vendor / Operations Committee
Governance Executive and Board engagement Defined roles and responsibility Drive and approve policy Monitor and oversee vendor portfolio Two tier governance model General awareness of vendors… is no longer an acceptable Sets the tone… Strategic Alignment Policy Risk appetite Vendor oversight Escalations Executive Committee Vendor / Operations Committee Drives Vendor…. Performance Compliance Demand pipeline Business Continuity Audits

15 Risk Classification Formal risk management across the life cycle and risk domains Risk- based segmentation tool Risk is not based on value alone Apply resources based on level of segmentation Risks Considerations Reputational Info Security and Privacy Contractual Service Delivery Financial Business Continuity Geopolitical Regulatory Exit Strategy Other Considerations Domestic/Offshore Core / Non-core

16 Monitoring Governance Account Plans Performance Dashboards
Dept. Sourcing plans Pipeline Supplier Account plans: Engagements Improvement plans Innovation Investment Stakeholder maps Governance meetings Performance Dashboards Vendor Risk Dashboards Consolidated reporting : Commercial Performance Risk Financials Relationship Portfolio reporting Segmentation Aligned governance and resources

17 Regulatory Guidance Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties FFIEC IT Examination Handbook – Appendix J – Resilience of Outsourced Technology Services (Feb 2015) Asserts the financial institution's responsibility to control business continuity risks with third parties Must consider the potential impact of disruptions and the ability to restore services Validation of business continuity plans with third parties and considerations for third party testing FRB SR 14-1 Recovery and Resolution Preparation (Jan 2014) Identification of internal and external dependencies, and contingency planning for these dependencies Firms must have clearly documented agreements with vendors SEC Reg SCI – Regulation Systems Compliance and Integrity (Nov 2014) Requires supplier selection and auditing of vendor services NIST Supply Chain Risk Management Practices (June 2014) Defines requirements on identifying, assessing and mitigating supply chain risks for information and communicating technology products and services OCC Bulletin – Third-Party Relationships (Oct 2013) Same responsibilities for in-house and out of house services Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships An effective risk management process throughout the life cycle of the vendor relationship

18 Takeaways Third-party relationships must be good for the company, its vendors and consumers Understand how vendors are being managed at your organization Are you focused on the right things? Familiarize yourself with the latest regulatory guidance Regularly assess and monitor the effectiveness of vendor program, not just at the vendor selection stage Include vendor risk management as a function within the vendor management program Would you buy a company or even a house with a contract? No, why. Because a

Download ppt "What Is Vendor Management And Why Is It Important To You?"

Similar presentations

Organizational Governance

Organizational Governance
Options appraisal, the business case & procurement

Options appraisal, the business case & procurement
Program Management Office (PMO) Design

Program Management Office (PMO) Design
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Auditing Governance Functions

Auditing Governance Functions
What Happened to the Promise of Benefits Realization? Presented by:Dave Peters Date: November 12, 2013.

What Happened to the Promise of Benefits Realization? Presented by:Dave Peters Date: November 12, 2013.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Introduction to Enterprise Risk Management (ERM)

Introduction to Enterprise Risk Management (ERM)
Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.

Welcome! Internal Auditing CHAPTER 1. Definition Internal auditing is an independent, objective, assurance and consulting activity designed to add value.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
September 5, 2013 Southern Region Break-Out NAAA Annual Convention.

September 5, 2013 Southern Region Break-Out NAAA Annual Convention.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Vendor Management Frequent regulatory findings:

Vendor Management Frequent regulatory findings:
© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.

© 2012 McGladrey LLP. All Rights Reserved.© 2014 McGladrey LLP. All Rights Reserved. © 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All.
Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.

Copyright © 2014 Lender Performance Group, LLC. All rights reserved. Managing risks associated with third-party relationships, in other words Vendor Management.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.

Guidance for Managing Third-Party Risk Chicago Region Regulatory Conference Call December 8, 2010.
“The Impact of Sarbanes Oxley, An Evolving Best Practice” Ellen C. Wolf Senior Vice President & Chief Financial Officer American Water National Association.

“The Impact of Sarbanes Oxley, An Evolving Best Practice” Ellen C. Wolf Senior Vice President & Chief Financial Officer American Water National Association.

Similar presentations

Ads by Google