
Is Vendor Management The New Risk Management? Douglas DeGrote.




1 Is Vendor Management The New Risk Management? Douglas DeGrote

2 YES

3 What is Vendor Management?
A comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of third parties for products and services.
NOT GOOD ENOUGH ANYMORE

4 What is Vendor Risk Management (VRM)?
A comprehensive, risk-based program for identifying, decreasing and managing potential business uncertainties, impacts and legal liabilities regarding the hiring, use and termination of third parties for products and services.

5 What’s the difference?
- Why risk based?
  - Can’t fix everything – focus on high value targets
- Why a Program?
  - Plans are executed – a Program has a lifecycle and continued focus
- What is meant by Managing?
  - Your company’s risk appetite changes – so must your vendor relationship
- Why focus on Impacts?
  - It’s not IF it happens…it’s WHEN – you must prepare and test yourself
- Importance of Use & Termination?
  - Complacency with a vendor creates risk – need to periodically re-assess
  - Off-boarding of a vendor has many legal, system & data risks

6 Why is VRM so important?
- Your business is on the hook for third party data breaches
- When you outsource operations, risk and compliance remain your responsibility
- It is estimated that:
  - Two thirds of companies rely significantly on third parties
  - The largest area outsourced today is IT at 28%
  - 41% of data breaches in 2013 were caused by a third party
  - 62% of breaches take several months to discover
  - 85% of companies have experienced a supply chain disruption
- This is a Multi-BILLION Dollar problem…and you own it!

7 Where to start
Just five simple steps…
  - Understand Your Organization’s Risk Appetite
  - Build Your Program
  - Run Your Program
  - Govern Your Program
  - Assess Your Program

8 Understand Your Organization’s Risk Appetite
- Know your requirements and expectations
  - Regulatory, legal, insurance, investor, employee, customer, etc.
- Apply value $$
  - Assets, processes, brand, reputation, data, etc.
- Understand continuity options
  - Secondary supply or service providers
  - Manual recoverability
- Define acceptable impact
  - Earnings Per Share (EPS), profit margin, etc.

9 Building Your Program
- Define current state
  - Identify drivers that influence the scope and size
- Conduct inventory of vendors
  - Document assessment criteria based on risk category and size
- Develop clear program roles and responsibilities
  - How can you incorporate assessments into other workflows?
- Define your governance model
  - Use a scalable framework based on program maturity to level set the formality of reporting and exception management
- Develop a roadmap…with quick wins
  - Don’t try for “future state” overnight; start with core risk

10 Running Your Program
- Establish metrics
  - Define measurements that support decisions and investments
- Define trigger events
  - What are the internal and external events that could require adjustments to your program?
- Add maturity to your contract process
  - Try to build base contract language for different vendor categories and risk levels…ensure it also allows for re-assessments
- Establish your core team
  - Not all vendors and service providers are alike…make sure you have the expertise and adaptable processes to handle differences

11 Governing Your Program
- Optimize management and board communications
  - Make dashboards, reports and benchmarks meaningful to the business
- Don’t forget training and awareness
  - Policies are only effective if those accountable are informed
- Leverage process integration
  - Integrate with project management, procurement and contracts to implement assessment questionnaires into their processes
- Understand the vendor lifecycle
  - Adjust to new categories and types of risk…it’s not just about IT risk
  - Remember that using a vendor for more than one service or product may be easiest to assess as if it were multiple vendors

12 Assess Your Program
- Your company’s risk appetite will change
- The list of vendors will change
- The vendors themselves will change
- Requirements and expectations will change
- Your program will need to change as well

13 Look for key “quick wins”
- Look for “foundational” aspects to implement
  - Standardized methods for assessing “like” vendors
- Focus on a few “high impact” yet easy to implement standards
  - Common templates
  - Defined core controls that apply to all vendors
- Re-use what’s working…no need to re-invent the wheel
  - If Service Level Agreements are working, try to apply them uniformly across vendors and “keep it simple”

14 Start with a “high risk” focus
Vendors and third party relationships that:
  - Play a key role in the company’s daily operations
  - Have a critical impact on strategic projects
  - Require long-term contracts
  - Have potential for significant financial implications
  - Are difficult to change overnight
  - Require frequent interaction and collaboration for disputes, or have complex problem-resolution mechanisms
  - Access or manage substantial critical or sensitive data

15 Include other actions that help mitigate risk
- Diversify sourcing strategy to avoid “hot spots” of risk
- Use standard documents and templates
- Formulate clear requirements to avoid misunderstandings later
- Cover all relevant life-cycle events during contract drafting
- Set up Service Level Agreements and Operating Level Agreements
- Set up appropriate vendor performance/service level monitoring and reporting
- Perform an evaluation of compliance with enterprise policies
- Perform an evaluation of vendor internal controls
- Plan and manage the end of the relationship

16 Be creative
How you ask questions is as important as what you ask
- Asking if this vendor’s services are under scrutiny for regulatory compliance is good
  - Asking if this vendor’s services are key to being regulatory compliant is even better
- Asking if the vendor uses sub-contractors to provide their products or services is good
  - Asking who they use and where they are located is even better

17 Avoid common mistakes
- Failing to hold vendors to the same security standards you apply in-house
- Relying on contracts instead of conducting security assessments or audits of vendor security and privacy practices
- Selecting vendors based on quality of service and price only, rather than also considering their security or privacy practices
- Not knowing whether or how often the vendor is losing their sensitive data
- Not taking appropriate responsive action following a vendor breach, such as requiring the vendor to fix the problem

18 In summary
- Vendors represent a lot of risk for an organization, and it’s imperative that it’s understood and managed properly
- Vendor Risk Management is not a “point in time” analysis but an ongoing relationship that changes and requires you to be forever vigilant
- Uniformity and standardization are key to creating a program that is sustainable
- Don’t try to move the mountain…start with some core areas of high risk and mature the program as you expand out
- Don’t be afraid to ask…this is not a new problem and others have come a long way to solving it

19 THANK YOU

