Vendor Management 101

Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK

Principal, nControl, LLC; Adjunct Professor

• Presentation Overview
  – Vendor Management Overview
    • General
    • Processes
    • Financials
    • Tools
    • Service-Level Agreements (SLAs)
    • Security & Privacy Due Diligence
    • Business Continuity / Disaster Recovery
    • Project-based Work Versus Staff Augmentation
  – Case Studies
    • SEPTA VVS

Vendor Management

• What is Vendor Management?
  – Process of managing outside firms that provide goods or services.
    • A process, not a procurement task.

Vendor Management

• Who Performs Vendor Management?
  – Dedicated Function
    • Procurement
  – Shared Function
    • Legal
    • Project Management
    • Business
    • IT Security

Vendor Management

• Vendor Management Realities
  – Not All Vendors Are the Same
    • Cloud
    • Business Process Outsourcing (BPO)
    • Outside Counsel
    • Staff Augmentation
  – Mirrored Staff Can Really Help
    • Client Project Manager = Vendor Project Manager
  – Process Can Be Painful
    • Divorces Usually Are!
  – You Need a Written Contract Agreement
    • Things Go Wrong

Vendor Management

• Vendor Management Processes
  – Onboarding
    • Business Case
    • Project Management
  – Annual Re-evaluation
    • Syncs to Onboarding
  – Off-boarding “the Break-up”
    • Documenting Reasons Why
    • Cleanup
      – Badges & Physical Access
      – Orphaned System Accounts & Data

Vendor Management

• Onboarding
  – Business Case
    • Feasibility
    • Risk Assessment
    • Financial Analysis
  – Project Management
    • Project Portfolio Mgmt (PPM), Project Mgmt Office (PMO)
    • System Development Lifecycle (SDLC)
    • Funding Gates: Pilot, Proof of Concept (POC)
    • Procurement: Request for Proposal (RFP), Request for Info (RFI)
    • Change Management: Requests, Scope, Budget, Schedule

Vendor Management

Source: Safari Books

Vendor Management

Source: NYSE Euronext

Vendor Management

Source: NYSE Euronext

Vendor Management

Source: PMI

• RFP/RFI
  – RFP
    • More Prevalent
    • Drives Structure of Submission
    • Incumbent/Separate Vendor Can Develop Materials
  – RFI
    • Less Prevalent
    • More Iterative – Flushes Out Details
    • Usually Feeds Into RFP Process

Vendor Management

• Annual Re-evaluation
  – Feed Subsequent Business Cases
    • Market Assessment
      – Pricing Points
      – Low-Cost Leader
      – Time to Market
    • Metrics
      – Aligned with SLA
    • 360° Feedback
      – Lessons Learned
        » Internal & External Processes
    • Determine Need for Process Improvement
      – RFP / RFI
      – Vendor Questionnaire

Vendor Management

• Off-boarding “the Break-up”
  – Documenting the Reasons Why
  – Cleanup
    • Badges & Physical Access
    • Orphaned System Accounts & Data
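The "orphaned system accounts" cleanup item above is the one that is easiest to verify with data rather than a checklist. The script below is an added example, not from the presentation: it joins a vendor roster (contract end dates) against an account export and flags every account whose vendor relationship has ended, ranking an enabled account that was used after the contract end above an idle one, and both above an account that was disabled but never deleted. The roster, the account rows and the field names (user, vendor, enabled, last_login) are constructed assumptions, not any real directory's schema.

```python
"""Off-boarding cleanup check: flag vendor accounts that outlived the contract.

Added example for the off-boarding slide; not from the presentation. Both
inputs are constructed here, and the field names are assumptions rather than
a real directory schema.
"""
from datetime import date, datetime

# Constructed vendor roster: vendor id -> contract end date (None = still active).
VENDORS = {
    "acme-staffing": date(2013, 3, 31),
    "cloudco": None,
    "oldcounsel": date(2012, 12, 15),
}

# Constructed account export, one row per account a vendor was given.
ACCOUNTS = [
    {"user": "jdoe-acme",   "vendor": "acme-staffing",  "enabled": True,  "last_login": "2013-05-02"},
    {"user": "asmith-acme", "vendor": "acme-staffing",  "enabled": False, "last_login": "2013-03-20"},
    {"user": "svc-cloudco", "vendor": "cloudco",        "enabled": True,  "last_login": "2013-06-01"},
    {"user": "counsel1",    "vendor": "oldcounsel",     "enabled": True,  "last_login": None},
    {"user": "badge-7781",  "vendor": "unknown-vendor", "enabled": True,  "last_login": "2013-06-03"},
]

REVIEW_DATE = date(2013, 6, 10)  # assumed date of the off-boarding review


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def orphaned_accounts(accounts, vendors, as_of):
    """Return (user, reason, severity) for every account with no live vendor behind it.

    Severity: an enabled account used after the contract ended is the worst
    case (access that should have been revoked is in use); an enabled but idle
    one is next; a disabled-but-not-deleted one is residue still to clean up.
    An account whose vendor is not on the roster at all needs a human review.
    """
    findings = []
    for acct in accounts:
        if acct["vendor"] not in vendors:
            findings.append((acct["user"], "no vendor record", "review"))
            continue
        end = vendors[acct["vendor"]]
        if end is None or as_of < end:
            continue  # vendor still under contract as of the review date
        last = _parse_date(acct["last_login"])
        if acct["enabled"] and last is not None and last > end:
            findings.append((acct["user"], "used after contract end", "high"))
        elif acct["enabled"]:
            findings.append((acct["user"], "enabled after contract end", "medium"))
        else:
            findings.append((acct["user"], "disabled but not deleted", "low"))
    return findings


def run_review():
    """Run the check over the constructed data."""
    return orphaned_accounts(ACCOUNTS, VENDORS, REVIEW_DATE)


if __name__ == "__main__":
    for user, reason, severity in run_review():
        print(f"{severity:6} {user:12} {reason}")
```

The same join works against a badge-system export for the "badges & physical access" item; only the columns change. Running it at the annual re-evaluation as well as at off-boarding catches accounts created mid-contract that the original onboarding record never listed.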

Vendor Management

• Financials
  – Total Cost of Ownership, TCO
    • IT: ~60% Maintenance
  – Return on Investment, ROI
    • Internal Mandate
  – Cost-Benefit Analysis, CBA
    • Payback Period
  – Opportunity Cost
    • Expense of Choosing One Option versus Another
  – Sunk Cost
    • Outsourcing Does Not Yield Benefits
  – Capital versus Operating (Budgets, Expenses)

Vendor Management

• Tools
  – Software
    • Web Services
      – Custom Software Traversing Different Networks
    • Vendor Management System (VMS)
      – Enterprise Resource Planning (ERP) Module
        » SAP Ariba eBuyer
    • Change Management
    • Project Management
    • Business Activity Monitoring (BAM)
      – Call Center Metrics
  – Artifacts
    • Microsoft Office® Documents
    • Adobe PDF®

Vendor Management

• Tools
  – Research
    • Google
    • Company Literature (White Papers, Presentations)
    • Advisory Firms (Gartner, IDC, etc.)

Vendor Management

• SLA Overview
  – What is an SLA?
  – SLA Best Practices
  – SLA Lifecycle
  – Realistic Expectations with SLAs

Vendor Management

• What is an SLA?
  – Temporal Service Contract
  – Negotiated or Non-negotiated Bilateral Agreement
    – Dictates Service Provisions / Expectations / Metrics
    – Dictates Exit / Divorce Clause(s)
    – Dictates Refunds, Credits & Surcharges
    – Dictates Extenuating Circumstances (Force Majeure)
  – Not An End User License Agreement (EULA)
  – Not An Operational-Level Agreement (OLA)

Vendor Management

• What is an SLA?
  – Specific Sections
    – Term
    – Metrics
    – Definitions (Outage, Interruption or Failure)
    – Change Management for SLA
    – Cause for:
      – Termination
      – Refund
      – Surcharge
      – Credit

Vendor Management

• What is an SLA?
  – Specific Sections
    – Cause for:
      – Credit
        – Threshold: Outage lasts for x hours / minutes.
        – Pro-Rated: Rolling credits for downtime.
        – Percentage: $ per x hours / minutes.

Vendor Management

• What is an SLA?
  – Examples of Metrics
    – Mean Time To Repair / Recovery (MTTR)
    – Mean Time Between Failures (MTBF)
    – Time To Market (TTM) / Time to Implement (TTI)
    – Backlog Size
    – Rework Levels
    – Service Uptime / Availability
    – Data Throughput
    – Service Satisfaction
    – Quality of Service (QoS)
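The three credit structures (threshold, pro-rated, percentage) and the availability, MTTR and MTBF metrics on the slides above all derive from the same raw input: a log of outage start and end times, which is why the "Definitions (Outage, Interruption or Failure)" section matters so much. The following is an added example, not from the presentation or any real contract: it applies each credit model to a constructed one-month outage log and computes the metrics from the same records. The monthly fee, the 60-minute threshold, the 10% flat credit, the 5% per started hour and the 50% cap are all assumed parameters chosen only to show how far the three models diverge on identical downtime.

```python
"""SLA credit models and metrics, worked on a constructed outage log.

Added example for the SLA slides; not from the presentation. The clause
parameters and the monthly fee are assumptions for illustration only.
"""
import math
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"


def _ts(text):
    return datetime.strptime(text, FMT)


# Constructed outage log for June 2013: (start, end) of each incident.
OUTAGES = [
    (_ts("2013-06-03 02:00"), _ts("2013-06-03 02:45")),   # 45 min
    (_ts("2013-06-12 14:10"), _ts("2013-06-12 17:40")),   # 210 min
    (_ts("2013-06-25 09:00"), _ts("2013-06-25 09:20")),   # 20 min
]
PERIOD = (_ts("2013-06-01 00:00"), _ts("2013-07-01 00:00"))  # 30 days
MONTHLY_FEE = 10_000.0  # assumed contract value


def downtime_minutes(outages):
    return sum((end - start).total_seconds() / 60 for start, end in outages)


def availability(outages, period):
    """Service Uptime / Availability: fraction of the period the service was up."""
    total = (period[1] - period[0]).total_seconds() / 60
    return 1 - downtime_minutes(outages) / total


def mttr_minutes(outages):
    """Mean Time To Repair: average length of an outage."""
    return downtime_minutes(outages) / len(outages)


def mtbf_hours(outages, period):
    """Mean Time Between Failures: uptime in the period divided by the failure count."""
    total_h = (period[1] - period[0]).total_seconds() / 3600
    return (total_h - downtime_minutes(outages) / 60) / len(outages)


def credit_threshold(outages, fee, threshold_min=60, credit_pct=0.10):
    """Threshold clause: a flat credit once any single outage exceeds x minutes."""
    breached = any((e - s).total_seconds() / 60 > threshold_min for s, e in outages)
    return fee * credit_pct if breached else 0.0


def credit_prorated(outages, fee, period):
    """Pro-rated clause: credit the fee in proportion to total downtime in the period."""
    total = (period[1] - period[0]).total_seconds() / 60
    return fee * downtime_minutes(outages) / total


def credit_percentage(outages, fee, block_min=60, pct_per_block=0.05, cap=0.50):
    """Percentage clause: x% of the fee per started block of downtime, capped."""
    blocks = math.ceil(downtime_minutes(outages) / block_min)
    return fee * min(cap, blocks * pct_per_block)


def sla_report(outages=OUTAGES, period=PERIOD, fee=MONTHLY_FEE):
    """Metrics and the credit each clause type would yield for the same outages."""
    return {
        "downtime_min": downtime_minutes(outages),
        "availability": availability(outages, period),
        "mttr_min": mttr_minutes(outages),
        "mtbf_h": mtbf_hours(outages, period),
        "credit_threshold": credit_threshold(outages, fee),
        "credit_prorated": credit_prorated(outages, fee, period),
        "credit_percentage": credit_percentage(outages, fee),
    }


if __name__ == "__main__":
    for key, value in sla_report().items():
        print(f"{key:18} {value:,.4f}")
```

On this log the service is 99.36% available, yet the pro-rated clause returns under 1% of the fee while the percentage clause returns 25%, and the threshold clause pays nothing at all if the single long outage is removed. Which numbers count as one "outage" (a 20-minute blip, a partial degradation) is what the definitions section decides, so the metric a vendor reports and the credit it owes can both shift with that wording alone.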

Vendor Management

• SLA Best Practices
  – Use it for Vendor Selection
  – Adhere to it Internally
  – Leverage Change Management
  – Ensure the Metrics & Definitions Are Understood
  – Have an Attorney Interpret the Language / Verbiage
  – Get References / Do Research
  – Educate, Inform & Make Aware
  – Retain All Contract Documents

Source: IBM

Vendor Management

• Realistic Expectations with SLAs
  – Size Matters
  – Reputation Matters
  – Necessary Evil
  – Vested Interest for Vendor
  – Outages Happen
  – Risk Mitigation Versus Risk Removal
  – Everybody Loses Something In Litigation
  – Most Cloud Providers' SLAs Are Not Negotiable
    – Amazon, Microsoft, etc.
    – Smaller Providers Cater to Custom Needs

Vendor Management

• Security & Privacy Due Diligence
  – Existing Certifications / Attestations
    • SAS 70 Type II / SSAE 16 SOC I-II-III / ISAE 3402
    • ISO 27001 / 2
    • ISO 27036
    • BITS Shared Assessments
    • PCI DSS
    • HIPAA / HITECH
    • COPPA
    • US Safe Harbor
  – Others
    • Generally Accepted Recordkeeping Principles, GARP®
    • ISO 9000 / 15489
    • Capability Maturity Model Integration, CMMi
    • Better Business Bureau, BBB

Vendor Management

• Security & Privacy Due Diligence
  – Create Your Own Checklist
    – “Have you been breached?”
    – “Do you have an Information Security Officer?”
  – Have an Approved Third Party Assess Them
  – Place the Sales / Account Person on the Hook
    – Vested Interest with Commission

Vendor Management

• Business Continuity Planning / Disaster Recovery
  – SLA Should Drive Your
    – Recovery Time Objective (RTO)
    – Recovery Point Objective (RPO)
  – Plans in Place?
    – Add to Vendor Questionnaire
  – Annual Testing
    – Add to Questionnaire
    – Do They Include Their Vendors?
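A questionnaire answer of "yes, we test annually" is a claim; the evidence behind it can be checked against the RTO and RPO the SLA sets. The script below is an added example, not from the presentation: it treats the longest gap between successive backup completions as the RPO the vendor actually achieves, the restore time measured in the most recent test as the achieved RTO, and then checks that the test is less than a year old and covered the vendor's own vendors, which is the last question on the slide. The required values, the backup log and the test record are all constructed assumptions.

```python
"""BC/DR evidence check against SLA-driven RTO and RPO.

Added example for the BCP/DR slide; not from the presentation. Every value
below (requirements, backup times, test record) is a constructed assumption.
"""
from datetime import datetime

# What the SLA requires (assumed).
REQUIRED = {"rto_hours": 4.0, "rpo_hours": 1.0, "test_within_days": 365}

# Constructed backup completion log for one day; note the gap after 02:00.
BACKUP_TIMES = [datetime(2013, 6, 9, h, 0) for h in (0, 1, 2, 5, 6, 7, 8, 9)]

# Constructed questionnaire evidence: restore tests on record, most recent last.
RESTORE_TESTS = [
    {"date": "2012-03-01", "restore_hours": 3.5, "included_subcontractors": False},
]

REVIEW_DATE = datetime(2013, 6, 10)  # assumed date of the annual re-evaluation


def achieved_rpo_hours(backup_times):
    """Worst-case data loss equals the longest interval between two backups."""
    times = sorted(backup_times)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    return max(gaps)


def evaluate(required, backup_times, restore_tests, as_of):
    """Return (code, message) findings; an empty list means the evidence meets the SLA."""
    findings = []

    rpo = achieved_rpo_hours(backup_times)
    if rpo > required["rpo_hours"]:
        findings.append(("rpo", f"longest backup gap {rpo:.1f} h exceeds RPO of {required['rpo_hours']} h"))

    latest = max(restore_tests, key=lambda t: t["date"])
    if latest["restore_hours"] > required["rto_hours"]:
        findings.append(("rto", f"last test restored in {latest['restore_hours']} h, RTO is {required['rto_hours']} h"))

    age_days = (as_of - datetime.strptime(latest["date"], "%Y-%m-%d")).days
    if age_days > required["test_within_days"]:
        findings.append(("test_age", f"last restore test is {age_days} days old; annual testing required"))

    if not latest["included_subcontractors"]:
        findings.append(("subcontractors", "restore test did not include the vendor's own vendors"))

    return findings


def run_review():
    """Run the check over the constructed data."""
    return evaluate(REQUIRED, BACKUP_TIMES, RESTORE_TESTS, REVIEW_DATE)


if __name__ == "__main__":
    for code, message in run_review():
        print(f"{code:15} {message}")
```

The restore-time check is the one most often answered with a planned figure rather than a measured one; asking for the test report, not the plan, is what turns the questionnaire line into evidence.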

Vendor Management

• Project-based Work Versus Staff Augmentation
  – Projects
    – Clearly Defined Scope
    – Firm Fixed Price
    – Resource Neutral
  – Staff Augmentation
    – Ambiguous Scope
    – Hourly
    – Resource Specific
  – Hybrids
    – Best of Both Worlds

• Case Study: SEPTA VVS
  – Background
  – Drivers
  – Technologies
  – Limitations
  – Risks
  – Lessons Learned
  – Next Steps

Vendor Management

• Case Study: SEPTA VVS
  – Background
    – Southeastern PA Transit Authority
    – Vehicle Video Surveillance System
    – 2000+ Vehicles & Train Cars
    – Phased Project
  – Drivers
    – Hundreds of Fraudulent Injury Claims Annually
    – Employee Behavior

Vendor Management

• Case Study: SEPTA VVS
  – Technologies
    – GE Security MobileView
    – NetApp Storage Area Network (SAN)
  – Limitations
    – Daily MobileView Storage Capacity
    – Aggregate Online Storage

Vendor Management

• Case Study: SEPTA VVS
  – Risks
    – Privacy Laws
    – Retention Requirements
    – Security Regulations
  – Lessons Learned
    – Understand Strategic Direction of Vendor
    – Understand Ecosystem
      – Subcontractors

Vendor Management

• Presentation Takeaways
  – Vendor Management = Iterative Process
  – Improve Over Time
  – Strategy & Due Diligence Are VERY Important
    – Must Consider the Business Ecosystem

Vendor Management

• References
  • http://my.safaribooksonline.com/book/software-engineering-and-development/project-management/0789731975/managing-vendors/ch21lev1sec5

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey