What Is Vendor Management And Why Is It Important To You? Matt Luongo – CLS Bank International...

CLS Classification: Confidential Information What Is Vendor Management And Why Is It Important To You? Matt Luongo – CLS Bank International June 17, 2015


Page 1

What Is Vendor Management And Why Is It Important To You?

Matt Luongo – CLS Bank International

June 17, 2015

Page 2

1. Who manages third party vendors at your organization?

2. Is there a vendor management framework that consistently manages third party risks?

3. Do you know all of your vendors? Do they have a contract?

Page 3

Agenda

Vendor Management
o Key Components
o Effective Vendor Management Framework

Regulator Expectations
o Focus Areas

Page 4

Disclaimer

The opinions expressed in this presentation and on the following slides are solely those of the presenter and not those of CLS Bank.

Concepts used have been adapted based on Gartner and Deloitte research and noted as such.

Page 5

In The News

St. Louis Federal Reserve URLs Hijacked - 2015

Target Investigates Credit Card Breach - 2013

Home Depot’s 56 Million Card Breach Bigger Than Target’s - 2014

“In 2013, American Express, Capital One, and Discover Bank paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers.” - McKinsey & Company July 2013

No one ever remembers the vendor’s name

Effective Vendor Management

Page 6

What is Vendor Management?

Vendor Management is the ongoing management of third-party providers of products or services.

The goal of VM is to ensure the organization continuously obtains the best value from external providers of products and services while controlling exposure to vendor-related risk.

Lifecycle: Description

• Governance & Process: Establish strategy and governance. Define SOPs, documentation, system, roles and responsibilities.
• Select Vendors: Select vendors in accordance with a formal, unbiased practice. Ensure the best fit for the product/service requirements and the best value at the optimal exposure to vendor risk.
• Manage Vendor Contracts: Manage vendor contracts through the contract lifecycle.
• Manage Vendor Risk: Manage vendor risk to protect the organization from negative effects that can be caused by events on the vendor’s side.
• Manage Vendor Relationships: Maintain effective relationships with vendors.
• Manage Vendor Performance: Ensure vendors perform as contracted.

Vendor Manager

Business Owner

Procurement Finance Legal Sr. Mgmt.

Page 7

Why is it important?

Because we must measure, manage, and scrutinize the vendors we rely on to deliver value

Reliance
• Need vendors to deliver critical specialized services
• Over half of a company’s expenditure is with vendors
• Vendors globally help us achieve our mission

Value
• Maximise value and deliver great commercial outcomes through our relationships

Risk
• Increased regulatory and member scrutiny on how financial institutions manage third party vendor risk - operational, cyber security, supply chain, compliance, strategic, financial and reputational

Our Contracts are a Strategic Asset

Vendor Management is a Core Competence

Importance has evolved with changing business environment

[Timeline figure; years marked: 2000, 2005, 2008, 2013, 2015; labels: Y2k, Offshore, Financial Crisis, Nearshore, Digital / Internet of Things, Oversight]

Page 8

What is a third party vendor?

• Any individual or entity, which is not a direct employee, which provides a product/service to, or on behalf of, the organization
• Typically managed at both the engagement and relationship levels

Vendors

Affiliates

Contractors

Service Providers

Partnerships

Joint Ventures

Agencies

Law firms

Government Organizations

Engagement: One service, one contract, provided to one line of business

Relationship: Multiple engagements with the same company

Page 9

Vendors may present a combination of risks

Risk Description

Cyber • Ensuring confidentiality, integrity, availability of information assets

Compliance/legal • Actions inconsistent with legal, policy or regulatory requirements

Service delivery • Third party failures resulting in impact to the service

Contractual • Inability to deliver services per contract

Business continuity • Inability to continue providing services

Intellectual property • Inappropriate use of intellectual property

Financial • Inability to meet contractual obligations due to financial difficulties

Reputation • Issues impacting an organization’s brand and reputation

Geopolitical • Region/country-specific factors

Strategic • Third party not aligned with the organization’s strategic objectives

Credit • Inability to make obligated payments

Quality • Inability to deliver a quality service/product

Inherent risk to the product/service

Risks unique to the third party

Source: Deloitte

Page 10

How do you manage all the vendor activity?

A Vendor Management Framework provides an end-to-end view for identifying and managing vendors and the risk across the vendor lifecycle

Source: Gartner Vendor Management Framework

Page 11

Maturity Model

Many models benchmark the program’s maturity

Source: Gartner Vendor Management Maturity Model

Page 12

Regulatory Expectations

Page 13

Regulatory Expectations

Regulators globally have issued heightened standards and guidance for third parties. These cover most regulatory expectations:

• Expanded scope: Oversee all service providers, affiliates, partnerships and other third parties
• Governance and accountability: Define responsibilities of the board, senior management, and relationship managers
• End-to-end risk management: Formalize risk management across the life-cycle and risk domains. Greater scrutiny with high risk vendors.
• Due Diligence: Assess how vendors are sought, vetted, selected
• Contracts: Do you have them? Do they have the appropriate clauses? Execute a contract inventory.
• Monitoring: Timely and effective reporting in vendor relationships. Demonstrate you have sufficient visibility and control. Use of scorecards and dashboards
• Compliance: Identify all relevant compliance requirements and document how they are being met
• Independent Reviews: Do your vendors ‘say what they do’ and ‘do what they say’? Risks are documented and controls are in place.
• Business Continuity: Consider the systemic implications of outsourcing and potential third party failures

Page 14

Governance

• Executive and Board engagement
• Defined roles and responsibility
• Drive and approve policy
• Monitor and oversee vendor portfolio
• Two tier governance model

Executive Committee: Sets the tone…
• Strategic Alignment
• Policy
• Risk appetite
• Vendor oversight
• Escalations

Vendor / Operations Committee: Drives Vendor…
• Performance
• Compliance
• Demand pipeline
• Business Continuity
• Audits

General awareness of vendors… is no longer an acceptable

Page 15

Risk Classification

• Formal risk management across the life cycle and risk domains
• Risk-based segmentation tool
• Risk is not based on value alone
• Apply resources based on level of segmentation

Risk Considerations
• Reputational
• Info Security and Privacy
• Contractual
• Service Delivery
• Financial
• Business Continuity
• Geopolitical
• Regulatory
• Exit Strategy

Other Considerations
• Domestic / Offshore
• Core / Non-core

Page 16

Monitoring

Account Plans

Performance Dashboards

Governance

Vendor Risk Dashboards

[Figure: sample vendor performance dashboard. Header fields: Vendor, Vendor Manager. Reporting periods: Last Quarter (Av), Last Month, Current Month. An Overall RAG status is shown alongside Commercial, Operational, Financial and Relationship RAG statuses. Legible panel text follows.]

Operational Performance: SLA description, aggregated SLA performance against performance target, and incidents (internal and external) for each reporting period. Services shown: Faster Payments, ePayments, Payment SI.

Performance Commentary
i. SLA performance achieved across all service contracts
ii. The volume of service incidents received this period was c. 8% lower than last month, which continues a trend over the last few months of continued reductions
iii. Effort is still being expended within the AM teams to assist with the MSS network changes - xxx continue to receive favourable feedback

Commercial Performance: upcoming activity, status of activity, and next meetings (xxx 20/03/2014).

Continuous Improvement Plan underway to:
i. SAP data Consistency
ii. SAP Coding Design and Software Performance
iii. Identification of SAP knowledge gaps plus knowledge transfer
iv. Initiative underway to improve CBIA incident management responses and fix time

Commercial Commentary
Overall supplier performance tracking green, seven planned sourcing activities underway with all relevant stakeholders involved.

Financial Performance: Budget, Planned Spend, Committed Spend, Actual Spend, EAC, Planned Benefit and Actual Benefit (all in £k), with a chart of Spend (£m inc VAT) by month from April to March showing Budget, Forecast and Actual.

Financial / Programme Commentary
i. xxx tracking to agreed spend profile
ii. The minimum spend commitment currently stands at charges of £4.45M, with delta of -£1.55M to find. Gxxxo meet to discuss future work to be contracted to close FY12/13 delta.

Relationship Performance: Subjective Feedback.

Relationship Commentary
i. The xxx relationship remains healthy across the account
ii. Recent visits undertaken to x and x by xxx were successful
iii. All contracts signed off and no 'At Risk' work

Risks: Contract / Project or Service, Risk, Impact, Probability, Mitigation, Owner.

• Stakeholder maps
• Governance meetings

Consolidated reporting:
• Commercial
• Performance
• Risk
• Financials
• Relationship

Dept. Sourcing plans
• Pipeline

Supplier Account plans:
• Engagements
• Pipeline
• Improvement plans
• Innovation
• Investment

[Figure: vendor risk heat map. Each service is scored under three column groups: Service Risks, Vendor Risks and Potential Impact. Column labels, in extracted order: Data, Core Service, Internet facing, Software dev, Members, Health & Safety, Intellectual Prop, Geography, Reliance, Viability, Subcontracting, Contagion, CLS Economic Loss, Reputation, Settlement Member, Regulatory, Service Impact, Health & Safety, Spend. Scores per service, in extracted order:]

Application development: 3 5 1 4 1 2.7 4.2 4.2 1.9 1 1 3 5 5 5 5 5 1 5

Penetration testing: 3 4.2 3 3.2 1 1.1 4.2 1.4 2.6 1 1 1 5 5 4 4 5 1 2

MPLS Service: 2.6 4.2 1 3 1 3.1 1 1.4 1.8 1 1 4 5 3 5 5 5 1 5

Provision and support of key IT software/systems: 3.4 4.6 3 4 1 1.3 4.2 1.4 1.5 1 5 3 4 3 2 2 3 1 5

Hosting of Internal CLS IT systems: 3.4 2.2 1 2 1 3.9 1 1.4 2.9 1 5 3 4 3 3 4 3 3 4

Insurance Broker: 3.8 1.8 1 1.6 1 1.1 1 1.4 1.7 1 1 2 4 2 1 2 1 1 4

Building works: 1.4 1 1 1 1 3.3 4.2 1.4 2.9 1 5 3 3 2 1 2 3 5 5

• Portfolio reporting
• Segmentation
• Aligned governance and resources

Page 17

Regulatory Guidance

Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties

FFIEC IT Examination Handbook – Appendix J – Resilience of Outsourced Technology Services (Feb 2015)

• Asserts the financial institution's responsibility to control business continuity risks with third parties
• Must consider the potential impact of disruptions and the ability to restore services
• Validation of business continuity plans with third parties and considerations for third party testing

FRB SR 14-1 – Recovery and Resolution Preparation (Jan 2014)

• Identification of internal and external dependencies, and contingency planning for these dependencies
• Firms must have clearly documented agreements with vendors

SEC Reg SCI – Regulation Systems Compliance and Integrity (Nov 2014)

• Requires supplier selection and auditing of vendor services

NIST 800-161 – Supply Chain Risk Management Practices (June 2014)

• Defines requirements on identifying, assessing and mitigating supply chain risks for information and communication technology products and services

OCC Bulletin 2013-29 – Third-Party Relationships (Oct 2013)

• Same responsibilities for in-house and out of house services
• Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships
• An effective risk management process throughout the life cycle of the vendor relationship

Page 18

Takeaways

• Understand how vendors are being managed at your organization
• Are you focused on the right things?
• Familiarize yourself with the latest regulatory guidance
• Regularly assess and monitor the effectiveness of vendor program, not just at the vendor selection stage
• Include vendor risk management as a function within the vendor management program

Third-party relationships must be good for the company, its vendors and consumers