Caveat Emptor: What is Vendor Management & Why is it Important to You? Session 4: Vendor Management

Transcription

1 Caveat Emptor: What is Vendor Management & Why is it Important to You? Session 4: Vendor Management insidearm LLC

2 Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case. Every effort has been made to assure this information is up-to-date. It is not intended to be a full and exhaustive explanation of the law in any area, however, nor should it be used to replace the advice of your own legal counsel. Session 4: Vendor Management insidearm LLC

3 Getting Started: Key Questions 1. Who manages third party vendors at your organization? 2. Do you know all of your vendors? Do they have a contract? 3. How often to you evaluate your vendors or do you allow them to self-certify their compliancy? 4. Is there a vendor management framework that consistently manages third party risks? Session 4: Vendor Management insidearm LLC

4 Poll Question #1 Pick the answer that best describes you: Compliance officer; In house or outside counsel; Vendor management/accounting; Operations or business manager; Company owner; or Vendor. Session 4: Vendor Management 4 insidearm LLC

5 Agenda Vendor Management o Key Components o Effective Vendor Management Framework Regulator Expectations o Focus Areas 5

6 Poll Question #2 Pick the answer that best describes where you are in the development of a vendor management program: Thinking about having one but up until now allow vendors to demonstrate their qualifications and compliance; Updating our vendor management program; or Proofing our vendor management compliance controls and strategies in order to improve and fine tune; or Why do I need a vendor management program at all? Session 4: Vendor Management 6 insidearm LLC

7 In The News Target Investigates Credit Card Breach In 2013, American Express, Capital One, and Discover Bank paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers. - McKinsey & Company July 2013 No one ever remembers the vendor s name 7

8 What is Vendor Management? Vendor Management is the ongoing management of third-party providers of products or services The goal of VM is to ensure the organization continuously obtains the best value from external providers of products and services while controlling exposure to vendor-related risk Lifecycle Governance & Process Select Vendors Description Establish strategy and governance. Define SOPs, documentation, system, roles and responsibilities Select vendors in accordance with a formal, unbiased practice. Ensure the best fit for the product/service requirements and the best value at the optimal exposure to vendor risk Manage Vendor Contracts Manage vendor contracts through the contract lifecycle Manage Vendor Risk Manage vendor risk to protect the organization from negative effects that can be caused by events on the vendor s side Manage Vendor Relationships Manage Vendor Performance Maintain effective relationships with vendors Ensure vendors perform as contracted Vendor Manager Business Owner Procurement Finance Legal Sr. Mgmt. 8

9 Why is it important? Because we must measure, manage, and scrutinize the vendors we rely on to deliver value Reliance Need vendors to deliver critical specialized services Over half of a company s expenditure is with vendors Vendors globally help us achieve our mission Our Contracts are a Strategic Asset Value Risk Maximise value and deliver great commercial outcomes through our relationships Increased regulatory and member scrutiny on how financial institutions manage third party vendor risk - operational, cyber security, supply chain, compliance, strategic, financial and reputational Vendor Management is a Core Competence Importance has evolved with changing business environment Y2k Offshore Financial Crisis Nearshore Digital / Internet of Things Oversight 9

10 What is a third party vendor? Any individual or entity, which is not a direct employee, which provides a produce/service to, or behalf of, the organization Typically managed at both the engagement and relationship levels Vendors Service Providers Agencies Affiliates Contractors Partnerships Joint Ventures Law firms Government Organizations One service, one contract, provided to one line of business Multiple engagements with the same company Engagement Relationship 10

11 Vendors may present a combination of risks Risk Description Cyber Ensuring confidentiality, integrity, availability of information assets Inherent risk to the product/ service Compliance/legal Actions inconsistent with legal, policy or regulatory requirements Service delivery Third party failures resulting in impact to the service Contractual Inability to deliver services per contract Business continuity Inability to continue providing services Intellectual property Inappropriate use of intellectual property Financial Inability to meet contractual obligations due to financial difficulties Risks unique to the third party Reputation Issues impacting an organization s brand and reputation Geopolitical Region/country-specific factors Strategic Third party not aligned with the organization s strategic objectives Credit Inability to make obligated payments Quality Inability to deliver a quality service/produce Source: Deloitte 11

12 How do you manage all the vendor activity? Vendor Management Framework provides an end-to-end view to identifying and managing vendors and the risk across the vendor lifecycle Source: Gartner Vendor Management Framework 12

13 Maturity Model Many models that benchmark the program s maturity Source: Gartner Vendor Management Maturity Model 13

14 Poll Question #3 I am aware that the CFPB, courts and other regulators can hold our company responsible for the conduct of our vendors (and vice versa). True False. Session 4: Vendor Management insidearm LLC

15 Regulatory Expectations Regulators globally have issued heightened standards and guidance for third parties. These cover most regulatory expectations. Expanded scope Governance and accountability End-to-end risk management Due Diligence Contracts Monitoring Compliance Independent Reviews Business Continuity Oversee all service providers, affiliates, partnerships and other third parties Define responsibilities of the board, senior management, and relationships managers Formalize risk management across the life-cycle and risk domains. Greater scrutiny with high risk vendors. Access how vendors are sought, vetted, selected Do you have them? Do they have the appropriate clauses? Execute a contract inventory. Timely and effective reporting in vendor relationships. Demonstrate you have sufficient visibility and control. Use of scorecards and dashboards Identify all relevant compliance requirements and document how they are being met Do your vendors Say what they do? and Do what they say. Risks are documented and controls in place. Consider the systemic implications of outsourcing and potential third party failures 15

16 Governance Executive and Board engagement Defined roles and responsibility Drive and approve policy Monitor and oversee vendor portfolio Two tier governance model Sets the tone Strategic Alignment Policy Risk appetite Vendor oversight Escalations Executive Committee Vendor / Operations Committee Drives Vendor. Performance Compliance Demand pipeline Business Continuity Audits 16

17 Risk Classification Formal risk management across the life cycle and risk domains Risk- based segmentation tool Risk is not based on value alone Apply resources based on level of segmentation Risks Considerations Reputational Info Security and Privacy Contractual Service Delivery Financial Business Continuity Geopolitical Regulatory Exit Strategy Other Considerations Domestic/Offshore Core / Non-core 17

18 Monitoring Governance Account Plans Stakeholder maps Governance meetings Dept. Sourcing plans Pipeline Supplier Account plans: Engagements Pipeline Improvement plans Innovation Investment Performance Dashboards Vendor Risk Dashboards Consolidated reporting : Commercial Performance Risk Financials Relationship Portfolio reporting Segmentation Aligned governance and resources 18

19 Regulatory Guidance Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties FFIEC IT Examination Handbook Appendix J Resilience of Outsourced Technology Services (Feb 2015) FRB SR 14-1 Recovery and Resolution Preparation (Jan 2014) SEC Reg SCI Regulation Systems Compliance and Integrity (Nov 2014) NIST Supply Chain Risk Management Practices (June 2014) OCC Bulletin Third-Party Relationships (Oct 2013) Asserts the financial institution's responsibility to control business continuity risks with third parties Must consider the potential impact of disruptions and the ability to restore services Validation of business continuity plans with third parties and considerations for third party testing Identification of internal and external dependencies, and contingency planning for these dependencies Firms must have clearly documented agreements with vendors Requires supplier selection and auditing of vendor services Defines requirements on identifying, assessing and mitigating supply chain risks for information and communicating technology products and services Same responsibilities for in-house and out of house services Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships An effective risk management process throughout the life cycle of the vendor relationship 19

20 Regulatory Guidance Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties CFPB Bulletin (April 2012) Defines CFPB s expectation for supervised entities to oversee service providers in a manner that ensures compliance with consumer financial law Legal responsibility for harm to consumers may lie with the supervised entity as well as with the service provider Suggests specific steps to prevent risks: Conducting due diligence to verify the service provider understands and is capable of complying with Federal consumer financial law Reviewing service providers policies, procedures, internal controls and training materials Including clear expectations for compliance, including enforceable consequences for compliance related violations, including UDAAP Establishing internal controls and on going monitoring Taking prompt action upon discovery of problems, including terminating the relationship 20

21 CFPB Enforcement Actions Holding Service Providers Accountable In 2015, the CFPB obtained an injunction that among other things prevented an industry vendor, Global Connect from automatically broadcasting robo-calls to millions of consumers. This was in the midst of an enforcement action against companies, including debt collectors, alleged to have been engaged in a robo-call phantom debt collection operation. Using automated calls to threaten, harass, and deceive consumers in attempts to collect debts the consumers did not owe either to them or others. See, But the CFPB had already advised entities that it would expect them to oversee their serviceproviders activities. See, 21

22 Recommendations for Next Steps Third-party relationships must be good for the company, its vendors and consumers Understand how vendors are being managed at your organization Are you focused on the right things? Familiarize yourself with the latest regulatory guidance Regularly assess and monitor the effectiveness of vendor program, not just at the vendor selection stage Include vendor risk management as a function within the vendor management program 22

23 Poll Question #4 I would like to spend more time drilling into vendor management checklists, contract provisions we should/should not agree to, and any sample policy drafting in this area. Agree; or No opinion; or Disagree. Session 4: Vendor Management insidearm LLC

24 Thank you. Questions? Session 4: Vendor Management insidearm LLC

25 Resources Gartner Vendor Management Resources ype=&typeaheadtermid=&keywords=vendor+management Deloitte Vendor Management Resources Reviews of Top 10 Vendor Management Systems Blog: What Vendor Managers Should Know Session 4: Vendor Management 25 insidearm LLC

26 This webinar was co-produced by generously supported by compliancepf.com This webinar was co-produced by the Compliance Professionals Forum, an educational membership organization created by insidearm. Members receive: clearly explained, up-to-theminute compliance insight how-to guidance and tools help from a network of peers who can walk you through compliance challenges Session 4: Vendor Management insidearm LLC