Vendor risk management leading practices Glenn Siriano KPMG LLP DRAFT




KPMG International is a Swiss cooperative that serves as a coordinating entity for a network of independent member firms. KPMG International provides no audit or other client services. Such services are provided solely by member firms in their respective geographic areas. KPMG International and its member firms are legally distinct and are separate entities. They are not, and nothing contained herein shall be construed to place these entities in the relationship of, parents, subsidiaries, agents, partners, or joint ventures. No member firm has any authority (actual, apparent, implied or otherwise) to obligate or bind KPMG International or any member firm in any manner whatsoever, or vice versa. For the purpose of this document, all references to KPMG International, a Swiss cooperative that serves as a coordinating entity for a network of independent member firms operating under the KPMG name, will be referenced as KPMG International. Throughout this document, "KPMG" ("we," "our," and "us") refers to the local, independent KPMG member firm or firms. Throughout this document, "client" ("they," "their" and "them") refers to the local, independent member firm's client. KPMG International provides no client services.

VRM program and program objectives

VRM is a risk-based approach to managing vendor relationships through:
- Risk identification and prioritization
- Vendor due diligence
- Vendor stratification
- Contract management
- Continuous risk and vendor monitoring
- Governance and compliance to the VRM program structure
- Monitoring of key financial and operational information related to vendor relationships

Key objectives of an organization's VRM program could include the following:
- Provide a comprehensive view of risks related to engagement with vendors/service providers/business partners
- Align vendor risk management activities with enterprise risk management programs
- Assure proper ongoing vendor due diligence
- Identify, manage and mitigate vendor risks
- Create central coordination and support for ongoing vendor risk management activities
- Develop risk expertise to help organizations consider risk issues, in addition to cost and service capabilities, in selecting business partners
- Fulfill regulatory/compliance requirements, including sustainability

Evolving scope of vendor-related risks

Views of vendor risk have historically been limited to supplier quality, performance compliance, and overall viability of the supplier. More recently, increased complexity, further integration, and extension of organizational supply chains have expanded these traditional components into myriad specific and ancillary risks, as demonstrated in the graphic below. The risk profiles of organizations are changing as they move to doing business as extended global enterprises.

VRM programs typically focus on:
- Enterprise-level risks inherent in vendor relationships (e.g., business continuity)
- Vendors performing core business processes (e.g., outsourced functions)
- Vendor health and financial viability
- Risks associated with client/customer-facing activities (e.g., customer help desk, service execution)

Graphic labels: Emerging Risk Profile; Relationship Specific Risks. Risk areas shown: Data Security, Geo Political, Brand Reputation, Supplier Quality, Supplier Viability, Legal Liability, Supplier Performance/Compliance, Contractor Employees, Intellectual Property Rights, Tier 2/3 Suppliers, Green/Sustainability, Business Continuity.

KPMG's perspectives

KPMG's VRM approach provides a view for describing key touchpoints of the VRM framework. A key tenet of the KPMG approach to VRM is the integration of VRM activities throughout the SS&P life cycle, as depicted below (KPMG's Strategic Sourcing and Procurement representation).

Leading VRM practices include:
- VRM integrated throughout the entire strategic sourcing and procurement lifecycle.
- A significant portion of vendor risk identified and mitigated in the early stages of the strategic sourcing process.
- Contract management used to monitor and mitigate identified risks.
- Ongoing vendor risk management that assesses changes to residual risks and performs mitigation activities in a structured way.

Sources of risk

Decisions made in the process of executing sourcing activities as part of the Strategic Sourcing Cycle introduce specific vendor-related risks to the enterprise:
- Lack of rigor in onboarding and off-boarding processes and/or excessive vendor churn can expose the entity to Business Continuity, IT Security and Sustainability risks.
- Decisions about which specific goods or services are going to be purchased can lead to risks such as Brand Reputation and IT Security risks (e.g., sharing information with a data services provider).
- Choosing to include low-cost countries as part of the commodity marketplace can introduce Brand Reputation, Geo-political, and Business Continuity risks.
- Reliance on a single source or market could expose a client to Business Continuity risks.
- New vendors could expose a client to risks such as Supplier Viability, Brand Reputation, Physical Security and other risks.
- Inadequate contractual terms could expose the entity to Legal Liability, IT Security and Brand Reputation risks.
- Inadequate contract management and monitoring could expose the entity to all of these risks.

Types of risk

Risk type definitions:
- Inherent Risk: the possibility that events or circumstances will prevent the client from achieving its objectives, prior to taking into account the effects of internal controls. Inherent risk is also known as gross risk.
- Internal Control: controls that help to reduce, transfer or avoid inherent risks throughout the vendor lifecycle via existing capabilities and agreed-upon controls.
- Residual Risk: the risk remaining after considering the effect of internal controls implemented throughout the vendor lifecycle.

Residual Risk = Inherent Risk − Internal Control

Vendor risk categories

- Financial risk: The risk that our client's involvement with a vendor/service provider may result in a negative financial impact on profitability or results.
- Operational risk: The risk that our client's involvement with a vendor/service provider may result in a negative impact to the organization's processes, systems and people, adversely affecting ongoing business operations (e.g., potential for service disruption, reputational harm, failure to perform, etc.).
- Compliance risk: The risk to the organization arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, or ethical standards arising due to the organization's involvement with a vendor/service provider. Compliance risk includes:
  - Regulatory compliance: risks associated with a failure to comply with regulatory requirements when compliance is delegated to the vendor.
  - Records management: risks associated with the failure to retain required records, to protect those records, and to destroy them based on contractual and regulatory requirements.
  - Data protection/privacy: risks associated with the unauthorized access, use, or disclosure of client/employee personally identifiable or business secret/confidential information resulting from a lack of adequate administrative controls at the vendor's organization.
  - Anti-money laundering/know your customer/counter-terrorist financing (AML/KYC/CTF): risks associated with a failure to comply with regulatory and internal policy requirements regarding AML/KYC/CTF when compliance is delegated to the vendor.
  - Fraud, bribery, and corruption: risks associated with a failure to comply with regulatory and internal policy requirements regarding fraud, bribery, and corruption when compliance is delegated to the vendor.
- Business continuity risk: The risk of a significant impact to the timely resumption and delivery of essential services, business processes and operations resulting from the organization's involvement with a vendor/service provider.
- Technology/information security risk: The risk to an organization resulting from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction of information and/or information systems.

VRM strategy, governance, oversight and compliance
October 29-30, 2012, Hotel Pennsylvania

Description

For a Vendor Risk Management program to operate effectively, the overarching objectives, the scope, and policies have to be drafted, agreed upon, and operational. These require the sponsorship and promotion of executive management. This information needs to be documented, communicated across the organization, and available in readily accessible formats and delivery mechanisms. In addition, policies and procedures need to be revisited on a periodic basis to ensure their continued relevance.

VRM program governance typically resides within Procurement. Some organizations have created a Supply Chain Finance function to manage and monitor the VRM function. This program governance should be integrated with overall ERM governance. There can be challenges to this governance framework when Procurement is relatively immature or less valued in the organization than other functions/departments. Additional challenges may arise when the GRC function is matrixed or dispersed across the organization. In some organizations with a very strong brand and customer focus, VRM is aligned with the brand management, customer relationship management and corporate social responsibility functions.

Key VRM program components to consider:
- Existence of formalized and documented objectives, scope and policies, and the level of awareness of this information across the organization
- Availability of information on objectives and policies during the day-to-day operations of the VRM process
- How the relevance of this information is maintained, and how changes to the information are developed and communicated
- Interaction with existing risk management processes such as GRC and ERM
- Interaction with corporate social responsibility goals and programs
- Existence of identified responsible executives supporting the program
- Position and standing of program leadership
- Integration with ERM governance
- Ability to assess and manage compliance with program requirements

An established program should monitor enterprise-wide compliance with VRM program components. Clear definitions of program requirements, visibility into program activities, and a robust reporting process will help ensure program compliance.

VRM program strategy (objectives and scope)

Well-defined program objectives help to drive VRM program development and aid in building effective monitoring and compliance frameworks.

Key diagnostics:
- Does a formal VRM strategy exist, and is it documented and communicated?
- Are there existing GRC and/or ERM strategies with documented risk profiles and tolerances?
- Is the VRM program integrated with ERM, and vice versa?
- How mature is the procurement function?
- What is the nature of the regulatory environment, and how is compliance currently managed?
- Are there unique/unusual third-party relationships that need to be incorporated into the program?
- Are there business areas that require special treatment (e.g., outsourced functions, joint ventures)?
- How transparent are the relationships with vendors, suppliers, and business partners?
- Are there sustainability standards in place for vendors? Are these standards clearly defined and understood by vendors?

Sample objectives:
- Protect the organization from risks inherent in transacting business with and through third parties, within established risk tolerances
- Evaluate, quantify, and address risk associated with third-party relationships
- Ensure fulfillment of regulatory requirements and expectations
- Drive continuous improvement in controls and reporting for managing third-party risk

Sample scope considerations:
- Centralization/decentralization: determine the degree of centralization or decentralization of procurement within the organization
- Third parties: determine which third-party relationships will be defined as vendors and managed within the program
- Geographical coverage: determine which regions should be required to be in compliance with VRM policies
- Business areas: determine which business areas or units should be required to be compliant with VRM policies
- Risk areas: determine which risk areas the VRM program should evaluate and manage, and the key areas representing the most significant risks within the overall vendor population

VRM program policy

Policies provide the authority and responsibility to build a VRM program that can achieve the defined strategy and objectives.

Key diagnostics:
- Do policies governing procurement activities exist? Are they enterprise-wide and disseminated from the executive level? Are they consistent with other enterprise policies?
- Do policies fully support and enable the objectives of the VRM program?
- Have the policies been consistently adopted throughout the organization? How are policies communicated?
- Who is responsible for maintaining and updating policy? How are policies reviewed for continuing relevance to changes in the business? How frequently is the review performed?
- Is there a compliance program in place? Who manages it? How are metrics collected and managed? What are the consequences of noncompliance?

VRM governance and oversight

VRM governance should be aligned with the overall ERM governance, with cascading responsibilities.

Key diagnostics:
- Who owns responsibility for VRM performance?
- How are issues/risk events escalated in the organization?
- How is VRM information passed to/from the ERM/GRC monitoring process? What information is shared?
- Who manages performance metrics for the VRM program? Where does this data reside? What are the key metrics?
- What are the triggering events to be monitored?
- What are the elements of the business that make working with third parties carry increased risk?
- Are there any regulatory requirements?

Sample governance structure (oversight structure graphic): Audit Committee; Corporate Risk Management Committee (CRMC); Vendor Risk Management Advisory Board; Vendor Risk Team; Accountable Execs; Business Owners / Vendor Managers; Compliance Management.

VRM program compliance

The client's VRM program compliance assists the client in ensuring that all client stakeholders and process participants are following the defined program.

Key diagnostics:
- Is there executive support and sponsorship of compliance activities?
- What types of reporting are generated? Who are the recipients of reports? How are the reports used/reviewed by the recipients?
- How is noncompliance with program requirements addressed?

Compliance drivers:
- Performance goals: vendor managers for Tier 1 vendors should have performance goals directly tied to the management of the vendor, to ensure that the relationship is being managed appropriately
- Training: investing in policy and process training, including providing sufficient time and resources for training activities and skills enhancement
- Management: evaluating program performance at regular intervals, and making necessary adjustments
- Reporting: assessing and communicating compliance results to leadership
- Staffing: applying sufficient resources and skill sets to VRM activities

VRM process, organization and enabling technology

Description

The VRM process is a structured approach to assessing and managing vendor risk. The process includes the application of risk assessment tools to segment vendors, and segment-specific activities to be conducted. This risk-based approach assists clients in making resource and control decisions relative to high-risk third-party relationships. The VRM process should consider all vendor-related compliance programs, including those designed to evaluate self-reported contractual elements from suppliers.

The VRM organization, roles, and responsibilities will vary based on the level of maturity of the Procurement function and the resource strategies employed by the organization. For example, depending on volume, specific risk exposures, and geographic distribution, risk expertise may be built into the VRM organization or it may be leveraged from other areas on an as-needed basis.

Technology: a critical aspect of VRM is the effective management and analysis of the information and data supporting the program. VRM is typically a highly data-intensive program.

Key components to consider:
- Vendor segmentation and associated models
- Risk filtering and associated tools
- Vendor due diligence
- Contract development and contract management tools
- Ongoing vendor risk management
- Vendor off-boarding
- Vendor Master ownership and management
- Vendor information database structure and capabilities
- Integration with GRC/ERM processes and technology
- Integration with procurement technology

VRM processes

VRM includes a series of processes covering the SS&P lifecycle, grouped into periodic and ongoing activities. The VRM process should be differentiated based on vendor segmentation to help optimize available resources and create a risk-focused approach.

- Risk segmentation. Purpose: provide a consistent and efficient means to segment existing or potential 3rd party provider relationships based on risk assessments.
- Risk filtering. Purpose: identify risks inherent to the good/service being purchased.
- Due diligence. Purpose: evaluate the effectiveness of the vendor (or vendor candidates) in managing inherent risks prior to the vendor selection and contracting processes.
- Contracting. Purpose: help ensure that appropriate legal protections and assurances are incorporated into vendor contracts and are reviewed and approved by the necessary functions/responsible parties.
- Vendor monitoring. Purpose: help ensure that vendors are appropriately monitored, managed, and reported on throughout the vendor lifecycle.
- Off-boarding. Purpose: help ensure that there is a process in place to off-board vendors who are no longer providing services/products to the organization, taking into account physical and virtual access, data ownership, and other contractual obligations.

VRM processes: risk segmentation and filtering

A segmentation model creates differentiation that allows for effective resource allocation across risk management activities, such as varying the level of engagement and flexibility in conducting due diligence and ongoing vendor monitoring.

Key diagnostics:
- Are vendors segmented based on risk?
- Is the segmentation model consistent with the risk profile and tolerances established by the ERM program?
- What are the components of the segmentation model? (The graphic lists: data security requirements; vendor viability and business continuity validation; reputational considerations.)
- How often is the risk filtering process applied?
- How are potential new vendors filtered to identify inherent and residual risk?
- Does the segmentation model drive other components of the VRM program?

The most common segmentation model includes three levels:
- Strategic vendors: critical to business performance; tightly integrated with internal processes; multiple risk areas, including business continuity risk
- Operational vendors: some processes integrated; difficult to transition; poses a single risk exposure
- Commodity vendors: easily transitioned; not integrated with internal processes; relationship solely driven by total cost and vendor performance

VRM processes: due diligence

The due diligence process allows for differentiated levels of effort based on vendor risk segment, and is typically conducted initially to vet potential vendors and periodically to manage ongoing risk exposure.

Key diagnostics:
- What due diligence activities are undertaken when evaluating vendors? Are they differentiated by segment?
- Who conducts due diligence?
- At what point in the solicitation/negotiation process is due diligence conducted?
- What activities are included in site visits? For example: IT security testing; procedure reviews; BCM review; data management procedures; HR considerations (e.g., turnover, background checks)
- Are findings from due diligence activities effectively communicated and addressed?
- Are vendor sustainability issues considered in the due diligence process? How?

VRM processes: contracting

Key diagnostics:

Contract development
- Are standard contract templates and terms used? How do they vary based on category and risk assessments?
- How are regulatory inputs captured in the contract development process?
- Is there an enterprise-wide contract development process?
- Are sustainability considerations and standards included in the contract? If so, how?

Contract management
- Who reviews and approves contracts? Are the right responsible parties engaged?
- How are amendments to contracts tracked, and the relevant monitoring requirements updated?
- How is contract documentation managed and stored? Is there an enterprise-wide contract management process/system?
- Are monitoring points set up when the contract is archived?

Contract compliance management
- Who reviews contract compliance?
- What is done with the results of compliance management activities?

Challenges to an effective contract management process (graphic). Areas shown: Organization Structure; People & Culture; Contract Lifecycle Management; Contract Management Ownership; Control & Governance; Financial and Operational Systems; Global Vendor Risk Management. Challenges noted:
- Structure does not facilitate an end-to-end view and multiplies hand-offs
- Limited clarity of roles and responsibilities
- Lack of credibility and trust in the process and between functions
- Clearly defined roles and responsibilities
- No 1-to-N list of contracts
- Lack of standardized work processes
- Primarily focused on termination and renewal
- Lack of overall accountability and KPIs
- Inability to tie the original business plan to contract performance
- Do not interface with ERP in real time
- Not designed to handle complex agreements
- Lack of visibility or availability of data to support decisions
- Lack of standard definitions of risk
- Rarely consider all socio-economic and cultural factors
- Contract monitoring disconnected from real-time changes

VRM processes: ongoing vendor monitoring

Effective ongoing vendor activities should be differentiated based on the vendor segmentation model.

Key diagnostics:
- What activities are included in ongoing monitoring? How do they vary based on segment?
- How frequently are monitoring activities conducted? How are they reported?
- Are sufficient resources dedicated to ongoing vendor monitoring activities, based on the segmentation and monitoring requirements?
- Is third-party support used for ongoing monitoring or due diligence?
- If sustainability activities are included, are data boundaries defined? How is the data managed (for example, through an EMS)? Is there a framework to measure/monitor accuracy? Is the data verified?

Recommended activities, who conducts them, and frequency by risk segment (Tier 1 / Tier 2 / Tier 3):
- Performance monitoring (ongoing; KPIs dependent on the service/good provided). Conducted by: Business Area. Frequency: ongoing.
- Refresh basic due diligence (previously conducted due diligence augmented with new information; for example credit report, insurance certificates, financial analysis, vendor self-certification that minimum requirements are met, etc.). Conducted by: Sourcing/Procurement. Tier 1: Annually; Tier 2: Annually; Tier 3: Biannually.
- Risk incident management (Vendor Risk Team, Risk SMEs, and Legal engaged as needed). Conducted by: Business Area. Frequency: as needed.
- Vendor performance reporting (e.g., risk events, performance to KPIs and SLAs, assessment of process controls). Conducted by: Business Area. Tier 1: Quarterly; Tier 2: Quarterly; Tier 3: Annually.
- Assessment of risk area controls (e.g., IT Security, Data Privacy). Conducted by: Business Area (Risk SME support). Tier 1: Annually; Tier 2: Annually; Tier 3: no entry in the table.
- Contractual reviews. Conducted by: Business Area. Tier 1: Annually; Tier 2: Bi-Annually; Tier 3: Every 3 years.
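Slides 6, 15 and 18 together describe a computable model: residual risk per risk area, the three-level segmentation, and the tier-based monitoring cadence. The Python below is an added example (not KPMG's or the deck's own code) that encodes them as a small scheduler and flags overdue monitoring activities; the 0-5 scoring scale, the exposure threshold, the segment-to-tier mapping, the month values assigned to the frequency words, and the sample vendors are assumptions of this example.

```python
"""Vendor risk segmentation and monitoring-cadence model (added example).

Encodes Residual Risk = Inherent Risk - Internal Control (slide 6), the
three-level segmentation model (slide 15) and the ongoing-monitoring cadence
table (slide 18). The 0-5 scoring scale, exposure threshold, segment-to-tier
mapping, month values for the frequency words and the sample vendor register
are constructed assumptions, not part of the deck.
"""
from dataclasses import dataclass
from datetime import date

# Risk areas from slide 7 (vendor risk categories).
RISK_AREAS = ("financial", "operational", "compliance",
              "business_continuity", "information_security")

# Assumption: inherent risk and control effectiveness are scored 0-5 per
# area; a residual score of 3 or more counts as an exposure in that area.
EXPOSURE_THRESHOLD = 3


@dataclass
class Vendor:
    name: str
    integrated: bool           # processes integrated with internal processes
    easily_transitioned: bool  # replaceable without major disruption
    inherent: dict             # area -> 0..5 before controls (gross risk)
    controls: dict             # area -> 0..5 effect of agreed-upon controls


def residual_risk(inherent, controls):
    """Slide 6: Residual Risk = Inherent Risk - Internal Control, floored at 0."""
    return {a: max(0, inherent.get(a, 0) - controls.get(a, 0)) for a in RISK_AREAS}


def exposures(vendor):
    """Risk areas where residual risk stays at or above the threshold."""
    res = residual_risk(vendor.inherent, vendor.controls)
    return sorted(a for a, s in res.items() if s >= EXPOSURE_THRESHOLD)


def segment(vendor):
    """Slide 15 model: Strategic (integrated, multiple exposures including
    business continuity), Operational (some integration, hard to transition,
    or a single exposure) or Commodity (none of these). Combinations the deck
    does not spell out fall to Operational; that is an assumption."""
    exp = exposures(vendor)
    if vendor.integrated and len(exp) > 1 and "business_continuity" in exp:
        return "Strategic"
    if exp or vendor.integrated or not vendor.easily_transitioned:
        return "Operational"
    return "Commodity"


# Assumption: slide 15 segment names map onto slide 18 tiers in order.
TIER = {"Strategic": "Tier 1", "Operational": "Tier 2", "Commodity": "Tier 3"}

# Slide 18 cadence table: activity -> (conducted by, {tier: frequency}).
# An activity with no entry for a tier is not required for that tier.
CADENCE = {
    "Refresh basic due diligence": ("Sourcing/Procurement",
        {"Tier 1": "Annually", "Tier 2": "Annually", "Tier 3": "Biannually"}),
    "Vendor performance reporting": ("Business Area",
        {"Tier 1": "Quarterly", "Tier 2": "Quarterly", "Tier 3": "Annually"}),
    "Assessment of risk area controls": ("Business Area (Risk SME support)",
        {"Tier 1": "Annually", "Tier 2": "Annually"}),
    "Contractual reviews": ("Business Area",
        {"Tier 1": "Annually", "Tier 2": "Bi-Annually", "Tier 3": "Every 3 years"}),
}

# Assumption: frequency words as intervals in months. The table's ordering
# (Annually, then Bi-Annually, then Every 3 years as tiers go down) only
# holds if "Bi-Annually"/"Biannually" means every two years, hence 24.
MONTHS = {"Quarterly": 3, "Annually": 12, "Biannually": 24,
          "Bi-Annually": 24, "Every 3 years": 36}


def monitoring_plan(vendor):
    """Activities, owners and frequencies that apply to the vendor's tier."""
    tier = TIER[segment(vendor)]
    return {act: (owner, freqs[tier])
            for act, (owner, freqs) in CADENCE.items() if tier in freqs}


def next_due(last_iso, freq):
    """ISO date when an activity last done on last_iso is due again.
    The day is clamped to 28 so the result is valid in every month."""
    last = date.fromisoformat(last_iso)
    y, m = divmod(last.month - 1 + MONTHS[freq], 12)
    return date(last.year + y, m + 1, min(last.day, 28)).isoformat()


def overdue(vendor, last_completed, today_iso):
    """Activities past their due date as of today_iso; never done counts."""
    return [act for act, (_, freq) in monitoring_plan(vendor).items()
            if act not in last_completed
            or next_due(last_completed[act], freq) < today_iso]


# Constructed sample register (not real vendors).
PAYROLL_BPO = Vendor("payroll outsourcer", integrated=True, easily_transitioned=False,
    inherent={"business_continuity": 5, "information_security": 5, "compliance": 4},
    controls={"business_continuity": 1, "information_security": 2, "compliance": 3})
OFFICE_SUPPLIES = Vendor("office supplies", integrated=False, easily_transitioned=True,
    inherent={"financial": 1, "operational": 1}, controls={})
```

Calling overdue(PAYROLL_BPO, {...}, "2013-06-01") with the dates of the last completed activities returns the Tier 1 activities that have lapsed, which is the evidence the "How frequently are monitoring activities conducted?" diagnostic asks for.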

VRM processes: off-boarding

Off-boarding procedures extend from the contract management cycle and help ensure that proprietary information shared with vendors is reclaimed and security credentials are revoked after the completion of the agreed-upon services.

Key diagnostics:
- Are there documented procedures for off-boarding vendors? Who is responsible for executing these procedures?
- Are these procedures differentiated according to risk segment and type of relationship?
- How does the client know when a vendor needs to be off-boarded? Are contract expiration dates monitored to provide sufficient lead time for off-boarding procedures?
- What are the procedures for reclaiming proprietary data? What mechanisms are in place to ensure that the vendor has not copied sensitive information?
- Are there time-sensitive expirations on security/access credentials and passwords?
- Are public notices sent out to announce the termination of a supplier, when relevant?
- Are sustainability obligations identified during the off-boarding process (for example, requirements to restore property to a specified condition, removal of equipment, land reclamation, etc.)? Is the completion of off-boarding sustainability obligations monitored through to completion? If so, how?

VRM organizational structure

Vendor Risk Management organizations will vary in their use of dedicated versus leveraged risk experts and in their geographic coverage.

Key diagnostics:
- Are roles and responsibilities clearly defined?
- Are there sufficient resources to achieve program objectives?
- Are roles characterized by functional expertise (e.g., contract specialist, data analyst)?
- Are there matrix reporting relationships? How do they impact the ability of the organization to execute?
- How are resources distributed geographically?
- Is there sufficient training to develop capabilities?
- Is there adequate leadership representation, including from related groups (e.g., legal)?

Enabling technology

Technology supporting a VRM program may include a robust database to manage vendor information and support reporting requirements, as well as enabling tools and workflow.

Key diagnostics:
- What is the overall IT environment (e.g., ERP)?
- Is there a contract management tool, and what are its capabilities?
- What are the vendor monitoring tool capabilities?
- What are the ERM/GRC tool capabilities?
- What is the technology roadmap for supporting tools/capabilities?
- Do the available tools sufficiently support strategy, policy, and process?
- Is sustainability data managed through supporting IT systems integrated with the existing ERP infrastructure?

Tools (segmentation model, risk filter). Tool characteristics:
- Provide quantitative, auditable means for measuring risk, assigning segmentation, and identifying specific risk areas
- Manage risk filtering activities
- Manage contract development, storage, compliance, audit, and renewal

Reports. Reporting capability characteristics:
- Aggregate and individual vendor information
- Query capability
- Ability to integrate with / extract from CMS and AP

Workflow. Workflow characteristics:
- Manage review and approval activities for vendor selection, contracting, and ongoing vendor management
- Support cross-functional collaboration (e.g., due diligence)

Database. Database characteristics:
- Provide a repository for vendor information
- Retain segmentation information
- Record and manage due diligence activities
- Record and manage ongoing vendor management information
- Support reporting requirements
- Role-based interface and access to accommodate all process participants (e.g., SVM, VR Team, Vendor Managers, Business Areas)

VRM program effectiveness

Description
The purpose of this diagnostic component is to assess our client's current VRM capabilities and the effectiveness of those capabilities. This component focuses on identifying evidence of potential VRM process failings and determining the related impact on VRM.

Contract compliance is a transactional monitoring element of VRM contract management that measures the performance of vendors against the transparent terms and conditions of contracts, such as pricing, rebates, and discounts. Contract compliance seeks to enhance the transparency of contractual relationships by exploring compliance with service level agreements, most-favored-pricing clauses, and other self-reported elements.

Scorecards are developed for strategic vendors on a quarterly basis to review various aspects of vendor performance, including review of risk areas. Risk reviews are conducted for key vendors on an annual basis as a component of vendor monitoring.

KPMG services/methodologies to leverage:
- Contract Compliance
- IT Security
- Vendor Relationship Management

Key components/diagnostics to consider:

VRM program compliance
- Does the organization monitor compliance with VRM policies? If so, is there evidence of this compliance monitoring?
- Have compliance incidents been identified, and how were they addressed?
- What practices are in place to encourage continuous improvement?

Vendor risk segmentation
- Evaluate the results of the segmentation model. Were the criteria accurately captured? Were vendors accurately categorized based on the criteria? Where did the segmentation model produce incorrect results?

Identify realized risk issues
- Is there evidence of vendor risks that have materialized (e.g., reputation issues, vendor financial failures, etc.)? Is there a mechanism to track this?
- Specifically identify: the number and types of risk incidents; how these risk incidents were identified; what this tells us about the VRM process; and any evidence of inaccurate/incomplete reporting or documentation.

Contract compliance monitoring
- Is there a contract compliance program in place, and have contract reviews taken place? If so, were self-reporting differences identified? Were SLA issues identified? What does this tell us about the proactive contract monitoring process?
- Does the organization utilize KPIs and scorecards to monitor vendors? If so, have issues been proactively identified?

Business continuity management (BCM) overview

Overview of BCM
KPMG's BCM services take a broad view, taking into account changes across people, business processes, infrastructure, and enabling technologies. Our services include:
- Contingency and business resumption planning
- Emergency response and crisis management planning
- Business continuity planning
- Disaster recovery planning
- High/continuous availability assessment
- Application interdependency analysis
- Business risk analysis
- IT risk analysis
- Enterprise resource planning (ERP) systems change planning
- IT management processes

How BCM can assist in VRM
BCM professionals and their support toolkit can assist VRM engagements from two perspectives:
1. For critical vendors, BCM professionals can be deployed to review the vendor's business continuity management capabilities. The focus of the review will be on the vendor.
2. For highly integrated supply chains and strategic business partners, BCM services help to evaluate and reduce client risk exposure due to the integration of vendors into the client's processes and operations. The scope of the review may include elements such as how the client has addressed the business continuity risks attributable to the manner in which it has integrated the vendors into the supply chain, and a review of third-party business continuity programs and the effectiveness of their testing approach.

BCM VRM-related activities
- Business impact analysis: identifying the interactions, processes, and systems most critical to the continuation of the vendor's or client's operations.
- Business continuity planning reviews: reviewing how well business continuity plans address the business resumption needs of the vendor, or of a client with a highly integrated supply chain.
- Disaster recovery planning reviews: determining the adequacy of the vendor's or client's plans to address potential disasters.
- Identifying how BCM considerations impact the client's business risk portfolio.
- Assessing the impact of changes to enterprise systems on third-party relationships.
- Evaluating how well IT management processes incorporate third-party relationship considerations.

When to include BCM in VRM
Where the client's business resilience is dependent on the third party's BCM capability, or when disruptions at the third party would significantly impact the client.

2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. NDPPS 110442. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.