Vendor Risk Management



Similar documents
System Requirements. BWise 4.1 SP3.5. Document Version: 4135-REQ-D01-EN

RISK MANAGEMENT PROGRAM THAT WORKS FOUR KEYS TO CREATING A VENDOR. HEADQUARTERS 33 Bradford Street Concord, MA PHONE:

OBLIGATION MANAGEMENT

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Industry Solutions Oil and Gas Engineering Document Control and Project Collaboration Solutions for Oil and Gas

WHITE PAPER Third-Party Risk Management Lifecycle Guide

Continuous Monitoring?

Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance

Compliance Management, made easy

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS

KNOW YOUR THIRD PARTY

building a business case for governance, risk and compliance

INTERNAL AUDIT SOFTWARE BUYER S GUIDE

Best Practices in Contract Migration

10 Best Practices for IT Vendor Financial Management

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Enterprise Risk Management in Compliance 360

Governance, Risk, and Compliance (GRC) White Paper

Fieldglass industry-leading Vendor Management System (VMS) powers the flexible workforce.

Paisley Enterprise GRC Audit Profile. Linda Bergs

LogRhythm and HIPAA Compliance

IT Asset Inventory and Outsourcing: The Value of Visibility

Vendor Management Program Office Onshore or offshore?

FLEXIBILITY SCALABILITY CONFIGURABILITY RISKMASTER ACCELERATOR IMPROVE SERVICE REDUCE COSTS COMPETE EFFECTIVELY

2014 Vendor Risk Management Benchmark Study

Industry Solutions Process Manufacturing Flexible and Agile Engineering Document Control for Efficient, Safe and Compliant Plants

IT Insights. Managing Third Party Technology Risk

McLaren FusionLive. Comprehensive SaaS Solution for Construction Document Project Collaboration

IDENTIFYING VENDOR RISK THE CRITICAL FIRST STEP IN CREATING AN EFFECTIVE VENDOR RISK MANAGEMENT PROGRAM

Thought Leadership White Paper

E2 COLLABORATIVE SUPPLY PLANNING

Information Security Management System for Microsoft s Cloud Infrastructure

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Reducing Cost and Risk Through Software Asset Management

ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES

VARONIS CASE STUDY. Philip Morris International (PMI)

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Enterprise ITSM software

Emptoris Contract Management Solution for Healthcare Providers

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

How To Manage It Asset Management On Peoplesoft.Com

THIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s

Reduce risk. Reduce cost. Raise performance.

Transforming life sciences contract management operations into sustainable profit centers

A proven 5-step framework for managing supplier performance

Leveraging a Maturity Model to Achieve Proactive Compliance

Take control of lending credit risk

AccTech's vast experience and understanding of government requirements allows us to assist any government agency in:

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits?

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Epicor Financial Services Overview. Business without Barriers

Vendor risk management leading practices Glenn Siriano KPMG LLP DRAFT

Outsourcing & Regulatory Compliance Risks

THE UH OH MOMENT. Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk

Integrated global treasury management

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

Industry Solutions Mining Engineering Document Control and Project Collaboration Solutions for the Mining Industry Provide Flexibility and Simplicity

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

HP Software Licensing and Management Solutions (SLMS) Helping organizations maximize their software investment.

A collaborative and customized approach to sourcing testing and quality assurance services Performance driven. Quality assured.

Testing the Security of your Applications

The Power of Risk, Compliance & Security Management in SAP S/4HANA

VENDOR MANAGEMENT. General Overview

Is your Contract Management just Good Enough?

Directory of. Advertising Supplement

Third-Party Cybersecurity and Data Loss Prevention

CA Service Desk On-Demand

Global Supply Chain Control Towers

Third Party Risk Management 12 April 2012

DATASHEET CONTROL COMPLIANCE SUITE VENDOR RISK MANAGER 11.1

Testing the Security of your Applications

Strengthen security with intelligent identity and access management

Bringing Safe and Cost Effective Products to Market

Address IT costs and streamline operations with IBM service desk and asset management.

Procurement Capability Standards

Foreign business partners under the FCPA

Transportation Management. Transportation Procurement. Transportation Planning & Execution. Fleet Management. Audit, Payment & Claims

Securing Critical Information Assets: A Business Case for Managed Security Services

How To Understand And Implement Pas 55

LEVERAGE TECHNOLOGY TO EMPOWER INTERNAL AUDIT

ERM Standards of Practice and Shared Risk Principles

Ensuring Optimal Governance and Relationship Management Between Parties

A Guide to the Cyber Essentials Scheme

opinion piece Eight Simple Steps to Effective Software Asset Management

White Paper. An Overview of the Kalido Data Governance Director Operationalizing Data Governance Programs Through Data Policy Management

PEOPLESOFT IT ASSET MANAGEMENT

NetSuite The Sarbanes-Oxley Compliance Engine

Sparta Systems. Proven Enterprise Quality Management Solutions

Procurement Transformation: Towards Sourcing & Procurement Excellence

DATA ANALYSIS: THE CORNERSTONE OF EFFECTIVE INTERNAL AUDITING. A CaseWare IDEA Research Report

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

Optimizing Your Accounting Process with Electronic Invoicing. A GXS White Paper for the Active Business

How To Buy Nitro Security

CYBER SECURITY DASHBOARD: MONITOR, ANALYSE AND TAKE CONTROL OF CYBER SECURITY

Transcription:

Vendor Risk Many risk programs have only an internal focus to ensure all people, processes and systems are in control. However, as organizations rely more heavily on outsourcing key business processes, a comprehensive risk strategy requires awareness of both internal and external risks. Executives have more and more reason to be concerned about external risks as they read the news. Market dynamics, currency fluctuations, global stability, and supply chain risks including outsourcing and business partners are all making headlines. In fact, an organization s ability to effectively deliver products and services to its customers depends heavily on these factors. Vendors that do not adhere to the same moral, ethical and overall quality standards can quickly damage an organization s reputation with existing customers as well as the general public. BWise Vendor Risk allows an organization to optimize performance for each of its vendors by managing vendor relationships and monitoring risks that may adversely impact the organization s day-to-day operations. BWise offers an integrated enterprise Governance, Risk and Compliance (GRC) solution which includes Vendor Risk as a key component to the overall GRC framework. Vendor Risk Lifecycle The Vendor Risk Lifecycle involves managing and monitoring the overall vendor relationship which includes identifying risks prior to vendor selection, maintaining a current business profile for all vendors, performing targeted and ongoing risk assessments, monitoring Service Level Agreements, and eventually, managing the vendor off-boarding process. Vendor Evaluation The Vendor Lifecycle starts with evaluating vendors and determining which ones best support the organization s business needs. Risk management must be incorporated at this stage of the process to help ensure a successful business relationship. Key questions must be answered to minimize risks such as: What is the financial strength of this vendor? Does the vendor have an acceptable business continuity plan if their operations fail while supporting our business? How will this vendor secure our data if they are granted access to sensitive information? These questions, and many others, must be addressed to effectively evaluate vendors and mitigate risk once a vendor is selected. 1

Vendor Business Profiles A critical component in the Vendor Risk Lifecycle is understanding who an organization s current vendors are. This involves maintaining a comprehensive, centralized list of all vendors and business partners supporting the organization s business operations. BWise provides a central repository of all vendors along with their business profile information. This is comprised of key information such as products and services provided, address information, and primary contact persons. BWise is able to leverage this basic business profile information to perform targeted risk assessments based on the vendor s product and service offerings, geographical locations, and people involved. Contract Once a vendor is selected as a business partner, a contract must be negotiated including the terms of products and services to be delivered and costs associated with these offerings. BWise allows organizations to manage the entire contract management process from initial drafting to reviews by internal resources and vendor resources, and ultimately, final approval. Often, Procurement and Legal teams already maintain this information in one or more data sources throughout the organization. BWise is able to simply link to these data sources rather than re-entering contract information in multiple locations. Whether managing contracts directly within BWise or linking to contracts in separate data sources, BWise provides a clear overview of all vendors and any historical, current, and upcoming contracts established with each vendor. SLA Though not commonly part of individual risk management solutions or broader egrc solutions, BWise offers Service Level Agreement (SLA) management to help organizations track overall vendor performance. SLA s are typically included within the contract itself. However, BWise allows organizations to capture key SLA objectives that can be measured and monitored through the use of key performance indicators (KPI)s and key risk indicators (KRI)s. Information for these KPI s and KRI s are regularly provided by the vendor, either directly into BWise via secure interface, or via pre-defined data sheets that can be uploaded. Information housed in BWise can be made available for status reporting, trending, and even showing benchmarks compared to similar vendors. These reports may also be provided to the respective vendor, via secure reporting interface or automated email alerts with the report included as attachments. Initial Vendor Assessments Organizations typically work with hundreds, if not, thousands of vendors to support their business operations. However, all vendors are not necessarily equally critical, and also do not pose the same amount of potential risk to the organization. Ranking vendors by the level of criticality is accomplished by performing criticality assessments to help keep vendor risk management scalable and relevant. For example, a vendor who is a strategic supply chain partner will be more critical than a vendor providing occasional part supplies. Vendor risk management also involves assessing risks based not only on the criticality of the vendor, but also on other factors such as products and services being delivered, geographical location, and people associated with each vendor. For example, 2

vendors providing physical security services will be assessed differently than vendors providing information security services. Additionally, vendors providing offshore services will present different risks than vendors providing localized services. BWise Vendor Risk allows organizations to determine the criticality of vendors based on their level of involvement with the organization. In addition, vendors can undergo targeted risk assessments based on any information related to the vendor s business profile. This versatility provides an unparalleled assessment capability to apply the correct actions for each vendor. Continuous Vendor Assessments A key component of Vendor Risk is continuously collecting accurate information from each vendor. Collecting this information is typically performed by distributing self-assessment questionnaires or checklists that can be completed by the vendor or the internal relationship manager for an organization. Assessments can be focused on a number of risk factors such as financial stability, physical safety, information security, ethical conduct, and many other areas. BWise offers an easy-to-use assessment capability for vendors to securely enter their data directly into the BWise online system. Alternatively, BWise provides offline tools such as a downloadable application or a secured Excel spreadsheet allowing vendors to enter their information and submit to an internal resource for importing into BWise. Standardized Assessments With the ever-increasing number of risk assessments vendors are required to complete, it comes as no surprise companies are looking for more standardized and efficient approaches for assessing vendor risks. One of the most commonly adopted approaches is the Shared Assessments Program. This program is comprised of two primary assessment tools, the Standardized Information Gathering (SIG) Questionnaire and the Agreed Upon Procedures (AUP). BWise is able to support these and other similar standard assessments, and it even allows vendors to upload their SIG response documentation to improve efficiency. With the vendor risk management market maturing, the need for better and more standards will increase; BWise will follow this trend by continuously supporting new and emerging standards. Information for these KPI s and KRI s are regularly provided by the vendor, either directly into BWise via secure interface, or via pre-defined data sheets that can be uploaded. Information housed in BWise can be made available for status reporting, trending, and even showing benchmarks compared to similar vendors. These reports may also be provided to the respective vendor, via secure reporting interface or automated email alerts with the report included as attachments. Vendor Audits Vendor Audits are becoming more commonplace as a collaborative effort between Internal Audit and Enterprise Risk (ERM) teams, particularly for an organization s highest risk vendors. These vendors may include vital supply chain partners, resellers and distributors, or IT partners. BWise seamlessly supports vendor audits by managing work papers, collecting evidence, and capturing findings. BWise Internal Audit capabilities enhance and complement the activities performed by other groups also involved with assessing vendors such as ERM, Procurement, Legal, Information Security, and Compliance. In addition, BWise can also provide strong offline audit capabilities that allow all audit activities to be performed on the vendor premises such as factories, data centers, and branch locations. 3

Issue Tracking Whether collecting information via risk questionnaires or audits, the primary purpose of these activities is to proactively identify issues before they become an actual incident. BWise provides a centralized repository where all issues are categorized, tracked, and managed as a result of the completed risk assessments and audits. Issues can be assigned specific owners with due dates to ensure they are remediated as efficiently as possible. Additionally, action plans can be assigned to multiple groups in order to help resolve a single issue. Vendors are able to access the BWise system to respond to issues and upload evidence that the issue was resolved. Incident Although the organizations may do a solid job of conducting risk assessments, performing audits, and proactively resolving issues with each vendor, incidents will still occur that can adversely impact the organization. An organization must be able to quickly respond to these incidents in order to minimize financial losses, avoid legal consequences, and limit its reputational impact to the business. The integrated nature of BWise helps organizations to collaborate across departments to resolve each incident as quickly as possible and also ensure appropriate measures are put in place to avoid similar incidents from occurring in the future. These measures can be incorporated into future risk assessments and audits for the same vendor or similar vendors. Vendor Off-Boarding Vendor relationships begin and end on a daily basis. However, many organizations do not have a strategy in place to ensure the vendor relationship is appropriately terminated. Vendors are often left with a significant amount of the company s intellectual property. It is critical for organizations to be able to track the off-boarding process to ensure its property is delivered back to the company or completely destroyed. BWise provides the ability for internal off-boarding checklists to be completed across all teams involved. For example: Has Information Security appropriately removed the vendor s access to internal networks? Has Legal ensured all contractual obligations were fulfilled based on payments made to the vendor? Has the vendor certified that all physical artifacts have been delivered back to the organization and soft copy documentation destroyed? BWise allows organizations to effectively manage the off-boarding process by providing internal checklists as well as certifications for vendors to complete indicating they are no longer in possession of the organization s assets. Comprehensive Dashboards and Reporting With hundreds or thousands of vendors, each with their own criticality level, risk ratings, SLA objectives, regulatory impacts, and numerous interactions across the organization, managing risk exposure can be daunting, BWise provides visibility across all of these areas for executives and managers to understand the true risk posture of their business operations based on current vendor relationships. Additionally, all teams involved with monitoring the vendor relationship including Procurement, Legal, Information Security, Internal Audit, and many others can share information and work from a common view of each vendor, including next steps involved in the Vendor Risk Lifecycle. 4

About BWise BWise, a NASDAQ OMX company, is a global leader in Enterprise Governance, Risk and Compliance (GRC) software. Based on a strong heritage in business process management, the BWise GRC platform provides companies with highly-rated, proven software solutions for Risk, Internal Control, Internal Audit, Compliance & Policy, IT GRC and Sustainability Performance. BWise s end-to-end solutions support an organization s ability to understand, track, measure, and manage key organizational risks. BWise helps companies truly be in control by balancing performance with their financial and reputational risks, improving corporate accountability, increasing financial, strategic and operating efficiencies. Using BWise, organizations are able to efficiently comply with anti-corruption regulations like FCPA and the UK Bribery Act, the Sarbanes-Oxley Act, European Corporate Governance Codes, ISAE3402/SAS-70, PCI-DSS, Solvency II, Basel II and III, Dodd-Frank, ISO-standards, and many more. BWise sales, service and support offices around the globe provide for the GRC needs of hundreds of clients, including: adidas, AEGON, Ahold, AngloGold Ashanti, Connexxion, Health Alliance Plan (HAP) of Michigan, LeapFrog, Liebherr, Marathon Oil, Southern Company, Swiss Life, and Transcontinental. For more information, visit www.bwise.com. BWise GRC Platform BWise offers multiple role-based software solutions for Risk, Internal Control, Internal Audit, Compliance & Policy, IT GRC and Sustainability Performance. Each solution derived from the BWise integrated Governance, Risk management, and Compliance Platform supports the end-to-end process of a given role. Gerard Parker Chief Risk Officer (Risk ) Michael Bauer Corporate Group Controller (Internal Control over Financial Reporting) BWise Risk Control BWise Risk Control Ann Green Internal Auditor Internal Audit (IA) Jackie McLaren Compliance Officer (Compliance & Policy ) Damian Thomson Chief Information Security Officer (IT GRC) Kim Lee VP Corporate Sustainability (Sustainability Performance ) Audit BWise Compliance & Policy BWise IT GRC BWise Sustainability Performance Audit BWise Compliance & Policy BWise IT GRC BWise Sustainability Performance 5

Contact Information BWise has sales, service and support offices worldwide. To contact us at our local offices in Asia, Australia, Europe, South Africa and the United States, visit www.bwise.com/offices. BWise Headquarters Rietbeemdenborch 14-18 5241 LG Rosmalen The Netherlands +31 (0)73-6464911 BWise, Inc. 1450 Broadway, 38th Floor New York, NY 10018 USA +1 212-584-2260 BWise France 19, boulevard Malesherbes 75008 Paris France +33 (0) 1 55 27 37 28 BWise Germany GmbH Kaiserswerther Strasse 115 40880 Ratingen Germany +49 (0)2102 420 663 BWise South Africa 2nd Floor, West Tower Maude Street Nelson Mandela Square Johannesburg 2196 South Africa +27 (0) 11 881 5436 BWise Thailand 36/F CRC Tower, All Seasons Place 87/2 Wireless Road, Phatumwan Bangkok, 10330 Thailand +66 2 625 3087 BWise United Kingdom 1 Bell Street Maidenhead Berkshire, SL6 1BU United Kingdom +44 (0)1628 421750 6 Legal Notice This document may be part of a written agreement between BWise and its customer, in which case the terms and conditions of that agreement apply hereto. In the event that this document was provided by BWise without any reference to a written agreement with BWise, to the maximum extent permitted by applicable law this document and its contents are provided as general information as-is only, which may not be accurate, correct and/or complete and BWise shall not be responsible for any damage or loss of any nature related thereto. All rights are reserved. Unauthorized use, disclosure or copying of this document or any part thereof is prohibited.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information