moj-governance.azurewebsites.net · Web viewMOJ has established vendor management document to provide comprehensive process aspects of vendor management, which will enable MOJ to

Ministry of Justice Deputyship of Digital

Transformation م13/04/2020

Vendor Management Policy, Process and Procedure

Version 0.1

Release

Document0.1Version

Infrastructure Process OwnerDate

Table of Contents

DOCUMENT INFORMATION.......................................................................REVISION DETAILS...................................................................................DOCUMENT VERSION HISTORY................................................................DEFINITIONS & ABBREVIATIONS..............................................................EXECUTIVE SUMMARY..............................................................................VENDOR MANAGEMENT SCOPE................................................................VENDOR MANAGEMENT PURPOSE AND OBJECTIVES................................VENDOR MANAGEMENT VALUE TO MOJ...................................................VENDOR MANAGEMENT POLICIES............................................................VENDOR MANAGEMENT INPUTS & OUTPUTS..........................................VENDOR MANAGEMENT PROCESS WORKFLOW.....................................ROLES & RESPONSIBILITIES...................................................................CRITICAL SUCCESS FACTORS (CSF) & KEY PERFORMANCE

INDICATORS (KPI)..............................................................................VENDOR MANAGEMENT IMPLEMENTATION CONSIDERATIONS...............REFERENCES..........................................................................................

Document Information

Document Vendor Management ProcessVendor Management Policy, Process and ProcedureCopyright © MOJ. All rights reserved. Unauthorized copy or use of this document is strictly prohibited. Printed version of this document is only valid as long as the revision number and issue date correspond with the relevant information on the MOJ Intranet Portal/file system.MOJ does not warrant that this document is error-free.Printed version of this document will be treated as an uncontrolled copy.

Page 2 of 21

Document0.1Version


Title:Document Number:

Document Status:

Process Owner

Infrastructure Department Release Date

Document Owner

Governance Team

Document Type

Internal Review Interval Annually

Revision Details

Version Particulars Name Title Signature

0.1

Document Version History

Version Number

Version Date Published By Description

0.1 Initial Draft-

Vendor Management Policy, Process and ProcedureCopyright © MOJ. All rights reserved. Unauthorized copy or use of this document is strictly prohibited. Printed version of this document is only valid as long as the revision number and issue date correspond with the relevant information on the MOJ Intranet Portal/file system.MOJ does not warrant that this document is error-free.Printed version of this document will be treated as an uncontrolled copy.

Page 3 of 21

Document0.1Version


Definitions & Abbreviations


Page 4 of 21

ITEM DESCRIPTIONMOJ Ministry of Justice

CI Configuration Item.

CSF Critical Success Factor.KPI Key Performance Indicator.

CMS Configuration Management System.

SLA Service Level Agreement.

OLA Operational Level Agreement.

UC Underpinning Contract.RFC Request for Change.RFI Request for Information RFP Request for ProposalSCD Supplier Contract DatabaseAPO Align, Plan and Organise

Process OwnerAn individual accountable for the performance of a process in realizing its objectives, driving process improvement and approving process changes

Responsible, Accountable, Consulted, Informed (RACI) Matrix

A matrix that identifies who is responsible, accountable, consulted and informed with respect to each of the base practices within the process.

IT Environment

Includes enterprise architecture, IT processes & procedures, IT organization structure, external service provision, governance of IT and IT related skills and competencies.

CapabilityThe ability of an organization, person, process, application, configuration item or IT service to carry out an activity.

ServiceMeans of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks.

Document0.1Version


Executive Summary

MOJ has established vendor management document to provide comprehensive process aspects of vendor management, which will enable MOJ to achieve the objectives with respect to this process. This document has been formulated to accommodate an “Integrated Digital Delivery Framework” and hence, Enterprise Architecture, Digital, COBIT 5.0, ISO27001 and ITIL V3.0 related applicable processes and underpinning base practices have been mapped together in this process document.

Vendor Management OverviewVendor Management is a component of Service Design phase of ITIL V3 service lifecycle. This process is mapped to APO 10 (Manage suppliers) base practice of COBIT 5.0 along with Enterprise Architecture process. Vendor Management is one of the service design processes, and MOJ is going to use it to ensure that:

• Contracts with suppliers are managed throughout their lifecycle.• Vendors are performing as agreed in the contract.• Supplier relationships are seamlessly managed.• Contracts with suppliers are aligned to business needs.

Vendor Management Scope

The scope of Vendor Management includes the following:• MOJ processes, systems and functions managed and accessed by 3rd party

suppliers. • All 3rd party contract employees deployed onsite on MOJ’s premises.• All 3rd party contract employees who remotely connect to MOJ network for

supporting or managing MOJ’s information systems.

Vendor Management Purpose and Objectives

The purpose of the Vendor Management process ensure that vendors and services Vendor Management Policy, Process and ProcedureCopyright © MOJ. All rights reserved. Unauthorized copy or use of this document is strictly prohibited. Printed version of this document is only valid as long as the revision number and issue date correspond with the relevant information on the MOJ Intranet Portal/file system.MOJ does not warrant that this document is error-free.Printed version of this document will be treated as an uncontrolled copy.

Page 5 of 21

Document0.1Version


provided by them are managed to support service targets and business objectives of MOJ

The objectives of the Vendor Management process are to:• To negotiate and agree contracts with suppliers and manage them through their

lifecycle.• To ensure that the suppliers perform as agreed.• To obtain value for money from suppliers and contracts.• To ensure supplier management risk are identified and managed.• To ensure the seamless and effective supplier relationship management in place.• To ensure there is a strong link between sourcing strategies and supplier

management across the organisation.• To ensure that contracts with suppliers are aligned to business needs, and support

and align with agreed targets in SLRs and SLAs. To ensure that assets of MOJ that are accessed by vendors are protected to

preserve availability, integrity and confidentiality of MOJ Information.Vendor Management Value to MOJ

Effective Vendor Management enables MOJ to add value to their DT Services by: Delivering services and at optimum cost and minimized risk. Assuring that services provided by the vendors are in alignment with strategic

objectives of the organisation. Improving overall efficiency by outsourcing services to qualified vendors. Regular monitoring and tracking of vendor performance can help MOJ to

proactively identify issues and areas of improvement. Well-planned and implemented vendor management process will make a significant difference to MOJ service costs.


Page 6 of 21

Document0.1Version


Vendor Management Policies

Vendor management policies should be in place to help MOJ achieve the correct balance between cost, service stability and agility.Policies that support Vendor Management include:

Contractual Requirement

Security controls, service definitions and delivery levels with the third party shall be monitored and reviewed to ensure that they complied with the agreements.

Contracts between MOJ and the supplier shall consider business requirements and key risk factors identified during the risk assessment.

Contracts shall be clearly written and sufficiently detailed to provide assurances for scope, duration, performance, reliability, security, protection of Intellectual Property Rights and reporting.

Scope of Service

The contract shall clearly describe the rights and responsibilities of parties to the contract including timeframes and activities for implementation.

Implementation provisions shall take into consideration other existing systems or interrelated systems to be developed by different suppliers and guidelines for adding new or different services and for contract re-negotiation.

Duration

MOJ shall consider the type of technology and current state of the industry when negotiating the appropriate length of the contract and its renewal periods.

MOJ shall consider the appropriate length of time required to notify the supplier of MOJ’s intent not to renew the contract prior to expiration.

The contract shall document all security requirements identified during risk assessment for hardware and software services.


Page 7 of 21

Document0.1Version


The contract shall address the supplier’s responsibility for security and confidentiality of MOJ’s information resources.

The Supplier shall sign non-disclosure agreements with MOJ to prohibit the supplier and its agents from using or disclosing any information related to MOJ which they might get access to during the support. This should be covered as part of contract with the supplier.

In case the information system is managed by suppliers, the contract should address the supplier’s responsibility for maintenance of disaster recovery, contingency plans and business recovery time frames that meet MOJ business requirements.

The contract should include provisions for addressing control over operations such as:

• Compliance with applicable regulatory requirement• Compliance with IPR (Intellectual Proprietary Rights) of information systems

accessed

Sub-contracting

Certain suppliers may contract with suppliers in providing services to MOJ. Prior written approval shall be obtained from MOJ before any subcontracting. MOJ shall evaluate all subcontractors before giving approval.

MOJ shall include a provision specifying that the contracting supplier is responsible for the service provided to MOJ regardless of which entity is conducting the operations. The contracting supplier is also responsible for ensuring the sub-contractors comply with all security requirements of the contract and MOJ can obtain an independent audit report for the same.


Page 8 of 21

Document0.1Version


MOJ may also want to consider including notification and approval requirements regarding changes to the supplier’s significant subcontractors.

Ownership and License

The contract should address ownership and allowable use by the supplier of MOJ’s data, equipment/hardware, system documentation, system and application software, and other Intellectual Property Rights.

Intellectual Property Rights may include MOJ’s name and logo; its trademark or copyrighted material; domain names; web sites design; and other work products owned MOJ.

When outsourcing software development, MOJ should consider either obtaining full ownership of the software or establishing escrow agreements. These escrow agreements may provide MOJ access to source code and documentation under pre-defined conditions.

Performance

MOJ should include performance standards defining minimum service level agreements (SLA) and remedies for failure to meet standards in the contract.

MOJ shall consider including in the contract a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period.

Periodic meetings shall be conducted with the suppliers and their performance should be reviewed and audited.

Any changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, considering the criticality of business information, systems and


Page 9 of 21

Document0.1Version


processes involved. Also, re-assessment of risks should be done in such cases.

Contract shall identify situations in which Ministry may be liable for claims arising due to non-performance of supplier or resulting out of security breaches and specify indemnification of MOJ by the supplier

Termination

The contract shall state termination and notification requirements with time frames to allow the orderly conversion to another supplier. Where applicable, the contract must provide for return of Ministry’s data, as well as other resources, in a timely manner and in proper format. Any costs associated with transition assistance should be clearly stated.

Contract shall include provision for arbitration. All contracts with suppliers shall be managed by the Legal team. Backup copies of the contracts shall be maintained at a secure offsite location. The contract shall be reviewed independently by Legal department to ensure that

adequate provisions for protecting MOJ’s interests are incorporated.

Risk Assessment

If any of MOJ’s activity is outsourced or when external support is required a risk assessment should be carried out to determine the security implication and control requirement.

The risk assessment should consider the type of access required and the value of information, controls employed by the supplier and the implications of this access to the security of MOJ’s information.

All security requirements identified from risk assessment should be reflected as security conditions in supplier contract.

Vendor Management Inputs & OutputsVendor Management Policy, Process and ProcedureCopyright © MOJ. All rights reserved. Unauthorized copy or use of this document is strictly prohibited. Printed version of this document is only valid as long as the revision number and issue date correspond with the relevant information on the MOJ Intranet Portal/file system.MOJ does not warrant that this document is error-free.Printed version of this document will be treated as an uncontrolled copy.

Page 10 of 21

Document0.1Version


PROCESS MAIN INPUTS

PROCESS MAIN OUTPUTS

High level development plans Supplier evaluation criteriaSupplier contracts Supplier catalogueThird party risk assessments Request for Information (RFI)Supplier catalogue Request for Proposals (RFP)

Supplier monitoring review results


Page 11 of 21

Document0.1Version


Process Main InputsHigh level development plans and Service requirementsHigh level development plans and service requirements will enable future planning of the service delivery and the scope of vendor support required for the service delivery.

Supplier contractsSupplier contracts are identified, recorded, categorized and maintained in a detailed database, along with supplier details.

Third party risk assessmentsSupplier Manager shall identify and monitor the risk relating to the supplier’s ability to deliver service efficiently, effectively, securely, reliably and continually.

Supplier Evaluation criteriaThe parameters to evaluate Supplier is established, based on the factors that are important to MOJ service delivery. The selection criteria for comparing similar ranked suppliers include but not limited to • Technology requirement • Service Level Agreements • Cost • Advantages, disadvantages of suppliers • Company profile • Experience • Adherence to RFP instructions • Project Management Approach • Service Quality • Risk Identification


Page 12 of 21

Document0.1Version


Process Main OutputsSupplier PolicySupplier Manager will create and maintain a supplier policy containing the following.• Supplier evaluation criteria• Delivery requirements• Ethical requirements• Quality requirements• Financial Information• NDA information

Supplier catalogueA supplementary system that typically identifies suppliers and associated contracts and categorizes them into type, significance and criticality. Supplier and contract evaluation criteria should be established.

Request for InformationRFI is floated to receive written information about the capabilities of the potential

suppliers.

Request for ProposalRFP is the process of requesting bids from qualified vendors. RFPs include the specifications of the projects or service for which the proposal is invited.

Supplier monitoring review resultsSupplier status will be reviewed as per the deliverables specified in the contract. Based on the monitoring results, feedback will be given to the supplier to improve the performance.


Page 13 of 21

Document0.1Version


Vendor Management Process Workflow


Page 14 of 21

Document0.1Version



Page 15 of 21

Document0.1Version


Create vendor management policyThe MOJ supplier manager will create and maintain a vendor management policy containing the following sections:

Selection criteria of a vendor Delivery requirements Ethical requirements Quality requirements Financial Information NDA information

Identify services to be outsourcedMOJ supplier manager will identify the services which need to be outsourced by considering

MOJ IT and business needs MOJ internal capabilities (people, infrastructure) Availability of superior delivery capabilities with external suppliers. Cost incurred for delivering the services Quality of service delivery.

An in-depth analysis will be carried out for each of the services identified after the decision is taken. The analysis will consist of:

Integration aspects of the services to be outsourced with the existing services being supported by vendors

What aspects of the IT services need to be outsourced Legal aspects of outsourcing Conflict of interest Cost benefit analysis

Identify the list of potential suppliersBased on the requirements, MOJ supplier manager will identify a list of potential suppliers. The list would be created, maintained and owned by supplier manager.Vendor Management Policy, Process and ProcedureCopyright © MOJ. All rights reserved. Unauthorized copy or use of this document is strictly prohibited. Printed version of this document is only valid as long as the revision number and issue date correspond with the relevant information on the MOJ Intranet Portal/file system.MOJ does not warrant that this document is error-free.Printed version of this document will be treated as an uncontrolled copy.

Page 16 of 21

Document0.1Version

InfrastructureProcess OwnerDate

Create supplier databaseThe verified information about existing suppliers would be maintained in the supplier database. The supplier database contains key attributes of all existing contracts with the suppliers. This enables the supplier manager to manage suppliers and contracts throughout their lifecycle.

Float RFI to get information about potential suppliersFrom the list of potential suppliers, those suitable and relevant for the services identified to be outsourced, but if MOJ doesn’t have complete information about them, an RFI is floated.Request for Information (RFI) is sent to potential vendors to gather information about their capabilities from the perspective of the service requirements of MOJ

Float RPFs to identified suppliersRequest for proposal (RFP) is sent out to all the identified vendors, to understand how they intend to deliver the services requested by MOJ.Request for Proposal (RFP) is a techno-legal document compiled by the Supplier Manager detailing the work that they expect to contract to the vendors.Apart from service requirements and detail technical information, RFP will contain detailed evaluation criteria based on which the supplier is evaluated. It will also list Terms and Conditions that the selected supplier will have to comply with. The RFP will include, but not limited to, the following:

Detailed Service Requirements • Service Support Window • Service Delivery and Provisioning Details • Service Level Requirements

Proposal Submission date (Latest by) Proposal document format


Page 17 of 21

Document0.1Version


Supplier Selection Process Type of billing response expected - Time & Material or Fixed Price Program Acceptance Criteria Penalty clauses

Select suppliers based on established selection criteriaThe vendors who respond to the RFP will be evaluated by the MOJ supplier manager and team, subject matter experts, legal and business finance teams. The parameters to evaluate vendor will be established. These parameters will be based on the factors that are important to the success of the services managed by MOJ. The selection criteria for comparing similar ranked suppliers include but not limited to:

• Technology requirement of MOJ• Service Level Agreements with MOJ• Cost • Advantages, disadvantages of suppliers • Company profile • Experience • Adherence to RFP instructions • Project Management Approach • Service Quality • Size relative to the business being placed. • People and their capabilities• Processes/procedures being followed• Tools usage, maturity • Risk Identification

Discuss and negotiate the agreementMOJ Supplier Manager will call the shortlisted suppliers for discussion and negotiation. The SLA, applicable conditions and commercial terms will be discussed in this


Page 18 of 21

Document0.1Version


meeting.

Review and validate the services agreedServices will be reviewed by the MOJ Supplier Manager and feedback will be sought from all MOJ stakeholders and the terms and conditions of services from the vendors will be validated.

Amend existing contract after negotiationIn cases where the supplier is already with the organization and an amendment to the existing work or a new work is allocated to the supplier, the contract will be amended and signed off.

Establish supplier agreement after negotiationIf the supplier identified is a new supplier, establish new supplier agreements. The supplier and the MOJ Supplier Manager will jointly and clearly define activities and tasks to be performed by the Supplier. The contract will include:

• Standards and procedures that will be followed • Contact details • Procedures for handling changes.• Roles and responsibilities & escalation mechanisms for resolution of

issues • List of issues, risks, dependencies. • Procedures and evaluation criteria for monitoring supplier

performance • SLAs for services being offered • Acceptance criteria and acceptance review procedures for deliveries

from the vendor.• Procedures/action plan for deliverables that do not pass acceptance

test Vendor Management Policy, Process and ProcedureCopyright © MOJ. All rights reserved. Unauthorized copy or use of this document is strictly prohibited. Printed version of this document is only valid as long as the revision number and issue date correspond with the relevant information on the MOJ Intranet Portal/file system.MOJ does not warrant that this document is error-free.Printed version of this document will be treated as an uncontrolled copy.

Page 19 of 21

Document0.1Version


Monitor and report service levels provided by the vendorThe identified Supplier will work closely with the delivery / IT teams of MOJ and MOJ Supplier Manager in delivering the services.

• Vendor status will be reviewed as per the deliverables specified in the contract.

• Performance of the vendor will be analysed and reviewed as per the agreed SLA.

• Joint reviews and audits will be triggered as agreed.• Where available an associated ticket will be logged in the vendor tool

and the details are updated in MOJ tools and databases • All the discussion and conversations that take place with the supplier

towards the solution provision will also be documented.

Conduct performance reviews with the vendorPeriodic Reviews will be conducted and will cover;

• Service delivery against the service levels agreed.• Risks and how they are mitigated• Critical dependencies and how they are handled• Compliance

MOJ Supplier Manager will track all action items to closure. Feedback will be given to the vendor, wherever opportunities are identified to improve the performance. The output of management reviews will be reported to the vendor as well as MOJ stakeholders. The RCA and Corrective actions will be discussed with the vendors and monitored for continuous improvement. The contract will be revised based on changes due to:

• Service Requirements


Page 20 of 21

Document0.1Version


• Supplier Performance

RCA and corrective actionsThe MOJ supplier manager will monitor the performance to check if there are any major deviations against the contract signed. The vendor will be requested to initiate an RCA and trigger corrective actions, whenever deviations are found from the agreed contract.

Monitor vendor for improvementsMOJ Supplier Manager will monitor the supplier for improvement in the performance and report these improvements in the regular reporting cycle.

Renew or close the contractMOJ Supplier Manager will check if the vendor’s performance is satisfactory and the contract can be extended. If the vendor performance is satisfactory, the MOJ Supplier Manager will trigger the contract renewal activities.

End of contractIf the vendor’s performance is not satisfactory or if the vendor’s services are not required any further, the contract is terminated, and supplier database is updated.Roles & Responsibilities

ROLE RESPONSIBILITIES

MOJ Supplier Manager (MOJ)

Manage and approve new vendors Define criteria for vendor evaluation Approve & Sign Off Supplier requests for information

(RFIs) and requests for proposals (RFPs) Approve and sign off Supplier roles and responsibilities Signs off contract terms and conditions Manage supplier risks


Page 21 of 21

Document0.1Version


Monitor vendor performance and suggests areas of improvement

Approves extension or termination of contract

MOJ Vendor Management Team

• Creates vendor management policy• Update contract requirements to minimise risks• Periodically report vendor performance to MOJ supplier

manager, vendor and all MOJ stakeholders• Documents and sends out RFIs and RFPs• Update supplier database whenever there are changes• Identify, document and inform MOJ supplier manager on

vendor related risks• Document the Supplier roles and responsibilities

MOJ Approved Vendors

• Provide information requested in RFP / RFI• Deliver services as agreed • Provide periodic service reports to MOJ• Implement and close service improvements and

corrective actions

Note: Responsibilities may be delegated or overlapped.Critical Success Factors (CSF) & Key Performance Indicators (KPI)

The purpose of collecting, analysing Vendor Management measurements is to make MOJ-DT services more effective and efficient. In addition, Vendor Management is used to provide reports in a non-technical language and to show where improvements could be made.

CSF – Establishment of a suitable of Vendor management process KPIs

• Number of new contracts created for the period• Time lapse between floating an RFP and establishing the vendor• Number of contract reviews for the period


Page 22 of 21

Document0.1Version


• Number of identified contract breaches • Number of early supplier terminations due to non-adherence of service levels.

Vendor Management Implementation Considerations

The following implementation considerations will keep the implementation process smooth and compatible with MOJ Vendor Management process, these considerations may include but not limited to:

• Define clear objectives and deliverables.• Involve and consult MOJ process owners and procurement team.• Decide how Supplier Management will interface with other functions.• Define the roles and responsibilities.• Create supplier database and ensure that all the approved and latest

vendor related documentation are uploaded to the database.• Decide the level of access to MOJ systems, that would be given to vendors.• Decide on the frequency of vendor performance reviews• Decide and document the criteria for vendor evaluation, contract extension

and termination.

References

• ITIL V3 Service Design – Supplier Management• COBIT 5.0 – APO 10 Manage Suppliers• ISO 27001:

• A. 15.1 Information security in supplier relationships• A.15.2 Supplier service delivery management


Page 23 of 21