Vendor Risk Management: The Good, the Bad, and the Very, Very, Ugly

Vendor Risk Management Presentation Final Revised 5-19-2016


Page 1: Vendor Risk Management Presentation Final Revised 5-19-2016

Vendor Risk Management: The Good, the Bad, and the Very, Very, Ugly

Page 2: Vendor Risk Management Presentation Final Revised 5-19-2016

Today’s Agenda – Learning Objectives

• Understand the importance and benefits of Vendor Risk Management (VRM)

• Develop a Framework and Process to Categorize (Segment) Vendors by Risk Exposure

• Building a Vendor Risk Profile

• Employ an Enterprise Risk Management Approach to VRM

• Build Vendor Risk Management into Procurement Processes

Page 3: Vendor Risk Management Presentation Final Revised 5-19-2016

• Vendor risk is a type of operational risk and refers to the risks associated with outsourcing products and/or services to a third party.

What is meant by vendor risk?

Page 4: Vendor Risk Management Presentation Final Revised 5-19-2016

• There are five key drivers of vendor risk:

– Inherent sourcing risk (nature of services/goods provided)

– Due diligence used in vendor selection

– Contracting form utilized and deviation processes

– Performance measurement, monitoring, & corrective action

– Maturity and effectiveness of vendor’s internal policies, procedures, and processes

Key Drivers of Vendor Risk

Page 5: Vendor Risk Management Presentation Final Revised 5-19-2016

• What is vendor risk management?

Vendor Risk Management – Definition

Page 6: Vendor Risk Management Presentation Final Revised 5-19-2016

• Vendor risk management is a formal way to evaluate, track and measure third-party risk; to assess its impact on all aspects of your business; and to develop compensating controls or other forms of mitigation to lessen the impact on your business if something should happen. (ProcessUnity, Inc.)

Vendor Risk Management – Definition

Page 7: Vendor Risk Management Presentation Final Revised 5-19-2016

• Why is Vendor Risk Management becoming a compelling priority to institutions?

– Focus has shifted from hazard risk to enterprise risk management

– Penalties associated with compliance risks

– Ever-changing nature of outsourcing

Importance and Benefits of VRM

Page 8: Vendor Risk Management Presentation Final Revised 5-19-2016

• What are the benefits of Vendor Risk Management?

– “The real value is in the operational and financial data, the interpretation of the data, and the business process that takes that knowledge and drives action.” ~ Joe Yacura, Former CPO, American Express and InterContinental Hotels

Importance and Benefits of VRM

Page 9: Vendor Risk Management Presentation Final Revised 5-19-2016

• Outcomes of strong vendor risk management programs?

– Better sourcing decisions

– Increased risk awareness

– Alignment of vendor management strategy with risk exposure

– Deeper understanding of vendors’ operations

Importance and Benefits of VRM

Page 10: Vendor Risk Management Presentation Final Revised 5-19-2016

• Damage to property

• Physical harm or death

• Financial harm

• Reputational damage

• Liability for acts or omissions of vendor

Why is Vendor Risk Management Important?

Page 11: Vendor Risk Management Presentation Final Revised 5-19-2016

• Best-in-class institutions segment their vendors by risk exposure and focus on the small percentage of the overall vendor base that may present a serious risk to the institution.

Creating a Risk Exposure Framework

Page 12: Vendor Risk Management Presentation Final Revised 5-19-2016

• The goal of the risk exposure framework is to create a quick, easy-to-use process for University internal customers to select vendors for a “deeper dive” risk identification and assessment process.

Creating a Risk Exposure Framework

Page 13: Vendor Risk Management Presentation Final Revised 5-19-2016

• A vendor risk intelligence system can be created from the compilation of three types of information and data:

– Supplier provided data and information

– Internal customer data and feedback

– Third party resources

Creating a Vendor Risk Intelligence System

Page 14: Vendor Risk Management Presentation Final Revised 5-19-2016

Vendor Risk Intelligence System Components

Internal

• One-on-one interactions with vendors

• Vendor “scorecards” or surveys

• Key Performance Indicators (KPIs)

• Internal departments – observational data

Vendor

• Vendor Certification Form

• Meetings with vendor’s key executive management

• Site visits to vendor’s corporate headquarters or to customer facilities

Third Party

• Service Organization Control (SOC) Reports

• Dun and Bradstreet reports

• Moody’s

• Google searches

• Glassdoor

• Etc.

Page 15: Vendor Risk Management Presentation Final Revised 5-19-2016

Vendor Risk Intelligence (cont’d)

[Diagram labels: Vendor Intelligence Database; Vendor Provided Data; Internal Data; Third Party Data; Vendor Risk Profile]

Page 16: Vendor Risk Management Presentation Final Revised 5-19-2016

Vendor Certification Form

Page 17: Vendor Risk Management Presentation Final Revised 5-19-2016

What is a Vendor Risk Profile?

• A centralized, cohesive report that can include information from multiple sources used to analyze and assess vendor risk

• Used to communicate key risk attributes of each vendor to key stakeholders (e.g., consumers of the service/product and senior leadership)

Creating a Vendor Risk Profile

Page 18: Vendor Risk Management Presentation Final Revised 5-19-2016

Enterprise Risk Management Approach to VRM

Page 19: Vendor Risk Management Presentation Final Revised 5-19-2016

• Context: Vendor Risk

• Risk Assessment

– Identify risks using Vendor Risk Intelligence

– Evaluate those risks against risk appetite

• Risk Management

– Determine appropriate risk treatment strategy

Enterprise Risk Management Approach to VRM

Page 20: Vendor Risk Management Presentation Final Revised 5-19-2016

• Diverse information

• Reviewed in the context of the services being provided to the organization (e.g., aligned with strategy)

• Leveraged in a way to enable the organization to make better decisions

Enterprise Risk Management Approach to VRM

[Diagram labels: Vendor Intelligence Database; Vendor Provided Data; Internal Data; Third Party Data; Vendor Risk Profile]

Page 21: Vendor Risk Management Presentation Final Revised 5-19-2016

Frequency of Vendor Assessment

Page 22: Vendor Risk Management Presentation Final Revised 5-19-2016

• Facilitate ongoing, real-time vendor risk assessment by:

– Creating a vendor risk intelligence database that facilitates continual entry of “leading” risk indicators

– Building vendor risk management (assessment and mitigation) into key procurement processes

Building VRM into Procurement Processes

Page 23: Vendor Risk Management Presentation Final Revised 5-19-2016

• Three Key Areas:

– Supplier Certification Process

– RFX Process

– Contracting

Build VRM into Procurement Processes

Page 24: Vendor Risk Management Presentation Final Revised 5-19-2016

• Contracting – four critical concerns:

– Contract Form

– Contracting Process

– Risky Provisions

– Contract Management

Build VRM into Procurement Processes

Page 25: Vendor Risk Management Presentation Final Revised 5-19-2016

• “Risk comes from not knowing what you are doing.” ~ Warren Buffett

Summary - Thoughts for the Day

Page 26: Vendor Risk Management Presentation Final Revised 5-19-2016

• Lisanne Sison, Bickmore Email: [email protected] Telephone: 916-244-1119

• Ruth Rauluk, Point Park University Email: [email protected] Telephone: 412-392-3996

Questions and Contact Information