2. Today’s Agenda – Learning Objectives
• Understand the importance and benefits of Vendor Risk Management (VRM)
• Develop a Framework and Process to Categorize (Segment) Vendors by Risk Exposure
• Building a Vendor Risk Profile
• Employ an Enterprise Risk Management Approach to VRM
• Build Vendor Risk Management into Procurement Processes
3. • Vendor risk is a type of operational risk and refers to the risks associated with outsourcing products and/or services to a third party.
What is meant by vendor risk?
4. • There are five key drivers of vendor risk:
– Inherent sourcing risk (nature of services/goods provided)
– Due diligence used in vendor selection
– Contracting form utilized and deviation processes
– Performance measurement, monitoring, & corrective action
– Maturity and effectiveness of vendor’s internal policies, procedures, and processes
Key Drivers of Vendor Risk
5. • What is vendor risk management?
Vendor Risk Management – Definition
6. • Vendor risk management is a formal way to evaluate, track and measure third-party risk; to assess its impact on all aspects of your business; and to develop compensating controls or other forms of mitigation to lessen the impact on your business if something should happen. (ProcessUnity, Inc.)
Vendor Risk Management – Definition
7. • Why is Vendor Risk Management becoming a compelling priority to institutions?
– Focus has shifted from hazard risk to enterprise risk management
– Penalties associated with compliance risks
– Ever-changing nature of outsourcing
Importance and Benefits of VRM
8. • What are the benefits of Vendor Risk Management?
– “The real value is in the operational and financial data, the interpretation of the data, and the business process that takes that knowledge and drives action.” ~ Joe Yacura, Former CPO, American Express and InterContinental Hotels
Importance and Benefits of VRM
9. • Outcomes of strong vendor risk management programs?
– Better sourcing decisions
– Increased risk awareness
– Alignment of vendor management strategy with risk exposure
– Deeper understanding of vendors’ operations
Importance and Benefits of VRM
10. • Damage to property
• Physical harm or death
• Financial harm
• Reputational damage
• Liability for acts or omissions of vendor
Why is Vendor Risk Management Important?
11. • Best in class institutions segment their vendors by risk exposure and focus on the small percentage of the overall vendor base that may present a serious risk to the institution.
Creating a Risk Exposure Framework
12. • Goal of the risk exposure framework is to create a quick, easy to use process for University internal customers to select vendors for a “deeper dive” risk identification and assessment process.
Creating a Risk Exposure Framework
13. • A vendor risk intelligence system can be created from the compilation of three types of information and data:
– Supplier provided data and information
– Internal customer data and feedback
– Third party resources
Creating a Vendor Risk Intelligence System
14. Vendor Risk Intelligence System Components
Internal
• One-on-one interactions with vendors
• Vendor “scorecards” or surveys
• Key Performance Indicators (KPIs)
• Internal departments – observational data
Vendor
• Vendor Certification Form
• Meetings with vendor’s key executive management
• Site visits to vendor’s corporate headquarters or to customer facilities
Third Party
• Service Organization Controls (SOC) Reports
• Dun and Bradstreet reports
• Moody’s
• Google searches
• Glass Door
• Etc.
15. Vendor Risk Intelligence (cont’d)
[Diagram: Vendor Provided Data, Internal Data and Third Party Data are inputs to the Vendor Intelligence Database; its output is the Vendor Risk Profile.]
17. What is a Vendor Risk Profile?
• A centralized, cohesive report that can include information from multiple sources used to analyze and assess vendor risk
• Used to communicate to key stakeholders (e.g. – consumers of the service/product and senior leadership) key risk attributes of each vendor
Creating a Vendor Risk Profile
19. • Context: Vendor Risk
• Risk Assessment
– Identify risks using Vendor Risk Intelligence
– Evaluate those risks against risk appetite
• Risk Management
– Determine appropriate risk treatment strategy
Enterprise Risk Management Approach to VRM
20. • Diverse information
• Reviewed in the context of the services being provided to the organization (e.g. – aligned with strategy)
• Leveraged in a way to enable the organization to make better decisions
Enterprise Risk Management Approach to VRM
[Diagram, repeated from slide 15: Vendor Provided Data, Internal Data and Third Party Data are inputs to the Vendor Intelligence Database; its output is the Vendor Risk Profile.]
22. • Facilitate ongoing, real time vendor risk assessment by:
– Creating a vendor risk intelligence database that facilitates continual entry of “leading” risk indicators
– Building vendor risk management (assessment and mitigation) into key procurement processes
Building VRM into Procurement Processes
23. • Three Key Areas:
– Supplier Certification Process
– RFX Process
– Contracting
Build VRM into Procurement Processes
24. • Contracting – four critical concerns:
– Contract Form
– Contracting Process
– Risky Provisions
– Contract Management
Build VRM into Procurement Processes
25. • “Risk comes from not knowing what you are doing.” ~ Warren Buffett
Summary - Thoughts for the Day
26. • Lisanne Sison, Bickmore
Email: lsison@Bickmore.net
Telephone: 916-244-1119
• Ruth Rauluk, Point Park University
Email: rrauluk@pointpark.edu
Telephone: 412-392-3996
Questions and Contact Information
Editor's Notes
Today I’m going to talk with you about vendor risk and the importance of understanding and managing this risk.
Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
In this part of the discussion, we can ask the audience “What is vendor risk?” and ask for examples of vendor risk.
We can also talk about the Target data breach and how this was caused by a third party vendor.
The first four drivers can be controlled by the institution; the fifth driver (in red, as in Caution!!) is controlled by the third-party vendor and, if unknown or not mitigated, can cause major issues for the institution.
Inherent nature – sometimes the nature of the service provided can create a risk – e.g., child care can be risky because children can be unpredictable and do not necessarily understand what is dangerous to them.
Due Diligence – checking references – checking reviews (sometimes) – checking with sites such as Better Business Bureau or Dun & Bradstreet. Also – obtaining insurance certificate
Contracting form – your agreement or the vendors. Do you read the agreement? Do you have certain agreements reviewed by legal counsel? Do you negotiate out terms? Beware the boilerplate agreements that are for sale or free on the internet. Buyer beware.
How is the vendor’s performance measured and how often is it measured? Do you take corrective action as soon as issues are noticed?
We can control to some degree all of the risk drivers in white – but the driver in red is entirely controlled by the vendor or contractor you select. This is the danger zone, the “unknown” that must become knowable – as much as possible. Target example . . . . HVAC vendor’s software was hacked. Child care – understand screening processes and also training processes – e.g. – how to recognize characteristics of a pedophile . . . Home contractors – clearances, SAFETY training, OSHA violations . . . You do not want a contractor’s problem to become your problem.
(Speaker – ask for audience participation)
Vendor risk management (VRM) is a comprehensive plan for identifying and decreasing potential business uncertainties and legal liabilities regarding the hiring of 3rd party vendors to provide goods and services.
A rigorous, analytical process to identify, assess, mitigate, and monitor the risks associated with hiring third party vendors who provide critical or risk-inherent goods and services to your institution.
ERM – looks at the institution’s institutional and operating risks. Vendor risk is a type of operational risk. Many institutions are now being mandated to engage in ERM – and a deep dive into operational risks points to vendor risks.
Dodd-Frank Act and other consumer protection acts equate to greater regulatory scrutiny of suppliers – especially those that interact directly with customers or have customer data. Regulatory scrutiny causes managerial focus on compliance risks.
Institutions have typically outsourced a number of mission-critical services (e.g. – food service, housekeeping, bookstore). Now the trend is to outsource an increasing number of sensitive functions (e.g. – student refunds, international payment processors, developing curriculum for on-line classes) which materially increase the need for better vendor risk management. Additionally, the growth of cloud computing and other technologies present new challenges around data storage and protection of this data – as well as privacy concerns.
What did Mr. Yacura mean by this statement?
VRM provides the opportunity to obtain detailed information regarding critical supplier risk; to use this information to mitigate risk to the extent possible; and to potentially lessen or avoid the negative impact of risks that become reality.
Ask for audience participation using white pads w/markers.
Selecting the vendor that will provide the best service for the best evaluated price (meaning the vendor who provides the best service with the lowest price with the lowest risk or risk that is manageable). Not always the cheapest!
Makes us all aware of the risk associated with outsourcing – we cannot assume that contractors are necessarily the experts and let them perform without the necessary due diligence
Meaning that we don’t “over control” situations with low risk exposure – like . . . . Someone hired to mulch your flower beds . .
Better understanding of a vendor’s operations enables you to see opportunities for cost reduction – carpeting example.
To answer this question – we can ask another question – what could happen if you don’t manage vendor risk?
ASK for audience participation
Having a framework to segment and prioritize the most critical suppliers is necessary to ensure that risk management efforts and resources are focused on the critical few rather than the trivial many.
Key points:
Most internal users should be able to think about the vendors they manage on a departmental basis and move through the risk exposure framework quickly and accurately.
Framework bullet points should be modified to include institution-specific risk exposures. Example: a research institution may have different “prompts” under each category – or may have an additional category – such as “Grants Related Exposures.”
Example of risk exposure framework in handouts package
Vendor Risk Certification/Assessment Form Example
Information obtained from the vendor (vendor risk assessment/qualifications) can be collected using a PDF fillable form, but an Excel document available online would be best – particularly a form that could automatically calculate the vendor’s raw risk score.
Other examples of 3rd Party Data:
SOC Reports (attestation reports that replaced SAS 70 reports and cover financial and system controls)
Public information reviews, e.g., financial condition, past and pending litigation, bad press, customer complaints, etc.
Credit reports
Google searches
Better Business Bureau
Investment sites (if publicly traded)
Glass Door
So now that you have all of this data, what do you do with it? Create a supplier risk intelligence database – one that can be updated frequently by multiple users to share observations, include data updates and sources, etc.
Creating a supplier risk intelligence database complete with “observational” fields that can be used by various departments off campus to record vendor “alerts.” Use data garnered from vendor profile creation and allow for continual entry of “leading” risk indicators.
As you can see from this visual, the data are inputs to the Supplier Risk Intelligence Database. The “outputs” of this database are Supplier Risk Profiles that can be shared across the organization (particularly with those pesky auditors) and that can be used to make sourcing decisions and to perform risk/reward analysis where applicable.
Lisanne Narrative Suggestions:
What does the Vendor risk Profile have that the Assessment does not? To illustrate, let’s walk through the process.
One of the most important pieces of information provided by the Vendor is usually a certification form that provides details about the vendor, including their name, licensing, finances, processes, etc.
The procurement officer would then take this information from the Certification form, evaluate it against a set of criteria and assign a rating to each of these factors, saying whether the information meets, maybe meets, or does not meet the university/organization’s expectations, using the Assessment Form. (These factors can be weighted and designed to give a score if desired; it isn’t absolutely necessary, but threshold indicators are very helpful.)
So for example, a vendor may not have sufficient insurance to cover their scope of duties. This may result in a “red flag” that should be considered carefully by the procurement official, and escalated to leadership if needed. Another example could be they are required to have a SOC report, but it hasn’t been updated for 2 years. If after going through the Vendor Assessment there are a lot of red flags, that would be an indicator to the Procurement Official to generate a Vendor Risk Profile.
The Vendor Profile is an optional additional review. So if you go through the assessment and it is all green, stop there. If it is a bunch of red, then you use the Vendor Risk Profile to review.
The Vendor Risk Profile would include information from all three data sources (Vendor, Internal and Third Party) to provide an overview of the risks of the vendor as they relate to the services the vendor is providing to the university/organization, so the procurement officer can make a recommendation regarding whether to do business with the vendor, or what controls need to be in place in order to do business with that vendor to leadership.
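As an added illustration of the assessment step just described (this is not code from the deck or from the speakers), a small Python model of the Assessment Form: each factor is rated meets / maybe meets / does not meet, the weights, point values, freshness rule and escalation threshold are assumed values, and the two examples from the talk (insufficient insurance, a SOC report not updated for two years) drive the decision to stop or to generate a Vendor Risk Profile.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Ratings assigned on the assessment form come from the talk; point values,
# weights and thresholds below are assumed for illustration, not from the deck.
RATING_POINTS = {"meets": 0, "maybe_meets": 1, "does_not_meet": 2}

@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int       # assumed relative importance of the factor
    threshold: bool   # True: "does not meet" here is a red flag by itself

# Assumed factor set, modelled on the examples in the talk.
CRITERIA = [
    Criterion("insurance_covers_scope", 3, True),
    Criterion("soc_report_current", 3, True),
    Criterion("licensing_valid", 2, True),
    Criterion("financials_disclosed", 1, False),
    Criterion("incident_process_documented", 1, False),
]

SOC_MAX_AGE_DAYS = 365   # assumed: a SOC report older than a year is stale
SCORE_ESCALATION = 4     # assumed: weighted score that triggers profile review

def rate_soc_report(report_date: date, today: date) -> str:
    """Rate SOC-report freshness by age (assumed 12-month rule, 24-month cutoff)."""
    age_days = (today - report_date).days
    if age_days <= SOC_MAX_AGE_DAYS:
        return "meets"
    if age_days <= 2 * SOC_MAX_AGE_DAYS:
        return "maybe_meets"
    return "does_not_meet"

def rate_insurance(limit: int, scope_requirement: int) -> str:
    """Compare the vendor's coverage limit with what the scope of duties needs."""
    if limit >= scope_requirement:
        return "meets"
    if limit >= 0.75 * scope_requirement:   # assumed tolerance band
        return "maybe_meets"
    return "does_not_meet"

def assess(ratings: Dict[str, str]) -> Tuple[int, List[str], str]:
    """Return (raw_score, red_flags, decision); decision is 'stop' when all
    green, else 'generate_risk_profile' (threshold red flag or high score)."""
    score, red_flags = 0, []
    for c in CRITERIA:
        rating = ratings[c.name]
        score += c.weight * RATING_POINTS[rating]
        if c.threshold and rating == "does_not_meet":
            red_flags.append(c.name)
    escalate = bool(red_flags) or score >= SCORE_ESCALATION
    return score, red_flags, "generate_risk_profile" if escalate else "stop"
```

A non-threshold factor can lower the score without forcing the deeper review, while a single threshold factor rated "does not meet" escalates regardless of the total.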
After you’ve used the risk exposure framework to determine which suppliers are your critical few, the next step is to obtain the necessary information, feedback, and data to create a vendor risk profile that can be shared across University departments.
So what does all this have to do with Enterprise Risk Management?
Before we get into it, let’s do a quick level-setting on what Enterprise Risk Management actually is, because if you ask a room of 5 people to define ERM, you are going to get 8 different answers.
I’m not going to go into too much detail, but there are basically two ERM frameworks out there. COSO and ISO. [I’ll do a 5 minute discussion on ERM highlighting the process. I will end with the ISO Risk Management process and correlate it with the process we are following for VRM on the next slide.]
The other part of VRM that relates to ERM is the way we take information from across the organization and from different sources to identify and manage risk.
We talked a lot about assessing and managing vendor risk – but how often should we do this? Here is a dashboard report released recently by ISM – the Institute for Supply Management. The data comes from CAPS research. One way to routinely reassess vendor risk and incorporate management of that risk is by building vendor risk management into your routine procurement processes.
We mentioned earlier that it is important to facilitate ongoing, “real time” vendor risk assessment. Real time assessment can be achieved through two means:
By creating a supplier risk intelligence database that can be consistently used to record vendor “alerts”
By integrating vendor risk management into key procurement processes
Supplier Certification – as discussed and as shown through example, revise the certification process to include provision of data by the vendor that can quantitatively and objectively be used to assess vendor risk and pinpoint areas for mitigation. The “stodgy, traditional stuff” typically requested in a supplier certification process doesn’t do the job. Note that the supplier certification process, if done correctly, can drive sourcing strategy and sourcing decisions.
RFX Process – incorporate the vendor certification/assessment form into your RFP and require completion by “known” vendors each and every time they compete for the University’s business. Essentially, their raw risk score derived from their responses to the risk assessment questions and the scores assigned on the assessment matrix should be incorporated into the evaluation process as an evaluation criterion.
Contract Form – Using the correct form based on the nature and inherent risk of the relationship. Concerned with the completeness and sufficiency of the vendor agreement. Example: using the right form when the vendor/consultant is developing IP for the institution.
Contracting Process – corporate governance; the internal processes (if any!) to deviate from standard contract language and/or insurance requirements; adequacy of review based on nature of agreement – e.g. – a junior buyer versus external counsel. Specialized counsel versus general.
Risky provisions – those that allocate risk; those that transfer risk; those that limit risk; those that deal with access to and disposal of confidential information; etc. Your institutions should have both optimal and “acceptable” positions for all key provisions.
Contract management – refers to how effectively an institution manages a vendor during the term of the agreement and the tools, policies, and procedures used to manage the relationship. Contract management should operate from four primary perspectives: 1) performance to contract requirements – KPIs; 2) financial, relative to pricing, invoicing, etc.; 3) contract compliance, interpretations, etc.; and 4) relationship with the supplier for resolving issues, communication, forecasting demand, etc.
This is a famous quote from Warren Buffett. I’d like to amend this quote by saying “Risk comes from not knowing what vendors are doing.”
Think about all of the risks associated with using a vendor or contractor to provide services that we’ve discussed today . . . and the benefits of knowing where the potential minefields are . . . .
Now that we understand vendor risk and the importance of vendor risk management, we are better prepared to identify risks that can negatively impact our personal and professional lives and act intelligently to mitigate these risks by incorporating vendor risk management into our procurement processes.
Thank you.