Information Technology Vendor Risk Management
Identified Risks Throughout the Sourcing and Vendor Management Life Cycle
Table of Contents
1.0 Overview of IT Vendor Risk Management (p. 2)
2.0 Relationship Vendor Risk Management (p. 3)
2.1 Human Capital (p. 3)
2.2 Communication (p. 4)
3.0 Contract Vendor Risk Management (p. 5)
3.1 Compliance (p. 5)
3.2 Transition Risk (p. 5)
4.0 Financial Vendor Risk Management (p. 6)
4.1 Value Leakage (p. 7)
4.2 Financial Transactional Risk (p. 8)
5.0 Performance Vendor Risk Management (p. 9)
5.1 Performance/Service Level Agreements (p. 9)
5.2 Security (p. 10)
6.0 Summary (p. 11)
1.0 Overview of IT Vendor Risk Management
As mature organizations begin to implement IT Sourcing Strategy and Vendor Management Offices, these
initiatives must account for and operate in the areas of uncertainty that come along with developing new
relationships for sourced products or services. Sourcing Strategy comprises the philosophy, decisions, and
implementation approach an organization takes in dealing with potential service providers to achieve its business
objectives. Vendor Management empowers an organization to benefit from the excellent service that contracted
service providers offer, while managing costs and mitigating risks. A mature Information Technology
Vendor Management Office, “IT VMO,” will result in greater value from engagements and create mutually
beneficial relationships between the organization and its service providers.
As the sourcing environment becomes global, perhaps with many unique sets of interacting partners, a
proper risk management approach becomes more essential. Risk management of potential
third party IT vendors not only establishes a framework in which sourcing partners and an organization’s
VMO identify risks, but also develops strategies to mitigate and avoid those risks. However, before IT third
party risks can be identified and managed within the IT VMO, there are preliminary elements which must be
accounted for and measured for each sourcing provider to the organization.
The foundation of an effective IT VMO relies on the maturity and implementation of four key process risk
areas. Within each of these key processes there are two subareas of Vendor Management, each with its own
set of risks that can occur during the life of an organization’s IT VMO. Throughout the Sourcing and VMO life cycle,
these risk areas need to be constantly assessed and mitigated.
✓ Relationship Vendor Risk Management
• Human Capital
• Communication
✓ Contract Vendor Risk Management
• Transition
• Compliance
✓ Financial Vendor Risk Management
• Value Leakage
• Invoice Processing
✓ Performance Vendor Risk Management
• Service Level Agreements
• Security
“Train people well enough so they can leave, treat them well enough so they don’t want to.” - Richard Branson
Financial Risk consists of managing the contract’s Value Leakage and reviewing transactional invoices for completeness
and accuracy against the contract. Relationship Risk consists of managing human capital and communication
to both internal and external stakeholders. Contract Risk relates to managing the vendor transition from the in-
house to the sourced environment, and a vendor’s compliance with the organization’s policies and governing
regulations. Performance Risk oversees a vendor’s adherence to the contract’s Service Level Agreements and the
capturing of Security Requirements and Risks in case of unforeseen service disruption.
2.0 Relationship Vendor Risk Management
When managing the IT Relationship Risks, an organization must consider the gain or loss of the organization’s
human capital during transition from in-house to the sourced environment. Proper communication to all
stakeholders must be consistent and transparent to avoid the rumor spiral, where “appearance becomes fact.”
2.1 Human Capital
Once a contract has been signed, and before the service provider onboarding process has been initiated,
attrition of the organization’s human capital must be considered when defining and identifying the
retained employees. During the transition phase, attrition of key original organization resources is expected
to reach high levels, with potential internal challenges from labor unions.
A carefully defined retained organization, with a new set of roles and responsibilities for the remaining
organization employees, must reach a form of consensus with all higher level stakeholders. The risk of the retained
staff being underutilized occurs when a significant portion of highly qualified
employees are focused on purely administrative activities. A proper flight risk and skills overlap assessment of
the original enterprise will assist in determining the retained organization versus displaced employees. Over
the course of the contract, there is always a tendency to distrust the new service provider. The level of distrust
can result in an overstaffed retained organization mimicking the new service provider’s organization, “man-
marking.” Man marking diminishes business returns, fuels job dissatisfaction, and fails to
employ people’s skills to the best advantage. The IT VMO should ensure the retained staff is conversant in
agreed innovation, process improvement support, and defining solutions to address future
challenges. There should be continuous investment in training the retained organization staff, while monitoring
the service provider’s training metrics and turnover rate. Finally, the VMO should also leverage communication
tools such as an incentive plan to retain the key resources, and highlight opportunities and benefits.
Once the service provider is fully on board, the IT VMO must monitor staffing of the service
provider to ensure service quality does not decline over the life of the contract. The IT VMO should
periodically obtain current and historical attrition rates from all tiered service providers to monitor this
fluctuation. Turnover at the new service provider can be considered both negative and positive for service
delivery. A high sourced turnover rate, greater than 15%, would lead to a decline in the efficiency of team results,
delays in service delivery, and inconsistent service quality as new staff are onboarded and offboarded.
There is a potential loss of knowledge transfer and partner relationship credibility, which can eventually
impact the overall contract value. A low turnover rate of less than 2-3% could result in a lack of new ideas
and innovation for stale problems. It also indicates a service provider that is not leveraging other existing clients’
knowledge bases and not bringing fresh ideas to old processes.
Human Capital Risks
✓ Service Provider and Organization Attrition
✓ Suboptimal Sourced Turnover Rate
✓ Fragmented Retained Organization
Human Capital Mitigations
✓ Defined Retained Organization with Flight Risk Assessment
✓ Monitoring of Service Provider Employee Turnover Rate
✓ Continuous Training of Retained Organization
“A lie can travel half way around the world while the truth is putting on its shoes.” - Mark Twain
2.2 Communication
The risk and importance of communication by the IT VMO between the transforming organization and its
internal staff, incumbent service provider, and/or new service provider cannot be overstated. Rumors and
nervousness reach their peak among the transforming organization’s internal staff during the period of
transition from in-house to outsourced. This is when the rumor mill is strongest, and any form of communication
leak results in fear, uncertainty, and elevated attrition rates. Dysfunctional IT VMO communication results in incorrect
information being disseminated to both internal staff and relevant stakeholders. That dysfunction will
solidify any doubt about the original sourcing strategy amongst internal business leaders, while decreasing the
value of the entire sourcing initiative.
In the case of international sourcing, there is an additional risk from domestic perceptions of jobs being sent
offshore. Foreign accents, general ignorance of or lack of background in different cultures, and limited international
exposure can all be risks in a global service delivery model.
There are several opportunities for the organization’s IT VMO to mitigate the risks associated with
communication. Develop a thorough change and communication plan engaging both internal and external
stakeholders, while documenting a Relationship Peer Group Diagram for roles between the vendor and the
retained organization. This Peer Group Diagram describes roles with clear terms of reference and specific
accountability, while defining an escalation hierarchy. For clarity of process and interaction between the
vendor and organization, a Shared Operations Manual should be in place detailing processes for the general
operation of the services delivered through the contract. This manual contains reporting
schedules and frequency, onboarding/offboarding of personnel, and standard operational agendas. These plans
and diagrams should be based on the organization’s policies and culture, ensuring the sourcing strategy is
aligned with corporate strategy.
A successful set of mitigating approaches consists of identifying the proper stakeholders, conducting numerous
town hall meetings, and delivering a consistent message about the overall objective, benefits, and timing of the transition
within the organization. During this phase, the organization must publish timely Frequently Asked
Questions and Answers to the relevant portion of the organization, while being as transparent as possible. In
cases of international sourcing, there have been effective instances of creating a cultural exposition between
the transforming organization and the new service provider to build a better understanding of one another’s
lifestyles.
Communication Risks
✓ Rumor Proliferation
✓ International Perceptions
Communication Mitigations
✓ Transparency
✓ Updated Frequently Asked Questions
✓ International Expositions
✓ Town Hall Meetings
“If you think compliance is expensive, try non-compliance.” - Paul McNulty
“There is no more difficult transition from Sunday to Monday.” - Unknown
3.0 Contract Vendor Risk Management
Proper contract management and service provider compliance must be consistent with organizational policies
and regulations. When managing the IT Contract Risks, an organization must consider the gain or loss of
knowledge transfer during the transition from in-house to the sourced environment. The IT VMO acts as the point of
coordination and governance over both the vendor and the organization to track the delivery of obligations
detailed within the contract. When drafting the contract, an Obligation Tracker should be created. This would
primarily be focused on the one-off or quarterly/annual deliverables (e.g., SOC report, environmental report), and
not the day to day service delivery aspect, but it would cover obligations for both the vendor and the retained
organization.
3.1 Compliance
There is always difficulty in navigating the complexity of regulations when transitioning from in-house
services to outsourced services. If an organization accepts a sourcing service provider that lacks industry
experience with regulations, there can be an unforeseen cost impact from not meeting
requirements. An unskilled service provider can leave the transforming organization non-
conformant with the laws, rules, and regulations, resulting in significant financial and reputational costs.
The IT VMO needs to ensure the engagement for contracted services complies with country/regional laws and
regulations affecting financial reporting, accounting, data protection, and software licensing. Involving the
essential stakeholders, such as Legal, Human Resources, and Tax, is often important to ensure compliance.
During the sourcing phases of strategy development, service provider evaluation, selection, and contract
negotiations, the service provider’s and the organization’s risk managers must identify the compliance and audit
risks. These assurances are needed not only at the initiation phase, but during the entire life of the contract. Proper
procedures must be defined and accounted for, and aligned with regulations such as SOX Section 404 third party
compliance. SOX Section 404 requires that third party compliance procedures and processes are in place as part of the
controls over the preparation and presentation of financial statements.
The IT VMO should assist with each of the sourcing phases to ensure these compliance requirements are
seamlessly integrated within the service provider’s delivery model and appropriately governed. The
selected service provider’s corporate compliance obligations must be clearly spelled out, and the transitioning organization
must be prepared to conduct or facilitate the necessary regular or ad hoc audit cycles.
Compliance Risks
✓ Nonconformance to Regulations
✓ Financial Fines for Non-Compliance
Compliance Mitigations
✓ Clearly Defining Compliance Regulations during the Early Sourcing Phases
✓ Conduct or Facilitate Audits of the Service Provider
3.2 Transition Risk
Identifying and selecting the appropriate service provider is only half the battle in the Sourcing Life Cycle. The
transition from the incumbent service provider to the newly selected vendor must be seamless while minimizing
disruptions. There should be a complete transition vision, with a fully transparent communication plan laid out
to all stakeholders. At the end of the transition phase, and for clarity purposes, this is when the Shared Operations
Manual should be created. This manual should detail the processes for general operation of the services delivered
through the contract, such as work orders and on/offboarding of personnel.
The transition phase has the highest margin of error and contains the most risk of potential service
interruption. There is a risk of initial service degradation during transition, or possible misalignment of the service
provider’s solutions with its own capabilities.
One key step of transition is the facilitation of proper knowledge transfer. Risks associated with ineffective
knowledge transfer from the incumbent service provider or client to the new service provider can be related to
steep learning curves, or the amount of knowledge to be transferred in a short period of time. “Knowledge
stickiness” is an inherent risk and characteristic of specialized, personal, and tacit knowledge, which are
components that inhibit easy knowledge transfer. The potential causes of this stickiness are strained
relationships, lack of motivation, lack of absorptive capacity, and the actual extent to which the knowledge is
understood.
There are also risks of an inadequate retained organization with duplicative skill sets, and of not accounting for the
flight risk of transforming organization employees. A lack of available resources from the
transforming organization will hinder the service provider in conducting face to face shadowing, and increase
the inability to share or gain access to incumbent service provider or transforming organization information.
Upon the transition from an incumbent service provider to a newly selected one, there is a risk that the
incumbent service provider fails to support or cooperate with a graceful transition to the new service provider. All
these factors can delay all parties in quickly accepting operational responsibilities in the event of
termination or reduction of incumbent services.
To assist in minimizing the impact of knowledge loss, the service provider and organization must clearly
define the roles and responsibilities of all stakeholders. Knowledge transfer sessions should be increased as
required, with ample shadowing. A clear set of Run Book documentation, kept up to date, should be available and
aligned with the shadowing process. Within the sourcing contract, a detailed and proactive transition plan
should be defined, with financial incentives for quality and for meeting milestones. The overall goal of the
transition phase is to move the transforming organization from an operational focus to a managed focus.
Transition Risks
✓ Improper Knowledge Transfer
✓ Displaced Employees Flight Risk
Transition Mitigations
✓ Defined Retained Organization
✓ Defined Transition Plan
✓ Shadowing and Run Books
✓ Shared Operations Manual
4.0 Financial Vendor Risk Management
Proper financial management entails governance of the service provider’s financial footprint in the
transforming organization through monitoring Value Leakage and the financial transactional level. Monitoring
Value Leakage tracks the overall cost impact of the contract and seeks to ensure that saving
opportunities are captured.
“It is not the money that is important, but the people attached to it.” - Unknown
4.1 Value Leakage
The main pillar of the original sourcing initiative is the expected savings from moving in-house functions to
outsourced functions. As the relationship with a sourced vendor matures from one stage to the next,
the expected savings for the transformational organization can evaporate.
This evaporation is called “Value Leakage,” and it shows up in both hard and soft metrics. Value Leakage can
be the result of poorly defined statements of work, unmeasurable service levels, inaccurate collection of vendor
pricing, incorrect baselines or financial base case, inaccurate benchmarking, the use of specialized skills
not on the rate card, and a service provider’s tendency toward resource upskilling. All these scenarios will directly
impact the amount of expected savings identified during the sourcing strategy stage, and lead to contract
Value Leakage. Many recent international sourcing agreements expect resources to be offshore to drive the
savings. There is a risk that the supplier may inflate costs due to an inefficient onshore/offshore resource
availability mix.
The potential impact of an inaccurate statement of work or of resource upskilling is challenges in
project scheduling, budget slippage, and higher costs of services due to change orders after contract
execution. These higher costs can eventually cause loss of goodwill and a negative financial impact for both the
service provider and the transitional organization.
One of the baseline components in deriving the sourcing strategy is the original set of current spending
numbers for the sourcing initiative, the financial “Base Case.” The current spending must be derived from the
transforming organization’s data to ensure the financial sourcing strategy is aligned with corporate
strategy. This base case must be created during the early sourcing strategy phase, be justifiable with realistic
assumptions, and be challengeable with different scenarios. There must also be consideration for adjusting
baselines, such as the commissioning and decommissioning of applications for application development service
providers. During the sourcing selection phase, this base case will account for the different vendors’ Request For
Proposal, “RFP,” pricing to project a proper service provider cost comparison and to leverage opportunities
for negotiation. This base case is the starting point for maintaining an accurate Value Leakage report.
Some risk mitigating approaches consist of capturing the components to implement a real-time Value Leakage
report, while creating clear Statements of Work to track the financial and performance health of the sourcing
vendor relationship. Also, there should be significant effort to normalize rate cards amongst all the vendors in
the transforming organization, which allows oversight of a service provider’s tendency toward
upskilling resources or deviating roles from the rate card. There should also be business case justification for
the commercial arrangement, supported by a milestone driven Benefit Realization plan. This plan should
then be proactively reviewed throughout the agreed term, during which benefits should be realized and any
additional value over and above the original expectation tracked on an ongoing basis. This would typically be led by an
internal meeting of the retained organization and communicated to leadership.
Value Leakage Risks
✓ Loss of Initial Savings Opportunities
✓ Upskilling and Resources
✓ Unmeasurable Service Level Agreements
Value Leakage Mitigations
✓ Clear Financial Base Case
✓ Monitoring Resource Mix
✓ Normalized Rate Cards
✓ Benefits Realization Plan
“Life is like Accounting, everything must be in balance.” - Unknown
4.2 Financial Transactional Risk
Once service providers are selected and integrated within the transforming organization, it is the organization’s
responsibility to continuously monitor each service provider’s financial viability. There are risks to a service
provider’s financial “going concern,” and any potential lawsuits on the horizon must be taken into account. The
transforming organization’s financial position within the service provider’s revenue also needs to be taken into
consideration.
The transformational organization should be no less than 5% or greater than 15% of the service provider’s base
yearly revenue. If revenues to the service provider are less than 5%, there is a risk of the transformational
organization being insignificant to the service provider. If revenues are greater than 15% to the service
provider, there is a risk of its financial health being dependent on the current relationship. Any disruption to
the relationship between the transformational organization and the service provider would have a severe impact on the
existence of the service provider.
As part of SOX Section 404 governance over the transformation entity’s financial statements, there is a requirement
for proper accounting of purchase orders and validation of performance invoices. A transformational
organization’s purchase order signifies that proper budgeting has been assigned, and allows the service provider to
initiate services. Services being performed without a purchase order can create legal and financial risks, as a
purchase order serves as a legally binding document. Service providers tend to work on
projects before the contract is fully signed and/or the purchase order is issued. These tendencies can be due to
pressure from the service provider, or even from the organization’s internal stakeholders to meet project deadlines.
A potential pitfall in creating the Purchase Order is not defining clear and measurable project or performance
metrics. Project managers tend to insert ambiguous “behavior” attributes as deliverables, without proper
acceptance criteria. Prior to issuing a purchase order, a work order must be created. The combination of these
two artifacts is jointly taken for execution and issuance to the vendor, as work and budget are continuously
being defined.
Upon the transforming organization’s receipt of invoices, there must be processes for referring to the contract
and for being cognizant of the Additional Resources Consumed (ARC) and Reduced Resources Consumed (RRC)
calculations. Charges for additional resources (“ARCs”) above the threshold are priced at rates that reflect the
marginal cost of the additional production. Credits (“RRCs”) granted for reductions in resources consumed or
provided offer the enterprise customer some comfort, but the savings on credits tend not to be equivalent to the
increased costs paid for incremental resources in excess of the threshold.¹
Once proper financial validation has been completed, a performance approval must be obtained. Without
performance acceptance, there is a risk of paying for services not performed up to the transforming
organization’s standards. Some mitigating approaches to lessen delays in payment are to streamline the
Purchase Order creation and Invoice approval process. Upon receipt of the invoice, it should immediately
be approved by project management to validate satisfaction with the services. In parallel, finance is to
obtain approval of performance satisfaction and verify that the cumulative invoices do not exceed the original
purchase order amount. Enterprises tend to require a duplicative approval within finance to
process the payment to Accounts Payable. This delay can result in the risk of late fees and possible
disruption to service performance.
As the service provider and transitional organization relationship matures, there is a tendency to use Staff
Augmentation/Time & Materials for projects in service delivery. The overuse of Staff Augmentation leads
to runaway projects and costs, and to difficulty in measuring the benefit of the services being provided. Staff
Augmentation efforts should be moved to a defined project delivery model to better account for the progress of efforts
and provide financial forecasting.
Financial Transactions Risks
✓ Overuse of Staff Augmentation
✓ Service Provider Financial Position
Financial Transactions Mitigations
✓ Migration to Project Defined Delivery
✓ Timely Issue of Purchase Orders
✓ Monitoring of Service Provider Footprint in the Organization
✓ Performance Acceptance
✓ Monitoring of Service Provider Financial Health
¹ Outsourcing Law Global, LLC
“An ounce of performance is worth a pound of promises.” - Mae West
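The purchase order, cumulative invoice and performance acceptance controls described in section 4.2, together with the 5% to 15% revenue concentration band, can be expressed as a small set of automated checks. The following is an added example written for this edit, not code from the paper or its author; the purchase orders, invoices, vendor name and revenue figures are constructed sample data, and the finding labels are this example's own.

```python
# Added example (not from the paper): a minimal implementation of the
# invoice controls described in section 4.2. All purchase orders, invoices
# and revenue figures below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Finding labels returned by the controls (example's own wording).
NO_PO = "no purchase order on file: service not budgeted, no legally binding document"
PRE_PO_START = "services started before the purchase order was issued"
OVER_PO = "cumulative invoices exceed the purchase order amount"
NO_ACCEPTANCE = "performance acceptance from project management missing"


@dataclass
class PurchaseOrder:
    po_number: str
    vendor: str
    amount: float
    issued: date


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    service_start: date
    performance_accepted: bool          # project management signed off on satisfaction
    po_number: Optional[str] = None     # None models work started without a PO


def check_invoice(inv: Invoice, pos: Dict[str, PurchaseOrder],
                  approved_so_far: Dict[str, float]) -> List[str]:
    """Return the list of control findings for one invoice (empty = clear to pay)."""
    findings: List[str] = []
    po = pos.get(inv.po_number) if inv.po_number else None
    if po is None:
        findings.append(NO_PO)
    else:
        if inv.service_start < po.issued:
            findings.append(PRE_PO_START)
        # Finance check: cumulative approved invoices must stay within the PO.
        if approved_so_far.get(po.po_number, 0.0) + inv.amount > po.amount:
            findings.append(OVER_PO)
    if not inv.performance_accepted:
        findings.append(NO_ACCEPTANCE)
    return findings


def run_controls(invoices: List[Invoice],
                 pos: Dict[str, PurchaseOrder]) -> Dict[str, List[str]]:
    """Run the controls over invoices in arrival order; only clean invoices
    count toward the purchase order's consumed amount."""
    results: Dict[str, List[str]] = {}
    approved: Dict[str, float] = {}
    for inv in invoices:
        findings = check_invoice(inv, pos, approved)
        results[inv.invoice_id] = findings
        if not findings:
            approved[inv.po_number] = approved.get(inv.po_number, 0.0) + inv.amount
    return results


def revenue_concentration(org_spend: float, vendor_annual_revenue: float,
                          low: float = 0.05, high: float = 0.15) -> str:
    """Classify the organization's share of the vendor's yearly revenue
    against the 5% to 15% band from section 4.2."""
    share = org_spend / vendor_annual_revenue
    if share < low:
        return "below band: organization insignificant to the service provider"
    if share > high:
        return "above band: service provider dependent on the relationship"
    return "within band"


# Constructed sample data.
SAMPLE_POS = {
    "PO-1001": PurchaseOrder("PO-1001", "ExampleVendor", 100_000.0, date(2020, 1, 15)),
}
SAMPLE_INVOICES = [
    Invoice("INV-1", "ExampleVendor", 60_000.0, date(2020, 2, 1), True, "PO-1001"),
    Invoice("INV-2", "ExampleVendor", 50_000.0, date(2020, 3, 1), True, "PO-1001"),  # pushes total past the PO
    Invoice("INV-3", "ExampleVendor", 5_000.0, date(2020, 3, 10), True, None),       # work done with no PO
    Invoice("INV-4", "ExampleVendor", 20_000.0, date(2020, 1, 5), False, "PO-1001"),  # started pre-PO, not accepted
]
CONTROL_RESULTS = run_controls(SAMPLE_INVOICES, SAMPLE_POS)

if __name__ == "__main__":
    for invoice_id, findings in CONTROL_RESULTS.items():
        print(invoice_id, "clear to pay" if not findings else "; ".join(findings))
    print(revenue_concentration(8_000_000, 50_000_000))
```

Invoices with findings are held rather than counted against the purchase order, so a rejected invoice does not consume budget that a later valid one needs; the finance approval and the project management acceptance are checked in the same pass, matching the parallel approvals the text calls for.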
5.0 Performance Vendor Risk Management
Managing service providers’ performance against service level agreements is essential to ensuring an organization is
receiving true value from the relationship. These agreements must be aligned with the organization’s corporate
strategy, while taking into account the impact on security of any changes in requirements.
5.1 Performance/Service Level Agreements
One of the key components of performance governance is to establish a fact-based reporting mechanism that goes
beyond traditional SLA dashboards. Poor performance by a service provider in the transforming
organization will negatively impact its processes and systems, and will adversely affect ongoing
business operations. A service provider must ensure there is limited potential for service disruption, a reduced
level of risk of reputational hardship, a diminishing potential for failure to perform, and the availability of
service credits.
A service credit regime should set a penalty value proportionate to the severity of the missed SLA, in
order to encourage the correct behavior by the vendor and keep it operating within the agreed service levels in the
contract. However, the service credit regime should not penalize a vendor in such a way that it threatens the
relationship. If it does, the vendor could divert valuable resources from other aspects of the relationship in
order to ensure service levels are met. This could result in a lack of innovation, or in other aspects of the contract
being delivered late if they are not covered by an SLA.
In the process of down-selecting potential service providers, there must be consideration of the transforming
organization’s growth rate. A steep growth rate may lead to a service provider’s inability to adapt or to use
economies of scale in providing high level service performance. With a lack of defined performance measures,
there is a risk of the service provider running the transforming organization’s entire process without any proper
governance.
Performance mitigation consists of monitoring service level agreement compliance while
educating stakeholders on the scope of services. The scope of services should be clearly defined, consolidated,
and not fragmented. The transforming organization must build a performance contract structure with service
level agreements that are measurable and have reportable non-compliance. These SLAs must be
clearly defined, measurable, and tracked for trend analysis.
Performance Risks
✓ Negative Impact to Operations
✓ Service Provider Inability to be Nimble
✓ Fragmented Scope of Services
Performance Risk Mitigations
✓ Build Performance Contract Structure
✓ Clearly Defined Service Level Agreements
✓ Define Performance Penalties
“If they want what you got, don’t give it to them.” - Unknown
5.2 Security
Vendor security relates to both information security and physical security. Service providers will maintain the
transforming organization’s vital data in remote locations. Inadequate data privacy, physical security, and disaster
recovery can all lead to a major disruption in services and to brand damage.
During the selection process, it must be validated that potential service providers have an extensive set of
experience in complex environments, and that their policies and procedures are aligned with the organization’s
enterprise risk strategy. The transformational organization must build extensive audit rights over the aspects of
security services that the vendor is expected to provide as part of the in-scope services. The transforming
organization and service provider work closely with security leads in building specific security requirements
for service delivery, and continue to engage during work order changes.
Capturing these risks and mitigation strategies, using a fully defined Risk Register, should focus on potential
unauthorized access to enterprise data, disclosure of data, service disruption, modification, and recording or
destruction of information.
In managing risk related to service delivery from remote and underdeveloped areas of the world, the service
provider must have the same delivery maturity across the globe. This delivery maturity should contain
risk mitigating strategies for geopolitical challenges, natural disasters, volatile infrastructure, and security of
intellectual property. The transformational organization should remain continuously aware of the political
landscape of the countries where the service provider is headquartered and where services are performed.
A service provider may be responsible for much of the transformational organization’s enterprise data.
Therefore, documentation and procedures surrounding access controls are a necessity. During the
sourcing vendor assessment phase, these documents are to be reviewed and understood at the vendor site, and the processes for
disaster recovery and past trial runs must be reviewed. Within the Master Service Agreement, there must be
language about on/offboarding of personnel with viewable background checks. This includes a robust
Operations Manual, and periodic review of the service provider employees’ access to sensitive information.
Security Risks
✓ Information Security Risk
✓ Physical Risk
✓ Data Disclosure
Security Risk Mitigations
✓ Enterprise Risk Management
✓ Risk Register
6.0 Summary
As the upward trend line for new Sourcing initiatives continues, there are increased risks organizations must
consider. The establishment of an IT Vendor Management Office helps with assessing and mitigating many of
these risks, but only with the establishment of formal standard processes and procedures. These procedures
must account for and operate in the areas of uncertainty that come along with developing new relationships for
sourced products or services. As the organizational IT VMO matures, addressing risks will result in
greater value in engagements and create a mutually beneficial relationship.
About the Authors
Deepak is currently serving at Director level in Technology Vendor Management for a global multinational risk
management and insurance brokerage, developing the VMO from a start-up to a Managed Governance Services
steady state. Deepak has significant consulting experience in developing and managing approaches for strategic
outsourcing and vendor relationship management. As Director, Deepak currently manages service level agreements to
exceed standards, creates accountability with IT partners, and designs operational metrics and dashboards. He
coordinates with each technology functional area on their sourcing requirements and expectations, and has significant
interactions with all of the key leaders in the organization and key vendor executives. Deepak completed his
undergraduate degree in Accounting at the University of Maryland, and graduate education in Information Technology at The
George Washington University. He was appointed by Governor Martin O’Malley to the Business Economic
Development Commission, and is a Member of the Academy of Magical Arts.
Deepak Bansal, CPA, CISSP
Director of Vendor Relationship
& Performance Management (U.S.)
Richard is currently serving as the Director of Vendor Relationship & Performance Management for a global risk
management and insurance brokerage, developing the IT VMO to a full steady-state governance function. Richard has
an IT career spanning three decades, ranging from IT Operations and Infrastructure, IT Service Management,
Procurement, and Supplier Performance Management, exercised predominantly in the UK with some exposure to
North America.
The day-to-day activities of Richard’s role see him create strategic partnerships with IT vendors and their key
stakeholders/consumers, ensuring optimal value delivery from all aspects of the commercial agreements in place.
Richard’s role within the IT VMO ensures the vendors are well governed, and contracts and performance are delivered as
designed, whilst assisting key stakeholders with further requirements definition for contract renewals, changes to
requirements, or to support a tender process.
Richard Oliver
Director of Vendor Relationship &
Performance Management (U.K.)

More Related Content

What's hot

Business continuity planning and disaster recovery
Business continuity planning and disaster recoveryBusiness continuity planning and disaster recovery
Business continuity planning and disaster recoverymadunix
 
Business continuity
Business continuityBusiness continuity
Business continuityAlka Mehar
 
Business Continuity Workshop Final
Business Continuity Workshop   FinalBusiness Continuity Workshop   Final
Business Continuity Workshop FinalBill Lisse
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)James W. De Rienzo
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity ManagementECC International
 
Business Impact Analysis - Clause 4 Of BS25999 In Practice
Business Impact Analysis - Clause 4 Of BS25999 In PracticeBusiness Impact Analysis - Clause 4 Of BS25999 In Practice
Business Impact Analysis - Clause 4 Of BS25999 In PracticeDipankar Ghosh
 
Crisis Management Techniques for Cyber Attacks
Crisis Management Techniques for Cyber AttacksCrisis Management Techniques for Cyber Attacks
Crisis Management Techniques for Cyber AttacksPECB
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy Dam Frank
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Rochester Security Summit
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)MetroStar
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideSlideTeam
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesSlideTeam
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETTravarsaPrivateLimit
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery PlanningJohn Wilson
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance frameworkCeyeap
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1Denise Tawwab
 
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB
 

What's hot (20)

Business continuity planning and disaster recovery
Business continuity planning and disaster recoveryBusiness continuity planning and disaster recovery
Business continuity planning and disaster recovery
 
Business continuity
Business continuityBusiness continuity
Business continuity
 
Business Continuity Workshop Final
Business Continuity Workshop   FinalBusiness Continuity Workshop   Final
Business Continuity Workshop Final
 
NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101  NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
 
NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)NIST Risk Management Framework (RMF)
NIST Risk Management Framework (RMF)
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
 
Business Continuity Management
Business Continuity ManagementBusiness Continuity Management
Business Continuity Management
 
Business Impact Analysis - Clause 4 Of BS25999 In Practice
Business Impact Analysis - Clause 4 Of BS25999 In PracticeBusiness Impact Analysis - Clause 4 Of BS25999 In Practice
Business Impact Analysis - Clause 4 Of BS25999 In Practice
 
Crisis Management Techniques for Cyber Attacks
Crisis Management Techniques for Cyber AttacksCrisis Management Techniques for Cyber Attacks
Crisis Management Techniques for Cyber Attacks
 
Information Security Governance and Strategy
Information Security Governance and Strategy Information Security Governance and Strategy
Information Security Governance and Strategy
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation Slide
 
Business Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation SlidesBusiness Continuity Management PowerPoint Presentation Slides
Business Continuity Management PowerPoint Presentation Slides
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
 
Disaster Recovery Planning
Disaster Recovery PlanningDisaster Recovery Planning
Disaster Recovery Planning
 
Governance, risk and compliance framework
Governance, risk and compliance frameworkGovernance, risk and compliance framework
Governance, risk and compliance framework
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1NIST 800-30 Intro to Conducting Risk Assessments - Part 1
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
 
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk MethodologyPECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
PECB Webinar: Aligning ISO 31000 and Management of Risk Methodology
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
 

Similar to Information Technology Vendor Risk Management

Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016CBIZ, Inc.
 
SUPPLY CHAIN RISK MANAGEMENT
SUPPLY CHAIN RISK MANAGEMENTSUPPLY CHAIN RISK MANAGEMENT
SUPPLY CHAIN RISK MANAGEMENTPaul Authachinda
 
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...Opus
 
EAI Checklist
EAI ChecklistEAI Checklist
EAI ChecklistIdeba
 
CRM and National Security: Five Essential Software Capabilities
CRM and National Security: Five Essential Software CapabilitiesCRM and National Security: Five Essential Software Capabilities
CRM and National Security: Five Essential Software CapabilitiesRightNow Technologies
 
Five myths of supplying talent through a third-party provider model
Five myths of supplying talent through a third-party provider modelFive myths of supplying talent through a third-party provider model
Five myths of supplying talent through a third-party provider modelKelly Services
 
Strategic Management and Information Technology Outsourcing
Strategic Management and Information Technology OutsourcingStrategic Management and Information Technology Outsourcing
Strategic Management and Information Technology OutsourcingFarooq Omar
 
Captive Insurance Company eBook
Captive Insurance Company eBookCaptive Insurance Company eBook
Captive Insurance Company eBookGlenn Peake
 
Fraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and valueFraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and valueDavid Graham
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)Richard Brooks
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023incmagazineseo
 
Board matters quarterly – volume 3
Board matters quarterly – volume 3Board matters quarterly – volume 3
Board matters quarterly – volume 3elithomas202
 
Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...
Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...
Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...RapidValue
 
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016CBIZ, Inc.
 

Similar to Information Technology Vendor Risk Management (20)

Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016Risk & Advisory Services: Quarterly Risk Advisor May 2016
Risk & Advisory Services: Quarterly Risk Advisor May 2016
 
SUPPLY CHAIN RISK MANAGEMENT
SUPPLY CHAIN RISK MANAGEMENTSUPPLY CHAIN RISK MANAGEMENT
SUPPLY CHAIN RISK MANAGEMENT
 
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
opustechglobal-com-key-risks-to-consider-when-implementing-real-time-payments...
 
EAI Checklist
EAI ChecklistEAI Checklist
EAI Checklist
 
CRM and National Security: Five Essential Software Capabilities
CRM and National Security: Five Essential Software CapabilitiesCRM and National Security: Five Essential Software Capabilities
CRM and National Security: Five Essential Software Capabilities
 
Five myths of supplying talent through a third-party provider model
Five myths of supplying talent through a third-party provider modelFive myths of supplying talent through a third-party provider model
Five myths of supplying talent through a third-party provider model
 
Strategic Management and Information Technology Outsourcing
Strategic Management and Information Technology OutsourcingStrategic Management and Information Technology Outsourcing
Strategic Management and Information Technology Outsourcing
 
Your Third-Party Vendor's Risk Is Your Risk, Too
Your Third-Party Vendor's Risk Is Your Risk, Too Your Third-Party Vendor's Risk Is Your Risk, Too
Your Third-Party Vendor's Risk Is Your Risk, Too
 
Captive Insurance Company eBook
Captive Insurance Company eBookCaptive Insurance Company eBook
Captive Insurance Company eBook
 
Fraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and valueFraud, bribery and corruption: Protecting reputation and value
Fraud, bribery and corruption: Protecting reputation and value
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)Vendor Governance  -  Alyne Operational & Cyber Resilience White Paper (part 2)
Vendor Governance - Alyne Operational & Cyber Resilience White Paper (part 2)
 
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023Why Accountants Can’t Afford to Ignore Cyber Security in 2023
Why Accountants Can’t Afford to Ignore Cyber Security in 2023
 
Risk_Technology
Risk_TechnologyRisk_Technology
Risk_Technology
 
Gtag 1 information risk and control
Gtag 1 information risk and controlGtag 1 information risk and control
Gtag 1 information risk and control
 
Top online frauds 2010
Top online frauds 2010Top online frauds 2010
Top online frauds 2010
 
Board matters quarterly – volume 3
Board matters quarterly – volume 3Board matters quarterly – volume 3
Board matters quarterly – volume 3
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...
Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...
Digitizing Insurance - Transforming Legacy Systems to Adopt Modern and Emergi...
 
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
Risk & Advisory Services: Quarterly Risk Advisor Feb. 2016
 

Recently uploaded

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Recently uploaded (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Information Technology Vendor Risk Management

  • 1. Information Technology Vendor Risk Management Identified Risks Throughout the Sourcing and Vendor Management Life Cycle
  • 2. i | P a g e Table of Contents 1.0 Overview of IT Vendor Risk Management ....................................................................................... 2 2.0 Relationship Vendor Risk Management ............................................................................................ 3 2.1 Human Capital ..................................................................................................................3 2.2 Communication .................................................................................................................4 3.0 Contract Vendor Risk Management................................................................................................... 5 3.1 Compliance........................................................................................................................5 3.2 Transition Risk..................................................................................................................5 4.0 Financial Vendor Risk Management .................................................................................................. 6 4.1 Value Leakage ...................................................................................................................7 4.2 Financial Transactional Risk .............................................................................................8 5.0 Performance Vendor Risk Management ........................................................................................... 9 5.1 Performance/Service Level Agreements.............................................................................9 5.2 Security............................................................................................................................10 6.0 Summary .................................................................................................................................................11
1.0 Overview of IT Vendor Risk Management

As mature organizations implement IT Sourcing Strategy and Vendor Management Offices, these initiatives must account for, and operate within, the uncertainty that comes with developing new relationships for sourced products or services. Sourcing Strategy comprises the philosophy, decisions, and implementation approach an organization uses in dealing with potential service providers to achieve its business objectives. Vendor Management empowers an organization to benefit from the service its contracted providers offer, while managing cost and mitigating risk. A mature Information Technology Vendor Management Office ("IT VMO") results in greater value from engagements and creates mutually beneficial relationships between the organization and its service providers.

As the sourcing environment becomes global, often with many distinct sets of interacting partners, a proper risk management approach becomes more essential. Risk management of potential third-party IT vendors is not only about establishing a framework in which sourcing partners and the organization's VMO identify risks, but about developing strategies to mitigate and avoid those risks. Before third-party IT risks can be identified and managed within the IT VMO, however, there are preliminary elements that must be accounted for and measured for each sourcing provider to the organization.

The foundation of an effective IT VMO relies on the maturity and implementation of four key process risk areas. Each of these areas has two sub-areas of Vendor Management, each with its own set of risks that can occur during the life of an organization's IT VMO. Throughout the Sourcing and VMO life cycle, these risk areas need to be continually assessed and mitigated.

• Relationship Vendor Risk Management
  • Human Capital
  • Communication
• Contract Vendor Risk Management
  • Transition
  • Compliance
• Financial Vendor Risk Management
  • Value Leakage
  • Invoice Processing
• Performance Vendor Risk Management
  • Service Level Agreements
  • Security
"Train people well enough so they can leave, treat them well enough so they don't want to." - Richard Branson

Financial Risk consists of managing contract Value Leakage and checking transactional invoices for completeness and accuracy against the contract. Relationship Risk consists of managing human capital and communication to both internal and external stakeholders. Contract Risk relates to managing the vendor transition from an in-house to a sourced environment, and a vendor's compliance with the organization's policies and governing regulations. Performance Risk oversees a vendor's adherence to contract Service Level Agreements and the capture of security requirements and risks in case of unforeseen service disruption.

2.0 Relationship Vendor Risk Management

When managing IT Relationship Risks, an organization must consider the gain or loss of its human capital during the transition from an in-house to a sourced environment. Communication to all stakeholders must be consistent and transparent to avoid the rumor spiral, in which "appearance becomes fact."

2.1 Human Capital

Once a contract has been signed, and before service provider onboarding has begun, attrition of human capital must be considered when defining and identifying the retained employees. During the transition phase, attrition of key original organization resources is expected to reach high levels, with the potential for internal challenges from labor unions. A carefully defined retained organization, with a new set of roles and responsibilities for the remaining employees, must reach consensus with all higher-level stakeholders. Retained staff are at risk of being underutilized when a significant portion of highly qualified employees are focused on purely administrative activities.
A proper flight risk and skills overlap assessment of the original enterprise will assist in determining the retained organization versus displaced employees. Over the course of the contract, there is always a tendency toward distrust of the new service provider. That distrust can produce an overstaffed retained organization that mirrors the new service provider's organization, known as "man-marking." Man-marking diminishes business returns, fuels job dissatisfaction, and fails to employ people's skills to best advantage. The IT VMO should ensure the retained staff are conversant in agreed innovation, process improvement support, and defining solutions to address future challenges. There should be continuous investment in training the retained organization's staff, while monitoring the service provider's training metrics and turnover rate. Finally, the VMO should also leverage communication tools such as an incentive plan to retain key resources, and highlight opportunities and benefits.

Once the service provider is fully on board, the IT VMO must monitor the service provider's staffing to ensure service quality does not decline over the life of the contract. The IT VMO should periodically obtain current and historical attrition rates from all tiered service providers to monitor this fluctuation. Turnover at the new service provider can be either negative or positive for service delivery. A high sourced turnover rate, greater than 15%, leads to a decline in the efficiency of team results, delays in service delivery, and inconsistent service quality as new staff are onboarded and offboarded. There is a potential loss of knowledge transfer and partner relationship credibility, which can eventually impact the overall contract value. A low turnover rate, less than 2-3%, can result in a lack of new ideas and innovation for stale problems. It also indicates a service provider not leveraging its other existing client knowledge bases, and not bringing fresh ideas to old processes.

Human Capital Risks
• Service Provider and Organization Attrition
• Suboptimal Sourced Turnover Rate
• Fragmented Retained Organization
Human Capital Mitigations
• Defined Retained Organization with Flight Risk Assessment
• Monitoring of Service Provider Employee Turnover Rate
• Continuous Training of Retained Organization

"A lie can travel half way around the world while the truth is putting on its shoes." - Mark Twain

2.2 Communication

The risk and importance of communication by the IT VMO between the transforming organization and its internal staff, the incumbent service provider, and/or the new service provider cannot be overstated. Rumors and nervousness among the transforming organization's internal staff peak during the transition from in-house to outsourced delivery. This is when the rumor mill is strongest, and any communication leak results in fear, uncertainty, and elevated attrition rates. Dysfunctional IT VMO communication results in incorrect information being disseminated to both internal staff and relevant stakeholders. Such dysfunction solidifies any doubt about the original sourcing strategy among internal business leaders, while decreasing the value of the entire sourcing initiative. In the case of international sourcing, there is the additional risk of domestic perceptions of jobs being sent offshore. Unfamiliar accents, general ignorance, or a lack of exposure to different cultures and international working can all be risks in a global service delivery model.

There are several opportunities for the organization's IT VMO to mitigate communication risk. Develop a thorough change and communication plan engaging both internal and external stakeholders, while documenting a Relationship Peer Group Diagram of the roles between the vendor and the retained organization. This Peer Group Diagram describes roles with clear terms of reference and specific accountability, and defines an escalation hierarchy. For clarity of process and interaction between the vendor and the organization, a Shared Operations Manual should be in place detailing processes for the general operation of the services delivered through the contract. This manual contains reporting schedules and frequency, onboarding and offboarding of personnel, and standard operational agendas. These plans and diagrams are to be based on the organization's policies and culture, ensuring the sourcing strategy is aligned with corporate strategy.

A successful set of mitigating approaches consists of identifying the proper stakeholders, conducting numerous town hall meetings, and delivering a consistent message about the overall objective, benefits, and timing of the transition within the organization. During this phase, the organization must publish timely Frequently Asked Questions and Answers to the relevant parts of the organization, while being as transparent as possible. In cases of international sourcing, creating a cultural exposition between the transforming organization and the new service provider has proved effective in building mutual understanding.

Communication Risks
• Rumor Proliferation
• International Perceptions

Communication Mitigations
• Transparency
• Updated Frequently Asked Questions
• International Expositions
• Town Hall Meetings

"If you think compliance is expensive, try non-compliance." - Paul McNulty
"There is no more difficult transition from Sunday to Monday." - Unknown

3.0 Contract Vendor Risk Management

Contract management and service provider compliance must be consistent with organizational policies and regulations. When managing IT Contract Risks, an organization must consider the gain or loss of knowledge during the transition from an in-house to a sourced environment. The IT VMO acts as the point of coordination and governance over both the vendor and the organization, tracking the delivery of the obligations detailed in the contract. When drafting the contract, an Obligation Tracker should be created. It is primarily focused on one-off or quarterly/annual deliverables (e.g., SOC report, environmental report) rather than day-to-day service delivery, and it covers the obligations of both the vendor and the retained organization.

3.1 Compliance

There is always difficulty in navigating the complexity of regulations when transitioning from in-house to outsourced services. If an organization accepts a sourcing service provider that lacks industry experience in those regulations, there can be an unforeseen cost impact from failing to meet requirements. An unskilled service provider can leave the transforming organization non-conformant with laws, rules, and regulations, resulting in significant financial and reputational costs. The IT VMO needs to ensure the engagement for contracted services complies with country and regional laws and regulations affecting financial reporting, accounting, data protection, and software licensing. Involving essential stakeholders such as Legal, Human Resources, and Tax is often important to ensure compliance.

During the sourcing phases of strategy development, service provider evaluation, selection, and contract negotiation, the service provider's and the organization's risk managers must identify the compliance and audit risks. These assurances apply not only at initiation but throughout the life of the contract. Procedures must be defined and accounted for, and aligned with regulations such as SOX Section 404, which requires management to assess and report on internal controls over financial reporting; controls operated by a third-party service provider remain within the scope of that assessment. The IT VMO should assist in each sourcing phase to ensure these compliance requirements are integrated into the service provider's delivery model and appropriately governed. The selected service provider's corporate compliance obligations must be clearly spelled out, and the transitioning organization must be prepared to conduct or facilitate the necessary regular or ad hoc audit cycles.

Compliance Risks
• Nonconformance with Regulations
• Financial Fines for Non-Compliance

Compliance Mitigations
• Clearly Defining Compliance Regulations during the Early Sourcing Phases
• Conducting or Facilitating Audits of the Service Provider

3.2 Transition Risk

Identifying and selecting the appropriate service provider is only half the battle in the Sourcing Life Cycle. The transition from the incumbent service
provider to the newly selected vendor must be seamless while minimizing disruption. There should be a complete transition vision, with a fully transparent communication plan laid out to all stakeholders. At the end of the transition phase, and for clarity, this is when the Shared Operations Manual should be created. This manual should detail the processes for the general operation of the services delivered through the contract, such as work orders and on/off boarding of personnel.

The transition phase has the widest margin for error and carries the most risk of service interruption. There is a risk of initial service degradation during transition, or of misalignment between the service provider's solutions and its own capabilities. One key step of transition is facilitating proper knowledge transfer. The risks of ineffective knowledge transfer from the incumbent service provider or client to the new service provider relate to steep learning curves, or to the amount of knowledge to be transferred in a short period. "Knowledge stickiness" is an inherent risk and characteristic of specialized, personal, and tacit knowledge, all of which inhibit easy transfer. The potential causes of this stickiness are strained relationships, lack of motivation, lack of absorptive capacity, and the extent to which the knowledge is actually understood. There are also the risks of an inadequate retained organization with duplicative skill sets, and of not accounting for the flight risk of the transforming organization's employees. A lack of available resources from the transforming organization hinders the service provider in conducting face-to-face shadowing, and worsens its inability to share or gain access to incumbent service provider and transforming organization information.

During the transition from an incumbent service provider to a newly selected one, there is a risk that the incumbent fails to support or cooperate with a graceful transition. All these factors can delay the parties in accepting operational responsibilities in the event of termination or reduction of incumbent services. To minimize the impact of knowledge loss, the service provider and the organization must clearly define the roles and responsibilities of all stakeholders. Knowledge transfer sessions should be increased as required, with ample shadowing. A clear, maintained set of Run Book documentation should be available and aligned with the shadowing process. Within the sourcing contract, a detailed and proactive transition plan should be defined, with financial incentives for quality and for meeting milestones. The overall goal of the transition phase is to move the transforming organization from an operational focus to a managed focus.

Transition Risks
• Improper Knowledge Transfer
• Displaced Employee Flight Risk

Transition Mitigations
• Defined Retained Organization
• Defined Transition Plan
• Shadowing and Run Books
• Shared Operations Manual

4.0 Financial Vendor Risk Management

Financial management entails governing the service provider's financial footprint in the transforming organization by monitoring Value Leakage at the financial transaction level. Value Leakage monitoring tracks the overall cost impact of the contract and seeks to ensure that savings opportunities are captured.
"It is not the money that is important, but the people attached to it." - Unknown

4.1 Value Leakage

The main pillar of the original sourcing initiative is the expected savings from moving in-house functions to outsourced functions. As the relationship with a sourced vendor matures from one stage to the next, the expected savings for the transforming organization can evaporate. This evaporation is called "Value Leakage," and it shows up in both hard and soft metrics. Value Leakage can result from poorly defined statements of work, unmeasurable service levels, inaccurate collection of vendor pricing, incorrect baselines or financial base case, inaccurate benchmarking, and the use of specialized skills not on the rate card combined with a service provider's tendency to upskill resources. All of these scenarios directly reduce the savings identified during the sourcing strategy stage and lead to contract Value Leakage. Many recent international sourcing agreements expect resources to be offshore to drive the savings; there is a risk that the supplier inflates costs through an inefficient onshore/offshore resource mix. An inaccurate statement of work or resource upskilling leads to project scheduling challenges and budget slippage, and to higher service costs from change orders after contract execution. These higher costs can eventually cause loss of goodwill and a negative financial impact for both the service provider and the transitioning organization.

One of the baseline components in deriving the sourcing strategy is the original set of current spending numbers for the sourcing initiative, the financial "Base Case." Current spending must be derived from the transforming organization's own data to ensure the financial sourcing strategy is aligned with corporate strategy. This base case must be created during the early sourcing strategy phase, be justifiable with realistic assumptions, and be challengeable with different scenarios. There must also be consideration for adjusting baselines, such as the commissioning and decommissioning of applications with application development service providers. During the sourcing selection phase, this base case is used to compare the pricing in each vendor's Request for Proposal ("RFP"), project a proper service provider cost comparison, and gain leverage in negotiation. The base case is the starting point for maintaining an accurate Value Leakage report.

Risk mitigating approaches consist of capturing the components needed to implement a real-time Value Leakage report, while creating clear Statements of Work to track the financial and performance health of the sourcing vendor relationship. There should also be a significant effort to normalize rate cards among all the vendors in the transforming organization, which allows oversight of a service provider's tendency to upskill resources or deviate from the roles on the rate card. There should also be business case justification for the commercial arrangement, supported by a milestone-driven Benefit Realization plan. This plan should be proactively reviewed throughout the agreed term, during which benefits should be realized and tracked on an ongoing basis, including any value over and above the original expectation. This review is typically led in an internal meeting of the retained organization and communicated to leadership.

Value Leakage Risks
• Loss of Initial Savings Opportunities
• Upskilling and Resources
• Unmeasurable Service Level Agreements

Value Leakage Mitigations
• Clear Financial Base Case
• Monitoring Resource Mix
• Normalized Rate Cards
• Benefits Realization Plan

"Life is like Accounting, everything must be in balance." - Unknown

4.2 Financial Transactional Risk

Once service providers are selected and integrated within the transforming organization, the organization is responsible for continuously monitoring each service provider's financial viability. There are risks to the service provider as a going concern, and any potential lawsuits on the horizon must be taken into account. The transforming organization's financial position with the service provider also needs consideration: the transforming organization should represent no less than 5% and no more than 15% of the service provider's yearly base revenue. If revenue to the service provider is less than 5%, there is a risk of the transforming organization being insignificant to the service provider. If it is greater than 15%, there is a risk of the service provider's financial health being dependent on the current relationship, so that any disruption of the relationship would severely impact the service provider's existence.

As part of SOX Section 404 governance of the transforming entity's financial statements, there is a requirement for proper accounting of purchase orders and validation of performance invoices. A purchase order signifies that a budget has been assigned and allows the service provider to initiate services. Services performed without a purchase order create legal and financial risk, as the purchase order serves as a legally binding document. Service providers tend to start work on projects before the contract is fully signed and/or the purchase order is issued. This can be due to pressure from the service provider, or from the organization's internal stakeholders, to meet project deadlines.
A potential pitfall in creating the Purchase Order is not defining clear and measurable project or performance metrics. Project managers tend to insert ambiguous "behavior" attributes as deliverables, without proper acceptance criteria. Prior to issuing a purchase order, a work order must be created. The two artifacts are jointly taken for execution and issuance to the vendor, as work and budget are continuously being defined. When the transforming organization receives invoices, there must be a process for checking them against the contract, with awareness of the Additional Resources Consumed (ARC) and Reduced Resources Consumed (RRC) calculations. Charges for additional resources (ARCs) above the threshold are priced at rates reflecting the marginal cost of the additional production. Credits (RRCs) granted for reductions in resources consumed or provided offer the enterprise customer some comfort, but the savings from credits tend not to be equivalent to the increased costs of paying for incremental resources in excess of the threshold.[1] Once financial validation is complete, a performance approval must be obtained. Without performance acceptance, there is a risk of paying for services that were not performed to the transforming organization's standards.

Some mitigating approaches to lessen payment delays are to streamline the Purchase Order creation and invoice approval processes. On receipt, an invoice should immediately go to project management for approval validating that the services were satisfactory. In parallel, finance should obtain the performance approval and verify that cumulative invoices do not exceed the original purchase order amount. Enterprises tend to require a duplicative approval within finance before payment is processed by Accounts Payable. This delay can result in late fees and possible disruption of services.
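The invoice and purchase order checks described in 4.1 and 4.2 can be scripted rather than left to manual review. The following is an added example, not code from the original page or its authors: it validates a constructed invoice against a normalized rate card, flags roles billed off the card (the usual way upskilling surfaces) and rates above the card rate, checks that cumulative billing stays within the purchase order, and shows the ARC/RRC asymmetry noted above. All roles, rates, amounts and ARC/RRC figures are hypothetical.

```python
"""Invoice validation against a normalized rate card and a purchase order ceiling.

Added example, not from the original page. It applies the checks described
in 4.1 (rate card normalization, spotting off-card or upskilled roles) and
4.2 (cumulative invoices must not exceed the purchase order; ARC/RRC
asymmetry) to constructed data. Roles, rates, amounts and names are
hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RateCardEntry:
    role: str
    hourly_rate: float  # normalized contract rate for the role


@dataclass(frozen=True)
class InvoiceLine:
    role: str
    hours: float
    hourly_rate: float  # rate actually billed on the invoice


@dataclass
class ValidationResult:
    total: float
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def validate_invoice(lines, rate_card, po_amount, billed_to_date, tolerance=0.0):
    """Check one invoice against the rate card and the purchase order.

    Flags (1) roles that are not on the rate card at all, which is how
    resource upskilling usually surfaces, (2) billed rates above the card
    rate plus an optional tolerance, and (3) cumulative billing (what has
    already been approved under this PO plus this invoice) exceeding the PO.
    """
    card = {entry.role: entry.hourly_rate for entry in rate_card}
    findings = []
    total = 0.0
    for line in lines:
        total += line.hours * line.hourly_rate
        if line.role not in card:
            findings.append(
                f"off-card role '{line.role}' billed: {line.hours}h at {line.hourly_rate}")
        elif line.hourly_rate > card[line.role] * (1 + tolerance):
            findings.append(
                f"rate for '{line.role}' is {line.hourly_rate}, card rate is {card[line.role]}")
    cumulative = billed_to_date + total
    if cumulative > po_amount:
        findings.append(
            f"cumulative billing {cumulative:.2f} exceeds PO amount {po_amount:.2f}")
    return ValidationResult(round(total, 2), findings)


def arc_rrc_adjustment(baseline_units, actual_units, arc_rate, rrc_rate):
    """Charge (positive) or credit (negative) for consumption away from the
    contracted baseline. ARCs are usually priced above RRCs, so a swing of
    +N units costs more than a swing of -N units saves."""
    delta = actual_units - baseline_units
    if delta > 0:
        return round(delta * arc_rate, 2)
    return round(delta * rrc_rate, 2)


# Constructed sample data (hypothetical vendor, roles and figures).
RATE_CARD = [
    RateCardEntry("Developer", 80.0),
    RateCardEntry("Senior Developer", 110.0),
    RateCardEntry("Project Manager", 120.0),
]
PO_AMOUNT = 50_000.0
BILLED_TO_DATE = 40_000.0  # already invoiced and approved against this PO

SAMPLE_INVOICE = [
    InvoiceLine("Developer", 100.0, 80.0),          # on card, on rate
    InvoiceLine("Senior Developer", 40.0, 125.0),   # on card, above card rate
    InvoiceLine("Architect", 20.0, 150.0),          # not on the rate card
]

CLEAN_INVOICE = [
    InvoiceLine("Developer", 50.0, 80.0),
    InvoiceLine("Project Manager", 10.0, 120.0),
]


if __name__ == "__main__":
    result = validate_invoice(SAMPLE_INVOICE, RATE_CARD, PO_AMOUNT, BILLED_TO_DATE)
    print(f"invoice total {result.total}, ok={result.ok}")
    for finding in result.findings:
        print("  -", finding)
    print("ARC for +100 units:", arc_rrc_adjustment(1000, 1100, 12.0, 8.0))
    print("RRC for -100 units:", arc_rrc_adjustment(1000, 900, 12.0, 8.0))
```

The sample invoice produces three findings (an above-card rate, an off-card role, and a purchase order overrun once prior billing is counted), while the clean invoice passes. In practice the rate card and the billed-to-date figure would come from the contract repository and the accounts payable ledger; keeping the check on the invoice line level is what lets the VMO see upskilling before it becomes a change order.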
As the service provider and transitioning organization relationship matures, there is a tendency to use Staff Augmentation/Time & Materials for projects in service delivery. Overuse of Staff Augmentation leads to runaway projects and costs, and to difficulty in measuring the benefit of the services provided. Staff Augmentation efforts should be moved to defined project delivery to better account for progress and provide financial forecasting.

[1] Outsourcing Law Global, LLC

Financial Transactions Risks
• Overuse of Staff Augmentation
• Service Provider Financial Position

Financial Transactions Mitigations
• Migration to Project-Defined Delivery
• Timely Issue of Purchase Orders
• Monitoring of Service Provider Footprint in the Organization
• Performance Acceptance
• Monitoring of Service Provider Financial Health

"An ounce of performance is worth a pound of promises." - Mae West

5.0 Performance Vendor Risk Management

Managing service providers' performance service level agreements is essential to ensuring an organization receives true value from the relationship. These agreements must be aligned with the organization's corporate strategy, while taking into account the impact on security of any change in requirements.

5.1 Performance/Service Level Agreements

One of the key components of performance governance is establishing a fact-based reporting mechanism that goes beyond traditional SLA dashboards. Poor performance by a service provider in the transforming organization negatively impacts its processes and systems, and adversely affects ongoing business operations. A service provider must ensure limited potential for service disruption, a reduced risk of reputational harm, a diminishing potential for failure to perform, and the availability of service credits. A service credit regime should set a penalty value meaningful to the severity of the missed SLA, in order to encourage the correct behavior by the vendor and keep it operating within the agreed service levels in the contract. However, the service credit regime should not penalize a vendor in a way that threatens the relationship.
If it does, the vendor could divert valuable resources from other aspects of the relationship in order to ensure service levels are met. This could result in a lack of innovation, or in other aspects of the contract being delivered late if they are not covered by an SLA. When down-selecting potential service providers, the transforming organization's growth rate must be considered. A steep growth rate may outpace a service provider's ability to adapt or use economies of scale in providing high-level service performance. Without defined performance measures, there is a risk of the service provider running the transforming organization's entire process without proper governance.

Performance risk can be mitigated by monitoring service level agreement compliance while educating stakeholders on the scope of services. The scope of services should be clearly defined, consolidated, and not fragmented. The transforming organization must build a performance contract structure with service level agreements that are measurable, with reportable non-compliance. These service level agreements must be clearly defined, measurable, and tracked for trend analysis.

Performance Risks
• Negative Impact to Operations
• Service Provider Inability to be Nimble
• Fragmented Scope of Services

Performance Risk Mitigations
• Build Performance Contract Structure
• Clearly Defined Service Level Agreements
• Defined Performance Penalties

"If they want what you got, don't give it to them." - Unknown

5.2 Security

Vendor security covers both information security and physical security. Service providers will hold the transforming organization's vital data in remote locations. Inadequate data privacy, physical security, or disaster recovery can each lead to a major disruption of services and damage to the brand. During the selection process, it must be validated that potential service providers have an extensive set of experiences in complex environments, and that their policies and procedures are aligned with the organization's enterprise risk strategy. The transforming organization must build extensive audit rights over the security services the vendor is expected to provide as part of the in-scope services. The transforming organization and service provider work closely with security leads in building service-specific security requirements for service delivery, and continue to engage during work order changes. These risks and mitigation strategies, captured in a fully defined Risk Register, should focus on potential unauthorized access to enterprise data, disclosure of data, service disruption, and modification, recording, or destruction of information. In managing risk related to service delivery from remote and underdeveloped areas of the world, the service provider must have the same delivery maturity across the globe.
This delivery maturity should include mitigating strategies for geopolitical challenges, natural disasters, volatile infrastructure, and security of intellectual property. The transforming organization should remain continuously aware of the political landscape of the countries where the service provider is headquartered and where services are performed. A service provider may be responsible for much of the transforming organization's enterprise data, so documentation and procedures for access controls are a necessity. During the sourcing vendor assessment phase, these documents are to be reviewed and understood at the vendor site, and the processes for disaster recovery and the results of past trial runs must be reviewed. The Master Service Agreement must include terms covering onboarding and offboarding of personnel, with background checks available for review. This includes a robust Operations Manual and periodic review of service provider employees' access to sensitive information.

Security Risks
• Information Security Risk
• Physical Risk
• Data Disclosure
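The periodic access review called for above can be run as a repeatable control instead of a manual inspection. The following is an added example, not code from the original page or its authors: it reconciles a constructed vendor personnel roster (what the provider reports under the MSA onboarding and offboarding terms) against a constructed entitlement export from the organization's systems, and flags orphaned accounts, access that survived offboarding, and access to sensitive systems by staff with no background check evidence. People, systems, dates and field names are hypothetical.

```python
"""Periodic review of a service provider's access to sensitive systems.

Added example, not from the original page. It reconciles a constructed
vendor roster against a constructed entitlement export and flags what the
review described in 5.2 is meant to catch. Names, systems and dates are
hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RosterEntry:
    employee_id: str
    name: str
    background_check_on: Optional[date]  # None: no check evidence on file
    offboarded_on: Optional[date]        # None: still active with the vendor


@dataclass(frozen=True)
class Entitlement:
    account: str
    employee_id: str   # vendor employee the account is mapped to
    system: str
    sensitive: bool    # system holds enterprise data in scope


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def review_vendor_access(roster, entitlements, as_of, grace_days=0):
    """Return one Finding per entitlement that should not exist on as_of.

    Three conditions are checked: the account maps to nobody on the vendor
    roster (orphaned account), the person was offboarded more than
    grace_days ago but the entitlement is still live, or the account reaches
    a sensitive system for a person with no background check evidence.
    """
    by_id = {r.employee_id: r for r in roster}
    findings = []
    for ent in entitlements:
        person = by_id.get(ent.employee_id)
        if person is None:
            findings.append(Finding(ent.account, "orphaned: employee not on vendor roster"))
            continue
        if person.offboarded_on is not None:
            days_gone = (as_of - person.offboarded_on).days
            if days_gone > grace_days:
                findings.append(Finding(
                    ent.account,
                    f"still entitled to {ent.system} {days_gone} days after offboarding"))
        if ent.sensitive and person.background_check_on is None:
            findings.append(Finding(
                ent.account,
                f"sensitive system {ent.system} without background check evidence"))
    return findings


# Constructed sample data (hypothetical people and systems).
ROSTER = [
    RosterEntry("V001", "Alice", date(2023, 1, 10), None),
    RosterEntry("V002", "Bob", date(2023, 2, 1), date(2024, 3, 31)),
    RosterEntry("V003", "Carol", None, None),
]
ENTITLEMENTS = [
    Entitlement("svc-alice", "V001", "ticketing", False),
    Entitlement("svc-alice", "V001", "claims-db", True),
    Entitlement("svc-bob", "V002", "claims-db", True),
    Entitlement("svc-carol", "V003", "claims-db", True),
    Entitlement("svc-dave", "V004", "ticketing", False),  # V004 is not on the roster
]
REVIEW_DATE = date(2024, 5, 1)


if __name__ == "__main__":
    for f in review_vendor_access(ROSTER, ENTITLEMENTS, REVIEW_DATE):
        print(f"{f.account}: {f.issue}")
```

With a zero-day grace period the review flags Bob (offboarded a month earlier, account still live on the claims database), Carol (sensitive access with no background check evidence) and the orphaned svc-dave account; a 45-day grace period would suppress the Bob finding, which is why the grace period should be a contractual number from the MSA rather than a local default. The roster is the vendor's attestation, so disagreements between it and the entitlement export are themselves a reportable obligation under the on/off boarding terms.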
Security Risk Mitigations
• Enterprise Risk Management
• Risk Register

6.0 Summary

As the upward trend in new sourcing initiatives continues, there are increased risks organizations must consider. Establishing an IT Vendor Management Office helps assess and mitigate many of these risks, but only with the establishment of formal standard processes and procedures. These procedures must account for, and operate within, the uncertainty that comes with developing new relationships for sourced products or services. As the organization's IT VMO matures, addressing these risks results in greater value from engagements and creates mutually beneficial relationships.

About the Authors

Deepak is currently serving as a Director of Technology Vendor Management for a global multinational risk management and insurance brokerage, developing the VMO from a start-up to a Managed Governance Services steady state. Deepak has significant consulting experience in developing and managing approaches for strategic outsourcing and vendor relationship management. As Director, Deepak currently manages service level agreements to exceed standards, creates accountability with IT partners, and designs operational metrics and dashboards. He coordinates with each technology functional area on its sourcing requirements and expectations, and interacts extensively with the key leaders in the organization and key vendor executives. Deepak completed his undergraduate degree in Accounting at the University of Maryland and his graduate education in Information Technology at The George Washington University. He was appointed by Governor Martin O'Malley to the Business Economic Development Commission, and is a Member of the Academy of Magical Arts.

Deepak Bansal, CPA, CISSP
Director of Vendor Relationship & Performance Management (U.S.)
Richard is currently serving as the Director of Vendor Relationship & Performance Management for a global risk management and insurance brokerage, developing the IT VMO into a full steady-state governance function. Richard has an IT career spanning three decades, ranging from IT Operations and Infrastructure, IT Service Management, and Procurement to Supplier Performance Management, exercised predominantly in the UK with some exposure to North America. The day-to-day activities of Richard's role see him create strategic partnerships with IT vendors and their key stakeholders and consumers, ensuring optimal value delivery from all aspects of the commercial agreements in place. Richard's role within the IT VMO ensures the vendors are well governed and that contracts and performance are delivered as designed, while assisting key stakeholders with further requirements definition for contract renewals and changes to requirements to support a tender process.

Richard Oliver
Director of Vendor Relationship & Performance Management (U.K.)