Vendor Management - Compliance Checklist Manifesto Series

10,476 views

Published on

Regulatory examiners are expecting to see and review your financial institution's vendor management program, which is to include a process for assessing specific vendor risk, vendor selection, contracting, and ongoing oversight. This webinar will demonstrate that implementing a repeatable process will provide consistency and reduce your institution's Compliance Tax by saving you time and resources, including helping to ensure your valuable dollars are spent wisely.

Objectives:
- Understanding of the regulatory requirements for the vendor management program
- High level overview of the key elements
- Provide guidance in developing your program

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
10,476
On SlideShare
0
From Embeds
0
Number of Embeds
27
Actions
Shares
0
Downloads
2
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • 04/01/10
  • Vendor Management - Compliance Checklist Manifesto Series

    1. 1. Vendor Management Compliance Checklist Manifesto May 20, 2010
    2. 2. Today’s Presenters <ul><li>Susan Orr , CISA, CISM, CRP </li></ul><ul><li>Founder, Susan Orr Consulting </li></ul><ul><li>Former FDIC examiner </li></ul><ul><li>Leading financial services expert </li></ul><ul><li>Auditor and consultant </li></ul><ul><li>Over 18 years experience in the IT regulatory field </li></ul><ul><li>Speaks regularly on risk management and security </li></ul><ul><li>Jim Kisch, </li></ul><ul><li>CSO, Continuity Control </li></ul><ul><li>Over 18 years banking experience </li></ul><ul><li>Faculty member at Graduate School of Banking CU-Boulder, former faculty member at GSB, UW Madison </li></ul><ul><li>12 years of focus in the disciplines of bank operations and information technology management </li></ul>
    3. 3. Agenda <ul><li>Overview of Vendor Management Regulatory landscape </li></ul><ul><li>What is the Compliance Tax™? </li></ul><ul><li>Power of a checklist to combat the Compliance Tax™ </li></ul><ul><li>Your Vendor Management Checklist </li></ul><ul><li>Implementing an Vendor Management checklist </li></ul><ul><li>Summary and Q & A </li></ul>
    4. 4. Overview Vendor Management Regulatory landscape
    5. 5. Vendor Management Program Vendor Management Program The responsibility to properly oversee outsourced relationships lies with the board of directors and senior management. FFIEC Outsourcing Technology Services June 2004
    6. 6. Why Vendor Management Why Vendor Management <ul><li>Increased regulatory scrutiny </li></ul><ul><ul><li>GLBA </li></ul></ul><ul><ul><li>ID Theft Red Flags Program </li></ul></ul><ul><ul><li>Regulatory guidance </li></ul></ul><ul><ul><ul><li>FDIC FIL 44-2008 Guidance for Managing Third-Party Risk </li></ul></ul></ul><ul><ul><ul><li>OCC 2008-16 Information Security – Application Security </li></ul></ul></ul>
    7. 7. The notion of a Compliance Tax The notion of a Compliance Tax
    8. 8. What is the Compliance Tax? Compliance Tax ™ : the ever-growing amount of work, resources and costs (internal staffing, consulting fees, training and employee productivity loss) required for a financial institution to meet regulatory requirements Based on Asset Size: 500 million Average amount of employee time spent on compliance activities: 3%
    9. 9. The Checklist Approach The Checklist Approach
    10. 10. Power of a checklist What’s the Checklist Manifesto? <ul><li>John’s Hopkins University – 2001 </li></ul><ul><li>Peter J. Pronovost, MD, PhD </li></ul><ul><li>Central Line Infections Checklist </li></ul><ul><li>Doctor Wash Hands </li></ul><ul><li>Clean Patient’s Skin </li></ul><ul><li>Drape Patient Completely </li></ul><ul><li>Mask, Hat, Gown, Gloves </li></ul><ul><li>Sterile Dressing Over Insertion Site </li></ul><ul><li>After 1 year, the 10 day infection rate for Central Lines dropped from 11% to 0. </li></ul><ul><li>During the 27 month study, the checklist prevented 43 infections & 8 deaths and saved $2 million in costs for this one hospital. </li></ul>
    11. 11. Power of a checklist What’s the Checklist Manifesto? Boeing “Checklist Factory” Aviation is the origin of the checklist Boeing develops 100 checklists a year Take weeks to develop, but are adopted by the industry
    12. 12. Applying the Checklist Manifesto to Vendor Management Key Factors and Elements
    13. 13. Key Factors of Vendor Management Program <ul><li>BOD and senior management awareness </li></ul><ul><li>Prudence of outsourcing relationship </li></ul><ul><li>Needs assessment </li></ul><ul><li>Implementation of effective controls </li></ul><ul><li>Ongoing monitoring </li></ul><ul><li>Documentation of procedures, responsibilities, reporting </li></ul>
    14. 14. Vendor Risk Management Program Elements <ul><li>Risk Assessment </li></ul><ul><li>Policy/Written Program </li></ul><ul><li>Repeatable Process/Procedures </li></ul><ul><ul><li>Needs requirements </li></ul></ul><ul><ul><li>Service provider selection and due diligence </li></ul></ul><ul><ul><li>Contract </li></ul></ul><ul><ul><li>Ongoing monitoring </li></ul></ul>
    15. 15. Vendor Risk Assessment Vendor Risk Assessment <ul><li>Identify all service providers and vendors </li></ul><ul><li>Identify risk </li></ul><ul><li>Identify risk mitigation strategies </li></ul><ul><li>Risk rating and ranking </li></ul>
    16. 16. Classification Factors Classification Factors <ul><li>Mission critical </li></ul><ul><li>Access to sensitive or confidential information </li></ul><ul><li>Information controlled by service provider </li></ul><ul><li>Volume of transactions </li></ul><ul><li>New activity for institution </li></ul><ul><li>New provider </li></ul><ul><li>Markets products or services </li></ul><ul><li>High risk activities </li></ul>
    17. 17. Performing the Risk Assessment Performing the Risk Assessment <ul><li>Business owners </li></ul><ul><li>Audit </li></ul><ul><li>Compliance and Risk Officers </li></ul><ul><li>Technology Officer </li></ul><ul><li>Legal counsel </li></ul>
    18. 18. Policy/Written Program Policy/Written Program <ul><li>Overview of program </li></ul><ul><li>Risk management </li></ul><ul><ul><li>Risk assessment </li></ul></ul><ul><ul><li>Needs assessment </li></ul></ul><ul><ul><li>Ongoing oversight </li></ul></ul><ul><li>Selection process </li></ul><ul><ul><li>Due diligence </li></ul></ul><ul><ul><li>Contracting </li></ul></ul>
    19. 19. Applying Checklists to the Process Applying Checklists to the Process
    20. 20. Vendor Selection Checklist <ul><li>Needs assessment </li></ul><ul><li>Financial review </li></ul><ul><li>Setting performance expectations </li></ul><ul><li>Company research/internal research </li></ul><ul><li>Review references </li></ul><ul><li>Preliminary risk assessment </li></ul><ul><li>Strategic business plans (current and future), including succession planning </li></ul>
    21. 21. Vendor Selection Checklist <ul><li>Outsource vendor review list? </li></ul><ul><ul><li>SAS70 </li></ul></ul><ul><ul><li>Independent security audits </li></ul></ul><ul><ul><li>Financial review </li></ul></ul><ul><ul><li>Insurance coverage </li></ul></ul><ul><ul><li>Disaster Recovery Plan testing </li></ul></ul>
    22. 22. Contract Review Checklist <ul><li>Highlights – not a complete list </li></ul><ul><ul><li>Time-frames and duration of activities clearly stated. Hours of support too. </li></ul></ul><ul><ul><li>Term, notice, and auto-renew clear and accurate </li></ul></ul><ul><ul><li>Addresses performance standards, or SLA </li></ul></ul><ul><ul><li>Security, confidentiality, and privacy requirements </li></ul></ul><ul><ul><li>Addresses applicable regulations </li></ul></ul><ul><ul><li>Installation and training cost coverage </li></ul></ul><ul><ul><li>Are you comfortable subcontractor terms? </li></ul></ul>
    23. 23. Vendor Performance Checklist <ul><li>1. Track it - document system downtime, customer complaints, poor response to inquiries, failure to deliver on promises. </li></ul><ul><li>2. Monitor it – monitor performance monthly </li></ul><ul><li>3. Review it - feedback during contract review </li></ul>
    24. 24. Implementing Your Own Compliance Checklists
    25. 25. <ul><ul><li>Good checklists (according to the Boeing Checklist Factory) </li></ul></ul><ul><ul><ul><li>Easy to use </li></ul></ul></ul><ul><ul><ul><li>Precise </li></ul></ul></ul><ul><ul><ul><li>Efficient </li></ul></ul></ul><ul><ul><li>Bad checklists </li></ul></ul><ul><ul><ul><li>Too much detail </li></ul></ul></ul><ul><ul><ul><li>Gawande says &quot;Checklists are not comprehensive how-to guides” </li></ul></ul></ul><ul><ul><ul><li>Vague </li></ul></ul></ul><ul><ul><ul><li>Inaccurate </li></ul></ul></ul>Implementing Your Own Checklists
    26. 26. Stepping you Through the Process Stepping you Through the Process
    27. 27. Step by Step Directions
    28. 28. Step by Step Directions The What: Vendor Risk Assessments The Who: Operations Officer And When: Annual What: Vendor Performance Monitoring Who: IT Manager When: Weekly Search written procedures for :
    29. 29. Step by Step Directions Organizing Checklists: 1 st Oversight Activities Annual Vendor Risk Assessment 2 nd Periodic Activities Monthly and quarterly Review contract renewals 3 rd Routine Activities Daily and weekly Monitoring vendors
    30. 31. Summary and Q & A
    31. 32. Thank You! <ul><li>Contact info </li></ul><ul><li>Susan Orr </li></ul><ul><li>Susan Orr Consulting </li></ul><ul><li>http://www.susanorrconsulting.com/ </li></ul><ul><li>[email_address] </li></ul><ul><li>Jim Kisch </li></ul><ul><li>Continuity Control </li></ul><ul><li>http://www.continuity.net </li></ul><ul><li>[email_address] </li></ul>

    ×