Vendor_Mgmt_101_IIMC_v2
1. Vendor Management 101
Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK
Principal, nControl, LLC
Adjunct Professor
2. • Presentation Overview
– Vendor Management Overview
• General
• Processes
• Financials
• Tools
• Service-Level Agreements (SLAs)
• Security & Privacy Due Diligence
• Business Continuity / Disaster Recovery
• Project-based Work Versus Staff Augmentation
– Case Studies
• SEPTA VVS
Vendor Management
3. • What is Vendor Management?
– Process of managing outside firms that provide
goods or services.
• A process not a procurement task.
4. • Who Performs Vendor Management?
– Dedicated Function
• Procurement
– Shared Function
• Legal
• Project Management
• Business
• IT Security
5. • Vendor Management Realities
– Not All Vendors Are the Same
• Cloud
• Business Process Outsourcing (BPO)
• Outside Counsel
• Staff Augmentation
– Mirrored Staff Can Really Help
• Client Project Manager = Vendor Project Manager
– Process Can Be Painful
• Divorces Usually Are!
– You Need a Written Contract Agreement
• Things Go Wrong
6. • Vendor Management Processes
– Onboarding
• Business Case
• Project Management
– Annual Re-evaluation
• Syncs to Onboarding
– Off-boarding “the Break-up”
• Documenting Reasons Why
• Cleanup
– Badges & Physical Access
– Orphaned System Accounts & Data
7. • Onboarding
– Business Case
• Feasibility
• Risk Assessment
• Financial Analysis
– Project Management
• Project Portfolio Mgmt (PPM), Project Mgmt Office (PMO)
• System Development Lifecycle (SDLC)
• Funding Gates: Pilot, Proof of Concept (POC)
• Procurement: Request for Proposal (RFP), Request for Info (RFI)
• Change Management: Requests, Scope, Budget, Schedule
17. • RFP/RFI
– RFP
• More Prevalent
• Drive Structure of Submission
• Incumbent/Separate Vendor Can Develop Materials
– RFI
• Less Prevalent
• More Iterative – Flushes Details Out
• Usually Feeds Into RFP Process
20. • Annual Re-evaluation
– Feed Subsequent Business Cases
• Market Assessment
– Pricing Points
– Low-Cost Leader
– Time to Market
• Metrics
– Aligned with SLA
• 360° Feedback
– Lessons Learned
» Internal & External Processes
• Determine Need for Process Improvement
– RFP / RFI
– Vendor Questionnaire
21. • Off-boarding “the Break-up”
– Documenting the Reasons Why
– Cleanup
• Badges & Physical Access
• Orphaned System Accounts & Data
22. • Financials
– Total Cost of Ownership, TCO
• IT: ~60% Is Maintenance
– Return on Investment, ROI
• Internal Mandate
– Cost-Benefit Analysis, CBA
• Payback Period
– Opportunity Cost
• Expense of Choosing One Option versus Another
– Sunk Cost
• Outsourcing Does Not Yield Benefits
– Capital versus Operating (Budgets, Expenses)
23. • Tools
– Software
• Web Services
– Custom Software Traversing Different Networks
• Vendor Management System (VMS)
– Enterprise Resource Planning (ERP) Module
» SAP Ariba eBuyer
• Change Management
• Project Management
• Business Activity Monitoring (BAM)
– Call Center Metrics
– Artifacts
• Microsoft Office® Documents
• Adobe PDF®
24. • Tools
– Research
• Google
• Company Literature (White Papers, Presentations)
• Advisory Firms (Gartner, IDC, etc.)
25. Vendor Management
• SLA Overview
– What is an SLA?
– SLA Best Practices
– SLA Lifecycle
– Realistic Expectations with SLAs
26. Vendor Management
• What is an SLA?
– Temporal Service Contract
– Negotiated (or Non-negotiated) Bilateral Agreement
» Dictates Service Provisions / Expectations / Metrics
» Dictates Exit / Divorce Clause(s)
» Dictates Refunds, Credits & Surcharges
» Dictates Extenuating Circumstances (Force Majeure)
– Not An End User License Agreement (EULA)
– Not An Operational-Level Agreement (OLA)
27. Vendor Management
• What is an SLA?
– Specific Sections
» Term
» Metrics
» Definitions (Outage, Interruption or Failure)
» Change Management for SLA
» Cause for: Termination, Refund, Surcharge, Credit
28. Vendor Management
• What is an SLA?
– Specific Sections
» Cause for: Credit
» Threshold: Outage lasts for x hours / minutes.
» Pro-Rated: Rolling credits for downtime.
» Percentage: $ per x hours / minutes.
29. Vendor Management
• What is an SLA?
– Examples of Metrics
» Mean Time To Repair / Recovery (MTTR)
» Mean Time Between Failures (MTBF)
» Time To Market (TTM) / Time to Implement (TTI)
» Backlog Size
» Rework Levels
» Service Uptime / Availability
» Data Throughput
» Service Satisfaction
» Quality of Service (QoS)
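As an added worked example (not from the deck), the three credit models on slide 28 (threshold, pro-rated, percentage) and the MTTR / MTBF / availability metrics on slide 29 computed over a constructed one-month outage log; the fee, thresholds and credit percentages are assumed values, so the point is to see how the same outages produce very different credits under each clause:

```python
import math
from datetime import datetime

# Constructed sample outage log for one billing month (start, end); not real data.
OUTAGES = [
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 2, 45)),      # 45 min
    (datetime(2024, 3, 14, 9, 10), datetime(2024, 3, 14, 12, 10)),  # 180 min
    (datetime(2024, 3, 27, 22, 0), datetime(2024, 3, 28, 0, 30)),   # 150 min
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)   # 31 days = 44,640 minutes
MONTHLY_FEE = 10_000.0              # assumed monthly service fee

def minutes(start, end):
    return (end - start).total_seconds() / 60

def downtime_minutes(outages):
    return sum(minutes(s, e) for s, e in outages)

def availability_pct(outages, start, end):
    # Service Uptime / Availability over the measurement period
    return 100.0 * (1 - downtime_minutes(outages) / minutes(start, end))

def mttr_minutes(outages):
    # Mean Time To Repair: average outage duration
    return downtime_minutes(outages) / len(outages)

def mtbf_minutes(outages, start, end):
    # Mean Time Between Failures: uptime divided by number of failures
    return (minutes(start, end) - downtime_minutes(outages)) / len(outages)

def threshold_credit(outages, fee, threshold_min, credit_pct):
    # Threshold clause: each outage longer than the threshold earns a flat credit
    qualifying = sum(1 for s, e in outages if minutes(s, e) > threshold_min)
    return round(fee * credit_pct / 100 * qualifying, 2)

def prorated_credit(outages, fee, start, end):
    # Pro-rated clause: refund the share of the fee equal to the share of time down
    return round(fee * downtime_minutes(outages) / minutes(start, end), 2)

def percentage_credit(outages, fee, block_min, pct_per_block, cap_pct=100):
    # Percentage clause: a fixed % of the fee per started block of x minutes, capped
    blocks = sum(math.ceil(minutes(s, e) / block_min) for s, e in outages)
    return round(fee * min(blocks * pct_per_block, cap_pct) / 100, 2)

if __name__ == "__main__":
    print(f"availability {availability_pct(OUTAGES, PERIOD_START, PERIOD_END):.2f}%")
    print("threshold", threshold_credit(OUTAGES, MONTHLY_FEE, 60, 5))
    print("pro-rated", prorated_credit(OUTAGES, MONTHLY_FEE, PERIOD_START, PERIOD_END))
    print("percentage", percentage_credit(OUTAGES, MONTHLY_FEE, 60, 2))
```

Note how the pro-rated clause, which sounds fairest, returns the smallest credit here: this is the kind of arithmetic to run before signing, not after an outage.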
30. Vendor Management
• SLA Best Practices
– Use it for Vendor Selection
– Adhere to it Internally
– Leverage Change Management
– Ensure the Metrics & Definitions Are Understood
» Have an Attorney Interpret the Language / Verbiage
– Get References / Do Research
– Educate, Inform & Make Aware
– Retain All Contract Documents
32. Vendor Management
• Realistic Expectations with SLAs
– Size Matters
– Reputation Matters
– Necessary Evil
– Vested Interest for Vendor
– Outages Happen
» Risk Mitigation Versus Risk Removal
– Everybody Loses Something In Litigation
– Most Cloud Providers' SLAs Are Not Negotiable
» Amazon, Microsoft, etc.
» Smaller Providers Cater to Custom Needs
33. Vendor Management
• Security & Privacy Due Diligence
– Existing Certifications / Attestations
• SAS 70 Type II / SSAE 16 SOC I-II-III / ISAE 3402
• ISO 27001 / 2
• ISO 27036
• BITS Shared Assessments
• PCI DSS
• HIPAA / HITECH
• COPPA
• US Safe Harbor
– Others
• Generally Accepted Recordkeeping Principles, GARP®
• ISO 9000 / 15489
• Capability Maturity Model Integration, CMMI
• Better Business Bureau, BBB
34. Vendor Management
• Security & Privacy Due Diligence
– Create Your Own Checklist
» “Have you been breached?”
» “Do you have an Information Security Officer?”
– Have an Approved Third Party Assess Them
– Place the Sales / Account Person on the Hook
» Vested Interest with Commission
35. Vendor Management
• Business Continuity Planning / Disaster Recovery
– SLA Should Drive Your:
» Recovery Time Objective (RTO)
» Recovery Point Objective (RPO)
– Plans in Place?
» Add to Vendor Questionnaire
– Annual Testing
» Add to Questionnaire
» Do They Include Their Vendors?
36. Vendor Management
• Project-based Work Versus Staff Augmentation
– Projects
» Clearly Defined Scope
» Firm Fixed Price
» Resource Neutral
– Staff Augmentation
» Ambiguous Scope
» Hourly
» Resource Specific
– Hybrids
» Best of Both Worlds
40. • Case Study: SEPTA VVS
– Risks
» Privacy Laws
» Retention Requirements
» Security Regulations
– Lessons Learned
» Understand Strategic Direction of Vendor
» Understand Ecosystem
» Subcontractors
41. Vendor Management
• Presentation Takeaways
– Vendor Management = Iterative Process
» Improve Over Time
– Strategy & Due Diligence Are VERY Important
» Must Consider the Business Ecosystem