Vendor Management Compliance Checklist Manifesto May 20, 2010
Today's Presenters

Susan Orr, CISA, CISM, CRP
- Founder, Susan Orr Consulting
- Former FDIC examiner
- Leading financial services expert
- Auditor and consultant
- Over 18 years' experience in the IT regulatory field
- Speaks regularly on risk management and security

Jim Kisch, CSO, Continuity Control
- Over 18 years' banking experience
- Faculty member at Graduate School of Banking CU-Boulder; former faculty member at GSB, UW Madison
- 12 years of focus in the disciplines of bank operations and information technology management
Agenda
- Overview of Vendor Management
- Regulatory landscape
- What is the Compliance Tax™?
- Power of a checklist to combat the Compliance Tax™
- Your Vendor Management Checklist
- Implementing a Vendor Management checklist
- Summary and Q & A
Overview
- Vendor Management
- Regulatory landscape
Vendor Management Program
"The responsibility to properly oversee outsourced relationships lies with the board of directors and senior management." (FFIEC, Outsourcing Technology Services, June 2004)
Why Vendor Management
- Increased regulatory scrutiny
- GLBA
- ID Theft Red Flags Program
- Regulatory guidance
- FDIC FIL 44-2008, Guidance for Managing Third-Party Risk
- OCC 2008-16, Information Security – Application Security
The notion of a Compliance Tax
What is the Compliance Tax?
Compliance Tax™: the ever-growing amount of work, resources and costs (internal staffing, consulting fees, training and employee productivity loss) required for a financial institution to meet regulatory requirements.
- Based on asset size: 500 million
- Average amount of employee time spent on compliance activities: 3%
The Checklist Approach
Power of a checklist: What's the Checklist Manifesto?
Johns Hopkins University, 2001, Peter J. Pronovost, MD, PhD: Central Line Infections Checklist
- Doctor washes hands
- Clean patient's skin
- Drape patient completely
- Mask, hat, gown, gloves
- Sterile dressing over insertion site
After 1 year, the 10-day infection rate for central lines dropped from 11% to 0. During the 27-month study, the checklist prevented 43 infections and 8 deaths and saved $2 million in costs for this one hospital.
Power of a checklist: What's the Checklist Manifesto?
Boeing "Checklist Factory"
- Aviation is the origin of the checklist
- Boeing develops 100 checklists a year
- They take weeks to develop, but are adopted by the industry
Applying the Checklist Manifesto to Vendor Management: Key Factors and Elements
Key Factors of a Vendor Management Program
- BOD and senior management awareness
- Prudence of outsourcing relationship
- Needs assessment
- Implementation of effective controls
- Ongoing monitoring
- Documentation of procedures, responsibilities, reporting
Vendor Risk Management Program Elements
- Risk assessment
- Policy/written program
- Repeatable process/procedures
- Needs requirements
- Service provider selection and due diligence
- Contract
- Ongoing monitoring
Vendor Risk Assessment
- Identify all service providers and vendors
- Identify risk
- Identify risk mitigation strategies
- Risk rating and ranking
Classification Factors
- Mission critical
- Access to sensitive or confidential information
- Information controlled by service provider
- Volume of transactions
- New activity for institution
- New provider
- Markets products or services
- High risk activities
Performing the Risk Assessment
- Business owners
- Audit
- Compliance and Risk Officers
- Technology Officer
- Legal counsel
Policy/Written Program
- Overview of program
- Risk management
- Risk assessment
- Needs assessment
- Ongoing oversight
- Selection process
- Due diligence
- Contracting
Applying Checklists to the Process
Vendor Selection Checklist
- Needs assessment
- Financial review
- Setting performance expectations
- Company research/internal research
- Review references
- Preliminary risk assessment
- Strategic business plans (current and future), including succession planning
Vendor Selection Checklist: Outsource vendor review list?
- SAS70
- Independent security audits
- Financial review
- Insurance coverage
- Disaster Recovery Plan testing
Contract Review Checklist (highlights – not a complete list)
- Time-frames and duration of activities clearly stated; hours of support too
- Term, notice, and auto-renew clear and accurate
- Addresses performance standards, or SLA
- Security, confidentiality, and privacy requirements
- Addresses applicable regulations
- Installation and training cost coverage
- Are you comfortable with the subcontractor terms?
Vendor Performance Checklist
1. Track it: document system downtime, customer complaints, poor response to inquiries, failure to deliver on promises.
2. Monitor it: monitor performance monthly.
3. Review it: feedback during contract review.
Implementing Your Own Compliance Checklists
Good checklists (according to the Boeing Checklist Factory)
- Easy to use
- Precise
- Efficient

Bad checklists
- Too much detail (Gawande says "Checklists are not comprehensive how-to guides")
- Vague
- Inaccurate
Stepping You Through the Process
Step by Step Directions
Step by Step Directions
Search written procedures for:
- What: Vendor Risk Assessments; Who: Operations Officer; When: Annual
- What: Vendor Performance Monitoring; Who: IT Manager; When: Weekly
Step by Step Directions
Organizing checklists:
1st: Oversight activities (annual), e.g. Vendor Risk Assessment
2nd: Periodic activities (monthly and quarterly), e.g. review contract renewals
3rd: Routine activities (daily and weekly), e.g. monitoring vendors
 
Summary and Q & A
Thank You!
Contact info:
- Susan Orr, Susan Orr Consulting, http://www.susanorrconsulting.com/, [email_address]
- Jim Kisch, Continuity Control, http://www.continuity.net, [email_address]