Vendor Risk: Find It Before It Finds You
Presented by Onspring Technologies, LLC (onspring.com), ©2018

Practical guidance for:
▪ Identifying risk in vendor relationships
▪ Defining policies and procedures to manage it
▪ Finding risk in the vendor selection process
▪ Monitoring vendors over time
Reality of risk
Every business is a web of relationships
between employees, clients and third parties.
We rely on outside providers of products and
services to help us achieve our strategic
objectives, deliver value to our customers and
empower our teams to succeed.
But where we have vendor relationships, we
also have risk!
The truth is...
We can’t eliminate vendor risk unless we
eliminate our vendor relationships. And we
certainly do not recommend this. After all,
vendors help us stay focused on what we do
best.
However, we can take steps to identify and
manage third-party risk to levels we can accept.
This presentation provides some practical
advice for accomplishing just that.
So take a close look
There’s more to vendor risk than data breaches
and fraud, though these two headline-grabbing
issues are certainly top of mind.
It’s also essential to consider more subtle forms
of vendor risk. Remember, an issue with a
vendor may not cripple your operations, but it
could have deep and lasting impact on your
brand and customer goodwill.
Consider the following questions...
Access to sensitive information
Will the vendor handle your client or employee
data, financial statements, intellectual property
or other confidential information?
Business impact
Would a disruption to the vendor’s products or
services harm your ability to carry out your own
operations or significantly impact your ability to
generate revenue?
Reputational impact
Could misdeeds, negligence or malpractice on
the part of the vendor damage your
organization’s reputation? (Think in terms of
your clients, employees and the public at large.)
Regulatory impact
Does the vendor relationship expose you to
additional regulatory requirements (HIPAA, PCI,
GDPR, etc.)?
Would a disruption to the vendor’s products or
services impair your own ability to demonstrate
regulatory compliance?
Additional risk factors
For more guidance on identifying third-party risk, get the e-book at onspring.com.
Next, define your policy
Document your process for evaluating,
selecting and monitoring vendors, and ensure
that relationship owners understand their
responsibilities.
Your vendor management policy should cover
(at minimum):
▪ Human resources security
▪ Physical and environmental security
▪ Network and system security
▪ Data security
▪ Access control
▪ IT acquisition and maintenance
▪ Vendor management (the vendor's own subcontractors and fourth parties)
▪ Incident management
▪ Business continuity / disaster recovery
▪ Compliance
These are the same control domains a vendor's own
security program is organized around, so the list
doubles as the outline for your assessment questionnaire.
Assess your vendors diligently
How much time and effort should you spend
on vendor due diligence? The answer is
(annoyingly), "it depends."
The level of scrutiny you should apply depends
on the nature of the vendor relationship.
Vendors that have access to confidential data
or that deliver business-critical products or
services require a high degree of scrutiny; a
vendor with neither can usually be handled with a
lighter questionnaire. For the high-risk group,
the effort is worth the investment.
Areas to evaluate
Vendors that want to do business with you
should be prepared to supply information
about the following (at minimum):
▪ Relevant business processes
▪ Policies and procedures
▪ Security, privacy and anti-fraud controls
▪ Insurance coverage
▪ Certifications
▪ Client references
▪ Any pending legal action
Online vendor questionnaires make it easy to
collect and score responses. Remember that the
answers are self-attestations: for higher-risk
vendors, ask for the evidence behind them (audit
reports, certificates, policy documents) rather
than relying on the score alone.
Look internally, too
It's also wise to ask relationship owners within
your organization to evaluate new vendors.
These surveys don't need to be burdensome,
but they should cover some basic areas:
▪ Vendor experience
▪ Ability to execute
▪ Reputation
▪ Service-level agreements
▪ Compliance and controls
▪ Internal resource impact
Watch out for any mismatch between vendor
and relationship owner responses. When they
disagree, work from the more cautious answer
until the difference has been resolved.
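The tiering logic the deck describes in words, as an added example that is not code from the slides or from Onspring: it turns the four screening questions (Access to sensitive information, Business impact, Reputational impact, Regulatory impact) into an inherent-risk tier, uses the tier to decide which of the "Areas to evaluate" items to demand and how often to reassess, and applies the "Look internally, too" mismatch check by reconciling the vendor's self-assessment with the relationship owner's answers. The weights, thresholds, evidence allocation, review cadences and sample vendor are assumptions chosen for illustration, not figures from the deck.

```python
"""Inherent-risk tiering for third parties.

Added example, not code from the slides or from Onspring. Weights, thresholds,
evidence lists and review cadences are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Screening:
    """One party's answers to the four screening questions."""
    confidential_data: bool                  # client/employee data, financials, IP
    business_critical: bool                  # disruption harms operations or revenue
    reputational_exposure: bool              # misconduct would reach clients/public
    regulations: frozenset = frozenset()     # e.g. {"HIPAA", "PCI", "GDPR"}


def inherent_score(s: Screening) -> int:
    """Additive score. Weights are illustrative assumptions."""
    score = 3 if s.confidential_data else 0
    score += 3 if s.business_critical else 0
    score += 1 if s.reputational_exposure else 0
    score += min(len(s.regulations), 2)      # cap so a long list cannot dominate
    return score


def tier_for(s: Screening) -> Tier:
    """Score to tier, plus a floor that additive scoring misses: any regulated
    data puts the vendor at HIGH even if nothing else applies."""
    score = inherent_score(s)
    if score >= 6:
        tier = Tier.CRITICAL
    elif score >= 3:
        tier = Tier.HIGH
    elif score >= 1:
        tier = Tier.MODERATE
    else:
        tier = Tier.LOW
    if s.regulations and tier < Tier.HIGH:
        tier = Tier.HIGH
    return tier


# Evidence from the deck's "Areas to evaluate" list, plus expert review
# ("Call on the experts") and an onsite visit ("Go onsite"), allocated to
# tiers cumulatively. The allocation is an assumption.
EVIDENCE = {
    Tier.LOW: ["security questionnaire"],
    Tier.MODERATE: ["certifications", "client references"],
    Tier.HIGH: ["policies and procedures",
                "security, privacy and anti-fraud controls",
                "insurance coverage", "pending legal action",
                "review by legal, compliance and information security"],
    Tier.CRITICAL: ["onsite review of physical and clean-desk controls"],
}

# Reassessment interval in months (assumed values).
REASSESS_MONTHS = {Tier.LOW: 36, Tier.MODERATE: 24, Tier.HIGH: 12, Tier.CRITICAL: 6}


def required_evidence(tier: Tier) -> list[str]:
    """Everything required at this tier and every tier below it."""
    return [item for t in Tier if t <= tier for item in EVIDENCE[t]]


def reconcile(vendor: Screening, owner: Screening) -> tuple[Screening, list[str]]:
    """Compare the vendor's self-assessment with the relationship owner's view.
    Take the more conservative answer on every question and return the list of
    questions they disagreed on, so someone follows up before the tier is final."""
    mismatches: list[str] = []
    merged: dict = {}
    for name in ("confidential_data", "business_critical", "reputational_exposure"):
        v, o = getattr(vendor, name), getattr(owner, name)
        if v != o:
            mismatches.append(name)
        merged[name] = v or o                # "yes" from either side wins
    if vendor.regulations != owner.regulations:
        mismatches.append("regulations")
    merged["regulations"] = frozenset(vendor.regulations | owner.regulations)
    return Screening(**merged), mismatches


if __name__ == "__main__":
    # Constructed sample: a payroll processor that downplays its criticality.
    vendor_view = Screening(True, False, True, frozenset())
    owner_view = Screening(True, True, True, frozenset({"GDPR"}))
    merged, diffs = reconcile(vendor_view, owner_view)
    tier = tier_for(merged)
    print(f"{tier.name} (score {inherent_score(merged)}); disputed: {diffs}")
    print("evidence:", ", ".join(required_evidence(tier)))
    print(f"reassess every {REASSESS_MONTHS[tier]} months")
```

The regulatory floor and the "yes from either side wins" merge are the two design choices worth keeping whatever weights you settle on: a purely additive score lets a vendor holding regulated data land in a low tier when nothing else applies, and a vendor's own answers are the least reliable input you have.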
Call on the experts
Once you have collected information from
vendors and relationship owners, it’s important
to get the “right eyeballs” on it.
The review process is probably not a job for a
single person. You may need to route
information to legal, compliance, information
security or IT for their expertise.
Dig a layer deeper in contract review
By the time you reach the contract review stage
with a vendor, it can feel like the point of no
return. You’ve gone through the selection and
assessment process, and the relationship owner
and vendor are eager to push the agreement
across the finish line.
But before you sign, carefully review all
documents for red flags.
Consider the following questions...
Vendor termination
What are your options for termination if the
vendor fails to fulfill its obligations? Under what
conditions can the vendor sever its agreement
with you? What happens after termination?
Contract value
What is the total cost of the agreement, and
what are the payment terms?
How is your organization protected from
overages? (Think about data storage, service
hours, user licenses, equipment failure, etc.)
Performance tracking
How will the vendor prove that it’s meeting its
obligations? Are there defined milestones?
Will you receive status updates or other
documentation of completed work? By what
measures will you hold the vendor accountable?
Additional criteria
For more guidance on vendor evaluation, get the e-book at onspring.com.
Now it’s time to monitor
The ink on the contract is dry and your vendor
relationship has begun.
You’re ready to get down to business, but
don’t take your foot off the gas when it comes
to risk evaluation and monitoring.
To manage vendor risk effectively, you need to
monitor performance and adherence to your
standards throughout the relationship.
Onboard carefully
Depending on the nature of the vendor
relationship, you may need a formal
onboarding process.
During this time, you should ensure that the
vendor profile is complete (contacts,
deliverables, timelines, NDAs, W-9s, insurance
certificates, etc.).
Also, you'll want to carefully track which data
or systems the vendor can access and for what
reasons, so that access can be reviewed during the
relationship and revoked promptly when it ends.
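A register for the access tracking the onboarding advice calls for, as an added example that is not code from the slides or from Onspring. It records which systems and data a vendor can reach and why, and answers the "Vendor termination" question of what happens after termination with three checks a reviewer runs at each periodic review and at contract end: grants with no recorded justification, grants that outlive the contract, and grants still open after the contract has ended (including early termination by either side). Field names, the sample grants and contracts are assumptions constructed for this example.

```python
"""Vendor access register with termination and review checks.

Added example, not code from the slides or from Onspring. Field names and the
sample entries are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class AccessGrant:
    vendor: str
    system: str                 # e.g. "payroll-db"
    data_classes: frozenset     # e.g. {"employee PII"}
    justification: str          # why the vendor needs it; "" means nobody recorded one
    expires: date               # should never be later than the contract end


@dataclass(frozen=True)
class Contract:
    vendor: str
    end: date
    terminated_on: Optional[date] = None   # set when either side severs early


def effective_end(c: Contract) -> date:
    """Early termination shortens the window; it never extends it."""
    return min(c.end, c.terminated_on) if c.terminated_on else c.end


def review(grants: list[AccessGrant], contracts: list[Contract],
           today: date) -> list[tuple[AccessGrant, str]]:
    """Return (grant, reason) for every grant that needs action today."""
    by_vendor = {c.vendor: c for c in contracts}
    findings: list[tuple[AccessGrant, str]] = []
    for g in grants:
        c = by_vendor.get(g.vendor)
        if c is None:
            # Access with no agreement behind it at all.
            findings.append((g, "no contract on file"))
            continue
        if not g.justification.strip():
            findings.append((g, "no recorded justification"))
        end = effective_end(c)
        if g.expires > end:
            findings.append((g, f"grant outlives contract end {end}"))
        if today > end:
            findings.append((g, "contract ended; revoke"))
    return findings


if __name__ == "__main__":
    # Constructed sample data: one vendor terminated early, one with no contract.
    grants = [
        AccessGrant("Acme Payroll", "payroll-db", frozenset({"employee PII"}),
                    "runs monthly payroll", date(2025, 12, 31)),
        AccessGrant("Acme Payroll", "sso-tenant", frozenset(), "", date(2024, 12, 31)),
        AccessGrant("Orphan Co", "file-share", frozenset({"contracts"}),
                    "migration", date(2023, 12, 31)),
    ]
    contracts = [Contract("Acme Payroll", date(2024, 12, 31),
                          terminated_on=date(2024, 3, 31))]
    for grant, reason in review(grants, contracts, date(2024, 6, 1)):
        print(f"{grant.vendor:<14} {grant.system:<12} {reason}")
```

Run the review on a schedule and whenever a contract record changes; the "contract ended; revoke" finding is the one that most often goes unnoticed, because termination is handled by procurement and legal while the credentials live with IT.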
Resolve vendor findings
If you identified issues during vendor
evaluation that remain open after the contract
is executed, be sure to stay on top of those
contingent items.
It’s easy to lose track of findings once the
vendor relationship is underway.
To prevent this, require regular updates from
the vendor until all issues are resolved to your
satisfaction.
Stay up to speed
Also require the vendor to provide regular
updates on the status of the project or
engagement.
This doesn’t need to be overly burdensome,
but the vendor should keep you updated on
work completed, progress toward milestones
and any project risks.
Go onsite
It may be necessary to go onsite with a vendor
to monitor their adherence to your standards.
For example, do their employees follow the
clean desk / clear screen policy? Do they have
adequate controls on physical access points
and surveillance equipment?
Under certain circumstances, you may need to
“see it to believe it.”
Gauge satisfaction
On an annual basis (and certainly before you
renew a contract with a vendor), conduct
internal surveys to determine whether the
vendor has fulfilled its obligations and met
your organization’s needs.
You’ll be surprised how often you find that
your internal stakeholders do not like a vendor!
In these cases, why continue the relationship?
Small problems that annoy your team could be
a warning sign of bigger issues.
The role of tech
Spreadsheets, email and shared drives can take
you only so far. If you’re dealing with a handful
of vendors, these tools will probably suffice, but
as your vendor relationships expand, you may
find yourself in need of greater visibility,
efficiency and control.
There’s no single technology that will facilitate
every aspect of vendor risk management.
However, modern Vendor Management
solutions can handle much of the heavy lifting.
Lean on technology to…
▪ Collect information and documentation from
vendors
▪ Perform and score vendor risk assessments
▪ Manage vendor profiles and track
outstanding tasks or issues
▪ Facilitate the contract review process with
automated workflow
▪ Find the information and documents you
need at a moment’s notice
▪ Report on vendors by status, risk rating,
criticality, usage, spend and other criteria
Learn more
For additional guidance on vendor risk management, get the e-book at onspring.com.