Starting a Vendor Assessment Program

Transcription

1 Starting a Vendor Assessment Program Kevin Brandt, CBCP Agenda Why? Wait Really Why? Overview Policies and Procedures Implementation Work Effort Assessment Tips Special Case What About? Looking Forward

2 Why? Financial institutions should establish and maintain effective vendor and third party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring. The Federal Financial Institution Examination Council (FFIEC) Information Technology Examination Handbook Why? Financial institutions should establish and maintain effective vendor and third party management programs because of the increasing reliance on nonbank providers. Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring. The Federal Financial Institution Examination Council (FFIEC) Information Technology Examination Handbook

3 Wait Really Why? Evaluate vendors on an even playing field. Vendor B Get complete overall picture of organizational business continuity. Get complete overall picture of enterprise risk. Adjust your plans to account for vendor outages. Could strengthen partnerships with key / critical vendors. Competitive advantage? If so then why don t we? RESOURCE CONSTRAINTS! Vendor A Vendor C Best Vendor Overview What does a best in class BCM vendor assessment program look like? Policies Policies Procedures Procedures Some new concepts for the enterprise. Create a plan Implement! Simple right? The challenge: Minimizing implementation work effort.

4 Policies Vendor Management Policies All vendors must go through Vendor Management, Purchasing or some centralized entity. Before final contract negotiations (sooner for comparisons): Vendor Management must contact BCM with new vendors for possible assessment. Fact: Most companies, even large ones do NOT have enough BCM staff to assess all vendors. BCM Policies All vendors must be Qualified by BCM. BCM associates vendor(s) to business process(es) using the shortest process RTO. BCMworks with the business process to assign a Reliance (see next page). Qualified vendors w/appropriate RTO and Reliance are assessed with a questionnaire at a minimum. RTO, Risk and Reliance of certain levels require the business process to sign off on risk to contract with the vendor. Some vendors may be deemed Key and may require onsite assessment and/or joint exercises. Policies Vendor Management Policies All vendors must go through Vendor Management, Purchasing or some centralized entity. Before final contract negotiations (sooner for comparisons): Vendor Management must contact BCM with new vendors for possible assessment. Fact: Most companies, even large ones do NOT have enough BCM staff to assess all vendors. BCM Policies All vendors must be Qualified by BCM. BCM associates vendor(s) to business process(es) using the shortest process RTO. BCMworks with the business process to assign a Reliance (see next page). Qualified vendors w/appropriate RTO and Reliance are assessed with a questionnaire at a minimum. RTO, Risk and Reliance of certain levels require the business process to sign off on risk to contract with the vendor. Some vendors may be deemed Key and may require onsite assessment and/or joint exercises.

5 Procedures Qualify Vendor Associate business process(es) and RTO with vendor. Determine business process Reliance on vendor. Assess vendors associated with business processes with RTOs of 24 hrs or less plus have High or Medium Reliance on that vendor. Vendor Assessment BC Questionnaire sent to vendor. Returned questionnaire scored by BCM. Sample vendor question: How many certified BC professionals on staff? Accept boilerplate Executive Summaries, but push for more detail if needed. Risk Report Reliance and Risk report created by BCM. Reliance and Risk determines next step: High + High, Medium + High, or High + Medium Escalate for sign off. All Set up ongoing reviews. Provide checklist of key contractual terms for vendor negotiations. Ongoing Reviews Store results in BC software or central repository. Schedule follow up assessments (yearly) for monitoring. Action for special circumstances: Vendors can be deemed Key to warrant onsite assessment such as ones related to financial industry regulated business processes. Procedures Qualify Vendor Associate business process(es) and RTO with vendor. Determine business process Reliance on vendor. Assess vendors associated with business processes with RTOs of 24 hrs or less plus have High or Medium Reliance on that vendor. Vendor Assessment BC Questionnaire sent to vendor. Returned questionnaire scored by BCM. Sample vendor question: How many certified BC professionals on staff? Accept boilerplate Executive Summaries, but push for more detail if needed. Risk Report Reliance and Risk report created by BCM. Reliance and Risk determines next step: High + High, Medium + High, or High + Medium Escalate for sign off. All Set up ongoing reviews. Provide checklist of key contractual terms for vendor negotiations. Ongoing Reviews Store results in BC software or central repository. Schedule follow up assessments (yearly) for monitoring. Action for special circumstances: Vendors can be deemed Key to warrant onsite assessment such as ones related to financial industry regulated business processes.

6 Implementation! 4 Assess Appropriate Vendors 2 Create and Implement Best in Class Policies Update any Risk Assessment Policy to Include BC. Update any Risk Acceptance forms. Begin awareness work to roll out the changes. 3 Modify Procedures to Be Best In Class Conduct assessments of appropriate current vendors (based on Reliance and RTO). On an ongoing basis, conduct assessments for new vendors (based on Reliance and RTO). Create a brief BC questionnaire with risk scoring and contractual terms checklist. Work with Vendor Management (or whomever) to have them contact BCM with any new vendors being considered. New vendors get associated to business process and assessed if needed. 1 Determine Backlog of Vendors to Assess Associate vendors to processes. Determine Reliance and earliest RTO. Determine which vendors to assess. Work Effort One BC Planning Cycle (1 year?) Ongoing Determine Backlog of Vendors to Assess During the normal BC planning w/each business process, associate vendors to the process. Ask questions of the SME of the business process to determine Reliance. Focus on the earliest RTOs for your organization. Once the volume of vendors to assess is known, the work effort for the backlog can be determined. Modify Procedures Create a brief BC questionnaire with risk scoring. Start small and expand later. Important: make it as empirical as possible. Create contractual terms checklist. Work with Vendor Management (or whomever) to have them bring you any new vendors being considered. New vendors get associated to business process and talk to the SME to determine Reliance. Assess Vendors in Backlog Conduct assessments of appropriate current vendors (based on Reliance and RTO). Assess vendors during BC planning to minimize impact. Meanwhile Create and Implement New Policies While reviewing plans and discovering vendors: Update any Risk Assessment Policies to Include BC. Update any Risk Acceptance forms. Begin awareness / organizational change work to roll out the new policies. Assess New Vendors as they Arrive Prioritize new vendors being brought to you for review to help embed the new process in the enterprise. Continue to make awareness of the process a focus.

7 Assessment Tips Categorize The Questions Questions should be categorized to cover the practice areas of Business Continuity. Risk assessment, BC Planning, Exercises, etc. Questions are a proxy for seeing the vendors BC work in action. Example: Do you have certified BC professionals on staff or under contract? Make the Questions Empirical Questions should lead to a point system of some kind. Yes/ No questions or numeric questions are the most effective. Example: How many disaster recovery exercises do you undertake per year? 0 = zero points / 1 = one point etc. Having a final number (risk number or points) makes it easy to convey relative risk of selecting that vendor. Focus on Risks You Care About Start with questions in areas that are a priority to your enterprise. Example: How frequently is our customer data that you use backed up? Create contractual language terms so that they must tell you when they have an outage. Automate Later Start with a few or one question in each category just to get going and use Word if you have to. Web portals and other automated tools can come later. Special Case IT Vendors Usually associated with critical systems or disaster recovery So Do all software and infrastructure vendors require assessment? Software / System Vendor On premise? (No) XaaS? (Maybe) What about maintenance contracts? Maintenance contracts do NOT equal Reliance

8 What About?... PAS7000 (Supply chain pre-qualification) Supply chain focused Unified Prebuilt Business Continuity is a subset of the questions Questions tend to be non-empirical SOC 2 Controls focused Accounting based Looking Forward Partner with Legal Develop contract language AND remedies Partner with the business process of the vendor Develop Service Level Agreements (SLAs) not just for software! Create Key Performance Indicators (KPIs) canary in the mineshaft! Select re-evaluation points Partner with vendor management area to drive other assessment types Like financial the best plans in the world will not help if the vendor runs out of money.