Solution Track 5. Managing Vendor Risk and Contingency Plans. March 26, Strategic BCP, Inc. All rights reserved. strategicbcp.

Transcription

1 Managing Vendor Risk and Contingency Plans Terence Lee Solution Track 5 March 26, 2017 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1

2 Agenda: 60 Minutes Introduction What is Third Party Vendor Management GRC and 3rd Party Management How companies manage vendor risk today Vendor Risk & Contingency Management: VRCM Defining your VRCM Program Questions Strategic BCP, Inc. All rights reserved. strategicbcp.com 2

3 Take the Survey, Receive the Report! The Evolving State of Business Continuity and Vendor Management (sneak preview of results in this session) Strategic BCP, Inc. All rights reserved. strategicbcp.com 3

4 Introduction Terence Lee Strategic BCP, Inc. VP, GRC Strategy 10 years in governance, risk, and compliance with focus on IT risk and compliance 6+ years in BCM/DR Based in Providence, Rhode Island (hint: it s not an island) Strategic BCP, Inc. All rights reserved. strategicbcp.com 4

5 What IS it? Alphabet soup: (TPM) Third Party Management (VRM) Vendor Risk Management (VRCM) Vendor Risk & Contingency Management (SCRM) Supply Chain Risk Management VRM is often considered a subset of TPM VRM tends to focus just on the assessment of vendor risk TPM usually describes the entire vendor lifecycle, from Onboarding to Offboarding Strategic BCP, Inc. All rights reserved. strategicbcp.com 5

6 Defined Vendor risk management (VRM) is the process of ensuring that the use of service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance. VRM technology supports enterprises that must assess, monitor and manage their risk exposure from third-party suppliers (TPSs) that provide IT products and services, or that have access to enterprise information. Source: Strategic BCP, Inc. All rights reserved. strategicbcp.com 6

7 From Chaos Strategic BCP, Inc. All rights reserved. strategicbcp.com 7

8 to Order (YOU ARE HERE) Strategic BCP, Inc. All rights reserved. strategicbcp.com 8

9 Who are Third Parties Anyway? IT Service Providers Distributors What is the number of critical vendors identified for your organization? (sneak preview results) Sub-contractors Consultants Suppliers Agents Strategic BCP, Inc. All rights reserved. strategicbcp.com 9

10 Lifecycle Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Strategic BCP, Inc. All rights reserved. strategicbcp.com 10

11 The Core of Vendor Risk Management Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Strategic BCP, Inc. All rights reserved. strategicbcp.com 11

12 Vendor Identification Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Request to Assess Procurement, Relationship Owner, Legal, Compliance Current, Past, New Vendor Build/update their Profile Relationship Owner, Contracts, General Products and Services Strategic BCP, Inc. All rights reserved. strategicbcp.com 12

13 Onboarding Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Complete profile and contract information Detailed product and service identification Financial and other public scoring information considered Strategic BCP, Inc. All rights reserved. strategicbcp.com 13

14 Segmentation Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Financial commitment Information access/storage Criticality of products and services (align to your processes, products, services) Assigned a Tier Tier 1 = most critical vendor Score from segmentation should determine assessment need, and types Strategic BCP, Inc. All rights reserved. strategicbcp.com 14

15 Segmentation Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Does your organization align vendor s products/services to the organization s functions/systems that use those products/services? (sneak preview results) Strategic BCP, Inc. All rights reserved. strategicbcp.com 15

16 Assessment Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Different assessment types address different yet often overlapping needs Information Security: Practices, Policies, Certifications Physical Security: Locations, Countries HR Practices: Background Checks Business Continuity and DR Anti-money Laundering Foreign Corrupt Practices Act Shared Assessments SIG (The Sante Fe Group) Performed via Survey, Checklist, and/or onsite assessment Use external sources when applicable: Dow Jones Adverse Media, Rapid Ratings, D&B Financials, Clear Report, more Strategic BCP, Inc. All rights reserved. strategicbcp.com 16

17 Assessment (continued) Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Are BCM/DR risks aligned to assessment questions Are risks aligned to your BCM/DR controls Did you develop your own, in the BCM program, or are you working with ERM, Compliance, Information Security Are your controls aligned to your authoritative documents (policies, best practices, and regulations) Strategic BCP, Inc. All rights reserved. strategicbcp.com 17

18 Issue Management & Remediation Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Issues arise from the assessment and scoring process Issues are actioned and assigned to one or more individuals for remediation Actions are executed, evidence collected/attached as needed Issues and their actions are approved and closed accordingly Audit trail: important Strategic BCP, Inc. All rights reserved. strategicbcp.com 18

19 Monitoring: the Hard Part Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Based on their criticality to your operational resilience Conduct assessments more frequently Update documentation Verify Controls Visit physical locations Monitor news sources Check financials regularly Measure SLA performance Confirm Policy review and attestation Report issues immediately Strategic BCP, Inc. All rights reserved. strategicbcp.com 19

20 Offboarding Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Don t go away mad, just go away: contract termination Data collection, destruction, verification Contract requirements Actions taken, documents signed as required (legal) Strategic BCP, Inc. All rights reserved. strategicbcp.com 20

21 Revisiting the Risk Assessment Process Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding As the BCM/DR professional, do you identify and test Tier 1 Vendor recovery required for critical processes and assets in the event of a declaration, and can you ensure those actions will be successful? Do you: Conduct Contingency assessments of your Vendors Participate in your Vendor s exercises Let your clients participate in your exercises? Include your Vendor s in your exercises Identify alternative Vendors, and implement an alternative in your exercises Strategic BCP, Inc. All rights reserved. strategicbcp.com 21

22 VRCM Program Best Practices Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding As the BCM professional, understand Vendor SLA+Recovery required to recover critical processes in the event of a declaration and ensure those actions will be successful. Vendor Products and Services What are they? Who consumes them? How do they impact our recovery of processes and assets? Your operational resilience Do you know where the Vendor fits into your recovery plans? Have you tested recovery with the Vendor? What degree of confidence can you report to your leadership team that your can recover critical processes that include Vendors? Strategic BCP, Inc. All rights reserved. strategicbcp.com 22

23 VRCM Program Best Practices Vendor Identification Onboarding Segmentation Assessment Issues & Remediation Monitoring Offboarding Program participation can be challenging Why does getting a response from my vendors require a squad from the First Order?! Leverage your resources: Vendor relationship owners Super-users of Vendor products Project Managers of Vendor services Strategic BCP, Inc. All rights reserved. strategicbcp.com 23

24 The Evolving Role of the BCM Professional Does the scope of your BCM program include Vendor Risk and Recovery, Information Security, or just BCM/DR? (sneak preview results) Strategic BCP, Inc. All rights reserved. strategicbcp.com 24

25 VRCM Program Best Practices BCM/DR team is connected to the VRM team Risks and Controls are common across the company including BCM/DR Collaboration is key Vendor relationship owners are engaged and support the assessment process Vendors slow to respond to assessment requests get escalated Contract SLAs contain measurable requirements for BCM/DR Exercising with Tier 1 Vendors is difficult: resources, contract terms, and governance required But you need to do it Strategic BCP, Inc. All rights reserved. strategicbcp.com 25

26 Defining Your VRCM Program: Key Action Items 1. Program Oversight and Responsibility Ideal: create a Service Catalog to organize products and services Assign Vendor Relationship Owner: one belly-button, with an alternate 2. Capture the data: you are already describing Processes. Who are the vendors, and what products and services are critical? Line of business owners should know this and if they don t, interview one level down 3. Cross-reference Contract SLAs If the Line of business needs it, but the contract doesn t have an SLA for it <sigh> 4. Assess, Measure, Test, Verify Strategic BCP, Inc. All rights reserved. strategicbcp.com 26

27 The Focus of the BCM Professional Today Rank the priority of focus for your BCM program today (sneak preview results) Continuity of Critical Processes Recovery of Critical Applications Equal Focus on Processes & Apps Reducing Risk to the Company 4 Recovery from Cyber Incidents 5 Mitigating Third Party Risk 6 Building Better Plans 7 Doing Better BIAs 8 Getting Actionable Exercise Results 9 Integrating BCM w/other Applications 10 Strategic BCP, Inc. All rights reserved. strategicbcp.com 27

28 Take the Survey, Receive the Report! The Evolving State of Business Continuity and Vendor Management Report will be sent by April 30. Thanks for participating! Strategic BCP, Inc. All rights reserved. strategicbcp.com 28

29 VRCM Playbook: Download the Playbook: Strategic BCP, Inc. All rights reserved. strategicbcp.com 29

30 Thank You Product Demo s Mon/Tue 12:00-12:30 Coronado F Join us for Karaoke Tuesday 8pm! Come to booth 510/512 for Invitation Strategic BCP, Inc. All rights reserved. strategicbcp.com 30