Vendor Risk Management Presentation Final Revised 5-19-2016

Post on 22-Jan-2017


Vendor Risk Management: The Good, the Bad, and the Very, Very, Ugly

Today’s Agenda – Learning Objectives

• Understand the importance and benefits of Vendor Risk Management (VRM)

• Develop a Framework and Process to Categorize (Segment) Vendors by Risk Exposure

• Building a Vendor Risk Profile

• Employ an Enterprise Risk Management Approach to VRM

• Build Vendor Risk Management into Procurement Processes

• Vendor risk is a type of operational risk and refers to the risks associated with outsourcing products and/or services to a third party.

What is meant by vendor risk?

• There are five key drivers of vendor risk:

– Inherent sourcing risk (nature of services/goods provided)

– Due diligence used in vendor selection

– Contracting form utilized and deviation processes

– Performance measurement, monitoring, & corrective action

– Maturity and effectiveness of vendor’s internal policies, procedures, and processes

Key Drivers of Vendor Risk

• What is vendor risk management?

Vendor Risk Management – Definition

• Vendor risk management is a formal way to evaluate, track and measure third-party risk; to assess its impact on all aspects of your business; and to develop compensating controls or other forms of mitigation to lessen the impact on your business if something should happen. (ProcessUnity, Inc.)

Vendor Risk Management – Definition

• Why is Vendor Risk Management becoming a compelling priority to institutions?

– Focus has shifted from hazard risk to enterprise risk management

– Penalties associated with compliance risks

– Ever-changing nature of outsourcing

Importance and Benefits of VRM

• What are the benefits of Vendor Risk Management?

– “The real value is in the operational and financial data, the interpretation of the data, and the business process that takes that knowledge and drives action.” ~ Joe Yacura, Former CPO, American Express and InterContinental Hotels

Importance and Benefits of VRM

• Outcomes of strong vendor risk management programs?

– Better sourcing decisions

– Increased risk awareness

– Alignment of vendor management strategy with risk exposure

– Deeper understanding of vendors’ operations

Importance and Benefits of VRM

• Damage to property

• Physical harm or death

• Financial harm

• Reputational damage

• Liability for acts or omissions of vendor

Why is Vendor Risk Management Important?

• Best-in-class institutions segment their vendors by risk exposure and focus on the small percentage of the overall vendor base that may present a serious risk to the institution.

Creating a Risk Exposure Framework

• The goal of the risk exposure framework is to create a quick, easy-to-use process for University internal customers to select vendors for a “deeper dive” risk identification and assessment process.

Creating a Risk Exposure Framework

• A vendor risk intelligence system can be created from the compilation of three types of information and data:

– Supplier provided data and information

– Internal customer data and feedback

– Third party resources

Creating a Vendor Risk Intelligence System

Vendor Risk Intelligence System Components

Internal

• One-on-one interactions with vendors

• Vendor “scorecards” or surveys

• Key Performance Indicators (KPIs)

• Internal departments – observational data

Vendor

• Vendor Certification Form

• Meetings with vendor’s key executive management

• Site visits to vendor’s corporate headquarters or to customer facilities

Third Party

• Service Organizational Controls (SOC) Reports

• Dun and Bradstreet reports

• Moody’s

• Google searches

• Glassdoor

• Etc.

Vendor Risk Intelligence (cont’d)

[Diagram labels: Vendor Intelligence Database; Vendor Provided Data; Internal Data; Third Party Data; Vendor Risk Profile]

Vendor Certification Form

What is a Vendor Risk Profile?

• A centralized, cohesive report that can include information from multiple sources used to analyze and assess vendor risk

• Used to communicate to key stakeholders (e.g., consumers of the service/product and senior leadership) key risk attributes of each vendor

Creating a Vendor Risk Profile

Enterprise Risk Management Approach to VRM

• Context: Vendor Risk

• Risk Assessment

– Identify risks using Vendor Risk Intelligence

– Evaluate those risks against risk appetite

• Risk Management

– Determine appropriate risk treatment strategy

Enterprise Risk Management Approach to VRM

• Diverse information

• Reviewed in the context of the services being provided to the organization (e.g., aligned with strategy)

• Leveraged in a way to enable the organization to make better decisions

Enterprise Risk Management Approach to VRM

[Diagram labels: Vendor Intelligence Database; Vendor Provided Data; Internal Data; Third Party Data; Vendor Risk Profile]

Frequency of Vendor Assessment

• Facilitate ongoing, real-time vendor risk assessment by:

– Creating a vendor risk intelligence database that facilitates continual entry of “leading” risk indicators

– Building vendor risk management (assessment and mitigation) into key procurement processes

Building VRM into Procurement Processes

• Three Key Areas:

– Supplier Certification Process

– RFX Process

– Contracting

Build VRM into Procurement Processes

• Contracting – four critical concerns:

– Contract Form

– Contracting Process

– Risky Provisions

– Contract Management

Build VRM into Procurement Processes

• “Risk comes from not knowing what you are doing.” ~ Warren Buffett

Summary - Thoughts for the Day

• Lisanne Sison, Bickmore Email: lsison@Bickmore.net Telephone: 916-244-1119

• Ruth Rauluk, Point Park University Email: rrauluk@pointpark.edu Telephone: 412-392-3996

Questions and Contact Information