In the age of digital everything, organizations are looking to increase their "speed" and "velocity", which often leads to integrating more partners rather than fewer. This presentation introduces the ISACA publication "Vendor Management: Using COBIT 5" and shows how it can assist organizations in delivering an effective vendor management solution.
3. New Guidance from ISACA
Areas covered:
• IT
• Process owners and stakeholders
• Compliance and laws
• Risk management
• Audit
• Contracts
• Service monitoring
4. Vendors
• A vendor is a third party that supplies products or services to an enterprise.
• Most enterprises seek external vendor support for assistance with operations for one of the following reasons:
– Vendor expertise
– Vendor capacity
– Vendor assuming risk
– Vendor leveraging scale
5. Vendor Management
• Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that:
– value creation is maximized and
– risk to the enterprise is minimized
6. Vendor Management Objectives
Managing vendors has many benefits, including:
• Data loss reduction
• Decrease in audit findings
• Cost optimization
• Increased availability
• Liability reduction
• Increased end-user satisfaction
• Value creation
7. Vendors to include
Vendors that should be brought under vendor management are those that:
• Play a critical role in daily operations
• Can have a critical impact on the success of strategic projects
• Require long-term contracts
• Have potentially significant financial implications
• Are difficult to change overnight
• Require frequent interaction and/or give rise to disputes
• Access or manage substantial amounts of critical or sensitive data
10. Contract
Contracts accomplish the following:
• Form a common understanding of what needs to be achieved
• Define all deliverables, relevant service levels and metrics
• Define responsibilities and obligations
• Define the terms and conditions
• Specify how risk will be allocated between the parties
• Define legal counsel and jurisdiction stipulations
11. SLAs
• An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported.
• The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications:
– Financial rewards (for exceeding targets)
– Financial penalties (for underperformance)
12. SLA Common Pitfalls
• Focus on the wrong objectives
• Simplistic metrics
• Inappropriate terminology
• Room for interpretation
• Labor-intensive reporting requirements
13. SLA Management Benefits
• Better alignment with business objectives
• Ability to manage services proactively
• Greater transparency of service delivery
• Lower service level management overhead
• Better relationships between the enterprise and the vendor
17. Mitigation Strategy
Each numbered strategy lists the threats it addresses (T1 to T5) and the corresponding COBIT 5 guidance (processes and, where given, enablers).
1. Diversify sourcing strategy to avoid overreliance or vendor lock-in
– Threats addressed: T5
– COBIT 5 guidance: APO02 Manage strategy; APO10 Manage suppliers
2. Establish policies and procedures for vendor management
– Threats addressed: T4, T5
– COBIT 5 guidance: APO11 Manage quality
– Enablers: Principles, Policies and Frameworks; Information
3. Establish a vendor management governance model
– Threats addressed: T4, T5
– COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers
– Enabler: Organisational Structures
4. Set up a vendor management organization (VMO) within the enterprise
– Threats addressed: T4, T5
– COBIT 5 guidance: APO10 Manage suppliers
– Enablers: Organisational Structures; People, Skills and Competencies
5. Forecast requirements regarding the skills and competencies of the vendor employees
– Threats addressed: T2
– COBIT 5 guidance: APO10 Manage suppliers
– Enablers: People, Skills and Competencies
6. Use standard documents and templates
– Threats addressed: T2
– Enabler: Information
18. Mitigation Strategy
7. Formulate clear requirements
– Threats addressed: T3, T5
– COBIT 5 guidance: BAI02 Manage requirements definition; BAI03 Manage solutions identification and build
– Enabler: Information
8. Perform adequate vendor selection
– Threats addressed: T1, T5
– COBIT 5 guidance: APO10 Manage suppliers; APO12 Manage risk
– Enablers: People, Skills and Competencies
9. Cover all relevant life-cycle events during contract drafting
– Threats addressed: T2
– COBIT 5 guidance: APO11 Manage quality; APO12 Manage risk
– Enabler: Information
10. Determine the adequate security and controls needed during the relationship
– Threats addressed: T4, T2
– COBIT 5 guidance: APO11 Manage quality; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance
– Enablers: Services, Infrastructure and Applications; Information
19. Mitigation Strategy
11. Set up SLAs
– Threats addressed: T2
– COBIT 5 guidance: APO09 Manage service agreements
– Enabler: Information
12. Set up operating level agreements (OLAs) and underpinning contracts
– Threats addressed: T2
– COBIT 5 guidance: APO09 Manage service agreements
– Enabler: Information
13. Set up appropriate vendor performance/service level monitoring and reporting
– Threats addressed: T2, T4
– COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance
– Enabler: Information
14. Establish a penalties and rewards model with the vendor
– Threats addressed: T2
– COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers
20. Mitigation Strategy
15. Conduct adequate vendor relationship management during the life cycle
– Threats addressed: T4
– COBIT 5 guidance: APO08 Manage relationships; APO10 Manage suppliers
– Enablers: Ethics, Culture and Behaviour
16. Review contracts and SLAs on a periodic basis
– Threats addressed: T4, T5
– COBIT 5 guidance: APO09 Manage service agreements; MEA01 Monitor, evaluate and assess performance and conformance
– Enabler: Information
17. Conduct vendor risk management
– Threats addressed: T4, T5
– COBIT 5 guidance: APO10 Manage suppliers; APO12 Manage risk
– Enabler: Organisational Structures
21. Mitigation Strategy
18. Perform an evaluation of compliance with enterprise policies
– Threats addressed: T4
– COBIT 5 guidance: APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements
– Enablers: Principles, Policies and Frameworks; Information
19. Perform an evaluation of vendor internal controls
– Threats addressed: T4
– COBIT 5 guidance: APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance
– Enablers: Organisational Structures; Information
22. Mitigation Strategy
20. Plan and manage the end of the relationship
– Threats addressed: T2, T4, T5
– COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk
– Enablers: Services, Infrastructure and Applications; People, Skills and Competencies; Information
21. Use a vendor management system
– Threats addressed: T1, T2, T3, T4
– COBIT 5 guidance: APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk
– Enabler: Services, Infrastructure and Applications
22. Create data and hardware disposal stipulations
– Threats addressed: T2, T4
– COBIT 5 guidance: APO12 Manage risk
– Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks