SlideShare una empresa de Scribd logo

Vendor management using COBIT 5

Descargar como PPTX, PDF
Robert Stroud
Robert Stroud

In the age of Digital everything, organizations are looking to increase their "speed" and "velocity" which often leads to the integration of more partners rather than less. This presentation delivers an introduction to using the ISACA Publication "Vendor Management: Using COBIT 5" to assist organizations in delivering an effective Vendor solution.

Tecnología
1 de 23
Vendor Management: Using COBIT 5
Introduction
New Guidance from ISACA Areas covered • IT • Process owners and stakeholders • Compliance and laws • Risk management • Audit • Contracts • Service monitoring
Vendors • A vendor is a third party that supplies products or services to an enterprise. • Most enterprises seek external vendor support for assistance with operations for one of the following reasons: – Vendor expertise – Vendor capacity – Vendor assuming risk – Vendor leveraging scale
Vendor Management • Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that: – value creation is maximized and – risk to the enterprise is minimized
Vendor Management Objectives Managing vendors has many benefits, including: • Data loss reduction • Decrease in audit findings • Cost optimization • Increased availability • Liability reduction • Increased end-user satisfaction • Value creation
Vendors to include  Play a critical role in daily operations  Can have critical impact on the success of strategic projects  Require long-term contracts  Have potential significant financial implications  Are difficult to change overnight  Require frequent interaction and/or disputes  Access or manage substantial critical or sensitive data
Important Documents
Contract Lifecycle
Contract Contracts accomplishes the following: • Form a common understanding of what needs to be achieved • Define all deliverables, relevant service levels and metrics • Define responsibilities and obligations • Define the terms and conditions • Specify how risk will be allocated between parties • Define legal counsel and jurisdiction stipulations
SLAs • An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported. • The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications: – Financial rewards (for exceeding targets) – Financial penalties (for underperformance)
SLA Common Pitfalls • Focus on the wrong objectives • Simplistic metrics • Inappropriate terminology • Room for interpretation • Labor-intensive reporting requirements
SLA Management Benefits • Better alignment with business objectives • Ability to manage services proactively • Greater transparency of service delivery • Lower service level management overhead • Better relationships between the enterprise and vendor
SLA Diagram
Stakeholder Responsibilities
Risk – 5 Threat Categories • T1 – Selection: Wrong vendor • T2 – Contract: Incomplete | Static • T3 – Requirements: Poorly defined • T4 – Governance: Inadequate vendor management • T5 – Strategy: Vendor lock-in
Mitigation Strategy Threat COBIT 5 Guidance 1. Diversify sourcing strategy to avoid overreliance or vendor lock in T5 APO02 Manage strategy, APO10 Manage suppliers 2. Establish policies and procedures for vendor management T4, T5 APO11 Manage quality – Enablers: Principles, Policies and Frameworks; Information 3. Establish a vendor management governance model T4, T5 APO09 Manage service agreements, APO10 Manage suppliers – Enabler: Organisational Structures 4. Set up a vendor management organization within the enterprise (VMO) T4, T5 APO10 Manage suppliers -- Enablers: Organisational Structures; People, Skills and Competencies 5. Forecast requirements regarding the skills and competencies of the vendor employees T2 APO10 Manage suppliers – Enablers: People, Skills and Competencies 6. Use standard documents and templates T2 – Enabler: Information
Mitigation Strategy Threat COBIT 5 Guidance 7. Formulate clear requirements T3, T5 BAI02 Manage requirements definition, BAI03 Manage solutions identification and build – Enabler: Information 8. Perform adequate vendor selection T1, T5 APO10 Manage suppliers, APO12 Manage risk – Enablers: People, Skills and Competencies 9. Cover all relevant life-cycle events during contract drafting T2 APO11 Manage quality, APO12 Manage risk – Enabler: Information 10. Determine the adequate security and controls needed during the relationship T4, T2 APO11 Manage quality; APO12 Manage risk, MEA01 Monitor, evaluate and assess performance and conformance – Enablers: Service, Infrastructure and Applications; Information
Mitigation Strategy Threat COBIT 5 Guidance 11. Set up SLAs T2 APO09 Manage service agreements – Enabler: Information 12. Set up operating level agreements (OLAs) and underpinning contracts T2 APO09 Manage service agreements – Enabler: Information 13. Set up appropriate vendor performance/service level monitoring and reporting T2, T4 APO09 Manage service agreements, APO10 Manage suppliers, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 14. Establish a penalties and reward model with the vendor T2 APO09 Manage service agreements, APO10 Manage suppliers
Mitigation Strategy Threat COBIT 5 Guidance 15. Conduct adequate vendor relationship management during the life cycle T4 APO08 Manage relationships, APO10 Manage suppliers – Enablers: Ethics, Culture and Behaviour 16. Review contracts and SLAs on a periodic basis T4, T5 APO09 Manage service agreements, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 17. Conduct vendor risk management T4, T5 APO10 Manage suppliers, APO12 Manage risk – Enabler: Organisational Structures
Mitigation Strategy Threat COBIT 5 Guidance 18. Perform an evaluation of compliance with enterprise policies T4 APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements – Enablers: Principles, Policies and Frameworks; Information 19. Perform an evaluation of vendor internal controls T4 APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Organisational Structures; Information
Mitigation Strategy Threat COBIT 5 Guidance 20. Plan and manage the end of the relationship T2, T4, T5 APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk – Enabler: Services, Infrastructure and Applications; People, Skills and Competencies; Information 21. Use a vendor management system T1, T2, T3, T4 APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk – Enabler: Services, Infrastructure and Applications 22. Create data and hardware disposal stipulations T2, T4 APO12 Manage risk – Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks
Q&A

Recomendados

Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
Christian F. Nissen
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
Sherri Booher
 
ArchiMate technology layer - Simplify the models
ArchiMate technology layer - Simplify the modelsArchiMate technology layer - Simplify the models
ArchiMate technology layer - Simplify the models
COMPETENSIS
 
Project scope management 1
Project scope management 1Project scope management 1
Project scope management 1
Mohammad Ashraf Khan, PMP
 
IT Enterprise architecture ppt
IT Enterprise architecture pptIT Enterprise architecture ppt
IT Enterprise architecture ppt
Monsif sakienah
 
COBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdfCOBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdf
MartinPatrici
 
New ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation StepsNew ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation Steps
Integration Technologies Group Inc
 
10. Project Quality Management
10. Project Quality Management 10. Project Quality Management
10. Project Quality Management
BhuWan Khadka
 

Recomendados

Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
Christian F. Nissen
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
Sherri Booher
 
ArchiMate technology layer - Simplify the models
ArchiMate technology layer - Simplify the modelsArchiMate technology layer - Simplify the models
ArchiMate technology layer - Simplify the models
COMPETENSIS
 
Project scope management 1
Project scope management 1Project scope management 1
Project scope management 1
Mohammad Ashraf Khan, PMP
 
IT Enterprise architecture ppt
IT Enterprise architecture pptIT Enterprise architecture ppt
IT Enterprise architecture ppt
Monsif sakienah
 
COBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdfCOBIT 2019 Overview_v1.1.pdf
COBIT 2019 Overview_v1.1.pdf
MartinPatrici
 
New ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation StepsNew ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation Steps
Integration Technologies Group Inc
 
10. Project Quality Management
10. Project Quality Management 10. Project Quality Management
10. Project Quality Management
BhuWan Khadka
 
Requirements lifecycle management
Requirements lifecycle managementRequirements lifecycle management
Requirements lifecycle management
OD Ali
 
IT Governance
IT GovernanceIT Governance
IT Governance
Carlos Chalico
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
jiricejka
 
IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022 IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022
Rob Akershoek
 
IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).
Rob Akershoek
 
Togaf Roadshow
Togaf RoadshowTogaf Roadshow
Togaf Roadshow
Unicorn College
 
ITIL-4-Framework-2021.pptx
ITIL-4-Framework-2021.pptxITIL-4-Framework-2021.pptx
ITIL-4-Framework-2021.pptx
Exlit
 
7 Steps to a successful ServiceNow Implementation
7 Steps to a successful ServiceNow Implementation7 Steps to a successful ServiceNow Implementation
7 Steps to a successful ServiceNow Implementation
Navvia
 
Business Architecture Explained
Business Architecture ExplainedBusiness Architecture Explained
Business Architecture Explained
aaronwilliamson
 
Will They Blend? - Agile, TOGAF and Enterprise Architecture
Will They Blend? - Agile, TOGAF and Enterprise ArchitectureWill They Blend? - Agile, TOGAF and Enterprise Architecture
Will They Blend? - Agile, TOGAF and Enterprise Architecture
ITpreneurs
 
ITIL Continual Service Improvement
ITIL Continual Service ImprovementITIL Continual Service Improvement
ITIL Continual Service Improvement
Marvin Sirait
 
Project Scope Management
Project Scope ManagementProject Scope Management
Project Scope Management
Andersson Lujan Ojeda
 
ITIL vs. COBIT
ITIL vs. COBITITIL vs. COBIT
ITIL vs. COBIT
Mohsen Yousefi
 
ITIL Introduction
ITIL IntroductionITIL Introduction
ITIL Introduction
Ravi Kiran
 
BPO Transition Framework visuals toolbox PPT
BPO Transition Framework visuals toolbox PPTBPO Transition Framework visuals toolbox PPT
BPO Transition Framework visuals toolbox PPT
Peter Zvirinsky
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
Burcu Pelin TELLİ
 
Togaf introduction and core concepts
Togaf introduction and core conceptsTogaf introduction and core concepts
Togaf introduction and core concepts
Paul Sullivan
 
ITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT MappingITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT Mapping
Rob Akershoek
 
Digital Operating Model & IT4IT
Digital Operating Model & IT4ITDigital Operating Model & IT4IT
Digital Operating Model & IT4IT
David Favelle
 
ITIL 4 service value chain data flows (input and outputs)
ITIL 4 service value chain data flows (input and outputs)ITIL 4 service value chain data flows (input and outputs)
ITIL 4 service value chain data flows (input and outputs)
Rob Akershoek
 
Vendor Management Systems Best Practices
Vendor Management Systems Best PracticesVendor Management Systems Best Practices
Vendor Management Systems Best Practices
jeffmonaghan
 
Agility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBITAgility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBIT
Przemek Wysota
 

Más contenido relacionado

La actualidad más candente

IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022 IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022
Rob Akershoek
 

La actualidad más candente (20)

Requirements lifecycle management
Requirements lifecycle managementRequirements lifecycle management
Requirements lifecycle management
 
IT Governance
IT GovernanceIT Governance
IT Governance
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
 
IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022 IT4IT / DevOps Tooling Landscape 2022
IT4IT / DevOps Tooling Landscape 2022
 
IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).IT4IT and DevOps Tools Landscape (2020).
IT4IT and DevOps Tools Landscape (2020).
 
Togaf Roadshow
Togaf RoadshowTogaf Roadshow
Togaf Roadshow
 
ITIL-4-Framework-2021.pptx
ITIL-4-Framework-2021.pptxITIL-4-Framework-2021.pptx
ITIL-4-Framework-2021.pptx
 
7 Steps to a successful ServiceNow Implementation
7 Steps to a successful ServiceNow Implementation7 Steps to a successful ServiceNow Implementation
7 Steps to a successful ServiceNow Implementation
 
Business Architecture Explained
Business Architecture ExplainedBusiness Architecture Explained
Business Architecture Explained
 
Will They Blend? - Agile, TOGAF and Enterprise Architecture
Will They Blend? - Agile, TOGAF and Enterprise ArchitectureWill They Blend? - Agile, TOGAF and Enterprise Architecture
Will They Blend? - Agile, TOGAF and Enterprise Architecture
 
ITIL Continual Service Improvement
ITIL Continual Service ImprovementITIL Continual Service Improvement
ITIL Continual Service Improvement
 
Project Scope Management
Project Scope ManagementProject Scope Management
Project Scope Management
 
ITIL vs. COBIT
ITIL vs. COBITITIL vs. COBIT
ITIL vs. COBIT
 
ITIL Introduction
ITIL IntroductionITIL Introduction
ITIL Introduction
 
BPO Transition Framework visuals toolbox PPT
BPO Transition Framework visuals toolbox PPTBPO Transition Framework visuals toolbox PPT
BPO Transition Framework visuals toolbox PPT
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
Togaf introduction and core concepts
Togaf introduction and core conceptsTogaf introduction and core concepts
Togaf introduction and core concepts
 
ITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT MappingITIL,COBIT and IT4IT Mapping
ITIL,COBIT and IT4IT Mapping
 
Digital Operating Model & IT4IT
Digital Operating Model & IT4ITDigital Operating Model & IT4IT
Digital Operating Model & IT4IT
 
ITIL 4 service value chain data flows (input and outputs)
ITIL 4 service value chain data flows (input and outputs)ITIL 4 service value chain data flows (input and outputs)
ITIL 4 service value chain data flows (input and outputs)
 

Destacado

Vendor Management Systems Best Practices
Vendor Management Systems Best PracticesVendor Management Systems Best Practices
Vendor Management Systems Best Practices
jeffmonaghan
 
IT Strategic Vendor Management
IT Strategic Vendor ManagementIT Strategic Vendor Management
IT Strategic Vendor Management
Bill Whetstone
 
Outsourcing and Vendor management
Outsourcing and Vendor managementOutsourcing and Vendor management
Outsourcing and Vendor management
Raminder Pal Singh
 
Top 10 Procurement KPI\'s
Top 10 Procurement KPI\'sTop 10 Procurement KPI\'s
Top 10 Procurement KPI\'s
amberkar
 
BravoConnect 2014: Risk Management
BravoConnect 2014: Risk ManagementBravoConnect 2014: Risk Management
BravoConnect 2014: Risk Management
BravoSolution
 
Tactica advanced sourcing solution
Tactica advanced sourcing solutionTactica advanced sourcing solution
Tactica advanced sourcing solution
Chee Wee Loke
 

Destacado (20)

Vendor Management Systems Best Practices
Vendor Management Systems Best PracticesVendor Management Systems Best Practices
Vendor Management Systems Best Practices
 
Agility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBITAgility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBIT
 
Vendor Management
Vendor ManagementVendor Management
Vendor Management
 
Vendor Management
Vendor ManagementVendor Management
Vendor Management
 
Vendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto SeriesVendor Management - Compliance Checklist Manifesto Series
Vendor Management - Compliance Checklist Manifesto Series
 
Governance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 FrameworkGovernance and Management of Enterprise IT with COBIT 5 Framework
Governance and Management of Enterprise IT with COBIT 5 Framework
 
IT Strategic Vendor Management
IT Strategic Vendor ManagementIT Strategic Vendor Management
IT Strategic Vendor Management
 
Outsourcing and Vendor management
Outsourcing and Vendor managementOutsourcing and Vendor management
Outsourcing and Vendor management
 
It governance & cobit 5
It governance & cobit 5It governance & cobit 5
It governance & cobit 5
 
Top 10 Procurement KPI\'s
Top 10 Procurement KPI\'sTop 10 Procurement KPI\'s
Top 10 Procurement KPI\'s
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?Jeffrey Sweet - Third Party Risk Governance - Why? and How?
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
 
Equipo Interno de Implementacion ERP
Equipo Interno de Implementacion ERPEquipo Interno de Implementacion ERP
Equipo Interno de Implementacion ERP
 
Horizon 2013 Zycus Vision
Horizon 2013 Zycus Vision Horizon 2013 Zycus Vision
Horizon 2013 Zycus Vision
 
BravoConnect 2014: Risk Management
BravoConnect 2014: Risk ManagementBravoConnect 2014: Risk Management
BravoConnect 2014: Risk Management
 
Talend Data Preparation Overview
Talend Data Preparation OverviewTalend Data Preparation Overview
Talend Data Preparation Overview
 
Procurement Solutions - Paul Turner
Procurement Solutions - Paul TurnerProcurement Solutions - Paul Turner
Procurement Solutions - Paul Turner
 
Introduction to Val IT
Introduction to Val ITIntroduction to Val IT
Introduction to Val IT
 
Tactica advanced sourcing solution
Tactica advanced sourcing solutionTactica advanced sourcing solution
Tactica advanced sourcing solution
 
Key Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management ProgramsKey Challenges Facing Vendor Risk Management Programs
Key Challenges Facing Vendor Risk Management Programs
 
Negotiation
NegotiationNegotiation
Negotiation
 

Similar a Vendor management using COBIT 5

The Journey to World Class Presentation Contract Management - IACCM Sydney Co...
The Journey to World Class Presentation Contract Management - IACCM Sydney Co...The Journey to World Class Presentation Contract Management - IACCM Sydney Co...
The Journey to World Class Presentation Contract Management - IACCM Sydney Co...
David Gee
 
Vendor Management Best Practices: Is Your Program Up to Par?
Vendor Management Best Practices: Is Your Program Up to Par?Vendor Management Best Practices: Is Your Program Up to Par?
Vendor Management Best Practices: Is Your Program Up to Par?
EDR
 
Vendor Selection Process
Vendor Selection ProcessVendor Selection Process
Vendor Selection Process
grinehart
 
Danforth Intl Presentation
Danforth Intl PresentationDanforth Intl Presentation
Danforth Intl Presentation
kendan4th
 
Improve Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best PracticesImprove Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best Practices
Lavante Inc.
 

Similar a Vendor management using COBIT 5 (20)

How to implement a strategic IT vendor management program
How to implement a strategic IT vendor management programHow to implement a strategic IT vendor management program
How to implement a strategic IT vendor management program
 
Post Award Contract Management for IT Suppliers v1.0 20200701
Post Award Contract Management for IT Suppliers v1.0 20200701Post Award Contract Management for IT Suppliers v1.0 20200701
Post Award Contract Management for IT Suppliers v1.0 20200701
 
The Journey to World Class Presentation Contract Management - IACCM Sydney Co...
The Journey to World Class Presentation Contract Management - IACCM Sydney Co...The Journey to World Class Presentation Contract Management - IACCM Sydney Co...
The Journey to World Class Presentation Contract Management - IACCM Sydney Co...
 
Vendor selection
Vendor selectionVendor selection
Vendor selection
 
Outsource.ppt
Outsource.pptOutsource.ppt
Outsource.ppt
 
Procurement-Contract_Management_v2
Procurement-Contract_Management_v2Procurement-Contract_Management_v2
Procurement-Contract_Management_v2
 
The Enterprise Supply Chain View
The Enterprise Supply Chain ViewThe Enterprise Supply Chain View
The Enterprise Supply Chain View
 
The biggest problems caused by suppliers and how to prevent them
The biggest problems caused by suppliers and how to prevent themThe biggest problems caused by suppliers and how to prevent them
The biggest problems caused by suppliers and how to prevent them
 
Iso 20000 presentation
Iso 20000 presentationIso 20000 presentation
Iso 20000 presentation
 
EFS Facilities Services Group | Performance Management
EFS Facilities Services Group | Performance ManagementEFS Facilities Services Group | Performance Management
EFS Facilities Services Group | Performance Management
 
EFS Facilities Services Group | Performance Management
EFS Facilities Services Group | Performance ManagementEFS Facilities Services Group | Performance Management
EFS Facilities Services Group | Performance Management
 
Supplier Relationship & Performance Management
Supplier Relationship & Performance ManagementSupplier Relationship & Performance Management
Supplier Relationship & Performance Management
 
Vendor Management Best Practices: Is Your Program Up to Par?
Vendor Management Best Practices: Is Your Program Up to Par?Vendor Management Best Practices: Is Your Program Up to Par?
Vendor Management Best Practices: Is Your Program Up to Par?
 
Vendor Selection Process
Vendor Selection ProcessVendor Selection Process
Vendor Selection Process
 
The Enterprise Supply Chain View
The Enterprise Supply Chain ViewThe Enterprise Supply Chain View
The Enterprise Supply Chain View
 
The Enterprise Supply Chain View
The Enterprise Supply Chain ViewThe Enterprise Supply Chain View
The Enterprise Supply Chain View
 
Danforth Intl Presentation
Danforth Intl PresentationDanforth Intl Presentation
Danforth Intl Presentation
 
Governance in Outsourcing Made Simple
Governance in Outsourcing Made SimpleGovernance in Outsourcing Made Simple
Governance in Outsourcing Made Simple
 
Improve Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best PracticesImprove Regulatory Compliance & Risk Management Using Best Practices
Improve Regulatory Compliance & Risk Management Using Best Practices
 
Business procurement audit
Business procurement auditBusiness procurement audit
Business procurement audit
 

Último

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Vendor management using COBIT 5

  • 3. New Guidance from ISACA Areas covered • IT • Process owners and stakeholders • Compliance and laws • Risk management • Audit • Contracts • Service monitoring
  • 4. Vendors • A vendor is a third party that supplies products or services to an enterprise. • Most enterprises seek external vendor support for assistance with operations for one of the following reasons: – Vendor expertise – Vendor capacity – Vendor assuming risk – Vendor leveraging scale
  • 5. Vendor Management • Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that: – value creation is maximized and – risk to the enterprise is minimized
  • 6. Vendor Management Objectives Managing vendors has many benefits, including: • Data loss reduction • Decrease in audit findings • Cost optimization • Increased availability • Liability reduction • Increased end-user satisfaction • Value creation
  • 7. Vendors to include  Play a critical role in daily operations  Can have critical impact on the success of strategic projects  Require long-term contracts  Have potential significant financial implications  Are difficult to change overnight  Require frequent interaction and/or disputes  Access or manage substantial critical or sensitive data
  • 10. Contract Contracts accomplishes the following: • Form a common understanding of what needs to be achieved • Define all deliverables, relevant service levels and metrics • Define responsibilities and obligations • Define the terms and conditions • Specify how risk will be allocated between parties • Define legal counsel and jurisdiction stipulations
  • 11. SLAs • An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported. • The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications: – Financial rewards (for exceeding targets) – Financial penalties (for underperformance)
  • 12. SLA Common Pitfalls • Focus on the wrong objectives • Simplistic metrics • Inappropriate terminology • Room for interpretation • Labor-intensive reporting requirements
  • 13. SLA Management Benefits • Better alignment with business objectives • Ability to manage services proactively • Greater transparency of service delivery • Lower service level management overhead • Better relationships between the enterprise and vendor
  • 16. Risk – 5 Threat Categories • T1 – Selection: Wrong vendor • T2 – Contract: Incomplete | Static • T3 – Requirements: Poorly defined • T4 – Governance: Inadequate vendor management • T5 – Strategy: Vendor lock-in
  • 17. Mitigation Strategy Threat COBIT 5 Guidance 1. Diversify sourcing strategy to avoid overreliance or vendor lock in T5 APO02 Manage strategy, APO10 Manage suppliers 2. Establish policies and procedures for vendor management T4, T5 APO11 Manage quality – Enablers: Principles, Policies and Frameworks; Information 3. Establish a vendor management governance model T4, T5 APO09 Manage service agreements, APO10 Manage suppliers – Enabler: Organisational Structures 4. Set up a vendor management organization within the enterprise (VMO) T4, T5 APO10 Manage suppliers -- Enablers: Organisational Structures; People, Skills and Competencies 5. Forecast requirements regarding the skills and competencies of the vendor employees T2 APO10 Manage suppliers – Enablers: People, Skills and Competencies 6. Use standard documents and templates T2 – Enabler: Information
  • 18. Mitigation Strategy Threat COBIT 5 Guidance 7. Formulate clear requirements T3, T5 BAI02 Manage requirements definition, BAI03 Manage solutions identification and build – Enabler: Information 8. Perform adequate vendor selection T1, T5 APO10 Manage suppliers, APO12 Manage risk – Enablers: People, Skills and Competencies 9. Cover all relevant life-cycle events during contract drafting T2 APO11 Manage quality, APO12 Manage risk – Enabler: Information 10. Determine the adequate security and controls needed during the relationship T4, T2 APO11 Manage quality; APO12 Manage risk, MEA01 Monitor, evaluate and assess performance and conformance – Enablers: Service, Infrastructure and Applications; Information
  • 19. Mitigation Strategy Threat COBIT 5 Guidance 11. Set up SLAs T2 APO09 Manage service agreements – Enabler: Information 12. Set up operating level agreements (OLAs) and underpinning contracts T2 APO09 Manage service agreements – Enabler: Information 13. Set up appropriate vendor performance/service level monitoring and reporting T2, T4 APO09 Manage service agreements, APO10 Manage suppliers, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 14. Establish a penalties and reward model with the vendor T2 APO09 Manage service agreements, APO10 Manage suppliers
  • 20. Mitigation Strategy Threat COBIT 5 Guidance 15. Conduct adequate vendor relationship management during the life cycle T4 APO08 Manage relationships, APO10 Manage suppliers – Enablers: Ethics, Culture and Behaviour 16. Review contracts and SLAs on a periodic basis T4, T5 APO09 Manage service agreements, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 17. Conduct vendor risk management T4, T5 APO10 Manage suppliers, APO12 Manage risk – Enabler: Organisational Structures
  • 21. Mitigation Strategy Threat COBIT 5 Guidance 18. Perform an evaluation of compliance with enterprise policies T4 APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements – Enablers: Principles, Policies and Frameworks; Information 19. Perform an evaluation of vendor internal controls T4 APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Organisational Structures; Information
  • 22. Mitigation Strategy Threat COBIT 5 Guidance 20. Plan and manage the end of the relationship T2, T4, T5 APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk – Enabler: Services, Infrastructure and Applications; People, Skills and Competencies; Information 21. Use a vendor management system T1, T2, T3, T4 APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk – Enabler: Services, Infrastructure and Applications 22. Create data and hardware disposal stipulations T2, T4 APO12 Manage risk – Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks
  • 23. Q&A