How do I incorporate Business Continuity Management into Vendor Management?

Resiliency DC – April 19, 2011. Margaret J. Millett, MBCP, MBCI, eBay, Inc. - Director of Global Continuity Services, mmillett@ebay.com.

Presentation Transcript


  1. How do I incorporate Business Continuity Management into Vendor Management?
     Resiliency DC – April 19, 2011
     Margaret J. Millett, MBCP, MBCI
     eBay, Inc. - Director of Global Continuity Services
     mmillett@ebay.com

  2. Agenda
     • What is Vendor Management
     • Top 10 Risks for 2010
     • Risk in Vendor Management
     • Vendor Management Models
     • Vendor Management Assessments

  3. What is Vendor Management
     • Vendor management is a working relationship between your company and your vendors. The goal is to have a relationship which allows both companies to gain from the relationship.

  4. Top 10 Risks for 2010
     Source: http://www.cfo.com/article.cfm/14467748
     1. Strategic change management. The upheaval of the past year and the desire to seize opportunities during the recovery will make for a lot of changes, including mergers, acquisitions, and divestitures. These shifts leave a lot of room for controls to fall through the cracks and can create new liabilities.
     2. Capacity. Faced with uncertain demand, companies risk both over- and understaffing. Timing capital expenditures, such as new facilities or equipment, will also pose a challenge.

  5. Top 10 Risks for 2010
     3. Incentive plans. Compensation is under extreme scrutiny in the wake of the recession and could pose a risk for public companies.
     4. Human resources. Layoffs have left many companies with skill gaps and possible holes in their compliance structures.
     5. Fraud. Widely thought to pick up (or be revealed) in down times, fraud can be easier to commit at companies that are short-staffed and under pressure, which would describe most businesses today.

  6. Top 10 Risks for 2010
     6. Innovation/R&D. Companies that have cut back in this area during the downturn risk falling behind their competitors.
     7. Third-party relationships. The collapse of Lehman Brothers opened CFOs' eyes to just how careful and far-reaching they need to be in evaluating third parties.
     8. Shared services. Under pressure to cut costs, finance executives are exploring new locations for their back-office functions. These changes can affect companies' control structures and processes.

  7. Top 10 Risks for 2010
     9. Inflation/Deflation. Currency risk remains an open question for 2010.
     10. Tax management. Recession-scarred states are looking to raise funds through new taxes and stricter enforcement of existing tax laws.

  8. Risk in Vendor Management
     • Lack of end-to-end process and tools, which impairs deployment of effective risk management
     • Diverse and uncoordinated efforts to address gaps in overall program management (for example, Info Security, Business Impact Analysis, Insurance, and Contingency Planning)
     • Unclear end-to-end ownership and exposure tolerance for key vendors
     • Lack of guidance on materiality criteria for vendors at business unit or company level

  9. Executive Management
     • Risk Mitigation Strategy
     • Controls - evaluate the effectiveness of controls that ensure vendor service levels are being measured, monitored and reported to management and the vendor.
     • Risk specific mitigations – receive recommendations on risk mitigation actions.
     • Efficiency Gains – What, if any, significant opportunities are there for improving efficiency?

  10. Executive Management
     • What organizational structure is best suited to address the risk?
        • Centralized
        • Business unit
        • Hybrid

  11. Recommendations: Centralized model
     [Diagram: business units (BU), Global Procurement, Buyer, Category Manager, Supplier Relationship Managers, Suppliers]

  12. Centralized model
     Pros
     • High degree of standardization
     • Streamlines communication and decision making
     Cons
     • Difficult to build and maintain internal business partner buy-in
     • Risk of disconnect with needs of the business

  13. Center-led model
     [Diagram: Global Procurement, Supply Relationship Manager (SRM) Office, business units (BU), Supplier Relationship Managers, Cross-BU SRM team, Suppliers]

  14. Center-led model
     Pros
     • Supports alignment of Supplier Relationship Manager Office with needs of business
     • Balances standardization and sharing best practices with high stakeholder engagement
     Cons
     • Creates governance complexity and requires a high degree of effectiveness in cross-business unit collaboration

  15. Decentralized model
     [Diagram: Global Procurement, business units (BU), Supplier Relationship Managers, Suppliers]

  16. Decentralized model
     Pros
     • Supports alignment of Supply Relationship Manager with needs of the business unit
     Cons
     • Effectiveness of collaboration with suppliers is variable
     • Undermines alignment between sourcing and management of post-award interactions with suppliers
     • Relationships with cross-business unit suppliers significantly sub-optimized

  17. New Vendor Profile/Assessment
     Executive Summary
     • Basic information on the relationship between the company and the Vendor profiled.
     Sponsor Compliance Statement
     • Detail gathered and authenticated by the Sponsor, leading to compliance sign-off of all interested parties at your company.

  18. New Vendor Profile/Assessment
     Legal Compliance Statement
     • Detail provided for and authenticated by the Sponsor and the Corporate Legal representative, leading to compliance sign-off of all interested parties at your company.
     Vendor Compliance Statement
     • Detail provided directly by the Vendor and authenticated by the Sponsor, leading to compliance sign-off of all interested parties at your company.

  19. Vendor Profile/Assessment
     • Executive Summary
        • Relationship sponsor
        • Relationship summary
        • Current state
        • Dependencies
        • Future considerations
        • Alternatives
        • Expenditure history

  20. Vendor Profile/Assessment
     • Sponsor Compliance Statement
        • Product/service information
        • Responsible parties
        • Company operations and controls
        • Service level agreement management
        • Fee management
        • Reports
        • User groups/influential parties

  21. Vendor Profile/Assessment
     • Legal compliance statement
        • General information
        • Service contract provisions
        • Service levels

  22. New Vendor Profile/Assessment
     • Vendor compliance information
        • Administrative
        • Responsible parties
        • Experience summary
        • Published documents
        • Governance summary
        • Operations and controls (includes a Business Continuity sub-section)

  23. New Vendor Profile/Assessment
     • Functional area review statements
        • Overview
        • Compliance
        • Information Security
        • Business Continuity
        • Internal Audit
        • Risk Management

  24. New Vendor Profile/Assessment
     • Functional area review statements
        • Legal
        • Vendor Management
        • Corporate Sponsor
     • All areas listed should consider:
        • Process overview
        • Issues, concerns and strengths identified
        • Exceptions

  25. Existing Vendor Profile/Assessment
     • Vendor compliance information
        • Administrative
        • Responsible parties
        • Experience summary
        • Published documents
        • Governance summary
        • Vendor Operations and Controls

  26. Monthly Vendor Profile/Assessment
     • Completed by Vendor Relationship Owner
     • Performance / service levels
     • Operational disruptions
     • Breach notification
     • Monitoring and testing

  27. Reminder on why organizations need Vendor Management
     • Global increase in outsourcing
     • Risk is unavoidable and is present in all parts of a company
     • High-level officers must know they are responsible for risk management

  28. Thank you for attending the session. I hope everyone learns a lot at the Resiliency DC event.
     Margaret Millett
     mmillett@ebay.com
