This live session is eligible for 1 CPE Credit.
In order to receive this credit, the following items MUST be completed:
Each person wishing to receive CPE Credit must log into the session individually with their credentials
You MUST answer ALL of the polling questions throughout the presentation
You MUST be in attendance for the entire live session
You MUST complete the follow-up survey regarding the session
Rules to Receive CPE Credit
November 12, 2019
Vendor Due Diligence and Contract Management Best Practices
Presented by Gordon Rudd, Third Party Risk Officer at Venminder
3
SESSION AGENDA
Importance of vendor due diligence and contract management
Key vendor due diligence themes and major traps
What is vendor contract management – Who’s involved and why it’s important
Major vendor contract management elements and best practices
Tailoring oversight and hazards of falling asleep at the wheel
Common contract management deficiencies and mistakes
4
THE IMPORTANCE OF VENDOR DUE DILIGENCE
Required by regulatory guidance
Sound business practice
Can make or break the relationship
5
KEY THEMES IN VENDOR DUE DILIGENCE
Timely
Pre-Contract
Risk-based and tailored to the product or service
Document guidelines in program requirements
Make note of all attempts to gather
Update periodically
6
MAJOR TRAPS TO AVOID
• “We’ve never been asked that before”
• One size fits all never works in clothing or risk management
• Dusty due diligence
• Checklist mentality
• Do NOT EVER, EVER, EVER allow someone else to set your standards
7
POLL QUESTION
When does your organization do due diligence?
a. Initial due diligence
b. Periodically after boarding a new vendor
c. Both at initial due diligence and periodically afterwards
d. Never
e. Not sure
8
THE IMPORTANCE OF ONGOING VENDOR OVERSIGHT
• Required by regulatory guidance
• Often the forgotten pillar
• Once the honeymoon is over, who’s keeping the relationship going?
9
HAZARDS OF FALLING ASLEEP AT THE WHEEL
• Third party stops reporting
• No one notices until the car runs off the road
• Customers complain but no one is listening
• Regulators notice issues before your organization
• Many enforcement actions tied to inadequate oversight
• Not listening to management advice
10
TAILORING VENDOR MONITORING
• SLAs
• Seeing through the transaction
• Make individuals accountable
• Require regular updates to senior management and the board
• Ensure the type of oversight makes sense to the product or service outsourced
• Complaint management
11
WHERE IT FITS INTO THE LIFECYCLE WHEEL
OVERSIGHT AND ACCOUNTABILITY
Source: OCC
12
LET’S NOW DIVE INTO EFFECTIVE VENDOR CONTRACT MANAGEMENT
13
POLL QUESTION
Do you currently vet your vendors before signing a contract?
a. Yes
b. No
c. Not applicable
d. Not sure
14
WHAT IS VENDOR CONTRACT MANAGEMENT?
Vendor contract management is the oversight of written agreements with vendors that provide an organization with products or services.
Vendor Contract Management Includes:
Negotiating the terms of contracts and ensuring compliance
Change management
Ongoing maintenance of the relationship
15
WHO IS GENERALLY INVOLVED?
Legal
Vendor Management
Lines of Business
Information Technology
Information Security
Business Continuity Management
Compliance
Operations
Risk
Finance
Procurement
16
WHY EFFECTIVE CONTRACT MANAGEMENT IS IMPORTANT
Your contract is the single most important control in the outsourcing process.
Good contract management can:
Protect your organization, shareholders, customers and the confidential information you’re exchanging
Be used as a negotiation tool pre-execution to guarantee you’re entering a new vendor relationship as strongly as possible
Save money, time, expense and avoid unnecessary headaches
17
WHEN SHOULD YOU BE REVIEWING CONTRACTS?
Vendor Selection
Ongoing Monitoring
Negotiation
18
REGULATORY GUIDANCE AND INDUSTRY STANDARDS
Your vendor contracts should be in compliance with industry regulations and standards.
The following regulations can be used as a guide:
FFIEC IT Examination Handbook
OCC Bulletin 2013-29
FDIC FIL 44-2008
*Other regulators have released guidance pertaining to contract management. The above list represents just a few helpful resources.
19
POLL QUESTION
Do your contracts identify what will happen to your data upon termination?
a. Yes
b. No
c. Not sure
20
MAJOR ELEMENTS THAT SHOULD BE INCLUDED
Business terms
Term, notice and automatic renewals
Identify and mitigate risks
Confidentiality provisions
Disposition of data throughout the relationship (post-termination)
Harmless and indemnification provisions
Events of default
Remedies
Cause for termination
Termination assistance
Dates and deadlines
Warranties and representations
Dispute resolution
21
COMMON DEFICIENCIES THAT WE SEE CALLED OUT
SLAs
Security and confidentiality provisions
Sub-contractor/fourth party identification
Third party compliance documents
Business continuity and disaster recovery plans
22
COMMON MISTAKES TO AVOID
Don’t let these happen to you! Regulators and auditors are looking for well-developed and organized programs. They will likely find contract management issues with any of the following:
No senior management/board approval
A decentralized contract process
Contract execution without documented vendor vetting
Roles and responsibilities are not clearly identified
Lack of proper contract tracking
23
GETTING VENDOR CONTRACT MANAGEMENT IN ORDER
If your organization has not made a practice of reviewing its contracts, then:
• Define the process for all contracts and who should be involved
• Prioritize which contracts to review (recommended: start with your critical and high-risk vendors)
• Ensure process is followed for new contracts
24
9 BEST PRACTICES FOR CONTRACT SUCCESS
Document the process within your vendor management program
Plan the negotiation and strategy prior to engagement
Clearly identify all areas that are involved
Negotiate the terms of the agreement – understand regulatory requirements
Actively manage the delivery of the product or service
Contract management does not end with contract signing
Manage the risks identified
Understand renewal and termination terms
Understand terms for notification provisions and remedy provisions
25
ALSO JOIN US AT OUR UPCOMING WEBINARS:
December 10, 2019: Third Party Risk Management Best Practices for 2020
Thank You
Manage Vendors. Mitigate Risk. Reduce Workload.
venminder.com