Vendor Management: Using COBIT 5
Introduction
New Guidance from ISACA
Areas covered
• IT
• Process owners and stakeholders
• Compliance and laws
• Risk management
• Audit
• Contracts
• Service monitoring
Vendors
• A vendor is a third party that supplies products or services to an enterprise.
• Most enterprises seek external vendor support for assistance with operations for one of the following reasons:
– Vendor expertise
– Vendor capacity
– Vendor assuming risk
– Vendor leveraging scale
Vendor Management
• Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that:
– value creation is maximized and
– risk to the enterprise is minimized
Vendor Management Objectives
Managing vendors has many benefits, including:
• Data loss reduction
• Decrease in audit findings
• Cost optimization
• Increased availability
• Liability reduction
• Increased end-user satisfaction
• Value creation
Vendors to include
Include in the vendor management process those vendors that:
• Play a critical role in daily operations
• Can have a critical impact on the success of strategic projects
• Require long-term contracts
• Have potentially significant financial implications
• Are difficult to change overnight
• Require frequent interaction and/or give rise to disputes
• Access or manage substantial critical or sensitive data
Important Documents
Contract Lifecycle
Contract
Contracts accomplish the following:
• Form a common understanding of what needs to be achieved
• Define all deliverables, relevant service levels and metrics
• Define responsibilities and obligations
• Define the terms and conditions
• Specify how risk will be allocated between parties
• Define legal counsel and jurisdiction stipulations
SLAs
• An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported.
• The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications:
– Financial rewards (for exceeding targets)
– Financial penalties (for underperformance)
SLA Common Pitfalls
• Focus on the wrong objectives
• Simplistic metrics
• Inappropriate terminology
• Room for interpretation
• Labor-intensive reporting requirements
SLA Management Benefits
• Better alignment with business objectives
• Ability to manage services proactively
• Greater transparency of service delivery
• Lower service level management overhead
• Better relationships between the enterprise and vendor
SLA Diagram
Stakeholder Responsibilities
Risk – 5 Threat Categories
• T1 – Selection: Wrong vendor
• T2 – Contract: Incomplete | Static
• T3 – Requirements: Poorly defined
• T4 – Governance: Inadequate vendor management
• T5 – Strategy: Vendor lock-in
Mitigation Strategy
Each numbered mitigation is followed by the threat categories it addresses (T1 to T5 above) and the COBIT 5 processes and enablers that provide guidance for it.

1. Diversify sourcing strategy to avoid overreliance or vendor lock-in
   Threats: T5
   COBIT 5 guidance: APO02 Manage strategy; APO10 Manage suppliers

2. Establish policies and procedures for vendor management
   Threats: T4, T5
   COBIT 5 guidance: APO11 Manage quality
   Enablers: Principles, Policies and Frameworks; Information

3. Establish a vendor management governance model
   Threats: T4, T5
   COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers
   Enabler: Organisational Structures

4. Set up a vendor management organization (VMO) within the enterprise
   Threats: T4, T5
   COBIT 5 guidance: APO10 Manage suppliers
   Enablers: Organisational Structures; People, Skills and Competencies

5. Forecast requirements regarding the skills and competencies of the vendor employees
   Threats: T2
   COBIT 5 guidance: APO10 Manage suppliers
   Enablers: People, Skills and Competencies

6. Use standard documents and templates
   Threats: T2
   Enabler: Information

7. Formulate clear requirements
   Threats: T3, T5
   COBIT 5 guidance: BAI02 Manage requirements definition; BAI03 Manage solutions identification and build
   Enabler: Information

8. Perform adequate vendor selection
   Threats: T1, T5
   COBIT 5 guidance: APO10 Manage suppliers; APO12 Manage risk
   Enablers: People, Skills and Competencies

9. Cover all relevant life-cycle events during contract drafting
   Threats: T2
   COBIT 5 guidance: APO11 Manage quality; APO12 Manage risk
   Enabler: Information

10. Determine the adequate security and controls needed during the relationship
   Threats: T2, T4
   COBIT 5 guidance: APO11 Manage quality; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance
   Enablers: Services, Infrastructure and Applications; Information

11. Set up SLAs
   Threats: T2
   COBIT 5 guidance: APO09 Manage service agreements
   Enabler: Information

12. Set up operating level agreements (OLAs) and underpinning contracts
   Threats: T2
   COBIT 5 guidance: APO09 Manage service agreements
   Enabler: Information

13. Set up appropriate vendor performance/service level monitoring and reporting
   Threats: T2, T4
   COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance
   Enabler: Information

14. Establish a penalties and reward model with the vendor
   Threats: T2
   COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers

15. Conduct adequate vendor relationship management during the life cycle
   Threats: T4
   COBIT 5 guidance: APO08 Manage relationships; APO10 Manage suppliers
   Enabler: Ethics, Culture and Behaviour

16. Review contracts and SLAs on a periodic basis
   Threats: T4, T5
   COBIT 5 guidance: APO09 Manage service agreements; MEA01 Monitor, evaluate and assess performance and conformance
   Enabler: Information

17. Conduct vendor risk management
   Threats: T4, T5
   COBIT 5 guidance: APO10 Manage suppliers; APO12 Manage risk
   Enabler: Organisational Structures

18. Perform an evaluation of compliance with enterprise policies
   Threats: T4
   COBIT 5 guidance: APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements
   Enablers: Principles, Policies and Frameworks; Information

19. Perform an evaluation of vendor internal controls
   Threats: T4
   COBIT 5 guidance: APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance
   Enablers: Organisational Structures; Information

20. Plan and manage the end of the relationship
   Threats: T2, T4, T5
   COBIT 5 guidance: APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk
   Enablers: Services, Infrastructure and Applications; People, Skills and Competencies; Information

21. Use a vendor management system
   Threats: T1, T2, T3, T4
   COBIT 5 guidance: APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk
   Enabler: Services, Infrastructure and Applications

22. Create data and hardware disposal stipulations
   Threats: T2, T4
   COBIT 5 guidance: APO12 Manage risk
   Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks
Q&A