Vendor management using COBIT 5
Download as PPTX, PDF14 likes69,751 views
The document outlines best practices for vendor management using COBIT 5, emphasizing the strategic importance of building and maintaining effective vendor relationships. It highlights objectives such as value creation, risk minimization, and the enhancement of service delivery through well-defined contracts and Service Level Agreements (SLAs). The guidance provided includes risk management strategies and recommendations for establishing a governance model to improve vendor selection, communication, and performance monitoring.
Vendor management using COBIT 5
- 2. Introduction
- 3. New Guidance from ISACA Areas covered • IT • Process owners and stakeholders • Compliance and laws • Risk management • Audit • Contracts • Service monitoring
- 4. Vendors • A vendor is a third party that supplies products or services to an enterprise. • Most enterprises seek external vendor support for assistance with operations for one of the following reasons: – Vendor expertise – Vendor capacity – Vendor assuming risk – Vendor leveraging scale
- 5. Vendor Management • Vendor management is a strategic process that is dedicated to the sourcing and management of vendor relationships so that: – value creation is maximized and – risk to the enterprise is minimized
- 6. Vendor Management Objectives Managing vendors has many benefits, including: • Data loss reduction • Decrease in audit findings • Cost optimization • Increased availability • Liability reduction • Increased end-user satisfaction • Value creation
- 7. Vendors to include Play a critical role in daily operations Can have critical impact on the success of strategic projects Require long-term contracts Have potential significant financial implications Are difficult to change overnight Require frequent interaction and/or disputes Access or manage substantial critical or sensitive data
- 10. Contract Contracts accomplishes the following: • Form a common understanding of what needs to be achieved • Define all deliverables, relevant service levels and metrics • Define responsibilities and obligations • Define the terms and conditions • Specify how risk will be allocated between parties • Define legal counsel and jurisdiction stipulations
- 11. SLAs • An SLA is an agreement, preferably documented, between a product or service provider and the enterprise that defines minimum performance targets for a deliverable and how they will be measured and reported. • The SLA enables customer and vendor accountabilities and expectations to be clearly understood. Performance can have the following implications: – Financial rewards (for exceeding targets) – Financial penalties (for underperformance)
- 12. SLA Common Pitfalls • Focus on the wrong objectives • Simplistic metrics • Inappropriate terminology • Room for interpretation • Labor-intensive reporting requirements
- 13. SLA Management Benefits • Better alignment with business objectives • Ability to manage services proactively • Greater transparency of service delivery • Lower service level management overhead • Better relationships between the enterprise and vendor
- 14. SLA Diagram
- 16. Risk – 5 Threat Categories • T1 – Selection: Wrong vendor • T2 – Contract: Incomplete | Static • T3 – Requirements: Poorly defined • T4 – Governance: Inadequate vendor management • T5 – Strategy: Vendor lock-in
- 17. Mitigation Strategy Threat COBIT 5 Guidance 1. Diversify sourcing strategy to avoid overreliance or vendor lock in T5 APO02 Manage strategy, APO10 Manage suppliers 2. Establish policies and procedures for vendor management T4, T5 APO11 Manage quality – Enablers: Principles, Policies and Frameworks; Information 3. Establish a vendor management governance model T4, T5 APO09 Manage service agreements, APO10 Manage suppliers – Enabler: Organisational Structures 4. Set up a vendor management organization within the enterprise (VMO) T4, T5 APO10 Manage suppliers -- Enablers: Organisational Structures; People, Skills and Competencies 5. Forecast requirements regarding the skills and competencies of the vendor employees T2 APO10 Manage suppliers – Enablers: People, Skills and Competencies 6. Use standard documents and templates T2 – Enabler: Information
- 18. Mitigation Strategy Threat COBIT 5 Guidance 7. Formulate clear requirements T3, T5 BAI02 Manage requirements definition, BAI03 Manage solutions identification and build – Enabler: Information 8. Perform adequate vendor selection T1, T5 APO10 Manage suppliers, APO12 Manage risk – Enablers: People, Skills and Competencies 9. Cover all relevant life-cycle events during contract drafting T2 APO11 Manage quality, APO12 Manage risk – Enabler: Information 10. Determine the adequate security and controls needed during the relationship T4, T2 APO11 Manage quality; APO12 Manage risk, MEA01 Monitor, evaluate and assess performance and conformance – Enablers: Service, Infrastructure and Applications; Information
- 19. Mitigation Strategy Threat COBIT 5 Guidance 11. Set up SLAs T2 APO09 Manage service agreements – Enabler: Information 12. Set up operating level agreements (OLAs) and underpinning contracts T2 APO09 Manage service agreements – Enabler: Information 13. Set up appropriate vendor performance/service level monitoring and reporting T2, T4 APO09 Manage service agreements, APO10 Manage suppliers, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 14. Establish a penalties and reward model with the vendor T2 APO09 Manage service agreements, APO10 Manage suppliers
- 20. Mitigation Strategy Threat COBIT 5 Guidance 15. Conduct adequate vendor relationship management during the life cycle T4 APO08 Manage relationships, APO10 Manage suppliers – Enablers: Ethics, Culture and Behaviour 16. Review contracts and SLAs on a periodic basis T4, T5 APO09 Manage service agreements, MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Information 17. Conduct vendor risk management T4, T5 APO10 Manage suppliers, APO12 Manage risk – Enabler: Organisational Structures
- 21. Mitigation Strategy Threat COBIT 5 Guidance 18. Perform an evaluation of compliance with enterprise policies T4 APO10 Manage suppliers; MEA01 Monitor, evaluate and assess performance and conformance; MEA03 Monitor, evaluate and assess compliance with external requirements – Enablers: Principles, Policies and Frameworks; Information 19. Perform an evaluation of vendor internal controls T4 APO10 Manage suppliers; APO12 Manage risk; MEA01 Monitor, evaluate and assess performance and conformance – Enabler: Organisational Structures; Information
- 22. Mitigation Strategy Threat COBIT 5 Guidance 20. Plan and manage the end of the relationship T2, T4, T5 APO09 Manage service agreements; APO10 Manage suppliers; APO12 Manage risk – Enabler: Services, Infrastructure and Applications; People, Skills and Competencies; Information 21. Use a vendor management system T1, T2, T3, T4 APO08 Manage relationships; APO09 Manage service agreements; APO11 Manage quality; APO12 Manage risk – Enabler: Services, Infrastructure and Applications 22. Create data and hardware disposal stipulations T2, T4 APO12 Manage risk – Enablers: Services, Infrastructure and Applications; Information; Principles, Policies and Frameworks
- 23. Q&A