What Is Vendor Management And Why Is It Important To You?

What Is Vendor Management And Why Is It Important To You?
Matt Luongo – CLS Bank International
June 17, 2015

Who manages third party vendors at your organization?
Is there a vendor management framework that consistently manages third party risks?
Do you know all of your vendors? Do they have a contract?

Agenda
- Vendor Management Key Components
- Effective Vendor Management Framework
- Regulator Expectations
- Focus Areas

Disclaimer The opinions expressed in this presentation and on the following slides are solely those of the presenter and not those of CLS Bank. Concepts used have been adapted based on Gartner and Deloitte research and noted as such.

In The News
- Target Investigates Credit Card Breach (2013)
- Home Depot's 56 Million Card Breach Bigger Than Target's (2014)
- St. Louis Federal Reserve URLs Hijacked (2015)

"In 2013, American Express, Capital One, and Discover Bank paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers." - McKinsey & Company, July 2013

Data breaches at vendors and other third parties continue to have a high profile in the news. Target was hacked through an HVAC company; the IRS was hacked through a third-party hosting website; Home Depot was hacked through checkout terminals. And it is not just data hacks: back in 2013, American Express, Capital One and Discover Bank paid $530 million to settle complaints about deceptive selling by their third-party suppliers. The common link is third parties. In today's environment it would be nearly impossible to find a company that does not contract with a vendor. But the convenience and flexibility of outsourcing to third parties comes with significant risks, including the potential for regulatory penalties related to vendor incidents. Preventing risk events at third-party providers has always been a challenge, but now the stakes are far higher. So how do companies effectively manage vendors and the risks that come with dealing with them? Today, no one ever remembers the vendor's name.

What is Vendor Management?
Vendor Management is the ongoing management of third-party providers of products or services. The goal of VM is to ensure the organization continuously obtains the best value from external providers of products and services while controlling exposure to vendor-related risk.

Lifecycle | Description
Governance & Process | Establish strategy and governance. Define SOPs, documentation, system, roles and responsibilities
Select Vendors | Select vendors in accordance with a formal, unbiased practice. Ensure the best fit for the product/service requirements and the best value at the optimal exposure to vendor risk
Manage Vendor Contracts | Manage vendor contracts through the contract lifecycle
Manage Vendor Risk | Manage vendor risk to protect the organization from negative effects that can be caused by events on the vendor's side
Manage Vendor Relationships | Maintain effective relationships with vendors
Manage Vendor Performance | Ensure vendors perform as contracted

Stakeholders: Vendor Manager, Business Owner, Procurement, Finance, Legal, Sr. Mgmt.

Why is it important?
Because we must measure, manage, and scrutinize the vendors we rely on to deliver value.

Reliance
- We need vendors to deliver critical specialized services
- Over half of a company's expenditure is with vendors
- Vendors globally help us achieve our mission
- Our contracts are a strategic asset; vendor management is a core competence

Value
- Maximise value and deliver great commercial outcomes through our relationships

Risk
- Increased regulatory and member scrutiny on how financial institutions manage third party vendor risk: operational, cyber security, supply chain, compliance, strategic, financial and reputational

Importance has evolved with the changing business environment: Y2K (2000), offshore (2005), financial crisis (2008), nearshore, digital / Internet of Things (2013), oversight (2015).

What is a third party vendor?
Any individual or entity that is not a direct employee and that provides a product/service to, or on behalf of, the organization. Typically managed at both the engagement and relationship levels.

Types: Vendors, Service Providers, Agencies, Affiliates, Partnerships, Law firms, Contractors, Joint Ventures, Government Organizations

Engagement: one service, one contract, provided to one line of business
Relationship: multiple engagements with the same company

Vendors may present a combination of risks
Risk | Description
Cyber | Ensuring confidentiality, integrity, availability of information assets
Compliance/legal | Actions inconsistent with legal, policy or regulatory requirements
Service delivery | Third party failures resulting in impact to the service
Contractual | Inability to deliver services per contract
Business continuity | Inability to continue providing services
Intellectual property | Inappropriate use of intellectual property
Financial | Inability to meet contractual obligations due to financial difficulties
Reputation | Issues impacting an organization's brand and reputation
Geopolitical | Region/country-specific factors
Strategic | Third party not aligned with the organization's strategic objectives
Credit | Inability to make obligated payments
Quality | Inability to deliver a quality service/product

Risks come both from the inherent risk of the product/service and from risks unique to the third party.
Source: Deloitte

How do you manage all the vendor activity?
A Vendor Management Framework provides an end-to-end view of identifying and managing vendors and their risk across the vendor lifecycle.
(Figure: Vendor Management Framework. Source: Gartner)

Maturity Model
Many models benchmark a program's maturity.
(Figure: Vendor Management Maturity Model. Source: Gartner)

Regulatory Expectations

Regulatory Expectations
Regulators globally have issued heightened standards and guidance for third parties. These cover most regulatory expectations:
- Expanded scope: oversee all service providers, affiliates, partnerships and other third parties
- Governance and accountability: define the responsibilities of the board, senior management, and relationship managers
- End-to-end risk management: formalize risk management across the life cycle and risk domains, with greater scrutiny of high-risk vendors
- Due diligence: assess how vendors are sought, vetted and selected
- Contracts: do you have them? Do they have the appropriate clauses? Execute a contract inventory
- Monitoring: timely and effective reporting on vendor relationships; demonstrate you have sufficient visibility and control; use scorecards and dashboards
- Compliance: identify all relevant compliance requirements and document how they are being met
- Independent reviews: do your vendors "say what they do" and "do what they say"? Risks are documented and controls are in place
- Business continuity: consider the systemic implications of outsourcing and potential third party failures

Governance
- Executive and Board engagement
- Defined roles and responsibilities
- Drive and approve policy
- Monitor and oversee the vendor portfolio
- Two-tier governance model
General awareness of vendors is no longer acceptable.

Executive Committee (sets the tone): strategic alignment, policy, risk appetite, vendor oversight, escalations
Vendor / Operations Committee (drives vendor performance): performance, compliance, demand pipeline, business continuity, audits

Risk Classification
- Formal risk management across the life cycle and risk domains
- Risk-based segmentation tool
- Risk is not based on value alone
- Apply resources based on level of segmentation

Risk considerations: Reputational, Info Security and Privacy, Contractual, Service Delivery, Financial, Business Continuity, Geopolitical, Regulatory, Exit Strategy
Other considerations: Domestic/Offshore, Core/Non-core
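The segmentation idea on this slide, and the "do you have a contract?" / "independent reviews" expectations from the regulatory slide, can be made concrete in a small script. The following is an added example written for this page; it is not code from the presentation or from CLS Bank. The risk domains and the domestic/offshore and core/non-core considerations come from the slide; the 0..3 rating scale, the weights, the tier thresholds, the minimum review interval per tier and the sample vendor records are assumptions constructed for the example. It shows why risk is not based on value alone: the highest-spend vendor lands in the lowest tier, while a small payment vendor with access to sensitive data is critical and flagged for a missing independent review.

```python
"""Risk-based vendor segmentation with a contract and review inventory check.

Added illustrative example, not code from the presentation or from CLS Bank.
Domains and considerations follow the slide; scale, weights, thresholds,
review intervals and the sample vendors are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

DOMAINS = ("reputational", "info_security", "contractual", "service_delivery",
           "financial", "business_continuity", "geopolitical", "regulatory",
           "exit_strategy")
RATING_MAX = 3                         # 0 = negligible .. 3 = high (assumed scale)
CORE_UPLIFT, OFFSHORE_UPLIFT = 3, 2    # assumed adjustments for the other considerations
TIERS = (("critical", 15), ("high", 9), ("medium", 4), ("low", 0))  # assumed floors
REVIEW_INTERVAL_MONTHS = {"critical": 12, "high": 24, "medium": None, "low": None}
AS_OF = date(2015, 6, 17)              # presentation date, used as the reporting date


@dataclass
class Vendor:
    name: str
    annual_spend: float
    ratings: Dict[str, int]                         # domain -> 0..RATING_MAX
    offshore: bool = False
    core: bool = False
    contract_expires: Optional[date] = None         # None: no contract on file
    last_independent_review: Optional[date] = None  # e.g. date of the last SOC report


def inherent_score(v: Vendor) -> int:
    """Sum the domain ratings plus the consideration uplifts.

    Annual spend is deliberately not an input: risk is not based on value alone.
    """
    for domain, rating in v.ratings.items():
        if domain not in DOMAINS or not 0 <= rating <= RATING_MAX:
            raise ValueError(f"{v.name}: invalid rating {domain}={rating}")
    score = sum(v.ratings.get(d, 0) for d in DOMAINS)
    if v.core:
        score += CORE_UPLIFT
    if v.offshore:
        score += OFFSHORE_UPLIFT
    return score


def tier(v: Vendor) -> str:
    """Map the score to the first tier whose floor it reaches."""
    score = inherent_score(v)
    return next(name for name, floor in TIERS if score >= floor)


def gaps(v: Vendor, as_of: date) -> List[str]:
    """Oversight gaps for the vendor's tier: contract status and review age."""
    findings = []
    if v.contract_expires is None:
        findings.append("no contract on file")
    elif v.contract_expires < as_of:
        findings.append(f"contract expired {v.contract_expires.isoformat()}")
    months = REVIEW_INTERVAL_MONTHS[tier(v)]
    if months is not None:
        if v.last_independent_review is None:
            findings.append(f"{tier(v)} tier requires an independent review; none on file")
        elif as_of - v.last_independent_review > timedelta(days=30 * months):
            findings.append(f"independent review older than {months} months")
    return findings


def segment_portfolio(vendors: List[Vendor], as_of: date) -> Dict[str, dict]:
    """Portfolio view (tier, score, spend, gaps) per vendor, e.g. for a risk dashboard."""
    return {v.name: {"tier": tier(v), "score": inherent_score(v),
                     "spend": v.annual_spend, "gaps": gaps(v, as_of)}
            for v in vendors}


# Constructed sample records (not real vendors).
VENDORS = [
    Vendor("Office Supplies Co", 2_000_000,
           {"service_delivery": 1, "financial": 1},
           contract_expires=date(2016, 12, 31)),
    Vendor("Payment Gateway Ltd", 150_000,
           {"info_security": 3, "regulatory": 3, "service_delivery": 3,
            "business_continuity": 3, "exit_strategy": 2},
           core=True, contract_expires=date(2015, 12, 31)),
    Vendor("Offshore Dev Shop", 400_000,
           {"info_security": 2, "geopolitical": 2, "contractual": 1,
            "exit_strategy": 1},
           offshore=True),
]

if __name__ == "__main__":
    for name, row in segment_portfolio(VENDORS, AS_OF).items():
        print(f"{name:22} tier={row['tier']:8} score={row['score']:2} "
              f"spend={row['spend']:>10,.0f} gaps={row['gaps']}")
```

Run as-is to print the portfolio view; the output is the kind of list that feeds the contract inventory and the risk dashboards mentioned on the monitoring slide. Replace the constructed records with an export from procurement or accounts payable, and calibrate the weights and thresholds to the organization's risk appetite before relying on the tiers.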

Monitoring
- Governance: account plans, governance meetings, stakeholder maps
- Department sourcing plans and pipeline
- Supplier account plans: engagements, improvement plans, innovation, investment
- Performance dashboards and vendor risk dashboards
- Consolidated reporting: commercial, performance, risk, financials, relationship
- Portfolio reporting and segmentation, with aligned governance and resources

Regulatory Guidance
Snapshot of regulatory bulletins and guidance that provide additional direction for managing risks related to engaging with third parties.

FFIEC IT Examination Handbook – Appendix J – Resilience of Outsourced Technology Services (Feb 2015)
- Asserts the financial institution's responsibility to control business continuity risks with third parties
- Must consider the potential impact of disruptions and the ability to restore services
- Validation of business continuity plans with third parties and considerations for third party testing

FRB SR 14-1 Recovery and Resolution Preparation (Jan 2014)
- Identification of internal and external dependencies, and contingency planning for these dependencies
- Firms must have clearly documented agreements with vendors

SEC Reg SCI – Regulation Systems Compliance and Integrity (Nov 2014)
- Requires supplier selection and auditing of vendor services

NIST 800-161 – Supply Chain Risk Management Practices (June 2014)
- Defines requirements for identifying, assessing and mitigating supply chain risks for information and communications technology products and services

OCC Bulletin 2013-29 – Third-Party Relationships (Oct 2013)
- Same responsibilities for in-house and outsourced services
- Adopt risk management processes commensurate with the level of risk and complexity of the institution's third-party relationships
- An effective risk management process throughout the life cycle of the vendor relationship

Takeaways
- Third-party relationships must be good for the company, its vendors and consumers
- Understand how vendors are being managed at your organization. Are you focused on the right things?
- Familiarize yourself with the latest regulatory guidance
- Regularly assess and monitor the effectiveness of the vendor program, not just at the vendor selection stage
- Include vendor risk management as a function within the vendor management program

Would you buy a company or even a house with a contract? No, why. Because a