
1 Managing Vendor Risk & Compliance
© 2012 McGladrey LLP. All Rights Reserved. © 2013 McGladrey LLP. All Rights Reserved. © 2014 McGladrey LLP. All Rights Reserved.

2 Presenter
John MacDonald, McGladrey Risk Advisory Services Manager
John.MacDonald@mcgladrey.com
816-289-1826

3 Overview
Risk Assessment & Due Diligence

4 Governance, Risk & Compliance
- Governance
  - Policy Making
- Risk
  - Assessment and Identification
- Compliance
  - External - Regulatory
  - Internal - Policy

5 Risk Assessment & Opportunity
Risk Assessment & Due Diligence

6 Data Classification
- Restricted / Private
- Confidential
- Internal
- Public

7 Risk Taxonomy

Category         | Examples
-----------------|------------------------------------------------------------------------------------------------------------------------
IT/security      | Privacy breach; Identity fraud; IP theft; Data corruption; Denial/loss of service; Data loss
Financial        | Vendor bankruptcy; Exchange rate; Price instability; Money laundering; Unrealized ROI; Transaction fraud
Operational      | Late delivery; Safety incident; Poor quality; Environmental incident; Damage to assets; Theft
Brand/reputation | Brand damage; Communication crisis; Customer dissatisfaction; Loss of investor confidence; Competitive pressure; Loss of employee confidence
Legal            | Contract liability; HR incident; Contract dispute; Labor dispute/grievance; Regulatory action; International law conflict

8 Risk Identification
- Core IT Suppliers - All Data
- Marketing - Customer Data
- Payroll / HR - Employee Data
- Demand Planning - Strategy Data
- BC/DR - All Data
- Benefits Providers - Employee Data
- Audit Firms - All Data

9 Vendor Risk Management Program
Risk Assessment & Due Diligence

10 Interaction
Does your company regularly visit suppliers? Yes or No
- If yes, what is the trigger?
- If no, do you know why?

11 Vendor Management Program
- Supplier Vetting and Selection
- Impact Assessments
- Background Checks
- Examples of Work
- Prior Experience

12 Reference Documents
1. Discuss Vendor Assessment Form

13 Case Study: Manufacturer
- Context: Understood need for security/risk involvement in selection and credentialing of IT vendors and providing ongoing security oversight.
- Approach: Security team is involved in the procurement process, conducting mini-assessments to determine whether a more detailed evaluation is warranted based on Data Classification.
- Result: Documented agreement that business process owners own the risk and make the decision whether to accept, avoid, mitigate, etc.

14 Case Study: Manufacturer
- Context: Clear need to improve oversight of risk related to third-party relationships, standardize risk measurement, and standardize compliance assessments.
- Approach: Simplify initial assessments to straightforward (primarily yes/no) questions to determine potential risk categories and estimated level of impact.
- Result: Better participation from vendor management and the business. Enabled classification of vendors to develop an audit plan for continuous monitoring.

15 Recommendations
- Be very clear about the different types of third-party risk you're tracking, and who has responsibility for each.
- Create triggers to make sure risk and compliance efforts occur reliably within standard vendor relationship processes.
- Consider ways to open up communication with and among vendors about trends, patterns, best practices, etc.

16 Integration with GRC
Risk Assessment & Due Diligence

17 Governance, Risk & Compliance
- Governance
  - Policy Making
  - Involvement of Decision Makers
- Risk
  - Assessment and Identification
- Compliance
  - External - Regulatory
  - Internal - Policy

18 Reference Documents
Define and document up front the responsibilities of:
- Business Owner
- Legal
- Vendor Management facilitator
- Information Security
- IT Audit
- Risk Management
- Compliance

19 Key Stakeholders
- Internal Audit
- Chief Risk Officer
- Chief Financial Officer
- Head of IT / CISO
- Chief Compliance Officer
- Chief Information Officer
- General Counsel (Legal)
- Enterprise Risk Steering Committee

20 Audit Plan
Risk Assessment & Due Diligence

21 Audit Plan Requirements
- Maintain a complete list of vendors
- Evaluate vendor compliance (SSAE16 reports, ISO certifications)
- Evaluate the classification of the data each vendor handles
- Assign a risk classification to each vendor
- Define an audit schedule for each vendor based on its risk classification

22 Reference Documents
1. Discuss SSAE16 Review

23 Q & A
John MacDonald, McGladrey Risk Advisory Services Manager
John.MacDonald@mcgladrey.com
816-289-1826

