L33: The Challenge of Assessing Supplier Reliability

Transcription

1 L33: The Challenge of Assessing Supplier Reliability Kathleen Lucey, FBCI President, Montague Risk Management President, BCI-USA Eric Staffin VP, Global Head of Product & Infrastructure Risk Management Thomson Reuters, Investment & Advisory JJ Coughlin Supply Chain Integrity SC-ISAC

2 Eric Staffin, MBCI, CISSP Vice President, Global Head of Product & Infrastructure Risk Management Thomson Reuters, Investment & Advisory

3 Business Resiliency Program Key Drivers Thomson Reuters clients in the Corporate and Financial Industries are the most advanced in the world in terms of managing risk and in the maturity of their business resiliency programs. Thomson Reuters operates in highly competitive (and in some cases commoditized) industry segments where market prices cannot always support the most advanced and resilient infrastructure, and where customers often prefer to pay for utility and performance warranties over inter site resiliency and geographic redundancy. Client requests for SLAs are numerous and can be exacting.

4 Evolution to Resiliency Long Maturation Process Increased Integration Over Time Sustainability & Repeatability Becomes Embedded in Enterprise Risk Management Framework Availability Performance Security Process Maturity Reliability Recoverability Continuity Strategic Obj.

5 Stakeholder Requirements Drive All Other Requirements! Customers Customer #1 Customer #2 Customer #3 Customer #4 Customer # 5 Customer # 6 Products & Services Prod #1 Prod #2 Svc #1 Svc #2 Prod #3 Prod #4 Svc #3 Svc #4 Prod #5 Svc #5 Processes Process #1 Process #2 Process #3 Process #4 Process #5 Sites Site #1 Site #2 People Site #3 Site #4 Process Platforms & Resources Technology Facilities Data Suppliers Supplier #1 Supplier #2 Supplier #3 Supplier #4 Supplier #n Copyright Vigilant Services Group. All rights reserved.

6 Optimization Strategies Optimize Utility * Warranty * Maximum Competitiveness Optimize Cost ** Resiliency ** Optimal Product Resiliency * ITIL Service Management ** Don t Over Spend or Under Spend

7 Typical Story Lines Reactive / Defensive A major product experiences a significant disruption One or more significant penalties are assessed based on SLA triggers that have been tripped BCM and RM people are brought in to try to minimize the damage Discovery that client and supplier SLAs are all different and disconnected from resiliency and recovery strategies Efforts are made ad hoc to Reduce the penalties Improve product resiliency Impose go forward penalty language on suppliers

8 Proactive Approach to Customer & Supplier SLAs Customer and supplier warranty requirements are integrated into product design Ensure that performance guarantees extend to key internal and external suppliers BCM/RM people are at the table with clients and suppliers and have intervention rights Gatekeeper! Incorporate Supplier RTOs into the Incident Management Timeline Only sign or accept SLAs that match the organizational model and risk / resiliency strategies Reassess annually with comprehensive supplier questionnaires

9 Service Level Agreements Balanced Approach From Legal Problem Technical Avoidance Owned by Sales/Product Client Leverage Deal centric Value Leakage Commercial Exposure Enterprise Headache Lose Lose To Business Concern Organizational Ownership Owned by CRO / BCM Buyer/Supplier Power Process centric Utility & Warranty Managed Risk Enterprise Survival Win Win

10 L33: The Challenge of Assessing Supplier Reliability J.J. Coughlin Director of Law Enforcement Services Supply Chain Integrity

11 Assessing Suppliers Contracts Use for all main suppliers Lay out terms, minimum requirements and guidelines Provide for right to audit compliance Provide control of any subbing of services Assessment of Insurance

12 Assessing Suppliers Supply Chain contract should require provider to: Have a security contact/group Have a written security plan/driver Awareness Have employee background/drug screens Have facility and in transit security guidelines Conduct employee awareness/security training Notify immediately of all major losses/thefts Partner with you in recovery of loss response Conduct loss review/corrective action plan

13 Assessing Suppliers Supply Chain Partners/Suppliers Brokers Carriers Sub Carriers (If allowed) Security Guards and Providers Personnel (temp) Providers

14 Assessing Suppliers Auditing methods which can be used On site inspection Record inspection Covert monitoring

15 J.J. Coughlin Office Cell integrity.net integrity.net

16 L33: The Challenge of Assessing Supplier Reliability Kathleen Lucey, FBCI Montague Risk Management tel:

17 Threats Supplier has an interruption and goes out of business. No other supplier exists. Supplier does not deliver product/service as promised.too many interruptions, recovery too late, too many times. CONTRACT SURPRISES

18 Commonly Overlooked Facilities Lease Details of payment during period of forced vacancy: verify that your BI insurance is sufficient. Suppliers to your suppliers: private security firms, supplemental power service, servicing of fuel supply. Alternate sites: verify that your insurance covers equipment at these sites.

19 Knowledge is Power First, know your suppliers and sometimes their suppliers. On site visits. Companies may distort the truth. Examine results of past incidents: program maturity. Repeatable exercise protocols and maturity of the continuity capability.

20 Contracts A contract is a hostile dance between two self interested parties. Pursue your own self interest. Read ALL of the fine print, even if it is in light gray ink in 8 point type. Get what you need or walk away!

21 Available Tools Questionnaires On site inspections Audit SAS 70 Reports Test audit / review of test results Contract terms

22 If you are looking to lease new premises Questionnaire: On site inspection: sub basements, DMARC Review of maintenance records: electrical, plumbing, HVAC Review of past infrastructure incidents Evacuation feasibility Read and understand ALL of the fine print in the lease agreement

23 Promises are Easy Delivery is Hard SAS 70 Audit: Type I vs. Type II General reliability of operation Does not audit suppliers Does not verify maturity of EM or BC programs Does NOT validate contract promises Read it. Do an on site inspection anyway.

24 Ability to deliver on promises Carrier redundancy: Physical pathing? Review of past incidents Contract out clause Audit of BC and EM testing: Frequency and type of exercise Governing exercise Protocol Verisimilitude

25 Knowledge Costs $, Time, and Thought Read ALL of the fine print. And understand it. Perform on site visits. Read audits of any kind. Grade the maturity of the supplier s continuity program: Repeatable protocol Verisimilitude Ongoing business function

26 Contact me at: Office: Mobile:

27 QUESTIONS FOR THE PANEL?