Secure Operations in High-Risk Jurisdictions

Assessments often omit jurisdictional risks. Are your assets exposed?

EXECUTIVE BRIEF

Analyst Perspective

Operations in high-risk jurisdictions face unique security scenarios.

Michel Hébert

Research Director

Security and Privacy

Info-Tech Research Group

Alan Tang

Principal Research Director

Security and Privacy

Info-Tech Research Group

Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.

Executive Summary

Your Challenge

• Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
• Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.

Common Obstacles

• Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
• Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.

Info-Tech’s Approach

Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.

This approach includes tools for:

• Evaluating the security context of your organization’s high-risk jurisdictions.
• Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
• Planning and executing a response.

Info-Tech Insight

Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.

Business operations in high-risk jurisdictions face a more complex security landscape

Information security risks to business operations vary widely by region.

The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.

Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.

Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.

Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further

The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.

The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.

The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:

• 33% had no data protection legislation.
• 47% had no breach notification measures in place.
• 50% had no legislation on the theft of personal information.
• 19% still had no legislation on illegal access.

Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.

The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)

Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.

Securing critical assets in high-risk jurisdictions requires additional effort

Traditional approaches to security strategy may miss these key risk scenarios.

As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.

Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.

• Engage the organization with the right questions.
• Identify critical assets and assess vulnerabilities.
• Catalogue threats and build risk scenarios.
• Identify the security controls necessary to mitigate risks.

Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.

This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.

Key Risk Scenarios

• High-Risk Travel
• Compliance Risk
• Insider Threat
• Advanced Persistent Threat
• Commercial Surveillance

Travel risk is the first scenario we use as an example throughout the blueprint

• This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
• Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
• Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.

The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.

Before you leave

• Identify high-risk countries.
• Enable controls.
• Limit what you pack.

During your trip

• Assume you are monitored.
• Limit access to systems.
• Prevent theft.

When you return

• Change your password.
• Restore your devices.

Compliance risk is the second scenario we use as an example

• Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
• Later sections will show how to think through at least four compliance risks, including:
  • Cross-border data transfer
  • Third-party risk management
  • Data breach notification
  • Data residency

The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.

Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Business Security Requirements

Identify the context for the global security risk assessment, including risk appetite and risk tolerance.

Jurisdictional Risk Register and Heatmap

Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.

Mitigation Plan

Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.

Key deliverable:

Jurisdictional Risk Register and Heatmap

Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.

Blueprint benefits

Protect critical assets in high-risk jurisdictions

IT Benefits

Assess and remediate information security risk to critical assets in high-risk jurisdictions.

Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.

Illustrate key information security risk scenarios to make the case for action in terms the business understands.

Business Benefits

Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.

Support business growth in high-risk jurisdictions without compromising critical assets.

Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.

Quantify the impact of securing global operations

The tool included with this blueprint can help you measure the impact of implementing the research

• Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.

Establish Baseline Metrics

• Review existing information security and risk management metrics and the output of the tools included with the blueprint.
• Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
• Compare your results with those in your overall security and risk management program.

Info-Tech offers various levels of support to best suit your needs.

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

Phase 1

Call #1: Scope project requirements, determine assessment scope, and discuss challenges.

Phase 2

Call #2: Conduct initial risk assessment and determine risk tolerance.

Call #3: Evaluate security pressures in high-risk jurisdictions.

Call #4: Identify risks in high-risk jurisdictions.

Call #5: Assess risk exposure.

Phase 3

Call #6: Treat security risks in high-risk jurisdictions.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

No safe jurisdictions

Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.

Traditional approaches to security strategy often omit jurisdictional risks.

Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.

The two greatest risks are high-risk travel and compliance risk.

You can mitigate them with small adjustments to your security program.

Support High-Risk Travel

When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.

Mitigate Compliance Risk

Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.

Phase 1

Identify Context

This phase will walk you through the following activities:

• Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
• Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.

This phase involves the following participants:

• Business stakeholders
• IT leadership
• Security team
• Risk and Compliance

Step 1.1

Assess Business Requirements

Activities

1.1.1 Determine assessment scope

1.1.2 Identify enterprise goals in high-risk jurisdictions

1.1.3 Identify compliance obligations

This step involves the following participants:

• Business stakeholders
• IT leadership
• Security team
• Risk and Compliance

Outcomes of this step

• Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.

Focus the risk assessment on high-risk jurisdictions

Traditional approaches to information security strategy often miss threats to global operations

• Successful security strategies are typically sensitive to risks to different IT systems and lines of business.
• However, securing global operations requires additional focus on high-risk jurisdictions, considering what makes them unique.
• This first phase of the project will help you evaluate the business context of operations in high-risk jurisdictions, including:
  • Enterprise and security goals.
  • Lines of business, physical locations, and IT systems that need additional oversight.
  • Unique compliance obligations.
  • Unique risks and security pressures.
  • Organizational risk tolerance in high-risk jurisdictions.

Focus your risk assessment on the business activities security supports in high-risk jurisdictions and the unique threats they face to bridge gaps in your security strategy.

Identify jurisdictions with higher inherent risks

Your security strategy may not describe jurisdictional risk adequately.

• Security strategies list lines of business, physical locations, and IT systems the organization needs to secure and those whose security will depend on a third-party. You can find additional guidance on fixing the scope and boundaries of a security strategy in Phase 1 of Build an Information Security Strategy.
• However, security risks vary widely from one jurisdiction to another according to:
  • Active cyber threats.
  • Legal and regulatory frameworks.
  • Regional security and preparedness capabilities.
• Your first task is to identify high-risk jurisdictions to target for additional oversight.

Work closely with your enterprise risk management function.

Enterprise risk management functions are often tasked with developing risk assessments from composite sources. Work closely with them to complete your own assessment.

Countries at heightened risk of money laundering and terrorism financing are examples of high-risk jurisdictions. The Financial Action Task Force and the U.S. Treasury publish reports three times a year that identify Non-Cooperative Countries or Territories.

Develop a robust jurisdictional assessment

Design an intelligence collection strategy to inform your assessment

• Relying on a single source may lead you to miscalculate risk exposure and miss relevant factors. Use a range of internal, external, and outsourced resources to identify higher-risk jurisdictions.
• Focus your jurisdictional assessment on:
• Strategic intelligence, which sheds light on trends and motivations that affect the threat landscape. For instance:
• Countries that national law enforcement identifies as posing a higher travel risk
• Third-party assessments of business and cybersecurity risk by jurisdiction
• Third-party assessment of jurisdictional commitment to information security
• Tactical intelligence, which identifies the extent of incidents in each jurisdiction. For instance:
• Vendor report on % of security attacks by type and country
• You can find additional guidance on designing a threat intelligence collection strategy in Phase 2 of Integrate Threat Intelligence into your Security Operations.

Strategic Intelligence

White papers, briefings, reports. Audience: C-Suite, board members

Tactical Intelligence

Internal reports, vendor reports. Audience: Security leaders

Operational intelligence

Indicators of compromise. Audience: IT Operations

Operational intelligence focuses on machine-readable data used to block attacks, triage and validate alerts, and eliminate threats from the network. It becomes outdated in a matter of hours and is less useful for this exercise.

Determine travel risks to bolster your assessments

Not all locations and journeys will require the same security measures.

• Travel risks vary significantly according to destination, the nature of the trip, and traveler profile.
• Access to an up-to-date country risk rating system enables your organization and individual staff to quickly determine the overall level of risk in a specific country or location.
• Based on this risk rating, you can specify what security measures are required prior to travel and what level of travel authorization is appropriate, in line with the organization's security policy or travel security procedures.
• While some larger organizations can maintain their own country risk ratings, this requires significant capacity, particularly to obtain the necessary information to keep these regularly updated.
• It may be more effective for your organization to make use of the travel risk ratings provided by an external security information provider, such as a company linked to your travel insurance or travel booking service, if available.
• Alternatively, various open-source travel risk ratings are available via embassy travel sites or other website providers.

Without a flexible system to account for the risk exposures of different jurisdictions, staff may perceive measures as a hindrance to operations.

Develop a tiered risk rating

The example below outlines potential risk indicators for high-risk travel.

Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

1.1.1 Determine assessment scope

1 – 2 hours

1. As a group, brainstorm a list of high-risk jurisdictions to target for additional assessment. Write down as many items as possible to include in:

• Lines of business
• Physical locations
• IT systems

Pay close attention to elements of the assessment that are not in scope.

Download the Information Security Requirements Gathering Tool

Position your efforts in a business context

Securing critical assets in high-risk jurisdictions is a business imperative

• Many companies relegate their information security strategies to their IT department. Aside from the strain the choice places on a department that already performs many different functions, it wrongly implies that mitigating information security risk is simply an IT problem.
• Managing information security risks is a business problem. It requires that organizations identify their risk appetite, prioritize relevant threats, and define risk mitigation initiatives. Business leaders can only do these activities effectively in a context that recognizes the business and financial benefits of implementing protections.
• This is notably true of businesses with operations in many different countries. Each jurisdiction has its own set of security risks the organization must account for, as well as unique local laws and regulations that affect business operations.
• In high-risk jurisdictions, your efforts must consider the unique operational challenges your organization may not face in its home country. Your efforts to secure critical assets will be most successful if you describe key risk scenarios in terms of their impact on business goals.
• You can find additional guidance on assessing the business context of a security strategy in Phase 1 of Build an Information Security Strategy.

Do you understand the unique business context of operations in high-risk jurisdictions?

1.1.2 Identify business goals

Estimated Time: 1-2 hours

1. As a group, brainstorm the primary and secondary business goals of the organization. Focus your assessment on operations in high-risk jurisdictions you identified in Exercise 1.1.1. Review:

• Relevant corporate and IT strategies.
• The business goal definitions and indicator metrics in tab 2, “Goals Definition,” of the Information Security Requirements Gathering Tool.

Download the Information Security Requirements Gathering Tool

Record business goals

Capture the results in the Information Security Requirements Gathering Tool

1. Record the primary and secondary business goals you identified in tab 3, “Goals Cascade,” of the Information Security Requirements Gathering Tool.
2. Next, record the two security alignment goals you selected for each business goal based on the tool’s recommendations.
3. Finally, review the graphic diagram that illustrates your goals on tab 6, “Results,” of the Information Security Requirements Gathering Tool.
4. Revisit this exercise whenever operations expands to a new jurisdiction to capture how they contribute to the organization’s mission and vision and how the security program can support them.

Tab 3, Goals Cascade

Tab 6, Results

Analyze business goals

Assess how operating in multiple jurisdictions adds nuance to your business goals

• Security leaders need to understand the direction of the business to propose relevant security initiatives that support business goals in high-risk jurisdictions.
• Operating in different jurisdictions carries its own degree of risk. The organization is subject not only to the information security risks and legal frameworks of its country of origin but also to those associated with international jurisdictions.
• You need to understand where your organization operates and how these different jurisdictions contribute to your business goals to support their performance and protect the firm’s reputation.
• This exercise will make an explicit link between security and privacy concerns in high-risk jurisdictions, what the business cares about, and what security is trying to accomplish.

If the organization is considering a merger and acquisition project that will expand operations in jurisdictions with different travel risk profiles, the security organization needs to revise the security strategy to ensure the organization can support high-risk travel and mitigate risks to critical assets.

Identify compliance obligations

Data compliance obligations loom large in high-risk jurisdictions

Security leaders are familiar with most conventional regulatory obligations that govern financial, personal, and healthcare data in North America and Europe.

Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency and data localization and to shut down the cross-border transfer of data.

The next step requires you to consider the compliance obligations the organization needs to meet to support the business as it expands to other jurisdictions through natural growth, mergers, and acquisitions.

1.1.3 Identify compliance obligations

Estimated Time: 1-2 hours

1. As a group, brainstorm compliance obligations in target jurisdictions. Focus your assessment on operations in high-risk jurisdictions.

Include:

• Laws
• Governing regulations
• Industry standards
• Contractual agreements

Download the Information Security Requirements Gathering Tool

Step 1.2

Evaluate Security Pressures

Activities

1.2.1 Conduct initial risk assessment

1.2.2 Conduct pressure analysis

1.2.3 Determine risk tolerance

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

Identify threats to global assets and capture the security expectations of external stakeholders, including customers, regulators, legislators, and business partners, and determine risk tolerance.

Evaluate security pressures to set the risk context

Perform an initial assessment of high-risk jurisdictions to set the context.

Assess:

• The threat landscape.
• The security pressures from key stakeholders.
• The risk tolerance of your organization.

You should be able to find the information in your existing security strategy. If you don’t have the information, work through the next three steps of the project blueprint.

Some jurisdictions carry inherent risks

• Jurisdictional risks stem from legal, regulatory, or political factors that exist in different countries or regions. They can also stem from unexpected legal changes in regions where critical assets have exposure. Understanding jurisdictional risks is critical because they can require additional security controls.
• Jurisdictional risk tends to be higher in jurisdictions:
• Where the organization:
• Conducts high-value or high-volume financial transactions.
• Supports and manages critical infrastructure.
• Has high-cost data or data whose compromise could undermine competitive advantage.
• Has a high percentage of part-time employees and contractors.
• Experiences a high rate of employee turnover.
• Where state actors:
• Have a low commitment to cybersecurity, financial, and privacy legislation and regulation.
• Support cybercrime organizations within their borders.

Jurisdictional risk is often reduced to countries where money laundering and terrorist activities are high. In this blueprint, the term refers to the broader set of information security risks that arise when operating in a foreign country or jurisdiction.

Five key risk scenarios are most prevalent

Key Risk Scenarios

• High-Risk Travel
• Compliance Risk
• Insider Threat
• Advanced Persistent Threat
• Commercial Surveillance

Security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets. The goal of the next two exercises is to analyze the threat landscape and security pressures unique to high-risk jurisdictions, which will inform the construction of key scenarios in Phase 2. These five scenarios are most prevalent in high-risk jurisdictions. Keep them in mind as you go through the exercises in this section.

1.2.1 Assess jurisdictional risk

1-3 hours

1. As a group, review the questions on tab 2, “Risk Assessment,” of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following risk elements with a focus on high-risk jurisdictions:
3. Review each question in tab 2 of the Information Security Pressure Analysis Tool and select the most appropriate response.

For more information on how to complete the risk assessment questionnaire, see Step 1.2.1 of Build an Information Security Strategy.

1.2.2 Conduct pressure analysis

1-3 hours

1. As a group, review the questions on tab 3, “Pressure Analysis,” of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following pressure elements with a focus on high-risk jurisdictions:

• Compliance and oversight
• Customer expectations
• Business expectations
• IT expectations

For more information on how to complete the pressure analysis questionnaire, see Step 1.3 of Build an Information Security Strategy.

A low security pressure means that your stakeholders do not assign high importance to information security. You may need to engage stakeholders with the right key risk scenarios to illustrate jurisdictional risk and generate support for new security controls.

Download the Information Security Pressure Analysis Tool

Assess risk tolerance

• Risk tolerance expresses the types and amount of risk the organization is willing to accept in pursuit of its goals.
• These expectations can help you identify, manage, and report on key risk scenarios in high-risk jurisdictions.
• For instance, an organization with a low risk tolerance will require a stronger information security program to minimize operational security risks.
• It’s up to business leaders to determine the risks they are willing to accept. They may need guidance to understand how system-level risks affect the organization’s ability to pursue its goals.

A formalized risk tolerance statement can help:

• Support risk-based security decisions that align with business goals.
• Provide a meaningful rationale for security initiatives.
• Improve the transparency of investments in the organization’s security program.
• Provide guidance for monitoring inherent risk and residual risk exposure.

The role of security professionals is to identify and analyze key risk scenarios that may prevent the organization from reaching its goals.

1.2.3 Determine risk tolerance

1-3 hours

1. As a group, review the questions on tab 4, “Risk Tolerance,” of the Information Security Pressure Analysis Tool.
2. Gather the required information from subject matter experts on the following risk tolerance elements:

• Recent IT problems, especially downtime and data recovery issues
• Historical security incidents

• Existing security strategy
• Business impact assessments
• Service-level agreements

For more information on how to complete the risk tolerance questionnaire, see Step 1.4 of Build an Information Security Strategy.

Download the Information Security Pressure Analysis Tool

Review the output of the results tab

• The organizational risk assessment provides a high-level assessment of inherent risks in high-risk jurisdictions. Use the results to build and assess key risk scenarios in Phase 2.
• Use the security pressure analysis to inform stakeholder management efforts. A low security pressure indicates that stakeholders do not yet grasp the impact of information security on organizational goals. You may need to communicate its importance before you discuss additional security controls.
• Jurisdictions in which organizations have a low risk tolerance will require stronger information security controls to minimize operational risks.

Phase 2

Assess Security Risks to Critical Assets

This phase will walk you through the following activities:

• Identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.
• Assess risk exposure of critical assets in high-risk jurisdictions for each risk scenario through an analysis of its likelihood and impact.

This phase involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Step 2.1

Identify Risks

Activities

2.1.1 Identify assets

2.1.2 Identify threats

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

• Define risk scenarios that identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.

This blueprint focuses on mitigating jurisdictional risks

For a deeper dive into building a risk management program, see Info-Tech’s core project blueprints on risk management:

Build an IT Risk Management Program

Combine Security Risk Management Components Into One Program

Draft key risk scenarios to illustrate adverse events

Risk scenarios help decision-makers understand how adverse events affect business goals.

• Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
• Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
• The asset at risk.
• The threat that can act against the asset.
• Their intent or motivation.
• The circumstances and threat actor model associated with the threat event.
• The potential effect on the organization.
• When or how often the event might occur.

Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

Well-crafted risk scenarios have four components

The second phase of the project will help you craft meaningful risk scenarios

Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events. Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address and treat security risks in high-risk jurisdictions.

The next slides review five key risk scenarios prevalent in high-risk jurisdictions. Use them as examples to develop your own.

Travel to high-risk jurisdictions requires special measures to protect staff, devices, and data

Governmental, academic, and commercial advisors compile lists of jurisdictions that pose greater travel risks annually.

For instance, in the US, these lists might include countries that are:

• Subjects of travel warnings by the US Department of State.
• Identified as high risk by other US government sources such as:
• The Department of the Treasury Office of Foreign Assets Control (OFAC).
• The Federal Bureau of Investigation (FBI).
• The Office of the Director of National Intelligence (ODNI).
• Compiled from academic and commercial sources, such as Control Risks.

When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security.

The diagram presents high-risk jurisdictions based on US governmental sources (2021) listed on this slide.

High-risk travel

Likelihood: Medium

Impact: Medium

Key Risk Scenario #1

Malicious state actors, cybercriminals, and competitors can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

Threat Actor:

• Malicious state actors
• Cybercriminals
• Competitors

Assets:

• Staff
• IT systems
• Sensitive data

Effect:

• Compromised staff health and safety
• Loss of data
• Lost of system integrity

Methods:

• Identify, steal, or target mobile devices.
• Compromise network, wireless, or Bluetooth connections.
• Leverage stolen devices as a means of infecting other networks.
• Access devices to track user location.
• Activate microphones on devices to collect information.
• Intercept electronic communications users send from high-risk jurisdictions.

The data compliance landscape is a jigsaw puzzle of data protection and data residency requirements

Since the EU passed the GDPR in 2016, jurisdictions have turned to data regulations to protect citizen data

Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency, breach notification, and cross-border data transfer regulations. As 2021 wound down to a close, nearly all the world’s 30 largest economies had some form of data regulation in place. The regulatory landscape is shifting rapidly, which complicates operations as organizations grow into new markets or engage in merger and acquisition activities.

Global operations require special attention to data-residency requirements, data breach notification requirements, and cross-border data transfer regulations to mitigate compliance risk.

Compliance risk

Likelihood: Medium

Impact: High

Key Risk Scenario #2

Rapid changes in the privacy and security regulatory landscape threaten organizations’ ability to meet their compliance obligations from local legal and regulatory frameworks. Organizations risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

Threat Actor:

• Local, regional, and national state actors

Asset:

• Reputation, market share
• License to operate

Effect:

• Administrative fines
• Loss of reputation, brand trust, and consumer loyalty
• Loss of market share
• Suspension of business operations
• Lawsuits due to collective actions and claims
• Criminal charges

Methods:

• Shifts in the privacy and security regulatory landscape, including requirements for:
• Data residency.
• Cross-border data transfer.
• Data breach notification.
• Third-party security and privacy risk management.

The incidence of insider threats varies widely by jurisdiction in unexpected ways

On average, companies in North America, the Middle East, and Africa had the most insider incidents in 2021, while those in the Asia-Pacific region had the least.

The Ponemon Institute set out to understand the financial consequences that result from insider threats and gain insight into how well organizations are mitigating these risks.

In the context of this research, insider threat is defined as:

• Employee or contractor negligence.
• Criminal or malicious insider activities.
• Credential theft (imposter risk).

On average, the total cost to remediate insider threats in 2021 was US$15.4 million per incident.

In all regions, employee or contractor negligence occurred most frequently. Organizations in North America and in the Middle East and Africa were most likely to experience insider threat incidents in 2021.

The diagram represents the average number of insider incidents reported per organization in 2021. The results are analyzed in four regions (Ponemon Institute, 2022)

Insider threat

Likelihood: Low to Medium

Impact: High

Key Risk Scenario #3

Malicious insiders, negligent employees, and credential thieves can exploit inside access to information systems to commit fraud, steal confidential or commercially valuable information, or sabotage computer systems. Insider threats are difficult to identify, especially when security is geared toward external threats. They are often familiar with the organization’s data and intellectual property as well as the methods in place to protect them. An insider may steal information for personal gain or install malicious software on information systems. They may also be legitimate users who make errors and disregard policies, which places the organization at risk.

Threat Actor:

• Malicious insiders
• Negligent employees
• Infiltrators

Asset:

• Sensitive data
• Employee credentials
• IT systems

Effects:

• Loss of system integrity
• Loss of data confidentiality
• Financial loss

Methods:

• Infiltrators may compromise credentials.
• Malicious or negligent insiders may use corporate email to steal or share sensitive data, including:
  • Regulated data.
  • Intellectual property.
  • Critical business information.
• Malicious agents may facilitate data exfiltration, as well as open-port and vulnerability scans.

The risk of advanced persistent threats is more prevalent in Central and South America and the Asia-Pacific region

Attacks from advanced persistent threat (APT) actors are more sophisticated than traditional ones.

• More countries will use legal indictments as part of their cyber strategy. Exposing toolsets of APT groups carried out at the governmental level will drive more states to do the same.
• Expect APTs to increasingly target network appliances like VPN gateways as organizations continue to sustain hybrid workforces.
• The line between APTs and state-sanctioned ransomware groups is blurring. Expect cybercriminals to wield better tools, mount more targeted attacks, and use double-extortion tactics.
• Expect more disruption and collateral damage from direct attacks on critical infrastructure.

Top 10 Significant Threat Actors:

• Lazarus
• DeathStalker
• CactusPete
• IAmTheKing
• TransparentTribe
• StrongPity
• Sofacy
• CoughingDown
• MuddyWater
• SixLittleMonkeys

Top 10 Targets:

• Government
• Banks
• Financial Institutions
• Diplomatic
• Telecommunications
• Educational
• Defense
• Energy
• Military
• IT Companies

Top 12 countries targeted by APTs (Kaspersky, 2020)

Track notable APTs to revise your list of high-risk jurisdictions and review the latest tactics and techniques

Governmental advisors track notable APT actors that pose greater risks.

The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site provide helpful and timely information to understand APT risks in different jurisdictions.

The following threat actors are currently associated with cyberattacks affiliated with the Russian government.

Sources: MITRE ATT&CK; Security Boulevard, 2022; Reuters, 2022; The Verge, 2022

Advanced persistent threat

Likelihood: Low to Medium

Impact: High

Key Risk Scenario #4

Advanced persistent threats are state actors or state-sponsored affiliates with the means to avoid detection by anti-malware software and intrusion detection systems. These highly-skilled and persistent malicious agents have significant resources with which to bypass traditional security controls, establish a foothold in the information technology infrastructure, and exfiltrate data undetected. APTs have the resources to adapt to a defender’s efforts to resist them over time. The loss of system integrity and data confidentiality over time can lead to financial losses, business continuity disruptions, and the destruction of critical infrastructure.

Threat Actor:

• State actors
• State-sponsored affiliates

Asset:

• Sensitive data
• IT systems
• Critical infrastructure

Effects:

• Loss of system integrity
• Loss of data confidentiality
• Financial loss
• Business continuity disruptions
• Infrastructure destruction

Methods:

• Persistent, consistent attacks using the most advanced threats and tactics to bypass security defenses.
• The goal of APTs is to maintain access to networks for prolonged periods without being detected.
• The median dwell time differs widely between regions. FireEye reported the mean dwell time for 2018:
  • Americas: 71 days
  • Europe, Middle East, and Africa: 177 days
  • Asia-Pacific: 204 days

Sources: Symantec, 2011; FireEye, 2019

Threat agents have deployed invasive technology for commercial surveillance in at least 76 countries since 2015

State actors and their affiliates purchased and used invasive spyware from companies in Europe, Israel, and the US.

• “Customers are predominantly repressive regimes looking for new ways to control the flow of information and stifle dissent. Less than 10% of suspected customers are considered full democracies by the Economist Intelligence Unit.” (Top10VPN, 2021)
• Companies based in economically developed and largely democratic states are profiting off the technology.
• The findings demonstrate the need to consider geopolitical realities when assessing high-risk jurisdictions and to take meaningful action to increase layered defenses against invasive malware.
• Spyware is having an increasingly well-known impact on civil society. For instance, since 2016, over 50,000 individual phone numbers have been identified as potential targets by NSO Group, the Israeli manufacturers of the notorious Pegasus Spyware. The target list contained the phone numbers of politicians, journalists, activists, doctors, and academics across the world.
• The true number of those affected by spyware is almost impossible to determine given that many fall victim to the technology and do not notice.

Countries where commercial surveillance tools have been deployed (“Global Spyware Market Index,” Top10VPN, 2021)

The risks and effects of spyware vary greatly

Spyware can steal mundane information, track a user’s every move, and everything in between.

Adware

Software applications that display advertisements while the program is running.

Keyboard Loggers

Applications that monitor and record keystrokes. Malicious agents use them to steal credentials and sensitive enterprise data.

Trojans

Applications that appear harmless but inflict damage or data loss to a system.

Mobile Spyware

Surveillance applications that infect mobile devices via SMS or MMS channels, though the most advanced can infect devices without user input.

State actors and their affiliates use system monitors to track browsing habits, application usage, and keystrokes and capture information from devices’ GPS location data, microphone, and camera. The most advanced system monitor spyware, such as NSO Group’s Pegasus, can infect devices without user input and record conversations from end-to-end encrypted messaging systems.

Commercial surveillance

Likelihood: Low to Medium

Impact: Medium

Key Risk Scenario #5

Malicious agents can deploy malware on end-user devices with commercial tools available off the shelf to secretly monitor the digital activity of users. Attacks exploit widespread vulnerabilities in telecommunications protocols. They occur through email and text phishing campaigns, malware embedded in untested applications, and sophisticated zero-click attacks that deliver payloads without requiring user interactions. Attacks target sensitive as well as mundane information. They can be used to track employee activities, investigate criminal activity, or steal credentials, credit card numbers, or other personally identifiable information.

Threat Actor:

• State actors
• State-sponsored affiliates

Asset:

• Sensitive data
• Staff health and safety
• IT systems

Effects:

• Data breaches
• Loss of data confidentiality
• Increased risk to staff health and safety
• Misuse of private data
• Financial loss

Methods:

• Email and text phishing attacks that delivery malware payloads
• Sideloading untested applications from a third-party source rather than an official retailer
• Sophisticated zero-click attacks that deliver payloads without requiring user interaction

Use the Jurisdictional Risk Register and Heatmap Tool

The tool included with this blueprint can help you draft risk scenarios and risk statements in this section.

The risk register will capture a list of critical assets and their vulnerabilities, the threats that endanger them, and the adverse effect your organization may face.

Download the Jurisdictional Risk Register and Heatmap Tool

2.1.1 Identify assets

1 – 2 hours

1. As a group, consider critical or mission-essential functions in high-risk jurisdictions and the systems on which they depend. Brainstorm a list of the organization’s mission-supporting assets in high-risk jurisdictions. Consider:

• Staff
• Critical IT systems
• Sensitive data
• Critical operational processes

• Information systems.
• Sensitive or regulated data.
• Staff health and safety.
• Critical operations and objectives.
• Organizational finances.
• Reputation and brand loyalty

Inputs for risk scenario identification

Inputs for risk scenario identification

Model threats to narrow the range of scenarios

Motives and capabilities to perform attacks on critical assets vary across different threat actors.

• Criminals, hacktivists, and insiders vary in sophistication. Some criminal groups demonstrate a high degree of sophistication; however, a large cyber event that damages critical infrastructure does not align with their incentives to make money at minimal risk.
• Proxy actors conduct offensive cyber operations on behalf of a beneficiary. They may be acting on behalf of a competitor, national government, or group of individuals.
• Nation-states engage in long-term espionage and offensive cyber operations that support geopolitical and strategic policy objectives.

2.1.2 Identify threats

1 – 2 hours

1. Review the outputs from activity 1.1.1 and activity 2.1.1.
2. Identify threat agents that could undermine the security of critical assets in high-risk jurisdictions. Include internal and external actors.
3. Assess their motives, means, and opportunities.

• Which critical assets are most attractive? Why?
• What paths and vulnerabilities can threat agents exploit to reach critical assets without going through a control?
• How could they defeat existing controls? Draw on the MITRE framework to inform your analysis.
• Once agents defeat a control, what further attack can they launch?

Inputs for risk scenario identification

2.1.2 Identify threats (continued)

1 – 2 hours

1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.

For example:

• State actors and cybercriminals may steal or compromise end-user devices during travel to high-risk jurisdictions using malware they embed in airport charging stations, internet café networks, or hotel business centers.
• Compromised devices may infect corporate networks and threaten sensitive data once they reconnect to them.

Bring together the critical risk elements into a single risk scenario

Summarize the scenario further into a single risk statement

Risk Scenario: High-Risk Travel

State actors and cybercriminals can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

Risk Statement

Cybercriminals compromise end-user devices during travel to high-risk jurisdictions, jeopardizing staff safety and leading to loss of sensitive data.

Risk Scenario: Compliance Risk

Rapid changes in the privacy and security regulatory landscape threaten an organization’s ability to meet its compliance obligations from local legal and regulatory frameworks. Organizations that fail to do so risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

Risk Statement

Rapid changes in the privacy and security regulations landscape threaten our ability to remain compliant, leading to reputational and financial loss.

Fill out the Jurisdictional Risk Register and Heatmap Tool

The tool is populated with data from two key risk scenarios: high-risk travel and compliance risk.

1. Label the risk in Tab 3, Column B.
2. Record your risk scenario in Tab 3, Column C.
3. Record your risk statement in Tab 3, Column D.
4. Identify the applicable jurisdictions in Tab 3, Column E.
5. You can further categorize the scenario as:
   • an enterprise risk (Column G).
   • an IT risk (Column H).

Download the Jurisdictional Risk Register and Heatmap Tool

Step 2.2

Assess Risk Exposure

Activities

2.2.1 Identify existing controls

2.2.2 Assess likelihood and impact

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

• Assess risk exposure for each risk scenario through an analysis of its likelihood and impact.

Brush up on risk assessment essentials

The next step will help you prioritize IT risks based on severity.

Likelihood of Occurrence X Likelihood of Impact = Risk Severity

Likelihood of occurrence: How likely the risk is to occur.

Likelihood of impact: The likely impact of a risk event.

Risk severity: The significance of the risk.

Evaluate risk severity against the risk tolerance thresholds and the cost of risk response.

Identify existing controls before you proceed

Existing controls will reduce the inherent likelihood and impact of the risk scenario you face.

Existing controls were put in place to avoid, mitigate, or transfer key risks your organization faced in the past. Without considering existing controls, you run the risk of overestimating the likelihood and impact of the risk scenarios your organization faces in high-risk jurisdictions.

For instance, the ability to remote-wipe corporate-owned devices will reduce the potential impact of a device lost or compromised during travel to high-risk jurisdictions.

As you complete the risk assessment for each scenario, document existing controls that reduce their inherent likelihood and impact.

2.2.1 Document existing controls

6-10 hours

1. Document the Risk Category and Existing Controls in the Jurisdictional Risk Register and Heatmap Tool.
   • Tactical controls apply to individual risks only. For instance, the ability to remote-wipe devices mitigates the impact of a device lost in a high-risk jurisdiction.
   • Strategic controls apply to multiple risks. For instance, deploying MFA for critical applications mitigates the likelihood that malicious actors can compromise a lost device and impedes their access in devices they do compromise.

Download the Jurisdictional Risk Register and Heatmap Tool.

Assess the risk scenarios you identified in Phase 1

The risk register is the central repository for risks in high-risk jurisdictions.

• Use the second tab of the Jurisdictional Risk Register and Heatmap Tool to create likelihood, impact, and risk tolerance assessment scales to evaluate every risk event effectively.
• Severity-level assessment is a “first pass” of your risk scenarios that will reveal your organization’s most severe risks in high-risk jurisdictions.
• You can incorporate expected cost calculations into your evaluation to assess scenarios in greater detail.
• Expected cost represents how much you would expect to pay in an average year for each risk event. Expected cost calculations can help compare IT risks to non-IT risks that may not use the same scales and communicate system-level risk to the business in a language they will understand.

Expected cost calculations may not be practical. Determining robust likelihood and impact values to produce cost estimates can be challenging and time consuming. Use severity-level assessments as a first pass to make the case for risk mitigation measures and take your lead from stakeholders.

Use the Jurisdictional Risk Register and Heatmap Tool to capture and analyze your data.

2.2.2 Assess likelihood and impact

6-10 hours

1. Assign each risk scenario a likelihood of occurrence and a likely impact level that represents the impact of the scenario on the whole organization considering existing controls. Record your results in Tab 3, column R and S, respectively.
2. You can further dissect likelihood and impact into component parameters but focus first on total likelihood and impact to keep the task manageable.
3. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy. For instance, is a device lost in a high-risk jurisdiction truly more impactful than a device compromised with commercial surveillance software?
4. The tool will calculate the probability of risk exposure based on the likelihood and consequence associated with the scenario. The results are published in Tab 3, Column T.

Download the Jurisdictional Risk Register and Heatmap Tool.

Refine your risk assessment to justify your estimates

Document the rationale behind each value and the level of consensus in group discussions.

Stakeholders will likely ask you to explain some of the numbers you assigned to likelihood and impact assessments. Pointing to an assessment methodology will give your estimates greater credibility.

• Assign one individual to take notes during the assessment exercise.
• Have them document the main rationale behind each value and the level of consensus.

The goal is to develop robust intersubjective estimates of the likelihood and impact of a risk scenario.

We assigned a 50% likelihood rating to a risk scenario. Were we correct?

Assess the truth of the following statements to test likelihood assessments. In this case, do these two statements seem true?

• The risk event will likely occur once in the next two years, all things being equal.
• In two nearly identical organizations, one out of two will experience the risk event this year.

Phase 3

Execute Response

This phase will walk you through the following activities:

• Prioritize and treat global risks to critical assets based on their value and exposure.
• Build an initiative roadmap that identifies and applies relevant controls to protect critical assets. Identify key risk indicators to monitor progress.

This phase involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Step 3.1

Treat Security Risks

Activities

3.1.1 Identify and assess risk response

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

• Prioritize and treat global risks to critical assets based on their value and exposure.

Analyze and select risk responses

The next step will help you treat the risk scenarios you built in Phase 2.

Identify

Identify risk responses.

Predict

Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk.

Calculate

The tool will calculate the residual severity of the risk after applying the risk response.

The first part of the phase outlines project activities. The second part elaborates on high-risk travel and compliance risk, the two key risk scenarios we are following throughout the project. Use the Jurisdictional Risk Register and Heatmap Tool to capture your work.

Analyze likelihood and impact to identify response

3.1.1 Identify and assess risk response

Complete the following steps for each risk scenario.

1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the scenario were to occur. Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
2. Assign each risk response action a residual likelihood level and a residual impact level. This is the same step you performed in Activity 2.2.2, but you are now are estimating the likelihood and impact of the risk event after you implemented the risk response action successfully. The Jurisdictional Risk Register and Heatmap Tool will generate a residual risk severity level for each risk event.
3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Jurisdictional Risk Register and Heatmap Tool .
4. For each risk event, document risk response actions, residual likelihood and impact levels, and residual risk severity level.

Download the Jurisdictional Risk Register and Heatmap Tool

Step 3.2

Mitigate Travel Risk

Activities

3.2.1 Develop a travel policy

3.2.2 Develop travel procedures

3.2.3 Design high-risk travel guidelines

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

• Prioritize and treat global risks to critical assets based on their value and exposure.

Identify controls to mitigate jurisdictional risk

This section provides guidance on the most prevalent risk scenarios identified in Phase 2 and provides a more in-depth examination of the two most prevalent ones, high-risk travel and compliance risk. Determine the appropriate response to each risk scenario to keep global risks to critical assets aligned with the organization’s risk tolerance.

Key Risk Scenarios

• High-Risk Travel
• Compliance Risk
• Insider Threat
• Advanced Persistent Threat
• Commercial Surveillance

Travel risk is a common concern in organizations with global operations

• The security of staff, devices, and data is one of the biggest challenges facing organizations with a global footprint. Working and traveling in unpredictable environments will aways carry a degree of risk, but organizations can do much to develop a safer and more secure working environment.
• Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.
• For many organizations, security risk assessments, security plans, travel security procedures, security training, and incident reporting systems are a key part of their operating language.
• The following section provides a simple structure to help organizations demystify travel in high-risk jurisdictions.

Before you leave

• Identify high-risk countries.
• Enable controls.
• Limit what you pack.

During your trip

• Assume you are monitored.
• Limit access to systems.
• Prevent theft.

When you return

• Change your password.
• Restore your devices.

Case study

Higher Education: Camosun College

Interview: Evan Garland

Frame additional security controls as a value-added service.

Situation

The director of the international department at Camosun College reached out to IT security for additional support. Department staff often traveled to hostile environments. They were concerned malicious agents would either steal end-user devices or compromise them and access sensitive data. The director asked IT security for options that would better protect traveling staff, their devices, and the information they contain.

Challenges

First, controls would need to admit both work and personal use of corporate devices. Staff relied exclusively on work devices for travel to mitigate the risk of personal device theft. Personal use of corporate devices during travel was common. Second, controls needed to strike the right balance between friction and effortless access. Traveling staff had only intermittent access to IT support. Restrictive controls could prevent them from accessing their devices and data altogether.

Solution

IT consulted staff to discuss light-touch solutions that would secure devices without introducing too much complexity or compromising functionality. They then planned security controls that involved user interaction and others that did not and identified training requirements.

Results

Build a program to mitigate travel risks

There is no one-size-fits-all solution.

The most effective solution will take advantage of existing risk management policies, processes, and procedures at your organization.

• Develop a framework. Outline the organization’s approach to high-risk travel, including the policies, procedures, and mechanisms put in place to ensure safe travel to high-risk jurisdictions.
• Draft a policy. Outline the organization’s risk attitude and key security principles and define roles and responsibilities. Include security responsibilities and obligations in job descriptions of staff members and senior managers.
• Provide flexible options. Inherent travel risk will vary from one jurisdiction to another. You will likely not find an approach that works for every case. Establish locally relevant measures and plans in different security contexts and risk environments.
• Look for quick wins. Identify measures or requirements that you can establish quickly but that can have a positive effect on the security of staff, data, and devices.
• Monitor and review. Undertake periodic reviews of the organization’s security approach and management framework, as well as their implementation, to ensure the framework remains effective.

3.2.1 Develop a travel policy

1. Work with your business leaders to build a travel policy for high-risk jurisdictions. The policy should be a short and accessible document structured around four key sections:
   • A statement on the importance of staff security and safety, the scope of the policy, and who it applies to (staff, consultants, contractors, volunteers, visitors, accompanying dependants, etc.).
   • A principles section explaining the organization’s security culture, risk attitude, and the key principles that shape the organization’s approach to staff security and safety.
   • A responsibilities section setting out the organization’s security risk management structure and the roles and actions allocated to specific positions.
   • A minimal security requirements section establishing the specific security requirements that must be in place in all locations and specific locations.
2. Common security principles include:

• Shared responsibility – Managing risks to staff is a shared organizational responsibility.
• Acknowledgment of risk – Managing security will not remove all risks. Staff need to appreciate, as part of their informed consent, that they are still exposed to risk.
• Primacy of life – Staff safety is of the highest importance. Staff should never place themselves at excessive risk to meet program objectives or protect property.
• Proportionate risk – Risks must be assessed to ensure they are proportionate to the benefits organizational activities provide and the ability to manage those risks.
• Right to withdraw – Staff have the right to withdraw from or refuse to take up work in a particular area due to security concerns.
• No right to remain – The organization has the right to suspend activities that it considers too dangerous.

Develop security plans for high-risk travel

Security plans advise staff on how to manage the risk identified in assessments.

Security plans are key country documents that outline the security measures and procedures in place and the responsibilities and resources required to implement them. Security plans should be established in high-risk jurisdictions where your organization has a regular, significant presence. Security plans must remain relevant and accessible documents that address the specific risks that exist in that location, and, if appropriate, are specific about where the measures apply and who they apply to. Plans should be updated regularly, especially following significant incidents or changes in the operating environment or activities.

Key Components

Critical information – One-page summary of pertinent information for easy access and quick reference (e.g. curfew times, no-go areas, important contacts).

Overview – Purpose and scope of the document, responsibilities for security plan, organization’s risk attitude, date of completion and review date, and a summary of the security strategy and policy.

Current Context – Summary of current operating context and overall security situation; main risks to staff, assets, and operations; and existing threats and risk rating.

Procedures – Simple security procedures that staff should adhere to in order to prevent incidents and how to respond should problems arise. Standard operating procedures (SOPs) should address key risks identified in the assessment.

Security levels – The organization's security levels/phases, with situational indicators that reflect increasing risks to staff in that context and location and specific actions/measures required in response to increasing insecurity.

Incident reporting – The procedures and responsibilities for reporting security-related incidents; for example, the type of incidents to be reported, the reporting structure, and the format for incident reporting.

Determine travel risk

Tailor your risk response to the security risk assessment you conducted in earlier stages of this project.

Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

3.2.2 Develop travel procedures

1. Work with your business leaders to build travel procedures for high-risk jurisdictions. The procedures should be tailored to the risk assessment and address the risk scenarios identified in Phase 2.
2. Use the categories outlined in the next two slides to structure the procedure. Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip.
3. Consider the implementation of special measures to limit the impact of a potential security event, including:
   • Information end-user device loaner programs.
   • Temporary travel service email accounts.
4. Specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.
5. Discuss the rationale for each procedure. Ensure the components align with the policy statements outlined in the high-risk travel policy developed in the previous step.

Draft procedures to mitigate travel risks

Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip

Travel security procedures should specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.

3.2.3 Design high-risk travel guidelines

• Supplement the high-risk travel policies and procedures with guidelines to help international travelers stay safe.
• The document is intended for an end-user audience and should reflect your organization’s policies and procedures for the use of information and information systems during international travel.
• Use the Digital Safety Guidelines for International Travel template in concert with this blueprint to provide guidance on what end users can do to stay safe before they leave, during their trip, and when they return.
• Consider integrating the guidelines into specialized security awareness training sessions that target end users who travel to high-risk jurisdictions.
• The guidelines should supplement and align with existing technical controls.

Download the Digital Safety Guidelines for International Travel template

Step 3.3

Mitigate Compliance Risk

Activities

3.3.1 Identify data localization obligations

3.3.2 Integrate obligations into IT system design

3.3.3 Document data processing activities

3.3.4 Choose the right mechanism

3.3.5 Implement the appropriate controls

3.3.6 Identify data breach notification obligations

3.3.7 Integrate data breach notification into incident response

3.3.8 Identify vendor security and data protection requirements

3.3.9 Build due diligence questionnaire

3.3.10 Build appropriate data processing agreement

This step involves the following participants:

• Security team
• Risk and Compliance
• IT leadership (optional)

Outcomes of this step

• Prioritize and treat global risks to critical assets based on their value and exposure.

Compliance risk is a prevalent risk in organizations with a global footprint

• The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
• Organizations with a global footprint must stay abreast of local regulations and provide risk management guidance to business leaders to support global operations.
• This sections describes four compliance risks in this context:
  • Cross-border data transfer
  • Third-party risk management
  • Data breach notification
  • Data residency

Compliance with local obligations

Likelihood: Medium to High

Impact: High

Data Residency

Gap Controls

• Identify and document the data localization obligations for the jurisdictions that the organization is operating in.
• Design and implement IT systems that satisfy the data localization requirements.
• Comply with data localization obligations within each jurisdiction.

Heatmap of Global Data Residency Regulations

Source: InCountry, 2021

Examples of Data Residency Requirements

3.3.1 Identify data localization obligations

1-2 hours

1. Work with your business leaders to identify and document the jurisdictions where your organization is operating in or providing services and products to consumers within.
2. Work with your legal team to identify and document all relevant data localization obligations for the data your organization generates, collects, and processes in order to operate your business.
3. Record your data localization obligations in the table below.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

3.3.2 Integrate obligations into your IT system design

1-2 hours

1. Work with your IT department to design the IT architecture and systems to satisfy the data localization requirements.
2. The table below provides a checklist for integrating privacy considerations into your IT systems.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

Compliance with local obligations

Likelihood: Medium to High

Impact: High

Cross-Border Transfer

Gap Controls

• Know where you transfer your data.
• Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data.
• Adopt and implement a proper cross-border data transfer mechanism in accordance with applicable privacy laws and regulations.
• Re-evaluate at appropriate intervals.

Which cross-border transfer mechanism should I choose?

3.3.3 Document data processing activities

1-2 hours

1. Identify and document the following information:
   • Name of business process
   • Purposes of processing
   • Lawful basis
   • Categories of data subjects and personal data
   • Data subject categories
   • Which system the data resides in
   • Recipient categories
   • Third country/international organization
   • Documents for appropriate safeguards for international transfer (adequacy, SCCs, BCRs, etc.)
   • Description of mitigating measures

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

3.3.4 Choose the right mechanism

1-2 hours

1. Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data. For example, the EU’s GDPR and China’s Personal Information Protection Law require proper cross-border transfer mechanisms before the data transfers. Your organization should decide which cross-border transfer mechanism is the best fit for your cross-border data transfer scenarios.
2. Use the following table to identify and document the pros and cons of each data transfer mechanism and the final decision.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

3.3.5 Implement the appropriate controls

1-3 hours

• One of the most common mechanisms is standard contractual clauses (SCCs).
• Use Info-Tech’s Standard Contractual Clauses Template to facilitate your cross-border transfer activities.
• Identify and check whether the following core components are covered in your SCC and record the results in the table below.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

Compliance with local obligations

Likelihood: High

Impact: Medium to High

Data Breach

Gap Controls

• Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
• Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
• Integrate breach notification obligations into security incident response process.

Examples of Data Breach Notification Obligations

Summary of US State Data Breach Notification Statutes

Source: Davis Wright Tremaine

3.3.6 Identify data breach notification obligations

1-2 hours

1. Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
2. Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
3. Record your data breach obligations in the table below.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

3.3.7 Integrate data breach notification into incident response

1-2 hours

• Integrate breach notification obligations into the security incident response process. Understand the security incident management framework.
• All incident runbooks follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.
• The table below provides a basic checklist for you to consider when implementing your data breach and incident handling process.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

Compliance with local obligations

Likelihood: High

Impact: Medium to High

Third-Party Risk

Gap Controls

• Build an end-to-end third-party security and privacy risk management process.
• Perform internal due diligence prior to selecting a service provider.
• Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.

End-to-End Third-Party Security and Privacy Risk Management

1. Pre-Contract

• Due diligence check

• Data processing agreement

• Continuous monitoring
• Regular check or audit

• Data deletion
• Access deprovisioning

Examples of Vendor Security Management Requirements

3.3.8 Identify vendor security and data protection requirements

1-2 hours

• Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic reassessments.
• An efficient and effective assessment process can only be achieved when all stakeholders are participating.
• Identify and document your vendor security and data protection requirements in the table below.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

3.3.9 Build due diligence questionnaire

1-2 hours

Perform internal due diligence prior to selecting a service provider.

1. Build and right-size your vendor security questionnaire by leveraging Info-Tech’s Vendor Security Questionnaire template.
2. Document your vendor security questionnaire in the table below.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

3.3.10 Build appropriate data processing agreement

1-2 hours

1. Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.
2. Leverage Info-Tech’s Data Processing Agreement Template to put the language into your legally binding document.
3. Use the table below to check whether core components of a typical DPA are covered in your document.

Download the Guidelines for Compliance With Local Security and Privacy Laws Template

Summary of Accomplishment

Problem Solved

By following Info-Tech’s methodology for securing global operations, you have:

• Evaluated the security context of your organization’s global operations.
• Identified security risks scenarios unique to high-risk jurisdictions and assessed the exposure of critical assets.
• Planned and executed a response.

You have gone through a deeper analysis of two key risk scenarios that affect global operations:

• Travel to high-risk jurisdictions.
• Compliance risk.

If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

Contact your account representative for more information.

1-888-670-8889

Additional Support

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

Contact your account representative for more information.

workshops@infotech.com 1-888-670-8889

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

The following are sample activities that will be conducted by Info-Tech analysts with your team:

Identify High-Risk Jurisdictions

Develop requirements to identify high-risk jurisdictions.

Build Risk Scenarios

Build risk scenarios to capture assets, vulnerabilities, threats, and the potential effect of a compromise.

External Research Contributors

Ken Muir

CISO

LMC Security

Premchand Kurup

CEO

Paramount Computer Systems

Preeti Dhawan

Manager, Security Governance

Payments Canada

Scott Wiggins

Information Risk and Governance

CDPHP

Fritz Y. Jean Louis

CISO

Globe and Mail

Eric Gervais

CIO

Ovivo Water

David Morrish

CEO

MBS Techservices

Evan Garland

Manager, IT Security

Camosun College

Jacopo Fumagalli

CISO

Axpo

Dennis Leon

Governance and Security Manager

CPA Canada

Tero Lehtinen

CIO

Planmeca Oy

Related Info-Tech Research

Build an IT Risk Management Program

• Build a program to identify, evaluate, assess, and treat IT risks.
• Monitor and communicate risks effectively to support business decision making.

Combine Security Risk Management Components Into One Program

• Develop a program focused on assessing and managing information system risks.
• Build a governance structure that integrates security risks within the organization’s broader approach to risk management.

Build an Information Security Strategy

• Build a holistic, risk-aware strategy that aligns to business goals.
• Develop a roadmap of prioritized initiatives to implement the strategy over 18 to 36 months.

Bibliography

2022 Cost of Insider Threats Global Report.” Ponemon Institute, NOVIPRO, 9 Feb. 2022. Accessed 25 May 22.

“Allianz Risk Barometer 2022.” Allianz Global Corporate & Specialty, Jan. 2022. Accessed 25 May 22.

Bickley, Shaun. “Security Risk Management: a basic guide for smaller NGOs”. European Interagency Security Forum (EISF), 2017. Web.

“Biden Administration Warns against spyware targeting dissidents.” New York Times, 7 Jan 22. Accessed 20 Jan 2022.

Boehm, Jim, et al. “The risk-based approach to cybersecurity.” McKinsey & Company, October 2019. Web.

“Cost of a Data Breach Report 2021.” IBM Security, July 2021. Web.

“Cyber Risk in Asia-Pacific: The Case for Greater Transparency.” Marsh & McLennan Companies, 2017. Web.

“Cyber Risk Index.” NordVPN, 2020. Accessed 25 May 22

Dawson, Maurice. “Applying a holistic cybersecurity framework for global IT organizations.” Business Information Review, vol. 35, no. 2, 2018, pp. 60-67.

“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 16 Apr 2018. Web.

“Global Cybersecurity Index 2020.” International Telecommunication Union (ITU), 2021. Accessed 25 May 22.

“Global Risk Survey 2022.” Control Risks, 2022. Accessed 25 May 22.

“International Travel Guidance for Government Mobile Devices.” Federal Mobility Group (FMG), Aug. 2021. Accessed 18 Nov 2021.

Kaffenberger, Lincoln, and Emanuel Kopp. “Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment.” Carnegie Endowment for International Peace, September 2019. Accessed 11 Jan 2022.

Koehler, Thomas R. Understanding Cyber Risk. Routledge, 2018.

Owens, Brian. “Cybersecurity for the travelling scientist.” Nature, vol. 548, 3 Aug 2017. Accessed 19 Jan. 2022.

Parsons, Fintan J., et al. “Cybersecurity risks and recommendations for international travellers.” Journal of Travel Medicine, vol. 1, no. 4, 2021. Accessed 19 Jan 2022.

Quinn, Stephen, et al. “Identifying and estimating cybersecurity risk for enterprise risk management.” National Institute of Standards and Technology (NIST), Interagency or Internal Report (IR) 8286A, Nov. 2021.

Quinn, Stephen, et al. “Prioritizing cybersecurity risk for enterprise risk management.” NIST, IR 8286B, Sept. 2021.

“Remaining cyber safe while travelling security recommendations.” Government of Canada, 27 April 2022. Accessed 31 Jan 2022.

Stine, Kevin, et al. “Integrating cybersecurity and enterprise risk management.” NIST, IR 8286, Oct. 2020.

Tammineedi, Rama. “Integrating KRIs and KPIs for effective technology risk management.” ISACA Journal, vol. 4, 1 July 2018.

Tikk, Eneken, and Mika Kerttunen, editors. Routledge Handbook of International Cybersecurity. Routledge, 2020.

Voo, Julia, et al. “National Cyber Power Index 2020.” Belfer Center for Science and International Affairs, Harvard Kennedy School, Sept. 2020. Web.

Zhang, Fang. “Navigating cybersecurity risks in international trade.” Harvard Business Review, Dec 2021. Accessed 31 Jan 22.

Appendix

Insider Threat

Key Risk Scenario

Likelihood: Medium to High

Impact: High

Gap Controls

• Identification: Effective and efficient management of insider threats begins with a threat and risk assessment to establish which assets and which employees to consider, especially in jurisdictions associated with sensitive or critical data. You need to pay extra attention to employees who are working in satellite offices in jurisdictions with loose security and privacy laws.
• Monitoring and Visibility: Organizations should monitor critical assets and groups with privileged access to defend against malicious behavior. Implement an insider threat management platform that provides your organization with the visibility and context into data movement, especially cross-border transfers that might cause security and privacy breaches.
• Policy and Awareness Training: Insider threats will persist without appropriate action and culture change. Training and consistent communication of best practices will mitigate vulnerabilities to accidental or negligent attacks. Customized training materials using local languages and role-based case studies might be needed for employees in high-risk jurisdictions.
• Cooperation: An effective insider threat management program should be built with cross-team functions such as Security, IT, Compliance and Legal, etc.

For more holistic approach, you can leverage our Reduce and Manage Your Organization’s Insider Threat Risk blueprint.

Info-Tech Insight

You can’t just throw tools at a human problem. While organizations should monitor critical assets and groups with privileged access to defend against malicious behavior, good management and supervision can help detect attacks and prevent them from happening in the first place.

Insider threats are not industry specific, but malicious insiders are

Source: Carnegie Mellon University Software Engineering Institute, 2019

Advanced Persistent Threat

Key Risk Scenario #4

Likelihood: Medium to High

Impact: High

Gap Controls

Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.

Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.

Respond: Organizations can’t rely on ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

Best practices moving forward

Defense in Depth

Lock down your organization. Among other tactics, control administrative privileges, leverage threat intelligence, use IP whitelisting, adopt endpoint protection and two-factor authentication, and formalize incident response measures.

Block Indicators

Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act upon gathered intelligence.

Drive Adoption

Create organizational situational awareness around security initiatives to drive adoption of foundational security measures: network hardening, threat intelligence, red-teaming exercises, and zero-day mitigation, policies, and procedures.

Supply Chain Security

Security extends beyond your organization. Ensure your organization has a comprehensive view of your organizational threat landscape and a clear understanding of the security posture of any managed service providers in your supply chain.

Awareness and Training

Conduct security awareness and training. Teach end users how to recognize current cyberattacks before they fall victim – this is a mandatory first line of defense.

Additional Resources

Follow only official sources of information to help you assess risk

As misinformation is a major attack vector for malicious actors, follow only reliable sources for cyberalerts and actionable intelligence. Aggregate information from these reliable sources.

Federal Cyber Agency Alerts

• CISA (US Cybersecurity & Infrastructure Security Agency) Alerts
• Canadian Centre for Cyber Security – Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity
• Australia Cyber Security Centre – 2022-02: Australian organisations should urgently adopt an enhanced cyber security posture

Informational Resources

• CISA Known Exploited Vulnerabilities Catalog
• SANS Internet Storm Center
• CISA Shields Up
• Computer Emergency Response Team of Ukraine (in Ukrainian)
• Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

Info-Tech Insight

The CISA Shields Up site provides the latest cyber risk updates on the Russia-Ukraine conflict and should provide the most value in staying informed.

Essentials of Vendor Management for Small Business

Create and implement a vendor management framework to begin obtaining measurable results in 90 days.

EXECUTIVE BRIEF

Analyst Perspective

Vendor Management Challenge

Small businesses are often challenged by the growth and complexity of their vendor ecosystem, including the degree to which the vendors control them. Vendors are increasing, obtaining more and more budget dollars, while funding for staff or headcount is decreasing as a result of cloud-based applications and an increase in our reliance on Managed Service Providers. Initiating a vendor management initiative (VMI) vs. creating a fully staffed vendor management office will get you started on the path of proactively controlling your vendors instead of consistently operating in a reactionary mode. This blueprint is designed with that very thought: to assist small businesses in creating the essentials of a vendor management initiative.

Steve Jeffery
Principal Research Director, Vendor Management
Info-Tech Research Group

Executive Summary

Your Challenge

Each year, IT organizations "outsource" tasks, activities, functions, and other items. During 2021:

• Spend on as-a-service providers increased 38% over 2020.*
• Spend on managed service providers increased 16% over 2020.*
• IT service providers increased their merger and acquisition numbers by 47% over 2020.*

This leads to more spend, less control, and more risk for IT organizations. Managing this becomes a higher priority for IT, but many IT organizations are ill-equipped to do this proactively.

Common Obstacles

As new contracts are negotiated and existing contracts are renegotiated or renewed, there is a perception that the contracts will yield certain results, output, performance, solutions, or outcomes. The hope is that these will provide a measurable expected value to IT and the organization. Oftentimes, much of the expected value is never realized. Many organizations don't have a VMI to help:

• Ensure at least the expected value is achieved.
• Improve on the expected value through performance management.
• Significantly increase the expected value through a proactive VMI.

Info-Tech's Approach

Vendor Management is a proactive, cross-functional lifecycle. It can be broken down into four phases:

• Plan
• Build
• Run
• Review

The Info-Tech process addresses all four phases and provides a step-by-step approach to configure and operate your VMI. The content in this blueprint helps you quickly establish your VMI and sets a solid foundation for its growth and maturity.

Info-Tech Insight

Vendor management is not a one-size-fits-all initiative. It must be configured:

• For your environment, culture, and goals.
• To leverage the strengths of your organization and personnel.
• To focus your energy and resources on your critical vendors.

Executive Summary

Your challenge

Spend on managed service providers and as-a-service providers continues to increase. In addition, IT services vendors continue to be active in the mergers and acquisitions arena. This increases the need for a VMI to help with the changing IT vendor landscape.

Source: Information Services Group, Inc., 2022.

Executive Summary

Common obstacles

When organizations execute, renew, or renegotiate a contract, there is an "expected value" associated with that contract. Without a robust VMI, most of the expected value will never be realized. With a robust VMI, the realized value significantly exceeds the expected value during the contract term.

A contract's realized value with and without a vendor management initiative

Source: Based on findings from Geller & Company, 2003.

Executive Summary

Info-Tech's approach

A sound, cyclical approach to vendor management will help you create a VMI that meets your needs and stays in alignment with your organization as they both change (i.e. mature and grow).

Info-Tech's methodology for creating and operating your vmi

Insight Summary

Insight 1

Vendor management is not "plug and play" – each organization's vendor management initiative (VMI) needs to fit its culture, environment, and goals. While there are commonalities and leading practices associated with vendor management, your initiative won't look exactly like another organization's. The key is to adapt vendor management principles to fit your needs.

Insight 2

All vendors are not of equal importance to your organization. Internal resources are a scarce commodity and should be deployed so that they provide the best return on the organization's investment. Classifying or segmenting your vendors allows you to focus your efforts on the most important vendors first, allowing your VMI to have the greatest impact possible.

Insight 3

Having a solid foundation is critical to the VMI's ongoing success. Whether you will be creating a formal vendor management office or using vendor management techniques, tools, and templates "informally", starting with the basics is essential. Make sure you understand why the VMI exists and what it hopes to achieve, what is in and out of scope for the VMI, what strengths the VMI can leverage and the obstacles it will have to address, and how it will work with other areas within your organization.

Blueprint benefits

IT benefits

• Identify and manage risk proactively.
• Reduce costs and maximize value.
• Increase visibility with your critical vendors.
• Improve vendor performance.
• Create a collaborative environment with key vendors.
• Segment vendors to allocate resources more effectively and more efficiently.

Business benefits

• Improve vendor accountability.
• Increase collaboration between departments.
• Improve working relationships with your vendors.
• Create a feedback loop to address vendor/customer issues before they get out of hand or are more costly to resolve.
• Increase access to meaningful data and information regarding important vendors.

Phase 1 - Plan

This phase will walk you through the following activity:

• Organizing your VMI and document internal processes, relationships, roles, and responsibilities. The main outcomes from this phase are organizational documents, and a desired future state for the VMI.

This phase involves the following participants:

• VMI team
• Applicable stakeholders and executives
• Procurement/Sourcing
• IT
• Others as needed

Vendor Management Initiative Basics for the Small/Medium Businesses

Phase 1 – Plan

Get Organized

Phase 1 – Plan focuses on getting organized. Foundational elements (Mission Statement, Goals, Scope, Strengths and Obstacles, Roles and Responsibilities, and Process Mapping) will help you define your VMI. These and the other elements of this Phase will follow you throughout the process of starting up your VMI and running it.

Spending time up front to ensure that everyone is on the same page will help avoid headaches down the road. The tendency is to skimp (or even skip) on these steps to get to "the good stuff." To a certain extent, the process provided here is like building a house. You wouldn't start building your dream home without having a solid blueprint. The same is true with vendor management. Leveraging vendor management tools and techniques without the proper foundation may provide some benefit in the short term, but in the long term it will ultimately be a house of cards waiting to collapse.

Step 1.1 – Mission statement and goals

Identify why the VMI exists and what it will achieve

Whether you are starting your vendor management journey or are already down the path, it is important to know why the vendor management initiative exists and what it hopes to achieve. The easiest way to document this is with a written declaration in the form of a Mission Statement and Goals. Although this is the easiest way to proceed, it is far from easy.

The Mission Statement should identify at a high level the nature of the services provided by the VMI, who it will serve, and some of the expected outcomes or achievements. The Mission Statement should be no longer than one or two sentences.

The complement to the Mission Statement is the list of goals for the VMI. Your goals should not be a reassertion of your Mission Statement in bullet format. At this stage it may not be possible to make them SMART (Specific, Measurable, Achievable/Attainable, Relevant, Time-Bound/Time-Based), but consider making them as SMART as possible. Without some of the SMART parameters attached, your goals are more like dreams and wishes. At a minimum, you should be able to determine the level of success achieved for each of the VMI goals.

Although the VMI's Mission Statement will stay static over time (other than for significant changes to the VMI or organization as a whole), the goals should be reevaluated periodically using a SMART filter, and adjusted as needed.

1.1.1 – Mission statement and goals

20 – 40 Minutes

1. Meet with the participants and use a brainstorming activity to list, on a whiteboard or flip chart, the reasons why the VMI will exist.
2. Review external mission statements for inspiration.
3. Review internal mission statements from other areas to ensure consistency.
4. Draft and document your Mission Statement in the Phase 1 Tools and Templates Compendium – Tab 1.1 Mission Statement and Goals.
5. Continue brainstorming and identify the high-level goals for the VMI.
6. Review the list of goals and make them as SMART (Specific, Measurable, Achievable/Attainable, Relevant, Time-Bound/Time-Based) as possible.
7. Document your goals in the Phase 1 Tools and Templates Compendium– Tab 1.1 Mission Statement and Goals.
8. Obtain signoff on the Mission Statement and goals from stakeholders and executives as required.

Input

• Brainstorming results
• Mission statements from other internal and external sources

Output

• Completed Mission Statement and Goals

Materials

• Whiteboard/Flip Charts
• Phase 1 Tools and Templates Compendium – Tab 1.1 Mission Statement and Goals

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 1 Tools and Templates Compendium

Step 1.2 – Scope

Determine what is in scope and out of scope for the VMI

Regardless of where your VMI resides or how it operates, it will be working with other areas within your organization. Some of the activities performed by the VMI will be new and not currently handled by other groups or individuals internally; at the same time, some of the activities performed by the VMI may be currently handled by other groups or individuals internally. In addition, executives, stakeholders, and other internal personnel may have expectations or make assumptions about the VMI. As a result, there can be a lot of confusion about what the VMI does and doesn't do, and the answers cannot always be found in the VMI's Mission Statement and Goals.

One component of helping others understand the VMI landscape is formalizing the VMI Scope. The Scope will define boundaries for the VMI. The intent is not to fence itself off and keep others out but provide guidance on where the VMI's territory begins and ends. Ultimately, this will help clarify the VMI's roles and responsibilities, improve workflow, and reduce errant assumptions.

When drafting your VMI scoping document, make sure you look at both sides of the equation (similar to what you would do when following best practices for a statement of work). Identify what is in scope and what is out of scope. Be specific when describing the individual components of the VMI Scope, and make sure executives and stakeholders are onboard with the final version.

1.2.1 – Scope

20 - 40 Minutes

1. Meet with the participants and use a brainstorming activity to list, on a whiteboard or flip chart, the activities and functions in scope and out of scope for the VMI.
   1. Be specific to avoid ambiguity and improve clarity.
   2. Go back and forth between in scope and out of scope as needed; it is not necessary to list all the in-scope items and then turn your attention to the out-of-scope items.
2. Review the lists to make sure there is enough specificity. An item may be in scope or out of scope, but not both.
3. Use the Phase 1 Tools and Templates Compendium – Tab 1.2 Scope to document the results.
4. Obtain signoff on the Scope from stakeholders and executives as required.

Input

• Brainstorming results
• Mission Statement and Goals

Output

• Completed list of items in and out of scope for the VMI

Materials

• Whiteboard/Flip Charts
• Phase 1 Tools and Templates Compendium – Tab 1.2 Scope

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 1 Tools and Templates Compendium

Step 1.3 – Strengths and obstacles

Pinpoint the VMI's strengths and obstacles

A SWOT analysis (strengths, weaknesses, opportunities, and threats) is a valuable tool, but it is overkill for your VMI at this point. However, using a modified and simplified form of this tool (strengths and obstacles) will yield significant results and benefit the VMI as it grows and matures.

Your output will be two lists: the strengths associated with the VMI and the obstacles the VMI is facing. For example, strengths could include items such as smart people working within the VMI and executive support. Obstacles could include items such as limited headcount and training required for VMI staff.

The goals are 1) to harness the strengths to help the VMI be successful and 2) to understand the impact of the obstacles and plan accordingly. The output can also be used to enlighten executives and stakeholders about the challenges associated with their directives or requests (e.g. human bandwidth may not be sufficient to accomplish some of the vendor management activities and there is a moratorium on hiring until the next budget year).

For each strength identified, determine how you will or can leverage it when things are going well or when the VMI is in a bind. For each obstacle, list the potential impact on the VMI (e.g. scope, growth rate, and number of vendors that can actively be part of the VMI).

As you do your brainstorming, be as specific as possible and validate your lists with stakeholders and executives as needed.

1.3.1 – Strengths and obstacles

20 - 40 Minutes

Meet with the participants and use a brainstorming activity to list, on a whiteboard or flip chart, the VMI's strengths and obstacles.

Be specific to avoid ambiguity and improve clarity.

Go back and forth between strengths and obstacles as needed; it is not necessary to list all the strengths first and then all the obstacles.

It is possible for an item to be a strength and an obstacle; when this happens, add details to distinguish the situations.

Review the lists to make sure there is enough specificity.

Determine how you will leverage each strength and how you will manage each obstacle.

Use the Phase 1 Tools and Templates Compendium – Tab 1.3 Strengths and Obstacles to document the results.

Obtain signoff on the strengths and obstacles from stakeholders and executives as required.

Input

• Brainstorming
• Mission Statement and Goals
• Scope

Output

• Completed list of items impacting the VMI's ability to be successful: strengths the VMI can leverage and obstacles the VMI must manage

Materials

• Whiteboard/Flip Charts
• Phase 1 Tools and Templates Compendium – Tab 1.3 Strengths and Obstacles

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 1 Tools and Templates Compendium

Step 1.4 – Roles and responsibilities

Obtain consensus on who is responsible for what

One crucial success factor for VMIs is gaining and maintaining internal alignment. There are many moving parts to an organization, and a VMI must be clear on the various roles and responsibilities related to the relevant processes. Some of this information can be found in the VMI's Scope referenced in Step 1.2, but additional information is required to avoid stepping on each other's toes; many of the processes require internal departments to work together. (For example, obtaining requirements for a request for proposal takes more than one person or department). While it is not necessary to get too granular, it is imperative that you have a clear understanding of how the VMI activities will fit within the larger vendor management lifecycle (which is comprised of many sub processes) and who will be doing what.

As we have learned through our workshops and guided implementations, a traditional RACI* or RASCI* Chart does not work well for this purpose. These charts are not intuitive, and they lack the specificity required to be effective. For vendor management purposes, a higher-level view and a slightly different approach provide much better results.

This step will lead your through the creation of an OIC* Chart to determine vendor management lifecycle roles and responsibilities. Afterward, you'll be able to say, "Oh, I see clearly who is involved in each part of the process and what their role is."

*RACI – Responsible, Accountable, Consulted, Informed

*RASCI – Responsible, Accountable, Support, Consulted, Informed

*OIC – Owner, Informed, Contributor

Step 1.4 – Roles and responsibilities (cont'd)

Obtain consensus on who is responsible for what

To start, define the vendor management lifecycle steps or process applicable to your VMI. Next, determine who participates in the vendor management lifecycle. There is no need to get too granular – think along the lines of departments, subdepartments, divisions, agencies, or however you categorize internal operational units. Avoid naming individuals other than by title; this typically happens when a person oversees a large group (e.g. the CIO [chief information officer] or the CPO [chief procurement officer]). Be thorough, but don't let the chart get out of hand. For each role and step of the lifecycle, ask whether the entry is necessary; does it add value to the clarity of understanding the responsibilities associated with the vendor management lifecycle? Consider two examples, one for roles and one for lifecycle steps. 1) Is IT sufficient or do you need IT Operations and IT Development? 2) Is "negotiate contract documents" sufficient or do you need negotiate the contract and negotiate the renewal? The answer will depend on your culture and environment but be wary of creating a spreadsheet that requires an 85-inch monitor to view it.

After defining the roles (departments, divisions, agencies) and the vendor management lifecycle steps or process, assign one of three letters to each box in your chart:

• O – Owner – who owns the process; they may also contribute to it.
• I – Informed – who is informed about the progress or results of the process.
• C – Contributor – who contributes or works on the process; it can be tangible or intangible contributions.

This activity can be started by the VMI or done as a group with representatives from each of the named roles. If the VMI starts the activity, the resulting chart should be validated by the each of the named roles.

1.4.1 – Roles and responsibilities

1 – 6 hours

1. Meet with the participants and configure the OIC Chart in the Phase 1 Tools and Templates Compendium – Tab 1.4 OIC Chart.
   1. Review the steps or activities across the top of the chart and modify as needed.
   2. Review the roles listed along the left side of the chart and modify as needed.
2. For each activity or step across the top of the chart, assign each role a letter – O for owner of that activity or step, I for informed, or C for contributor. Use only one letter per cell.
3. Work your way across the chart. Every cell should have an entry or be left blank if it is not applicable.
4. Review the results and validate that every activity or step has an O assigned to it; there must be an owner for every activity or step.
5. Obtain signoff on the OIC Chart from stakeholders and executives as required.

Input

• A list of activities or steps to complete a project starting with requirements gathering and ending with ongoing risk management.
• A list of internal areas (departments, divisions, agencies, etc.) and stakeholders that contribute to completing a project.

Output

• Completed OCI chart indicating roles and responsibilities for the VMI and other internal areas.

Materials

• Phase 1 Tools and Templates Compendium – Tab 1.4 OIC Chart

Participants

• VMI team
• Procurement/Sourcing
• IT
• Representatives from other areas as needed
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 1 Tools and Templates Compendium

Phase 2 - Build

Create and configure tools, templates, and processes

This phase will walk you through the following activities:

• Configuring and creating the tools and templates that will help you run the VMI. The main outcomes from this phase are a clear understanding of which vendors are important to you, the tools to manage the vendor relationships, and an implementation plan.

This phase involves the following participants:

• VMI team
• Applicable stakeholders and executives
• Human Resources
• Legal
• Others as needed

Vendor Management Initiative Basics for the Small/Medium Businesses

Phase 2 – Build

Create and configure tools, templates, and processes

Phase 2 – Build focuses on creating and configuring the tools and templates that will help you run your VMI. Vendor management is not a plug and play environment, and unless noted otherwise, the tools and templates included with this blueprint require your input and thought. The tools and templates must work in concert with your culture, values, and goals. That will require teamwork, insights, contemplation, and deliberation.

During this Phase you'll leverage the various templates and tools included with this blueprint and adapt them for your specific needs and use. In some instances, you'll be starting with mostly a blank slate; while in others, only a small modification may be required to make it fit your circumstances. However, it is possible that a document or spreadsheet may need heavy customization to fit your situation. As you create your VMI, use the included materials for inspiration and guidance purposes rather than as absolute dictates.

Step 2.1 – Classification model

Configure the COST vendor classification tool

One of the functions of a VMI is to allocate the appropriate level of vendor management resources to each vendor since not all vendors are of equal importance to your organization. While some people may be able intuitively to sort their vendors into vendor management categories, a more objective, consistent, and reliable model works best. Info-Tech's COST model helps you assign your vendors to the appropriate vendor management category so that you can focus your vendor management resources where they will do the most good.

COST is an acronym for Commodity, Operational, Strategic, and Tactical. Your vendors will occupy one of these vendor management categories, and each category helps you determine the nature of the resources allocated to that vendor, the characteristics of the relationship desired by the VMI, and the governance level used.

The easiest way to think of the COST model is as a 2 x 2 matrix or graph. The model should be configured for your environment so that the criteria used for determining a vendor's classification align with what is important to you and your organization. However, at this point in your VMI's maturation, a simple approach works best. The Classification Model included with this blueprint requires minimal configuration to get your started, and that is discussed on the activity slide associated with this Step 2.1.

Step 2.1 – Classification model (cont'd)

Configure the COST vendor classification tool

Common characteristics by vendor management category

Source: Compiled in part from Guth, Stephen. "Vendor Relationship Management Getting What You Paid for (And More)." 2015.

2.1.1 – Classification model

15 – 30 Minutes

1. Meet with the participants to configure the spend ranges in Phase 2 Vendor Classification Tool – Tab 1. Configuration for your environment.
2. Collect your vendors and their annual spend to sort by largest to lowest.
3. Update cells F14-J14 in the Classification Model based on your actual data.
   1. Cell F14 – Set the boundary at a point between the spend for your 10th and 11th ranked vendors. For example, if the 10th vendor by spend is $1,009, 850 and the 11th vendor by spend is $980,763, the range for F14 would be $1,000,00+.
   2. Cell G14 – Set the bottom of the range at a point between the spend for your 30th and 31st ranked vendors; the top of the range will be $1 less than the bottom of the range specified in F14.
   3. Cell H14 – Set the bottom of the range slightly below the spend for your 50th ranked vendor; the top of the range will be $1 less than the bottom of the range specified in G14.
   4. Cells I14 and J14 – Divide the remaining range in half and split it between the two cells; for J14 the range will be $0 to $1 less than the bottom range in I14.
4. Ignore the other variables at this time.

Input

• Phase 1 List of Vendors by Annual Spend

Output

• Configured Vendor Classification Tool

Materials

• Phase 2 Vendor Classification Tool – Tab 1. Configuration

Participants

• VMI team

Download the Info-Tech Phase 2 Vendor Classification Tool

Step 2.2 – Risk assessment tool

Identify risks to measure, monitor, and report on

One of the typical drivers of a VMI is risk management. Organizations want to get a better handle on the various risks their vendors pose. Vendor risks originate from many areas: financial, performance, security, legal, and others. However, security risk is the high-profile risk, and the one organizations often focus on almost exclusively, which leaves the organization vulnerable in other areas.

Risk management is a program, not a project; there is no completion date. A proactive approach works best and requires continual monitoring, identification, and assessment. Reacting to risks after they occur can be costly and have other detrimental effects on the organization. Any risk that adversely affects IT will adversely affect the entire organization.

While the VMI won't necessarily be quantifying or calculating the risk directly, it generally is the aggregator of risk information across the risk categories, which it then includes in its reporting function (see Steps 2.12 and 3.8).

At a minimum, your risk management strategy should involve:

• Identifying the risks you want to measure and monitor.
• Identifying your risk appetite (the amount of risk you are willing to live with).
• Measuring, monitoring, and reporting on the applicable risks.
• Developing and deploying a risk management plan to minimize potential risk impact.

Vendor risk is a fact of life, but you do have options for how to handle it. Be proactive and thoughtful in your approach, and focus your resources on what is important.

2.2.1 – Risk assessment tool

30 - 90 Minutes

1. Meet with the participants to configure the risk indicators in Phase 2 Vendor Risk Assessment Tool – Tab 1. Set parameters for your environment.
2. Review the risk categories and determine which ones you will be measuring and monitoring.
3. Review the risk indicators under each risk category and determine whether the indicator is acceptable as written, is acceptable with modifications, should be replaced, or should be deleted.
4. Make the necessary changes to the risk indicators; these changes will cascade to each of the vendor tabs. Limit the number of risk indicators to no more than seven per risk category.
5. Gain input and approval as needed from sponsors, stakeholders, and executives as required.

Input

• Scope
• OIC Chart
• Process Maps
• Brainstorming

Output

• Configured Vendor Risk Assessment Tool

Materials

• Phase 2 Vendor Risk Assessment Tool – Tab 1. Set Parameters

Participants

• VMI team

Download the Info-Tech Phase 2 Vendor Classification Tool

Step 2.3 – Scorecards and feedback

Design a two-way feedback loop with your vendors

A vendor management scorecard is a great tool for measuring, monitoring, and improving relationship alignment. In addition, it is perfect for improving communication between you and the vendor.

Conceptually, a scorecard is similar to a school report card. At the end of a learning cycle, you receive feedback on how well you do in each of your classes. For vendor management, the scorecard is also used to provide periodic feedback, but there are some nuances and additional benefits and objectives when compared to a report card.

Although scorecards can be used in a variety of ways, the focus here will be on vendor management scorecards – contract management, project management, and other types of scorecards will not be included in the materials covered in this Step 2.3 or in Step 3.4.

Step 2.3 – Scorecards and feedback (cont'd)

Design a two-way feedback loop with your vendors

Anatomy

The Info-Tech scorecard includes five areas:

• Measurement categories. Measurement categories help organize the scorecard. Limit the number of measurement categories to three to five; this allows the parties to stay focused on what's important. Too many measurement categories make it difficult for the vendor to understand the expectations.
• Criteria. The criteria describe what is being measured. Create criteria with sufficient detail to allow the reviewers to fully understand what is being measured and to evaluate it. Criteria can be objective or subjective. Use three to five criteria per measurement category.
• Measurement category weights. Not all your measurement categories may be of equal importance to you; this area allows you to give greater weight to a measurement category when compiling the overall score.
• Rating. Reviewers will be asked to assign a score to each criteria using a 1 to 5 scale.
• Comments. A good scorecard will include a place for reviewers to provide additional information regarding the rating, or other items that are relevant to the scorecard.

An overall score is calculated based on the rating for each criteria and the measurement category weights.

Step 2.3 – Scorecards and feedback (cont'd)

Design a two-way feedback loop with your vendors

Goals and objectives

Scorecards can be used for a variety of reasons. Some of the common ones are:

• Improving vendor performance.
• Conveying expectations to the vendor.
• Identifying and recognizing top vendors.
• Increasing alignment between the parties.
• Improving communication with the vendor.
• Comparing vendors across the same criteria.
• Measuring items not included in contract metrics.
• Identifying vendors for "strategic alliance" consideration.
• Helping the organization achieve specific goals and objectives.

Identifying and resolving issues before they impact performance or the relationship.

Identifying your scorecard drivers first will help you craft a suitable scorecard.

Step 2.3 – Scorecards and feedback (cont'd)

Design a two-way feedback loop with your vendors

Info-Tech recommends starting with simple scorecards to allow you and the vendors to acclimate to the new process and information. As you build your scorecards, keep in mind that internal personnel will be scoring the vendors and the vendors will be reviewing the scorecard. Make your scorecard easy for your personnel to fill out, and containing meaningful content to drive the vendor in the right direction. You can always make the scorecard more complex in the future.

Our recommendation of five categories is provided below. Choose three to five of the categories that help you accomplish your scorecard goals and objectives:

1. Timeliness – Responses, resolutions, fixes, submissions, completions, milestones, deliverables, invoices, etc.
2. Cost – Total cost of ownership, value, price stability, price increases/decreases, pricing models, etc.
3. Quality – Accuracy, completeness, mean time to failure, bugs, number of failures, etc.
4. Personnel – Skilled, experienced, knowledgeable, certified, friendly, trustworthy, flexible, accommodating, etc.
5. Risk – Adequate contractual protections, security breaches, lawsuits, finances, audit findings, etc.

Some criteria may be applicable in more than one category. The categories above should cover at least 80% of the items that are important to your organization. The general criteria listed for each category is not an exhaustive list, but most things break down into time, money, quality, people, and risk issues.

Step 2.3 – Scorecards and feedback (cont'd)

Design a two-way feedback loop with your vendors

Additional Considerations

• Even a good rating system can be confusing. Make sure you provide some examples or a way for reviewers to discern the differences between a 1, 2, 3, 4, and 5. Don't assume your "rating key" will be intuitive.
• When assigning weights, don't go lower than 10% for any measurement category. If the weight is too low, it won't be relevant enough to have an impact on the total score. If it doesn't "move the needle", don't include it.
• Final sign-off on the scorecard template should occur outside the VMI. The heavy lifting can be done by the VMI to create it, but the scorecard is for the benefit of the organization overall, and those impacted by the vendors specifically. You may end up playing arbiter or referee, but the scorecard is not the exclusive property of the VMI. Try to reach consensus on your final template whenever possible.
• You should notice improved ratings and total scores over time for your vendors. One explanation for this is the Pygmalion Effect: "The Pygmalion [E]ffect describes situations where someone's high expectations improves our behavior and therefore our performance in a given area. It suggests that we do better when more is expected of us."* Convey your expectations and let the vendors' competitive juices take over.
• While creating your scorecard and materials to explain the process to internal personnel, identify those pieces that will help you explain it to your vendors during vendor orientation (see Steps 2.6 and 3.4). Leveraging pre-existing materials is a great shortcut.

*Source: The Decision Lab, n.d.

Step 2.3 – Scorecards and feedback (cont'd)

Design a two-way feedback loop with your vendors

Vendor Feedback

After you've built your scorecard, turn your attention to the second half of the equation – feedback from the vendor. A communication loop cannot be successful without dialogue flowing both ways. While this can happen with just a scorecard, a mechanism specifically geared toward the vendor providing you with feedback improves communication, alignment, and satisfaction.

You may be tempted to create a formal scorecard for the vendor to use; avoid that temptation until later in your maturity or development of the VMI. You'll be implementing a lot of new processes, deploying new tools and templates, and getting people to work together in new ways. Work on those things first.

For now, implement an informal process for obtaining information from the vendor. Start by identifying information that you will find useful – information that will allow you to improve overall, to reduce waste or time, to improve processes, to identify gaps in skills. Incorporate these items into your business alignment meetings (see Steps 2.4 and 3.5). Create three to five good questions to ask the vendor and include these in the business alignment meeting agenda. The goal is to get meaningful feedback, and that starts with asking good questions.

Keep it simple at first. When the time is right, you can build a more formal feedback form or scorecard. Don't be in a rush; as long as the informal method works, keep using it.

2.3.1 – Scorecards and feedback

30 – 60 Minutes

1. Meet with the participants and brainstorm ideas for your scorecard measurement categories:
   1. What makes a vendor valuable to your organization?
   2. What differentiates a "good" vendor from a "bad" vendor?
   3. What items would you like to measure and provide feedback on to the vendor to improve performance, the relationship, risk, and other areas?
2. Select three, but no more than five, of the following measure categories: timeliness, cost, quality, personnel, and risk.
3. Within each measurement category, list two or three criteria that you want to measure and track for your vendors. Choose items that are as universal as possible rather than being applicable to one vendor or one vendor type.
4. Assign a weight to each measurement category, ensuring that the total weight is 100% for all measurement categories.
5. Document your results as you go in Phase 2 Tools and Templates Compendium – Tab 2.3 Scorecard.

Input

• Brainstorming

Output

• Configured Scorecard template

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.3 Scorecard

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 2 Tools and Templates Compendium

2.3.2 – Scorecards and feedback

15 to 30 Minutes

1. Meet with the participants and brainstorm ideas for feedback to seek from your vendors during your business alignment meetings. During the brainstorming, identify questions to ask the vendor about your organization that will:
   1. Help you improve the relationship.
   2. Help you improve your processes or performance.
   3. Help you improve ongoing communication.
   4. Help you evaluate your personnel.
2. Identify the top five questions you want to include in your business alignment meeting agenda. (Note: you may need to refine the actual questions from the brainstorming activity before they are ready to include in your business alignment meeting agenda.)
3. Document both your brainstorming activity and your final results in Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback. The brainstorming questions can be used in the future as your VMI matures and your feedback transforms from informal to formal. The results will be used in Steps 2.4 and 3.5.

Input

• Brainstorming

Output

• Feedback questions to include with the business alignment meeting agenda

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 2 Tools and Templates Compendium

Step 2.4 – Business alignment meeting agenda

Craft an agenda that meets the needs of the VMI

A business alignment meeting (BAM) is a multi-faceted tool to ensure the customer and the vendor stay focused on what is important to the customer at a high level. BAMs are not traditional operational meetings where the parties get into the details of the contracts, deal with installation problems, address project management issues, or discuss specific cost overruns. The focus of the BAM is the scorecard (see Step 2.3), but other topics are discussed, and other purposes are served. For example:

• You can use the BAM to develop the relationship with the vendor's leadership team so that if escalation is ever needed, your organization is more than just a name on a spreadsheet or customer list.
• You can learn about innovations the vendor is working on (without the meeting turning into a sales call).
• You can address high-level performance trends and request corrective action as needed.
• You can clarify your expectations.
• You can educate the vendor about your industry, culture, and organization.
• You can learn more about the vendor.

As you build your BAM Agenda, someone in your organization may say, "Oh, that's just a quarterly business review (QBR) or top-to-top meeting." In most instances, an existing QBRs or top-to-top meeting is not the same as a BAM. Using the term QBR or top-to-top meeting instead of BAM can lead to confusion internally. The VMI may say to the business unit, procurement, or another department, "We're going to start running some QBRs for our strategic vendors." The typical response is, "There's no need; we already run QBRs/top-to-top meetings with our important vendors." This may be accompanied by an invitation to join their meeting, where you may be an afterthought, have no influence, and get five minutes at the end to talk about your agenda items. Keep your BAM separate so that it meets your needs.

Step 2.4 – Business alignment meeting agenda (cont'd)

Craft an agenda that meets the needs of the VMI

As previously noted, using the term BAM more accurately depicts the nature of the VMI meeting and prevents confusion internally with other meetings already occurring. In addition, hosting the BAM yourself rather than piggybacking onto another meeting ensures that the VMI's needs are met. The VMI will set and control the BAM agenda and determine the invite list for internal personnel and vendor personnel. As you may have figured out by now, having the right customer and vendor personnel attend will be essential.

BAMs are conducted at the vendor level, not the contract level. As a result, the frequency of the BAMs will depend on the vendor's classification category (see Steps 2.1 and 3.1). General frequency guidelines are provided below, but they can be modified to meet your goals:

• Commodity vendors – Not applicable
• Operational vendors – Biannually or annually
• Strategic vendors – Quarterly
• Tactical vendors – Quarterly or biannually

BAMs can help you achieve some additional benefits not previously mentioned:

• Foster a collaborative relationship with the vendor.
• Avoid erroneous assumptions by the parties.
• Capture and provide a record of the relationship (and other items) over time.

Step 2.4 – Business alignment meeting agenda (cont'd)

Craft an agenda that meets the needs of the VMI

As with any meeting, building the proper agenda will be one of the keys to an effective and efficient meeting. A high-level BAM agenda with sample topics is set out below:

BAM Agenda

• Opening remarks
  • Welcome and introductions
  • Review of previous minutes
• Active discussion
  • Review of open issues
  • Scorecard and feedback
  • Current status of projects to ensure situational awareness by the vendor
  • Roadmap/strategy/future projects
  • Accomplishments
• Closing remarks
  • Reinforce positives (good behavior, results, and performance, value added, and expectations exceeded)
  • Recap
• Adjourn

2.4.1 – Business alignment meeting agenda

20 – 45 Minutes

1. Meet with the participants and review the sample agenda in Phase 2 Tools and Templates Compendium – Tab 2.4 BAM Agenda.
2. Using the sample agenda as inspiration and brainstorming activities as needed, create a BAM agenda tailored to your needs.
   1. Select the items from the sample agenda applicable to your situation.
   2. Add any items required based on your brainstorming.
   3. Add the feedback questions identified during Activity 2.3.2 and documented in Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback.
3. Gain input and approval from sponsors, stakeholders, and executives as required or appropriate.
4. Document the final BAM agenda in Phase 2 Tools and Templates Compendium –Tab 2.4 BAM Agenda.

Input

• Brainstorming
• Phase 2 Tools and Templates Compendium – Tab 2.3 Feedback

Output

• Configured BAM agenda

Materials

• Phase 2 Tools and Templates Compendium – Tab2 .4 BAM Agenda

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 2 Tools and Templates Compendium

Step 2.5 – Relationship alignment document

Draft a document to convey important VMI information to your vendors

Throughout this blueprint, alignment is mentioned directly (e.g. business alignment meetings [Steps 2.4 and 3.3]) or indirectly implied. Ensuring you and your vendors are on the same page, have clear and transparent communication, and understand each other's expectations is critical to fostering strong relationships. One component of gaining and maintaining alignment with your vendors is the Relationship Alignment Document (RAD). Depending upon the Scope of your VMI and what your organization already has in place, your RAD will fill in the gaps on various topics.

Early in the VMI's maturation, the easiest approach is to develop a short document (1 one page) or a pamphlet (i.e. the classic trifold) describing the rules of engagement when doing business with your organization. The RAD can convey expectations, policies, guidelines, and other items. The scope of the document will depend on:

1. What you believe is important for the vendors to understand.
2. Any other similar information already provided to the vendors.

The first step to drafting a RAD is to identify what information vendors need to know to stay on your good side. You may want vendors to know about your gift policy (e.g. employees may not accept vendor gifts above a nominal value, such as a pen or mousepad). Next, compare your list of what vendors need to know and determine if the content is covered in other vendor-facing documents such as a vendor code of conduct or your website's vendor portal. Lastly, create your RAD to bridge the gap between what you want and what is already in place. In some instances, you may want to include items from other documents to reemphasize them with the vendor community.

Info-Tech Insight

The RAD can be used with all vendors regardless of classification category. It can be sent directly to the vendors or given to them during vendor orientation (see Step 3.3)

2.5.1 – Relationship alignment document

1 to 4 Hours

1. Meet with the participants and review the RAD sample and checklist in Phase 2 Tools and Templates Compendium – Tab 2.5 Relationship Alignment Doc.
2. Determine:
   1. Whether you will create one RAD for all vendors or one RAD for strategic vendors and another RAD for tactical and operational vendors; whether you will create a RAD for commodity vendors.
   2. The concepts you want to include in your RAD(s).
   3. The format for your RAD(s) – traditional, pamphlet, or other.
   4. Whether signoff or acknowledgement will be required by the vendors.
3. Draft your RAD(s) and work with other internal areas, such as Marketing to create a consistent brand for the RADS, and Legal to ensure consistent use and preservation of trademarks or other intellectual property rights and other legal issues.
4. Review other vendor-facing documents (e.g. supplier code of conduct, onsite safety and security protocols) for consistencies between them and the RAD(s).
5. Obtain signoff on the RAD(s) from stakeholders, sponsors, executives, Legal, Marketing, and others as needed.

Input

• Brainstorming
• Vendor-facing documents, policies, and procedures

Output

• Completed Relationship Alignment Document(s)

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.5 Relationship Alignment Doc

Participants

• VMI team
• Marketing, as needed
• Legal, as needed

Download the Info-Tech Phase 2 Tools and Templates Compendium

Step 2.6 – Vendor orientation

Create a VMI awareness process to build bridges with your vendors

Your organization is unique. It may have many similarities with other organizations, but your culture, risk tolerance, mission, vision, and goals, finances, employees, and "customers" (those that depend on you) make it different. The same is true of your VMI. It may have similar principles, objectives, and processes to other organizations' VMIs, but yours is still unique. As a result, your vendors may not fully understand your organization and what vendor management means to you.

Vendor orientation is another means to helping you gain and maintain alignment with your important vendors, educate them on what is important to you, and provide closure when/if the relationship with the vendor ends. Vendor orientation is comprised of three components, each with a different function:

• Orientation
• Reorientation
• Debrief

Vendor orientation focuses on the vendor management pieces of the puzzle (e.g. the scorecard process) rather than the operational pieces (e.g. setting up a new vendor in the system to ensure invoices are processed smoothly).

Step 2.6 – Vendor orientation (cont'd)

Create a VMI awareness process to build bridges with your vendors

Reorientation

• Reorientation is either identical or similar to orientation, depending upon the circumstances. Reorientation occurs for several reasons, and each reason will impact the nature and detail of the reorientation content. Reorientation occurs whenever:
• There is a significant change in the vendor's products or services.
• The vendor has been through a merger, acquisition, or divestiture.
• A significant contract renewal/renegotiation has recently occurred.
• Sufficient time has passed from orientation; commonly 2 to 3 years.
• The vendor has been placed in a "performance improvement plan" or "relationship improvement plan" protocol.
• Significant turnover has occurred within your organization (executives, key stakeholders, and/or VMI personnel).
• Substantial turnover has occurred at the vendor at the executive or account management level.
• The vendor has changed vendor classification categories after the most current classification.
• As the name implies, the goal is to refamiliarize the vendor with your current VMI situation, governances, protocols, and expectations. The drivers for reorientation will help you determine the reorientation's scope, scale, and frequency.

Step 2.6 – Vendor orientation (cont'd)

Create a VMI awareness process to build bridges with your vendors

Debrief

To continue the analogy from orientation, debrief is like an exit interview for an employee when their employment is terminated. In this case, debrief occurs when the vendor is no longer an active vendor with your organization - all contracts have terminated or expired, and no new business with the vendor is anticipated within the next three months.

Similar to orientation and reorientation, debrief activities will be based on the vendor's classification category within the COST model. Strategic vendors don't go away very often; usually, they transition to operational or tactical vendors first. However, if a strategic vendor is no longer providing products or services to you, dig a little deeper into their experiences and allocate extra time for the debrief meeting.

The debrief should provide you with feedback on the vendor's experience with your organization and their participation in your VMI. Additionally, it can provide closure for both parties since the relationship is ending. Be careful that the debrief does not turn into a finger-pointing meeting or therapy session for the vendor. It should be professional and productive; if it is going off the rails, terminate the meeting before more damage can occur.

End the debrief on a high note if possible. Thank the vendor, highlight its key contributions, and single out any personnel who went above and beyond. You never know when you will be doing business with this vendor again – don't burn bridges!

Step 2.6 – Vendor orientation (cont'd)

Create a VMI awareness process to build bridges with your vendors

As you create your vendor orientation materials, focus on the message you want to convey.

• For orientation and reorientation:
  • What is important to you that vendors need to know?
  • What will help the vendors understand more about your organization and your VMI?
  • What and how are you different from other organizations overall, and in your "industry"?
  • What will help them understand your expectations?
  • What will help them be more successful?
  • What will help you build the relationship?
• For debrief:
  • What information or feedback do you want to obtain?
  • What information or feedback to you want to give?

The level of detail you provide strategic vendors during orientation and reorientation may be different from the information you provide tactical and operational vendors. Commodity vendors are not typically involved in the vendor orientation process. The orientation meetings can be conducted on a one-to-one basis for strategic vendors and a one-to-many basis for operational and tactical vendors; reorientation and debrief are best conducted on a one-to-one basis. Lastly, face-to-face or video meetings work best for vendor orientation; voice-only meetings, recorded videos, or distributing only written materials seldom hit their mark or achieve the desired results.

Step 2.7 – Three-year roadmap

Plot your path at a high level

1. The VMI exists in many planes concurrently:
2. It operates both tactically and strategically.

It focuses on different timelines or horizons (e.g., the past, the present, and the future). Creating a three-year roadmap facilitates the VMI's ability to function effectively across these multiple landscapes.

The VMI roadmap will be influenced by many factors. The work product from Phase 1 – Plan, input from executives, stakeholders, and internal clients, and the direction of the organization are great sources of information as you begin to build your roadmap.

To start, identify what you would like to accomplish in year 1. This is arguably the easiest year to complete: budgets are set (or you have a good idea what the budget will look like), personnel decisions have been made, resources have been allocated, and other issues impacting the VMI are known with a higher degree of certainty than any other year. This does not mean things won't change during the first year of the VMI, but expectations are usually lower, and the short event horizon makes things more predictable during the year-1 ramp-up period.

Years 2 and 3 are more tenuous, but the process is the same: identify what you would like to accomplish or roll out in each year. Typically, the VMI maintains the year-1 plan into subsequent years and adds to the scope or maturity. For example, you may start year 1 with BAMs and scorecards for three of your strategic vendors; during year 2, you may increase that to five vendors; and during year 3, you may increase that to nine vendors. Or, you may not conduct any market research during year 1, waiting to add it to your roadmap in year 2 or 3 as you mature.

Breaking things down by year helps you identify what is important and the timing associated with your priorities. A conservative approach is recommended. It is easy to overcommit, but the results can be disastrous and painful.

2.7.1 – Three-year roadmap

45 – 90 Minutes

1. Meet with the participants and decide how to coordinate year 1 of your three-year roadmap with your existing fiscal year or reporting year. Year 1 may be shorter or longer than a calendar year.
2. Review the VMI activities listed in Phase 2 Tools and Templates Compendium – Tab 2.7 Three-year roadmap. Use brainstorming and your prior work product from Phase 1 and Phase 2 to identify additional items for the roadmap and add them at the bottom of the spreadsheet.
3. Starting with the first activity, determine when that activity will begin and put an X in the corresponding column; if the activity is not applicable, leave it blank or insert N/A.
4. Go back to the top of the list and add information as needed.
   1. For any year-1 or year-2 activities, add an X in the corresponding columns if the activity will be expanded/continued in subsequent periods (e.g., if a Year 2 activity will continue in year 3, put an X in year 3 as well).
   2. Use the comments column to provide clarifying remarks or additional insights related to your plans or "X's". For example, "Scorecards begin in year 1 with three vendors and will roll out to five vendors in year 2 and nine vendors in year 3."
5. Obtain signoff from stakeholders, sponsors, and executives as needed.

Input

• Phase 1 work product
• Steps 2.1 – 2.6 work product
• Brainstorming

Output

• High level three-year roadmap for the VMI

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.7 Three-Year Roadmap

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 2 Tools and Templates Compendium

Step 2.8 – 90-day plan

Pave your short-term path with a series of detailed quarterly plans

Now that you have prepared a three-year roadmap, it's time to take the most significant elements from the first year and create action plans for each three-month period. Your first 90-day plan may be longer or shorter if you want to sync to your fiscal or calendar quarters. Aligning with your fiscal year can make it easier for tracking and reporting purposes; however, the more critical item is to make sure you have a rolling series of four 90-day plans to keep you focused on the important activities and tasks throughout the year.

The 90-day plan is a simple project plan that will help you measure, monitor, and report your progress. Use the Info-Tech tool to help you track:

Activities.

• Tasks comprising each activity.
• Who will be performing the tasks.
• An estimate of the time required per person per task.
• An estimate of the total time to achieve the activity.
• A due date for the activity.
• A priority of the activity.

The first 90-day plan will have the greatest level of detail and should be as thorough as possible; the remaining three 90-day plans will each have less detail for now. As you approach the middle of the first 90-day plan, start adding details to the next 90-day plan; toward the end of the first quarter add a high-level 90-day plan to the end of the chain. Continue repeating this cycle each quarter and consult the three-year roadmap and the leadership team, as necessary.

2.8.1 – 90-day plan

45 – 90 Minutes

1. Meet with the participants and decide how to coordinate the first "90-day" plan with your existing fiscal year or reporting cycles. Your first plan may be shorter or longer than 90 days.
2. Looking at the year-1 section of the three-year roadmap, identify the activities that will be started during the next 90 days.
3. Using the Phase 2 Tools and Templates Compendium – Tab 2.8 90-Day Plan, enter the following information into the spreadsheet for each activity to be accomplished during the next 90 days:
   1. Activity description.
   2. Tasks required to complete the activity (be specific and descriptive).
   3. The people who will be performing each task.
   4. The estimated number of hours required to complete each task.
   5. The start date and due date for each task or the activity.
4. Validate the tasks are a complete list for each activity and the people performing the tasks have adequate time to complete the tasks by the due date(s).
5. Assign a priority to each Activity.

Input

• Three-Year Roadmap
• Phase 1 work product
• Steps 2.1 – 2.7 work product
• Brainstorming

Output

• Detailed plan for the VMI for the next quarter or "90" days

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.8 90-Day Plan

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 2 Tools and Templates Compendium

Step 2.9 – Quick wins

Identify potential short-term successes to gain momentum and show value immediately

As the final step in the timeline trilogy, you are ready to identify some quick wins for the VMI. Using the first 90-day plan and a brainstorming activity, create a list of things you can do in 15 to 30 days that add value to your initiative and build momentum.

As you evaluate your list of potential candidates, look for things that:

• Are achievable within the stated timeline.
• Don't require a lot of effort.
• Involve stopping a certain process, activity, or task; this is sometimes known as a "stop doing stupid stuff" approach.
• Will reduce or eliminate inefficiencies; this is sometimes known as the war on waste.
• Have a moderate to high impact or bolster the VMI's reputation.

As you look for quick wins, you may find that everything you identify does not meet the criteria. That's okay; don't force the issue. Return your focus to the 90-day plan and three-year roadmap and update those documents if the brainstorming activity associated with Step 2.9 identified anything new.

2.9.1 – Quick wins

15 - 30 Minutes

1. Meet with the participants and review the three-year roadmap and 90-day plan. Determine if any item on either document can be completed:
   1. Quickly (30 days or less).
   2. With minimal effort.
   3. To provide or show moderate to high levels of value or provide the VMI with momentum.
2. Brainstorm to identify any other items that meet the criteria in step 1 above.
3. Compile a comprehensive list of these items and select up to five to pursue.
4. Document the list in the Phase 2 Tools and Templates Compendium – Tab 2.9 Quick Wins.
5. Manage the quick wins list and share the results with the VMI team and applicable stakeholders and executives.

Input

• Three-Year Roadmap
• 90-Day Plan
• Brainstorming

Output

• A list of activities that require low levels of effort to achieve moderate to high levels of value in a short period

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.9 Quick Wins

Participants

• VMI team

Download the Info-Tech Phase 2 Tools and Templates Compendium

Step 2.10 – Reports

Construct your reports to resonate with your audience

Issuing reports is a critical piece of the VMI since the VMI is a conduit of information for the organization. It may be aggregating risk data from internal areas, conducting vendor research, compiling performance data, reviewing market intelligence, or obtaining relevant statistics, feedback, comments, facts, and figures from other sources. Holding onto this information minimizes the impact a VMI can have on the organization; however, the VMI's internal clients, stakeholders, and executives can drown in raw data and ignore it completely if it is not transformed into meaningful, easily-digested information.

Before building a report, think about your intended audience:

• What information are they looking for? What will help them understand the big picture?
• What level of detail is appropriate, keeping in mind the audience may not be like-minded?
• What items are universal to all the readers and what items are of interest to one or two readers?
• How easy or hard will it be to collect the data? Who will be providing it, and how time consuming will it be?
• How accurate, valid, and timely will the data be?
• How frequently will each report need to be issued?

Step 2.10 – Reports (cont'd)

Construct your reports to resonate with your audience

Use the following guidelines to create reports that will resonate with your audience:

• Value information over data, but sometimes data does have a place in your report.
• Use pictures, graphics, and other representations more than words, but words are often necessary in small, concise doses.
• Segregate your report by user; for example, general information up top, CIO information below that on the right, CFO information to the left of CIO information, etc.
• Send a draft report to the internal audience and seek feedback, keeping in mind you won't be able to cater to or please everyone.

2.10.1 – Reports

15 – 45 Minutes

1. Meet with the participants and review the applicable work product from Phase 1 and Phase 2; identify qualitative and quantitative items the VMI measures, monitors, tracks, or aggregates.
2. Determine which items will be reported and to whom (by category):
   1. Internally to personnel within the VMI.
   2. Internally to personnel outside the VMI.
   3. Externally to vendors.
3. Within each category above, determine your intended audiences/recipients. For example, you may have a different list of recipients for a risk report than you do a scorecard summary report. This will help you identify the number of reports required.
4. Create a draft structure for each report based on the audience and the information being conveyed. Determine the frequency of each report and person responsible for creating for each report.
5. Document your final choices in Phase 2 Tools and Templates Compendium – Tab 2.10 Reports.

Input

• Brainstorming
• Phase 1 work product
• Steps 2.1 – 2.11 work product

Output

• A list of reports used by the VMI
• For each report
  • The conceptual content
  • A list of who will receive or have access
  • A creation/distribution frequency

Materials

• Phase 2 Tools and Templates Compendium – Tab 2.10 Reports

Participants

• VMI team
• Applicable stakeholders and executives (as needed)

Download the Info-Tech Phase 2 Tools and Templates Compendium

Phase 3 - Run

Implement your processes and leverage your tools and templates

This phase will walk you through the following activity:

• Beginning to operate the VMI. The main outcomes from this phase are guidance and the steps required to initiate your VMI.

This phase involves the following participants:

• VMI team
• Applicable stakeholders and executives
• Others as needed

Vendor Management Initiative Basics for the Small/Medium Businesses

Phase 3 – Run

Implement your processes and leverage your tools and templates

All the hard work invested in Phase 1 – Plan and Phase 2 – Build begins to pay off in Phase 3 – Run. It's time to stand up your VMI and ensure that the proper level of resources is devoted to your vendors and the VMI itself. There's more hard work ahead, but the foundational elements are in place. This doesn't mean there won't be adjustments and modifications along the way, but you are ready to use the tools and templates in the real world; you are ready to begin reaping the fruits of your labor.

Phase 3 – Run guides you through the process of collecting data, monitoring trends, issuing reports, and conducting effective meetings to:

• Manage risk better.
• Improve vendor performance.
• Improve vendor relationships.
• Identify areas where the parties can improve.
• Improve communication between the parties.
• Increase the value proposition with your vendors.

Step 3.1 – Classify vendors

Begin classifying your top 25 vendors by spend

Step 3.1 sets the table for many of the subsequent steps in Phase 3 – Run. The results of your classification process will determine which vendors go through the scorecarding process (Step 3.2); which vendors participate in BAMs (Step 3.3), and which vendors you will devote relationship-building resources to (Step 3.6).

As you begin classifying your vendors, Info-Tech recommends using an iterative approach initially to validate the results from the classification model you configured in Step 2.1.

1. Identify your top 25 vendors by spend.
2. Run your top 10 vendors by spend through the classification model and review the results.
   1. If the results are what you expected and do not contain any significant surprises, go to 3. on the next page.
   2. If the results are not what you expected or do contain significant surprises, look at the configuration page of the tool (Tab 1) and adjust the weights or the spend categories slightly. Be cautious in your evaluation of the results before modifying the configuration page - some legitimate results are unexpected, or are surprises based on bias. If you modify the weighting, review the new results and repeat your evaluation. If you modify the spend categories, review the answers on the vendor tabs to ensure that the answers are still accurate; review the new results and repeat your evaluation.

Step 3.1 – Classify vendors (cont'd)

Review your results and adjust the classification tool as needed

3. Run your top 11-through-25 vendors by spend through the classification model and review the results. Identify any unexpected results. Determine if further configuration makes sense and repeat the process outlined in 2.b., previous page, as necessary. If no further modifications are required, continue to 4., below.
4. Share the preliminary results with the leadership team, executives, and stakeholders to obtain their approval or adjustments to the results.
   1. They may have questions and want to understand the process before approving the results.
   2. They may request that you move a vendor from one quadrant to another based on your organization's roadmap, the vendor's roadmap, or other information not available to you.
5. Identify the vendors that will be part of the VMI at this stage – how many and which ones. Based on this number and the VMI's scope (Step 1.2), make sure you have the resources necessary to accommodate the number of vendors participating in the VMI. Proceed cautiously and gradually increase the number of vendors participating in the VMI.

Step 3.1 – Classify vendors (cont'd)

Finalize the results and update VMI tools and templates

6. Update the vendor inventory tool (Step 1.7) to indicate the current classification status for the top 25 vendors by spend. Once your vendors have been classified, you can sort the vendor inventory tool by classification status to see all the vendors in that category at once.
7. Review your three-year roadmap (Step 2.9) and 90-day plans (Step 2.6) to determine if any modifications are needed to the activities and timelines.

Additional classification considerations:

• You should only have a few vendors that fit in the strategic category. As a rough guideline, no more than 5% to 10% of your IT vendors should end up in the strategic category. If you have many vendors, even 5% may be too many. the classification model is an objective start to the classification process, but common sense must prevail over the "math" at the end of the day.
• At this point, there is no need to go beyond the top 25 by spend. Most VMIs starting out can't handle more than three to five strategic vendors initially. Allow the VMI to run a pilot program with a small sample size, work out any bugs, make adjustments, and then ramp up the VMI's rollout in waves. Vendors can be added quarterly, biannually, or annually, depending upon the desired goals and available resources.

Step 3.1 – Classify vendors (cont'd)

Align your vendor strategy to your classification results

As your VMI matures, additional vendors will be part of the VMI. Review the table below and incorporate the applicable strategies into your deployment of vendor management principles over time. Stay true to your mission, goals, and scope, and remember that not all your vendors are of equal importance.

Step 3.1 – Classify vendors (cont'd)

Be careful when using the word "partner" with your strategic and other vendors

For decades, vendors have used the term "partner" to refer to the relationship they have with their clients and customers. This is often an emotional ploy used by the vendors to get the upper hand. To fully understand the terms "partner" and "partnership", let's evaluate them through two more objective, less cynical lenses.

If you were to talk to your in-house or outside legal counsel, you may be told that partners share in profits and losses, and they have a fiduciary obligation to each other. Unless there is a joint venture between the parties, you are unlikely to have a partnership with a vendor from this perspective.

What about a "business" partnership — one that doesn't involve sharing profits and losses? What would that look like? Here are some indicators of a business partnership (or preferably a strategic alliance):

• Trust and transparent communication exist.
• You have input into the vendor's roadmap for products and services.
• The vendor is aligned with your desired outcomes and helps you achieve success.
• You and the vendor are accountable for actions and inactions, with both parties being at risk.
• There is parity in the peer-to-peer relationships between the organizations (e.g. C-Level to C-Level).
• The vendor provides transparency in pricing models and proactively suggests ways for you to reduce costs.
• You and the vendor work together to make each party better, providing constructive feedback on a regular basis.
• The vendor provides innovative suggestions for you to improve your processes, performance, the bottom line, etc.
• Negotiations are not one-sided; they are meaningful and productive, resulting in an equitable distribution of money and risk.

Step 3.1 – Classify vendors (cont'd)

Understand the implications and how to leverage the words "partner" and "partnership"

By now you might be thinking, "What's all the fuss? Why does it matter?" At Info-Tech, we've seen firsthand how referring to the vendor as a partner can have the following impact:

• Confidences are disclosed unnecessarily.
• Negotiation opportunities and leverage are lost.
• Vendors no longer have to earn the customer's business.
• Vendor accountability is missing due to shared responsibilities.
• Competent skilled vendor resources are assigned to other accounts.
• Value erodes over time since contracts are renewed without being competitively sourced.
• One-sided relationships are established, and false assurances are provided at the highest levels within the customer organization.

Proceed with caution when using partner or partnership with your vendors. Understand how your organization benefits from using these terms and mitigate the negatives outlined above by raising awareness internally to ensure people understand the psychology behind the terms. Finally, use the term to your advantage when warranted by referring to the vendor as a partner when you want or need something that the vendor is reluctant to provide. Bottom line: be strategic in how you refer to vendors and know the risks.

Step 3.2 – Compile scorecards

Begin scoring your top vendors

The scorecard process typically is owned and operated by the VMI, but the actual rating of the criteria within the measurement categories is conducted by those with day-to-day interactions with the vendors, those using or impacted by the services and products provided by the vendors, and those with the skills to research other information on the scorecard (e.g. risk). Chances are one person will not be able to complete an entire scorecard by themselves. As a result, the scorecard process is a team sport comprised of sub-teams where necessary.

The VMI will compile the scores, calculate the final results, and aggregate all the comments into one scorecard. There are two common ways to approach this task:

1. Send out the scorecard template to those who will be scoring the vendor and ask them to return it when completed, providing them with a due date a few days before you need it; you'll need time to compile, calculate, and aggregate.
2. Invite those who will be scoring the vendor to a meeting and let the contributors use that time to score the vendors; make VMI team members available to answer questions and facilitate the process.

Step 3.2 – Compile scorecards (cont'd)

Gather input from stakeholders and others impacted by the vendors

Since multiple people will be involved in the scorecarding process or have information to contribute, the VMI will have to work with the reviewers to ensure he right mix of data is provided. For example:

• If you are tracking lawsuits filed by or against the vendor, one person from Legal may be able to provide that, but they may not be able to evaluate any other criteria on the scorecard.
• If you are tracking salesperson competencies, multiple people from multiple areas may have valuable insights.
• If you are tracking deliverable timeliness, several project managers may want to contribute across several projects.

Where one person is contributing exclusively to limited criteria, make it easy for them to identify the criteria they are to evaluate. When multiple people from the same functional area will provide insights, they can contribute individually (and the VMI will average their responses) or they can respond collectively after reaching consensus as a group.

After the VMI has compiled, calculated, and aggregated, share the results with executives, impacted stakeholders, and others who will be attending the BAM for that vendor. Depending upon the comments provided by internal personnel, you may need to create a sanitized version of the scorecard for the vendor.

Make sure your process timeline has a buffer built in. You'll be sending the final scorecard to the vendor three to five days before the BAM, and you'll need some time to assemble the results. The scorecarding process can be perceived as a low-priority activity for people outside of the VMI, and other "priorities" will arise for them. Without a timeline buffer, the VMI may find itself behind schedule and unprepared, due to things beyond its control.

Step 3.3 – Conduct business alignment meetings

Determine which vendors will participate and how long the meetings will last

At their core, BAMs aren't that different from any other meeting. The basics of running a meeting still apply, but there are a few nuances that apply to BAMs. Set out below are leading practices for conducing your BAMs; adapt them to meet your needs and suit your environment.

Who

Initially, BAMs are conducted with the strategic vendors in your pilot program. Over time you'll add vendors until all your strategic vendors are meeting with you quarterly. After that, roll out the BAMs to those tactical and operational vendors located close to the strategic quadrant in the classification model (Steps 2.1 and 3.1) and as VMI resources allow. It may take several years before you are holding regular BAMs with all your strategic, tactical, and operational vendors.

Duration

Keep the length of your meetings reasonable. The first few with a vendor may need to be 60 to 90 minutes long. After that, you should be able to trim them to 45 minutes to 60 minutes. The BAM does not have to fill the entire time. When you are done, you are done.

Step 3.3 – Conduct business alignment meetings (cont'd)

Identify who will be invited and send out invitations

Invitations

Set up a recurring meeting whenever possible. Changes will be inevitable but keeping the timeline regular works to your advantage. Also, the vendors included in your initial BAMs won't change for twelve months. For the first BAM with a vendor, provide adequate notice; four weeks is usually sufficient, but calendars will fill up quickly for the main attendees from the vendor. Treat the meeting as significant and make sure your invitation reflects this. A simple meeting request will often be rejected, treated as optional, or ignored completely by the vendor's leadership team (and maybe yours as well!).

Invitees

Internal invitees should include those with a vested interest in the vendor's performance and the relationship. Other functional areas may be invited based on need or interest. Be careful the attendee list doesn't get too big. Based on this, internal BAM attendees often include representatives from IT, Sourcing/Procurement, and the applicable business units. At times, Finance and Legal are included.

From the vendor's side, strive to have decision makers and key leaders attend. The salesperson/account manager is often included for continuity, but a director or vice president of sales will have more insights and influence. The project manager is not needed at this meeting due to the nature of the meeting and its agenda; however, a director or vice president from the product or service delivery area is a good choice. Bottom line: get as high into the vendor's organization as possible whenever possible; look at the types of contracts you have with that vendor to provide guidance on the type of people to invite.

Step 3.3 – Conduct business alignment meetings (cont'd)

Prepare for the Meetings and Maintain Control

Preparation

Send the scorecard and agenda to the vendor five days prior to the BAM. The vendor should provide you with any information you require for the meeting five days prior, as well.

Decide who will run the meeting. Some customers like to lead, and others let the vendor present. How you craft the agenda and your preferences will dictate who runs the show.

Make sure the vendor knows what materials they should bring to the meeting or have access to. This will relate to the agenda and any specific requests listed under the discussion points. You don't want the vendor to be caught off guard and unable to discuss a matter of importance to you.

Running the BAM

Regardless of which party leads, make sure you manage the agenda to stay on topic. This is your meeting – not the vendor's, not IT's, not Procurement's or Sourcing's. Don't let anyone hijack it.

Make sure someone is taking notes. If you are running this virtually, consider recording the meeting. Check with your legal department first for any concerns, notices, or prohibitions that may impact your recording the session.

Remember, this is not a sales call, and it is not a social activity. Innovation discussions are allowed and encouraged, but that can quickly devolve into a sales presentation. People can be friendly toward one another, but the relationship building should not overwhelm the other purposes.

Step 3.3 – Conduct business alignment meetings (cont'd)

Follow these additional guidelines to maximize your meetings

More leading practices

• Remind everyone that the conversation may include items covered by various confidentiality provisions or agreements.
• Publish the meeting minutes on a timely basis (within 48 hours).
• Focus on the bigger picture by looking at trends over time; get into the details only when warranted.
• Meet internally immediately beforehand to prepare – don't go in cold. Review the agenda and the roles and responsibilities for the attendees.
• Physical meetings are better than virtual meetings, but travel constraints, budgets, and pandemics may not allow for physical meetings.

Final thoughts

• When performance or the relationship is suffering, be constructive in your feedback and conversations rather than trying to assign blame; lead with the carrot rather than the stick.
• Look for collaborative solutions whenever possible and avoid referencing the contract if possible. Communicate your willingness to help resolve outstanding issues.
• Use inclusive language and avoid language that puts the vendor on the defensive.
• Make sure that your meetings are not focused exclusively on the negative, but don't paint a rosy picture where one doesn't exist.
• A vendor that is doing well should be commended. This is an important part of relationship building.

Step 3.4 – Work the 90-day plan

Monitor your progress and share your results

Having a 90-day plan is a good start, but assuming the tasks on the plan will be accomplished magically or without any oversight can lead to failure. While it won't take a lot of time to work the plan, following a few basic guidelines will help ensure the 90-day plan gets results and wasn't created in vain.

1. Measure and track your progress against the initial/current 90-day plan at least weekly; with a short timeline, any delay can have a huge impact.
2. If adjustments are needed to any elements of the plan, understand the cause and the impact of those adjustments before making them.
3. Make adjustments ONLY when warranted. The temptation will be to push activities and tasks further out on the timeline (or to the next 90-day plan!) when there is any sort of hiccup along the way, especially when personnel outside the VMI are involved. Hold true to the timeline whenever possible; once you start slipping, it often becomes a habit.
4. Report on progress every week and hold people accountable for their assignments and contributions.
5. Take the 90-day plan seriously and treat it as you would any significant project. This is part of the VMI's branding and image.

Step 3.5 – Manage the three-year roadmap

Keep an eye on the future since it will feed the present

The three-year roadmap is a great planning tool, but it is not 100% reliable. There are inherent flaws and challenges. Essentially, the roadmap is a set of three "crystal balls" attempting to tell you what the future holds. The vision for year 1 may be clear, but for each subsequent year, the crystal ball becomes foggier. In addition, the timeline is constantly changing; before you know it, tomorrow becomes today and year 2 becomes year 1.

To help navigate through the roadmap and maximize its potential, follow these principles:

• Manage each year of the roadmap differently.
  • Review the year-1 map each quarter to update your 90-day plans (See steps 2.10 and 3.4).
  • Review the year-2 map every six months to determine if any changes are necessary. As you cycle through this, your vantage point of year 2 will be 6 months or 12 months away from the beginning of year 2, and time moves quickly.
  • Review the year-3 map annually, and determine what needs to be added, changed, or deleted. Each time you review year 3, it will be a "new" year 3 that needs to be built.
• Analyze the impact on the proposed modifications from two perspectives: 1) What is the impact if a requested modification is made? 2) What is the impact if a requested modification is not made?
• Validate all modifications with leadership and stakeholders before updating the three-year roadmap to ensure internal alignment.

Step 3.6 – Develop/improve vendor relationships

Drive better performance through better relationships

One of the key components of a VMI is relationship management. Good relationships with your vendors provide many benefits for both parties, but they don't happen by accident. Do not assume the relationship will be good or is good merely because your organization is buying products and services from a vendor.

In many respects, the VMI should mirror a vendor's sales organization by establishing relationships at multiple levels within the vendor organizations, not just with the salesperson or account manager. Building and maintaining relationships is hard work, but the return on investment makes it worthwhile.

Business relationships are comprised of many components, not all of which must be present to have a great relationship. However, there are some essential components. Whether you are trying to develop, improve, or maintain a relationship with a vendor, make sure you are conscious of the following:

• Focusing your energies on strategic vendors first and then tactical and operational vendors.
• Being transparent and honest in your communications.
• Continuously building trust by being responsive and honoring commitments (timely).
• Creating a collaborative environment and build upon common ground.
• Thanking the vendor when appropriate.
• Resolving disputes early, avoiding the "blame game", and being objective when there are disagreements.

Phase 4 - Review

Keep your VMI up to date and running smoothly

This phase will walk you through the following activity:

• Helping the VMI identify what it should stop doing, start doing, and continue doing as it improves and matures. The main outcomes from this phase are ways to advance the VMI and maintain internal alignment.

This phase involves the following participants:

• VMI team
• Applicable stakeholders and executives
• Others as needed

Vendor Management Initiative Basics for the Small/Medium Businesses

Phase 4 – Review

Keep your VMI up to date and running smoothly

As the adage says, "The only thing constant in life is change." This is particularly true for your VMI. It will continue to mature, people inside and outside of the VMI will change, resources will expand or contract from year to year, your vendor base will change. As a result, your VMI needs the equivalent of a physical every year. In place of bloodwork, x-rays, and the other paces your physician may put you through, you'll assess compliance with your policies and procedures, incorporate leading practices, leverage lessons learned, maintain internal alignment, and update governances.

Be thorough in your actions during this Phase to get the most out of it. It requires more than the equivalent of gauging a person's health by taking their temperature, measuring their blood pressure, and determining their body mass index. Keeping your VMI up-to-date and running smoothly takes hard work.

Some of the items presented in this Phase require an annual review; others may require quarterly review or timely review (i.e. when things are top of mind and current). For example, collecting lessons learned should happen on a timely basis rather than annually, and classifying your vendors should occur annually rather than every time a new vendor enters the fold.

Ultimately, the goal is to improve over time and stay aligned with other areas internally. This won't happen by accident. Being proactive in the review of your VMI further reinforces the nature of the VMI itself – proactive vendor management, not reactive!

Step 4.1 – Incorporate leading practices

Identify and evaluate what external VMIs are doing

The VMI's world is constantly shifting and evolving. Some changes will take place slowly, while others will occur quickly. Think about how quickly the cloud environment has changed over the past five years versus the 15 years before that; or think about issues that have popped up and instantly altered the landscape (we're looking at you COVID and ransomware). As a result, the VMI needs to keep pace, and one of the best ways to do that is to incorporate leading practices.

At a high level, a leading practice is a way of doing something that is better at producing a particular outcome or result or performing a task or activity than other ways of proceeding. The leading practice can be based on methodologies, tools, processes, procedures, and other items. Leading practices change periodically due to innovation, new ways of thinking, research, and other factors. Consequently, a leading practice is to identify and evaluate leading practices each year.

Step 4.1 – Incorporate leading practices (cont'd)

Update your VMI based on your research

• A simple approach for incorporating leading practices into your regular review process is set out below:
• Research:
  • What other VMIs in your industry are doing.
  • What other VMIs outside your industry are doing.
  • Vendor management in general.
• Based on your results, list specific leading practices others are doing that would improve your VMI (be specific – e.g. other VMIs are incorporating risk into their classification process).
• Evaluate your list to determine which of these potential changes fit or could be modified to fit your culture and environment.
• Recommend the proposed changes to leadership (with a short business case or explanation/justification, as needed) and gain approval.

Remember: Leading practices or best practices may not be what is best for you. In some instances, you will have to modify them to fit in your culture and environment; in other instances, you will elect not to implement them at all (in any form).

Step 4.2 – Leverage lessons learned

Tap into the collective wisdom and experience of your team members

There are many ways to keep your VMI running smoothly, and creating a lessons learned library is a great complement to the other ways covered in this Phase 4 - Review. By tapping into the collective wisdom of the team and creating a safe feedback loop, the VMI gains the following benefits:

• Documented institutional wisdom and knowledge normally found only in the team members' brains.
• The ability for one team member to gain insights and avoid mistakes without having to duplicate the events leading to the insights or mistakes.
• Improved methodologies, tools, processes, procedures, skills, and relationships.

Many of the processes raised in this Phase can be performed annually, but a lessons learned library works best when the information is deposited in a timely manner. How you choose to set up your lessons learned process will depend on the tools you select and your culture. You may want to have regular input meetings to share the lessons as they are being deposited, or you may require team members to deposit lessons learned on a regular basis (within a week after they happen, monthly, or quarterly). Waiting too long can lead to vague or lost memories and specifics; timeliness of the deposits is a crucial element.

Step 4.2 – Leverage lessons learned (cont'd)

Create a library to share valuable information across the team

Lessons learned are not confined to identifying mistakes or dissecting bad outcomes. You want to reinforce good outcomes, as well. When an opportunity for a lessons-learned deposit arises, identify the following basic elements:

• A brief description of the situation and outcome.
• What went well (if anything) and why did it go well?
• What didn't go well (if anything) and why didn't it go well?
• What would/could you do differently next time?
• A synopsis of the lesson(s) learned.

Info-Tech Insights

The lessons learned library needs to be maintained. Irrelevant material needs to be culled periodically, and older or duplicate material may need to be archived.

the lessons learned process should be blameless. The goal is to share insightful information, not to reward or punish people based on outcomes or results.

Step 4.3 – Maintain internal alignment

Review the plans of other internal areas to stay in sync

Maintaining internal alignment is essential for the ongoing success of the VMI. Over time, it is easy to lose sight of the fact that the VMI does not operate in a vacuum; it is an integral component of a larger organization whose parts must work well together to function optimally. Focusing annually on the VMI's alignment within the enterprise helps reduce any breakdowns that could derail the organization.

To ensure internal alignment:

• Review the key components of the applicable materials from Phase 1 - Plan and Phase 2 - Build with the appropriate members of the leadership team (e.g. executives, sponsors, and stakeholders). Not every item from those Phases and Steps needs to be reviewed but err on the side of caution for the first set of alignment discussions, and be prepared to review each item. You can gauge the audience's interest on each topic and move quickly when necessary or dive deeper when needed. Identify potential changes required to maintain alignment.
• Review the strategic plans (e.g. 1-, 3-, and 5- year plans) for various portions of the organization if you have access to them or gather insights if you don't have access.
  • If the VMI is under the IT umbrella, review the strategic plans for IT and its departments.
  • Review the strategic plans for the areas the VMI works with (e.g. Procurement, Business Units).
  • The organization itself.
• Create and vet a list of modifications to the VMI and obtain approval.
• Develop a plan for making the necessary changes.

Summary of Accomplishment

Problem solved

Vendor management is a broad, often overwhelming, comprehensive spectrum that encompasses many disciplines. By now, you should have a great idea of what vendor management can or will look like in your organization. Focus on the basics first: Why does the VMI exist and what does it hope to achieve? What is it's scope? What are the strengths you can leverage, and what obstacles must you manage? How will the VMI work with others? From there, the spectrum of vendor management will begin to clarify and narrow.

Leverage the tools and templates from this blueprint and adapt them to your needs. They will help you concentrate your energies in the right areas and on the right vendors to maximize the return on your organization's investment in the VMI of time, money, personnel, and other resources. You may have to lead by example internally and with your vendors at first, but they will eventually join you on your path if you stay true to your course.

At the heart of a good VMI is the relationship component. Don't overlook its value in helping you achieve your vendor management goals. The VMI does not operate in a vacuum, and relationships (internal and external) will be critical.

Lastly, seek continual improvement from the VMI and from your vendors. Both parties should be held accountable, and both parties should work together to get better. Be proactive in your efforts, and you, the VMI, and the organization will be rewarded.

If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

Contact your account representative for more information

workshops@infotech.com
1-888-670-8889

Related Info-Tech Research

Prepare for Negotiations More Effectively
Don't leave negotiation preparations and outcomes to chance. Learn how to prepare for negotiations more effectively and improve your results.

Understand Common IT Contract Provisions to Negotiate More Effectively
Info-Tech's guidance and insights will help you navigate the complex process of contract review and identify the key details necessary to maximize the protections for your organization.

Capture and Market the ROI of Your VMO
Calculating the impact or value of a vendor management office (VMO) can be difficult without the right framework and tools. Let Info-Tech's tools and templates help you account for the contributions made by your VMO.

Bibliography

Slide 5 – ISG Index 4Q 2021, Information Services Group, Inc., 2022.

Slide 6 – ISG Index 4Q 2021, Information Services Group, Inc., 2022.

Slide 7 – Geller & Company. "World-Class Procurement — Increasing Profitability and Quality." Spend Matters. 2003. Web. Accessed 4 Mar. 2019.

Slide 26 – Guth, Stephen. The Vendor Management Office: Unleashing the Power of Strategic Sourcing. Lulu.com, 2007. Print. Protiviti. Enterprise Risk Management. Web. 16 Feb. 2017.

Slide 34 – "Why Do We Perform Better When Someone Has High Expectations of Us?" The Decision Lab. Accessed January 31, 2022.

Slide 56 - Top 10 Tips for Creating Compelling Reports," October 11, 2019, Design Eclectic. Accessed March 29, 2022.

Slide 56 – "Six Tips for Making a Quality Report Appealing and Easy To Skim," Agency for Health Research and Quality. Accessed March 29, 2022.

Slide 56 –Tucker, Davis. Marketing Reporting: Tips to Create Compelling Reports, March 28, 2020, 60 Second Marketer. Accessed March 29, 2022.

The Small Enterprise Guide to People and Resource Management

Quickly start getting the right people, with the right skills, at the right time

Is this research right for you?

Research Navigation

Managing the people in your department is essential, whether you have three employees or 300. Depending on your available time, resources, and current workforce management maturity, you may choose to focus on the overall essentials, or dive deep into particular areas of talent management. Use the questions below to help guide you to the right Info-Tech resources that best align with your current needs.

Analyst Perspective

Workforce planning is even more important for small enterprises than large organizations.

It can be tempting to think of workforce planning as a bureaucratic exercise reserved for the largest and most formal of organizations. But workforce planning is never more important than in small enterprises, where every individual accounts for a significant portion of your overall productivity.

Without workforce planning, organizations find themselves in reactive mode, hiring new staff as the need arises. They often pay a premium for having to fill a position quickly or suffer productivity losses when a critical role goes unexpectedly vacant.

A workforce plan helps you anticipate these challenges, come up with solutions to mitigate them, and allocate resources for the most impact, which means a greater return on your workforce investment in the long run.

This blueprint will help you accomplish this quickly and efficiently. It will also provide you with the essential development and knowledge transfer tools to put your plan into action.

Jane Kouptsova
Senior Research Analyst, CIO Advisory
Info-Tech Research Group

Executive Summary

Your Challenge

52% of small business owners agree that labor quality is their most important problem.¹

Almost half of all small businesses face difficulty due to staff turnover.

76% of executives expect the talent market to get even more challenging.²

Common Obstacles

76% of executives expect workforce planning to become a top strategic priority for their organization.²

But…

30% of small businesses do not have a formal HR function.³

Small business leaders are often left at a disadvantage for hiring and retaining the best talent, and they face even more difficulty due to a lack of support from HR.

Small enterprises must solve the strategic workforce planning problem, but they cannot invest the same time or resources that large enterprises have at their disposal.

Info-Tech's Approach

A modular, lightweight approach to workforce planning and talent management, tailored to small enterprises

Clear activities that guide your team to decisive action

Founded on your IT strategy, ensuring you have not just good people, but the right people

Concise yet comprehensive, covering the entire workforce lifecycle from competency planning to development to succession planning and reskilling

Info-Tech Insight

Every resource counts. When one hire represents 10% of your workforce, it is essential to get it right.

¹CNBC & SurveyMonkey. ²ADP. ³Clutch.

Labor quality is small enterprise's biggest challenge

The key to solving it is strategic workforce planning

Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in today's workforce, including pinpointing the human capital needs of the future.

Linking workforce planning with strategic planning ensures that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.

SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.

¹CNBC & SurveyMonkey. ²Clutch. ³ADP.

Workforce planning matters more for small enterprises

You know that staffing mistakes can cost your department dearly. But did you know the costs are greater for small enterprises?

The price of losing an individual goes beyond the cost of hiring a replacement, which can range from 0.5 to 2 times that employee's salary (Gallup, 2019). Additional costs include loss of productivity, business knowledge, and team morale.

This is a major challenge for large organizations, but the threat is even greater for small enterprises, where a single individual accounts for a large proportion of IT's productivity. Losing one of a team of 10 means 10% of your total output. If that individual was solely responsible for a critical function, your department now faces a significant gap in its capabilities. And the effect on morale is much greater when everyone is on the same close-knit team.

And the threat continues when the staffing error causes you not to lose a valuable employee, but to hire the wrong one instead. When a single individual makes up a large percentage of your workforce, as happens on small teams, the effects of talent management errors are magnified.

Info-Tech Insight

One bad hire on a team of 100 is a problem. One bad hire on a team of 10 is a disaster.

Blueprint pre-step: Determine your starting point

People and Resource management is essential for any organization. But depending on your needs, you may want to start at different stages of the process. Use this slide as a quick reference for how the activities in this blueprint fit together, how they relate to other workforce management resources, and the best starting point for you.

Your IT strategy is an essential input to your workforce plan. It defines your destination, while your workforce is the vessel that carries you there. Ensure you have at least an informal strategy for your department before making major workforce changes, or review Info-Tech's guidance on IT strategy.

This blueprint covers the parts of workforce management that occur to some extent in every organization:

• Workforce planning
• Knowledge transfer
• Development planning

You may additionally want to seek guidance on contract and vendor management, if you outsource some part of your workload outside your core IT staff.

Track metrics

Consider these example metrics for tracking people and resource management success

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

“Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation

“Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop

“We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting

“Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks used throughout all four options

Guided Implementation

What does a typical GI on this topic look like?

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is between 4 to 6 calls over the course of 3 to 4 months.

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Workshop Overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Each onsite day is structured with group working sessions from 9-11 a.m. and 1:30-3:30 p.m. and includes Open Analyst Timeslots, where our facilitators are available to expand on scheduled activities, capture and compile workshop results, or review additional components from our comprehensive approach.

Phase 1

Workforce Planning

The Small Enterprise Guide to People and Resource Management

Phase Participants

• Leadership team
• Managers
• Human resource partner (if applicable)

Additional Resources

Workforce Planning Workbook for Small Enterprises

Phase pre-step: Gather resources and participants

1. Ensure you have an up-to-date IT strategy. If you don't have a formal strategy in place, ensure you are aware of the main organizational objectives for the next 3-5 years. Connect with executive stakeholders if necessary to confirm this information.
   If you are not sure of the organizational direction for this time frame, we recommend you consult Info-Tech's material on IT strategy first, to ensure your workforce plan is fully positioned to deliver value to the organization.
2. Consult with your IT team and gather any documentation pertaining to current roles and skills. Examples include an org chart, job descriptions, a list of current tasks performed/required, a list of company competencies, and a list of outsourced projects.
3. Gather the right participants. Most of the decisions in this section will be made by senior leadership, but you will also need input from front-line managers. Ensure they are available on an as-needed basis. If your organization has an HR partner, it can also be helpful to involve them in your workforce planning process.

Formal workforce planning benefits even small teams

Strategic workforce planning (SWP) is a systematic process designed to identify and address gaps in your workforce today and plan for the human capital needs of the future.

Your workforce plan is an extension of your IT strategy, ensuring that you have the right people in the right positions, in the right places, at the right time, with the knowledge, skills, and attributes to deliver on strategic business goals.

SWP helps you understand the makeup of your current workforce and how well prepared it is or isn't (as the case may be) to meet future IT requirements. By identifying capability gaps early, CIOs can prepare to train or develop current staff and minimize the need for severance payouts and hiring costs, while providing clear career paths to retain high performers.

The smaller the business, the more impact each individual's performance has on the overall success of the organization. When a given role is occupied by a single individual, the organization's performance in that function is determined wholly by one employee. Creating a workforce plan for a small team may seem excessive, but it ensures your organization is not unexpectedly hit with a critical competency gap.

Right-size your workforce planning process to the size of your enterprise

Small organizations are 2.2 times more likely to have effective workforce planning processes.¹ Be mindful of the opportunities and risks for organizations of your size as you execute the project. How you build your workforce plan will not change drastically based on the size of your organization; however, the scope of your initiative, the size of your team, and the tactics you employ may vary.

¹ McLean & Company Trends Report 2014

1.1 Set project outcomes and success metrics

1-3 hours

1. As a group, brainstorm key pain points that the IT department experiences due to the lack of a workforce plan. Ask them to consider turnover, retention, training, and talent acquisition.
2. Discuss any key themes that arise and brainstorm your desired project outcomes. Keep a record of these for future reference and to aid in stakeholder communication.
3. Break into smaller groups (or if too small, continue as a single group):
   1. For each desired outcome, consider what metrics you could use to track progress. Keep your initial list of pain points in mind as you brainstorm metrics.
   2. Write each of the metric suggestions on a whiteboard and agree to track 3-5 metrics. Set targets for each metric. Consider the effort required to obtain and track the metric, as well as its reliability.
   3. Assign one individual for tracking the selected metrics. Following the meeting, that individual will be responsible for identifying the baseline and targets, and reporting on metrics progress.

1.2 Identify key roles and competency gaps

1-3 hours

1. As a group, identify all strategic, core, and supporting roles by reviewing the organizational chart:
   1. Strategic: What are the roles that must be filled by top performers and cannot be left vacant in order to meet strategic objectives?
   2. Core: What roles are important to drive operational excellence?
   3. Supporting: What roles are required for day-to-day work, but are low risk if the role is vacant for a period of time?
2. Working individually or in small groups, have managers for each identified role define the level of competence required for the job. Consider factors such as:
   1. The difficulty or criticality of the tasks being performed
   2. The impact on job outcomes
   3. The impact on the performance of other employees
   4. The consequence of errors if the competency is not present
   5. How frequently the competency is used on the job
   6. Whether the competency is required when the job starts or can be learned or acquired on the job within the first six months
3. Continue working individually and rate the level of proficiency of the current incumbent.
4. As a group, review the assessment and make any adjustments.

Record this information in the Workforce Planning Workbook for Small Enterprises.

Download the Workforce Planning Workbook for Small Enterprises

1.2 Identify key roles and competency gaps

Conduct a risk-of-departure analysis

A risk-of-departure analysis helps you plan for future talent needs by identifying which employees are most likely to leave the organization (or their current role).

A risk analysis takes into account two factors: an employee's risk for departure and the impact of departure:

Employees are high risk for departure if they:

• Have specialized or in-demand skills (tenured employees are more likely to have this than recent hires)
• Are nearing retirement
• Have expressed career aspirations that extend outside your organization
• Have hit a career development ceiling at your organization
• Are disengaged
• Are actively job searching
• Are facing performance issues or dismissal OR promotion into a new role

Employees are low risk for departure if they:

• Are a new hire or new to their role
• Are highly engaged
• Have high potential
• Are 5-10 years out from retirement

If you are not sure where an employee stands with respect to leaving the organization, consider having a development conversation with them. In the meantime, consider them at medium risk for departure.

To estimate the impact of departure, consider:

• The effect of losing the employee in the near- and medium-term, including:
  • Impact on the organization, department, unit/team and projects
  • The cost (in time, resources, and productivity loss) to replace the individual
  • The readiness of internal successors for the role

1.3 Conduct a risk analysis to identify future needs

1-3 hours

Preparation: Your estimation of whether key employees are at risk of leaving the organization will depend on what you know of them objectively (skills, age), as well as what you learn from development conversations. Ensure you collect all relevant information prior to conducting this activity. You may need to speak with employees' direct managers beforehand or include them in the discussion.

• As a group, list all your current employees, and using the previous slide for guidance, rank them on two parameters: risk of departure and impact of departure, on a scale of low to high. Record your conclusions in a chart like the one on the right. (For a more in-depth risk assessment, use the "Risk Assessment Results" tab of the Key Roles Succession Planning Tool.)
• Employees that fall in the "Mitigate" quadrant represent key at-risk roles with at least moderate risk and moderate impact. These are your succession planning priorities. Add these roles to your list of key roles and competency gaps, and include them in your workforce planning analysis.
• Employees that fall in the "Manage" quadrants represent secondary priorities, which should be looked at if there is capacity after considering the "Mitigate" roles.

Record this information in the Workforce Planning Workbook for Small Enterprises.

Info-Tech Insight

Don't be afraid to rank most or all your staff as "high impact of departure." In a small enterprise, every player counts, and you must plan accordingly.

1.3 Conduct a risk analysis to identify future needs

Determine your skill sourcing route

The characteristics of need steer hiring managers to a preferred choice, while the marketplace analysis will tell you the feasibility of each option.

Sourcing Options		Preferred Options		Final Choice
	State of the Marketplace		State of the Marketplace
	Urgency: How soon do we need this skill? What is the required time-to-value? Criticality: How critical, i.e. core to business goals, are the services or systems that this skill will support? Novelty: Is this skill brand new to our workforce? Availability: How often, and at what hours, will the skill be needed? Durability: For how long will this skill be needed? Just once, or indefinitely for regular operations?		Scarcity: How popular or desirable is this skill? Do we have a large enough talent pool to draw from? What competition are we facing for top talent? Cost: How much will it cost to hire vs. contract vs. outsource vs. train this skill? Preparedness: Do we have internal resources available to cultivate this skill in house?

1.4 Determine your skill sourcing route

1-3 hours

1. Identify the preferred sourcing method as a group, starting with the most critical or urgent skill need on your list. Use the characteristics of need to guide your discussion. If more than one option seems adequate, carry several over to the next step.
2. Consider the marketplace factors applicable to the skill in question and use these to narrow down to one final sourcing decision.
   1. If it is not clear whether a suitable internal candidate is available or ready, refer to the next activity for a readiness assessment.
3. Be sure to document the rationale supporting your decision. This will ensure the decision can be clearly communicated to any stakeholders, and that you can review on your decision-making process down the line.

Record this information in the Workforce Planning Workbook for Small Enterprises.

Info-Tech Insight

Consider developing a pool of successors instead of pinning your hopes on just one person. A single pool of successors can be developed for either one key role that has specialized requirements or even multiple key roles that have generic requirements.

1.5 Determine readiness of internal successors

1-3 hours

1. As a group, and ensuring you include the candidates' direct managers, identify potential successors for the first role on your list.
2. Ask how effectively the potential successor would serve in the role today. Review the competencies for the key role in terms of:
   1. Relationship-building skills
   2. Business skills
   3. Technical skills
   4. Industry-specific skills or knowledge
3. Determine what competencies the succession candidate currently has and what must be learned. Be sure you know whether the candidate is open to a career change. Don't assume – if this is not clear, have a development conversation to ensure everyone is on the same page.
4. Finally, determine how difficult it will be for the successor to acquire missing skills or knowledge, whether the resources are available to provide the required development, and how long it will take to provide it.
5. As a group, decide whether training an internal successor is a viable option for the role in question, considering the successor's readiness and the characteristics of need for the role. If a clear successor is not readily apparent, consider:
   1. If the development of the successor can be fast-tracked, or if some requirements can be deprioritized and the successor provided with temporary support from other employees.
   2. If the role in question is being discussed because the current incumbent is preparing to leave, consider negotiating an arrangement that extends the incumbent's employment tenure.
6. Record the decision and repeat for the next role on your list.

Info-Tech Insight

A readiness assessment helps to define not just development needs, but also any risks around the organization's ability to fill a key role.

Use alternative work arrangements to gain time to prepare successors

Alternative work arrangements are critical tools that employers can use to achieve a mutually beneficial solution that mitigates the risk of loss associated with key roles.

Alternative work arrangements not only support employees who want to keep working, but more importantly, they allow the business to retain employees that are needed in key roles who are departure risks due to retirement.

Viewing retirement as a gradual process can help you slow down skill loss in your organization and ensure you have sufficient time to train successors. Retiring workers are becoming increasingly open to alternative work arrangements. Among employed workers aged 50-75, more than half planned to continue working part-time after retirement.
Source: Statistics Canada.

Flexible work options are the most used form of alternative work arrangement

Source: McLean & Company, N=44

Choose the alternative work arrangement that works best for you and the employee

Choose the alternative work arrangement that works best for you and the employee

Phase 2

Knowledge Transfer

The Small Enterprise Guide to People and Resource Management

Phase Participants

• Leadership/management team
• Incumbent & successor

Additional Resources

IT Knowledge Identification Interview Guide Template

Knowledge Transfer Plan Template

Determine your skill sourcing route

Knowledge transfer plans have three key components that you need to complete for each knowledge source:

Don't miss tacit knowledge

There are two basic types of knowledge: "explicit" and "tacit." Ensure you capture both to get a well-rounded overview of the role.

Embed your knowledge transfer methods into day-to-day practice

Multiple methods should be used to transfer as much of a person's knowledge as possible, and mentoring should always be one of them. Select your method according to the following criteria:

Info-Tech Insight

The more integrated knowledge transfer is in day-to-day activities, the more likely it is to be successful, and the lower the time cost. This is because real learning is happening at the same time real work is being accomplished.

Type of Knowledge

• Tacit knowledge transfer methods are often informal and interactive:
  • Mentoring
  • Multi-generational work teams
  • Networks and communities
  • Job shadowing
• Explicit knowledge transfer methods tend to be more formal and one way:
  • Formal documentation of processes and best practices
  • Self-published knowledge bases
  • Formal training sessions
  • Formal interviews

Incumbent's Preference/Successor's Preference

Ensure you consult the employees, and their direct manager, on the way they are best prepared to teach and learn. Some examples of preferences include:

1. Prefer traditional classroom learning, augmented with participation, critical reflection, and feedback.
2. May get bored during formal training sessions and retain more during job shadowing.
3. Prefer to be self-directed or self-paced, and highly receptive to e-learning and media.
4. Prefer informal, incidental learning, tend to go immediately to technology or direct access to people. May have a short attention span and be motivated by instant results.
5. May be uncomfortable with blogs and wikis, but comfortable with SharePoint.

Cost

Consider costs beyond the monetary. Some methods require an investment in time (e.g. mentoring), while others require an investment in technology (e.g. knowledge bases).

The good news is that many supporting technologies may already exist in your organization or can be acquired for free.

Methods that cost time may be difficult to get underway since employees may feel they don't have the time or must change the way they work.

2.1 Create a knowledge transfer plan

1-3 hours

1. Working together with the current incumbent, brainstorm the key information pertaining to the role that you want to pass on to the successor. Use the IT Knowledge Identification Interview Guide Template to ensure you don't miss anything.
   • Consider key knowledge areas, including:
     • Specialized technical knowledge.
     • Specialized research and development processes.
     • Unique design capabilities/methods/models.
     • Special formulas/algorithms/techniques.
     • Proprietary production processes.
     • Decision-making criteria.
     • Innovative sales methods.
     • Knowledge about key customers.
     • Relationships with key stakeholders.
     • Company history and values.
   • Ask questions of both sources and receivers of knowledge to help determine the best knowledge transfer methods to use.
   • What is the nature of the knowledge? Explicit or tacit?
   • Why is it important to transfer?
   • How will the knowledge be used?
   • What knowledge is critical for success?
   • How will the users find and access it?
   • How will it be maintained and remain relevant and usable?
   • What are the existing knowledge pathways or networks connecting sources to recipients?
2. Once the knowledge has been identified, use the information on the following slides to decide on the most appropriate methods. Be sure to consult the incumbent and successor on their preferences.
3. Prioritize your list of knowledge transfer activities. It's important not to try to do too much too quickly. Focus on some quick wins and leverage the success of these initiatives to drive the project forward. Follow these steps as a guide:
   1. Take an inventory of all the tactics and techniques which you plan to employ. Eliminate redundancies where possible.
   2. Start your implementation with your highest risk role or knowledge item, using explicit knowledge transfer tactics. Interviews, use cases, and process mapping will give you some quick wins and will help gain momentum for the project.
   3. Then move forward to other tactics, the majority of which will require training and process design. Pick 1-2 other key tactics you would like to employ and build those out. For tactics that require resources or monetary investment, start with those that can be reused for multiple roles.

Record your plan in the IT Knowledge Transfer Plan Template.

Download the IT Knowledge Identification Interview Guide Template

Download the Knowledge Transfer Plan Template

Info-Tech Insight

Wherever possible, ask employees about their personal learning styles. It's likely that a collaborative compromise will have to be struck for knowledge transfer to work well.

2.1 Create a knowledge transfer plan

Not every transfer method is effective for every type of knowledge

This table shows the relative strengths and weaknesses of each knowledge transfer tactic compared against four different knowledge types.

Not all techniques are effective for all types of knowledge; it is important to use a healthy mixture of techniques to optimize effectiveness.

Employees' engagement can impact knowledge transfer effectiveness

When considering which tactics to employ, it's important to consider the knowledge holder's level of engagement. Employees who you would identify as being disengaged may not make good candidates for job shadowing, mentoring, or other tactics where they are required to do additional work or are asked to influence others.

Knowledge transfer can be controversial for all employees as it can cause feelings of job insecurity. It's essential that motivations for knowledge transfer are communicated effectively.

Pay particular attention to your communication style with disengaged and indifferent employees, communicate frequently, and tie communication back to what's in it for them.

Putting disengaged employees in a position where they are mentoring others can be a risk, as their negativity could influence others not to participate, or it could negate the work you're doing to create a positive knowledge sharing culture.

Employees' engagement can impact knowledge transfer effectiveness

Phase 3

Development Planning

The Small Enterprise Guide to People and Resource Management

Phase Participants

• Leadership team
• Managers
• Employees

Additional Resources

• IT Competency Library
• Leadership Competencies Workbook
• IT Employee Career Development Workbook
• Individual Competency Development Plan
• Learning Methods Catalog

Effective development planning hinges on robust performance management

Your performance management framework is rooted in organizational goals and defines what it means to do any given role well.

Your organization's priority competencies are the knowledge, skills and attributes that enable an employee to do the job well.

Each individual's development goals are then aimed at building these priority competencies.

Info-Tech Insight

Without a performance management framework, your employees cannot align their development with the organization's goals. For detailed guidance, see Info-Tech's blueprint Setting Meaningful Employee Performance Measures.

What is a competency?

The term "competency" refers to the collection of knowledge, skills, and attributes an employee requires to do a job well.

Often organizations have competency frameworks that consist of core, leadership, and functional competencies.

Core competencies apply to every role in the organization. Typically, they are tied to organizational values and business mission and/or vision.

Functional competencies are at the department, work group, or job role levels. They are a direct reflection of the function or type of work carried out.

Leadership competencies generally apply only to people managers in the organization. Typically, they are tied to strategic goals in the short to medium term

Use the SMART model to make sure goals are reasonable and attainable

Example goal:

"Learn Excel this summer."

Problems:

Not specific enough, not measurable enough, nor time bound.

Alternate SMART goal:

"Consult with our Excel expert and take the lead on creating an Excel tool in August."

3.2 Identify target competencies & draft development goals

1 hour

Pre-work: Employees should come to the career conversation having done some self-reflection. Use Info-Tech's IT Employee Career Development Workbook to help employees identify their career goals.

1. Pre-work: Managers should gather any data they have on the employee's current proficiency at key competencies. Potential sources include task-based assessments, performance ratings, supervisor or peer feedback, and informal conversation.
   
   Prioritize competencies. Using your list of priority organizational competencies, work with your employees to help them identify two to four competencies to focus on developing now and in the future. Use the Individual Competency Development Plan template to document your assessment and prioritize competencies for development. Consider the following questions for guidance:
   1. Which competencies are needed in my current role that I do not have full proficiency in?
   2. Which competencies are related to both my career interests and the organization's priorities?
   3. Which competencies are related to each other and could be developed together or simultaneously?
2. Draft goals. Ask your employee to create a list of multiple simple goals to develop the competencies they have selected to work on developing over the next year. Identifying multiple goals helps to break development down into manageable chunks. Ensure goals are concrete, for example, if the competency is "communication skills," your development goals could be "presentation skills" and "business writing."
3. Review goals:
   1. Ask why these areas are important to the employee.
   2. Share your ideas and why it is important that the employee develop in the areas identified.
   3. Ensure that the goals are realistic. They should be stretch goals, but they must be achievable. Use the SMART framework on the previous slide for guidance.