DS02 Process Description

DS02: External Provider Management

1. Description

Review and monitoring of existing agreements and procedures for their effectiveness and compliance with the organization policy.

2. Control Objectives

Supplier Interfaces - idenitfy third-party providers' services and document technical and organisational interfaces with suppliers,
Owner Relationships: ensure the quality of the relationships with third parties,
Third-Party Contracts - define specific procedures to ensure that for each relationship with an external service provider provider a formal contract is defined and agreed upon,
Third-Party Qualifictions - Capability assessment, due diligence
Outsourcing Contracts - define organisational procedures to ensure that the contract between the facilities management provider and the organisation is based on required processing levels, security, monitoring and contingency requirements, and other stipulations as appropriate,
Continuity of Services - To ensure continuity of services, management should consider business risk related to the third party in terms of legal uncertainties and the going concern concept,
Security Relationships - With regard to relationships with third-party service providers, management should ensure that security agreements (e.g. non-disclosure agreements) are identified and explicitly stated and agreed to, and conform to universal business standards in accordance with legal and regulatory requirements, including liabilities,
Monitoring - monitoring of the service delivery of external Provider support to ensure the adherence to the contract agreements.

3. Key Goal Indicators

Percent of service providers with formally agreed objectives
Percent of significant agreements for which service provider qualification reviews are undertaken
Percent of service providers that are formally qualified
Number of third-party contractors with welldefined goals and expected deliverables
Mutual satisfaction with the ongoing relationship
Number of third-party contractors not meeting objectives or service levels
Number and cost of disputes with third parties flowing from inadequate agreements or lack of performance against adequate agreements

4. Key Performance Indicators

Number and frequency of review meetings
Number of contract amendments
Frequency of service level reports
Number of outstanding issues
Time lag for clearing issues
Percent of contracts outstanding for legal review
Time lag since the last contract review against market conditions
Number of service contracts not using standard terms and conditions or approved exceptions

5. Critical Success Factors

Clearly-defined service requirements and performance measures exist
The organisation retains accountability and control, and proactively manages external services
The service provider has a mechanism in place to report on performance measures
Third-party providers have a quality assurance programme in place
All deliverables, including operational and performance requirements, are sufficiently defined and understood by all parties
Effective change procedures for service requirements and performance measures are implemented
Contracts are subject to successful legal review and sign-off
There is provision for adequate management and administration, addressing financial, operations, legal and control issues
The application of mutually agreed service level agreements is based on agreed upon associated rewards and penalties
An internal contract manager is the single point of contact with the third party
ARequest for Proposal (RFP) process exists, with pre-established and agreed evaluation criteria
A process is in place for classifying service problems based on their importance and the required responses

6. Service Maturity Variations

0 Non-existent	Responsibilities and accountabilities are not defined. There are no formal policies and procedures regarding contracting with third-parties. Third-party services are neither approved nor reviewed by management. There are no measurement activities and no reporting by third parties. In the absence of a contractual obligation for reporting, senior management is not aware of the quality of the service delivered.
1 (Initial/Ad Hoc)	Management is aware of the need to have documented policies and procedures for third-party service procurement, including having signed contracts. There are no standard terms of agreement. Measurement of the service provided is informal and reactive. Practices are dependent on the experience of the individual and the commercial effectiveness of the supplier.
2 (Repeatable but Intuitive)	The process for overseeing third-party service providers and the delivery of services is informal. A signed, pro-forma contract is used with standard vendor terms and conditions and description of services to be provided. Measurements are taken, but are not relevant. Reports are available, but do not support business objectives.
3 (Defined Process)	Well documented procedures are in place to govern third-party procurement, with clear processes ensuring proper vetting and negotiating with vendors. The relationship with the third-party is purely a contractual one. The nature of the services to be provided is detailed in the contract and includes operational, legal and control requirements. Oversight responsibility for third-party-service delivery is assigned. Contractual terms are based on standardised templates. The business risk associated with the contract is assessed and reported.
4 (Managed and Measurable)	Formal and standardized criteria are established for defining scope of work, services to be provided, deliverables, assumptions, time scales, costs, billing arrangements, responsibilities, business terms and conditions. Responsibilities for contract and vendor management are assigned. Vendor qualifications and capabilities are verified. Requirements are defined and linked to business objectives. A process exists to review service performance against contractual terms, providing input to current and future third-party service delivery. Transfer pricing models are used in the procurement process. All interested parties are aware of service, cost and milestone expectations.
5 Optimized	The jointly signed contract is reviewed periodically after work starts. Responsibility for quality assurance of service delivery and vendor support is assigned. Evidence of compliance with operational, legal and control contract provisions is monitored and corrective action is enforced. The third party is subject to independent periodic review, with feedback based on the nature of the review. Selected measurements vary dynamically in response to changing business conditions. Measures support early detection of problems. Comprehensive, defined reporting is linked to the thirdparty compensation process. Reporting provides early warning of potential problems to facilitate timely resolution.