Where can I find more information?
Please find below the answers to some frequently asked questions.
If your question (and answer!) do not appear below, please contact firstname.lastname@example.org and your query will be directed to the person best placed to answer it. We will update this page over time so please revisit.
1. Why is the Bank changing its Vendor Risk Management (“VRM”) process?
Deutsche Bank is addressing feedback from third parties and employees highlighting frustrations with the current process/system where much of the work is repetitive and low value – particularly when procuring services from organisations with whom we already have established relationships.
2. What is changing?
The Bank is implementing a new VRM process and new IT system to support it. Going forward the process will involve establishing a risk profile of a service at the outset using questions which determine its risk “attributes”. We have pre-defined the control requirements associated with these attributes and third parties will be provided with a clear list of the evidence needed to prove that the controls applicable to their service are in place. Once these controls have been ‘certified’, the system will “remember” the evidence for as long as it is valid – so future engagements should be quicker and easier to approve. If a new service has different attributes – and, therefore, requires additional controls – we will only ask for evidence of these extra controls.
3. What are you trying to achieve?
- To improve the quality and time taken to execute the VRM process.
- To expand the scope of VRM by using Risk as the key driver of liability.
- To reduce the workload on Third Parties and Employees.
4. What will be different for third parties?
We will be more direct and transparent with you regarding the VRM process and how to navigate it. You will manage and maintain your own evidence and liaise with the Bank through an online portal (dbSupplierManagement/dbSLPM). We expect the process to be much quicker and easier going forward with greater consistency and a lower administrative burden.
5. What are the criteria for going through the VRM process?
Liability for VRM is decided using a risk-based assessment of the services being provided. We will conduct a deeper assessment for services where the risk profile indicates that this is necessary.
6. If our service is deemed “VRM Liable” what happens next?
Your Service Relationship Owner (SRO) will be asked a series of questions to establish a risk profile of the service. Once that profile has been established, and quality checked internally, the system will send requests to you to provide evidence of the applicable controls. These will be assessed and you will be contacted if more information is required. If you have provided services to Deutsche Bank before, you will only be asked to evidence controls that have not previously been “certified”.
7. How many controls will we need to evidence?
The precise number of controls requested will be determined by the risk profile of the service and whether you have any previously “certified” controls. Approximately three-quarters of the controls can be certified, so once those have been evidenced they won’t be requested again unless the evidence becomes invalid (e.g. if an insurance certificate passes its expiry date, in which case the up-to-date version will be requested by the system three months ahead of expiry).
8. What happens once we have provided our evidence?
The evidence will be reviewed by the appropriate assessor and you will be able to track the progress through the system. Should any issues arise, we will work with you to address them.
9. How long is evidence valid?
The validity of evidence varies between evidence types. For example, an insurance certificate is likely to expire after three years, whereas a Business Continuity Plan is valid for one year. When the evidence is reviewed by our Risk Type Controllers, they will set the date of expiry and the system will notify third parties three months ahead of expiry.
10. What happens if the new process generates large numbers of new controls?
We have plenty of time to work together with you to close the gaps between controls we have already identified/certified through the existing process and any new controls generated by the new process/system. Precise timing will depend on the criticality of the service being provided.
11. Will we be able to use the same evidence for more than one control?
Yes, it will be possible to use the same evidence for multiple controls, providing that the evidence satisfies each control requirement.
12. How does the new system work?
The new system “dbSR” is built on the SAP Ariba Supplier Network platform and you will be able to access it through an online portal (the “Ariba” network). We will support you in registering on the new system and understanding how it works.
13. Are there any costs associated with the new system?
No, the Ariba Network portal is free for you to use for the purpose of Vendor Risk Management.
14. What are the advantages of the new system?
You will have direct access and responsibility for your records – which will ensure that the data relating to your business and your service is correct as you will validate its completeness and accuracy. Additionally, you can upload your evidence directly and track where it is in the approval process. Finally, the system will provide Deutsche Bank employees with a list of qualified suppliers when they begin the process of procuring new services.
15. Is there a minimum set of evidence that a new third party needs to provide?
No. Each third party will be asked to provide evidence based on the service they supply, who they supply it to, and the nature of who is providing it. This allows us to define the service, the controls and the evidence required, and this can be tailored to each individual supplier or service.
16. Can third parties “pre-supply” evidence to certify themselves for future services they may provide?
No. The system needs a transaction in process in order to determine the relevant risk profile of that service and request the associated controls and evidence required for certification.
17. Will the evidence apply to all entities within a parent group?
The controls and the evidence for them will be required at a legal entity level.
18. Is the Ariba Network encrypted and secure?
Yes, all internal and external communication is encrypted and a data transmission policy is in place. In addition, the data exchange between regional data centres and Ariba Network is provided exclusively over secure, industry-standard encrypted connections.
19. Is it possible to upload password protected files?
Yes, Ariba will accept password protected files (passwords can be supplied via another medium).
20. What do we do if we do not wish to submit evidence electronically (due to sensitivity)?
We may arrange for you to present particularly sensitive evidence via a WebEx session.
21. Where can I get more information?
If you would like to speak to someone, your first point of contact is your usual Deutsche Bank representative. Alternatively, send queries to email@example.com.