Enterprise Risk ManagementVendor ManagementBusiness Continuity
IT GRCInternal Audit
Complaint ManagementRegulatory Compliance Manager
THE 4 PILLARS OF EFFECTIVE FACILITY PARTNERSHIP MANAGEMENT
Are you & your partners ready?
Presented by William C. Hord – VP of ERM ServicesMarch 14, 2017
About Your Presenter
William “Bill” HordVP of ERM Services@ Quantivate
www.linkedin.com/in/williamhord/
www.quantivate.com
Bill has spent the last 27 years working within risk management and consults clients all over the country from manydifferent industries. He consults on enterprise risk, physical security, business continuity, emergency response,partnership management and many others. The reoccurring necessity in all of these is the need for effective facilitymanagement and ensuring the partners that are chosen are done so systematically and held to the highest standards.
Facility Breach History
Patient Records Found in Dumpster• Community Mercy Health Partners (CMHP) reported on November 27, 2015 that patient records were found in a
dumpster.
• CMHP concluded that one of its vendors had disposed of lab records by placing them in the dumpster on November 25, 2015.
• Patients’ names, physicians’ names, accession numbers, types of study, guarantor information, health insurance information, diagnoses, and other clinical information may have been exposed, according to CMHP.
• The HHS Office for Civil Rights (OCR) reports that 113,528 individuals were impacted.
• “To help prevent this from happening in the future, we have taken steps to re-inventory all document storage locations, significantly reduced or eliminated retention of paper documents when the information is electronically available, and re-educated our facilities management contractors on the requirements for physical storage relocation projects,” CMPH said in a statement.
Source: Health IT Security: http://healthitsecurity.com/news/top-5-healthcare-data-breaches-in-2016-not-from-hacking
Facility Breach History
Medical Records Found on Florida Street• Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records
were found on a street on December 19, 2015.
• OCR’s data breach reporting tool lists 483,063 individuals as potentially being affected.
• Records fell onto the street during transport by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records.
• Patient names, addresses, phone numbers, Social Security numbers, dates of birth, health insurance numbers, other medical status and assessment information as well as some financial information may have been exposed.
• “As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed,” the statement explained. “Lee County Solid Waste Division will no longer be responsible for transporting our records for disposal.”
Source: Health IT Security: http://healthitsecurity.com/news/top-5-healthcare-data-breaches-in-2016-not-from-hacking
Facility Breach History
Target Hackers Broke in Via HVAC Company• Sources close to the investigation said the attackers first broke into the retailer’s network on Nov. 15, 2013 using
network credentials stolen from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of refrigeration and HVAC systems.
• Large retail operations usually have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable.
• To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”
• Target also estimates that close to 61 million people had their personal data stolen. That information could include names, mailing addresses, phone numbers and email addresses.
• Target Offers $10 Million Settlement In Data Breach LawsuitSource: Krebs on Security: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/ and NPR http://www.npr.org/sections/thetwo-way/2015/03/19/394039055/target-offers-10-million-settlement-in-data-breach-lawsuit
Facility ManagementThe Future is Now!
Improving Supply Management:
o Effective management of your parts and supplies, it’s important to integrate all planned maintenance services and warranty work;
Repair, Maintenance & Traffic:
o Shifting from ‘costs per store’ to ‘costs per sales’ (or costs per traffic metric);
Eco-Friendly:
o Enhanced monitoring of resource usage and waste;
Source: (c) 2016 ServiceChannel - What You Need to Know to Succeed in Facilities Management in 2020
Facility ManagementThe Future is Now!
Internet of Things (IoT):
o Equipment and assets are becoming internet-enabled, allowing them to report on their own condition and needs;
Data-Driven Equipment:
o Measuring maintenance costs and their effectiveness for long term value;
New Technologies:
o Technology will increase the effectiveness of preventative warranty and maintenance work;
Source: (c) 2016 ServiceChannel - What You Need to Know to Succeed in Facilities Management in 2020
Facility ManagementThe Future is Now!
Mobility:
o Bluetooth devices will connect with equipment to monitor what’s being worked on and its historical maintenance;
Increasing Partnership Sophistication:
o Facility management will increasingly rely on data-management, facility partnerships must be based on objective and quantifiable performance metrics;
Partnership Reliance and Risk:
o Partnering with properly qualified and insured partners who understand and can navigate regulations, provide quantifiable data and help the company manage and achieve their strategic objectives is critical to minimizing the potential risk from new partners and existing ones.
Source: (c) 2016 ServiceChannel - What You Need to Know to Succeed in Facilities Management in 2020
The Need For Effective Facility Partnership Management!
What Are The Commonalities?
Increased Costs;
Facility Breaches;
Network Breaches;
Increased Litigation;
Reputational Damage;
Future Challenges & Opportunities.
Facility Partnership Criticality
Certain facility partners are considered “critical” to the continued operation of the company and therefore depending upon the specific facts underlying the partnership and the risks involved, require a robust and thorough risk assessment and planning, due diligence, and monitoring and control by the facility manager.
A facility manager should consider the following factors in performing an evaluation of the criticality of the partnership:
• Involves implementing new company activities;• Material effect on the company’s revenues or expenses;• Poses risks to or could have a material effect upon the company’s reputation;• Performs significant operational functions;• Stores, accesses, transmits, or performs transactions on sensitive non-public information;• Provides a product or performs a service involving outsourced services itself;• Poses risks that could significantly affect the company’s earnings or capital and;• Otherwise “material” to the company’s operations.
Degrees of Criticality
Degrees of Criticality Performing an effective risk assessment requires a comprehensive understanding of the risks being assessed. These can be expressed in many ways such as:
Critical – Extreme liabilities result if the systems are compromised (e.g., damaged, destroyed); could cause major financial loss; result in legal action against the company; or severely damages the company’s reputation.
Significant - Possible liabilities result if the systems are compromised; could cause moderate financial loss; legal action against the company would be likely; or damage to the company’s reputation would be moderate.
Non-Essential - Would likely cause only minor financial loss; litigation unlikely; or damage to the company’s reputation would be minimal.
The 4 Pillars of Effective Facility Partnership Management
Effective Facility
Partnership Management
Ris
k A
sse
ssm
en
t &
P
lan
nin
g
1
Du
e D
ilige
nce
2C
on
trac
t M
anag
em
en
t 3
Ris
k M
eas
ure
me
nt,
M
on
ito
rin
g, &
Co
ntr
ol
4
The 4 Pillars of Effective Facility Partnership Management
Effective Facility
Partnership Management
1. Risk Assessment & Planning
Ris
k A
sse
ssm
en
t &
P
lan
nin
g
1
Du
e D
ilige
nce
2
Co
ntr
act
Man
age
me
nt
3R
isk
Me
asu
rem
en
t,
Mo
nit
ori
ng,
& C
on
tro
l4
1. Risk Assessment & Planning
Risk assessment and planning ensures that the business service or product identified complements the facility’s overall mission and goals. It also gathers enough information to ensure that the business service or product is best provided by a facility partnership instead of by the facility itself.
The 5 Aspects of Quality Risk Assessment and Planning are:
1. The adoption of facility partnership management policies;
2. Board of directors’ facility partnership management responsibilities;
3. Senior management’s facility partnership management responsibilities;
4. What actions the facility manager should take during its initial facility partnership management risk assessment and planning phase and;
5. Strategic planning in detail.
1. Risk Assessment & Planning
1. The adoption of facility partnership management policies:
• Includes determination of need for assistance from facility partners and procedures for reviewing, analyzing, selecting and administering those partnerships;
• Outline facility staff responsibilities and authorities;
• Distinguish what is required for “critical” partnerships versus “non-critical” partnerships;
• Analysis should be consistent with the company’s strategic plan and business model, with its tolerance for and ability to assess and manage risk, and;
• Stipulate which employee(s) are authorized to sign contracts.
1. Risk Assessment & Planning
2. Board of directors’ facility partnership management responsibilities:
• Fiduciary duty to operate the facility in the best interests of its owners, shareholders and employees;
• Company has a legally sound facility partnership management policy in place and is safe and effective;
• Reviewing the company’s policies on facility partnership management at least annually;
• Making inquiries to management regarding specific situations or concerns is evidence of reasonably prudent board actions and;
• Document reasoned, informed, and prudent decision-making, the less likely it is that the board’s members would breach their fiduciary duty.
1. Risk Assessment & Planning
3. Senior Management’s Facility Partnership Management Responsibilities:
• More direct role in facility partnership management than the board of directors, however, and should keep the board informed about material facility partnership-related concerns;
• Initially approve, oversee, and review at least annually critical facility partnership arrangements, and document these arrangements and written agreements whenever there is a material change;
• Periodically review the facility partner’s operations to verify that they are consistent with the terms of the existing written agreement and that risks are being controlled;
• Ensure continuing compliance with applicable federal and state laws, rules, and regulations, as well as internal policies andprocedures;
• Allocate sufficient qualified staff to monitor critical facility partnerships and provide the necessary oversight and;
• Periodically reported to the board of directors or designated committee.
1. Risk Assessment & Planning
4. What actions/questions the facility manager should take/ask during its initial facility partnership management risk assessment and planning phase:
• Does it fit into our company’s strategic plans;
• Should we outsource;
• Will we be more efficient and effective;
• Impact in a worst-case scenario;
• What do you know about this facility partner;
• What additional information would my board and management need;
• Any service or financial problems in the past, with us or with other companies;
• Nature of those problems and how were they resolved;
• How partnership can negatively impact customer service or the financial performance and reputation;
• What is the maximum potential loss exposure to the company and;
• What is our backup plan or exit strategy.
1. Risk Assessment & Planning
5. Strategic Planning:
Strategic Goals: Is the proposed partnership consistent with the company’s strategic goals, objectives, and overall business needs;
Significance/Criticality of the Facility Partnership: Is proposed partner a critical facility partner;
Analyze Costs, Benefits, and Risks: Analyze the costs, potential benefits, potential risks, and legal/compliance issues;
Legal/Compliance Issues: Reviewed for legal and compliance purposes by an attorney;
Parameters/Scope of the Partnership: Clearly define nature and scope of needs and responsibilities;
Staff Expertise: Does company personnel have the knowledge and skill to adequately analyze and oversee;
Insurance: Adequate liabilities insurance coverage;
Controls and Reporting: Identify necessary controls and reporting processes;
Potential Impact on Customers: How will it positively or negatively impact your customers and;
Exit Strategy/Contingency Plans: Always have an exit strategy.
The 4 Pillars of Effective Facility Partnership Management
Effective Facility
Partnership ManagementR
isk
Ass
ess
me
nt
&
Pla
nn
ing
1
Du
e D
ilige
nce
2
Co
ntr
act
Man
age
me
nt
3R
isk
Me
asu
rem
en
t,
Mo
nit
ori
ng,
& C
on
tro
l4
2. Due Diligence
2. Due Diligence
Facility partnership due diligence is a process used to make an informed business decision concerning the selection ofthe appropriate facility partner. Due diligence is the gathering and analysis of detailed information about possiblefacility partner. As with all business decisions, there are some risks that cannot be eliminated but can be managed. Thepurpose of due diligence is to help choose the best facility partner given the risks and abilities or services available,and then to negotiate, contract, implement, and monitor to mitigate any residual risks.
Due diligence should include at minimum:
1. The Basics of Facility Partner Due Diligence;
2. Requests for information (RFI) and requests for proposals (RFP) that are addressed to potential facility partners;
3. How to evaluate information received from facility partners and;
4. Potential due diligence “red flags.”
2. Due Diligence
1. The Basics of Facility Partner Due Diligence:
Comprehensive due diligence involves gathering and reviewing all available information about a potential facility partner, focusing on the partner's:
• Corporate ownership structure and background;
• Financial history and current condition;
• Business model and practices;
• Scope and effectiveness of its operations and controls, including:o Security and data handling practices;o Business continuity planning;o Operations controls relevant to the facility partner’s work;o Hiring/screening practices;
• Reputation & relevant experience and;
• All other available and material information.
2. Due Diligence
2. Requests for information (RFI) and requests for proposals (RFP) that are addressed to potential facility partners:
• Involve all appropriate stakeholders at the company in preparation of RFP’s or RFI’s;
• Define and communicate the company’s requirements for the facility partnership;
• Identify/evaluate potential facility partnership candidates;
• Investigate business reputation using sources such as:
o Better Business Bureau;o State agencies (e.g., departments of state, departments of corporations, state consumer protection agencies, state
attorneys general, etc.) o Credit reporting agencies; o NASDAQ or NYSE;o Current and Former Clients;o Dun & Bradstreet;o Moody’s;o Others.
2. Due Diligence
3. How to evaluate information received from facility partners:
As with the facilities’ risk/benefit analysis of the proposed partnership, the scope and depth of due diligence is directly related to the criticality of the facilities’ partner. Information that you want to verify and consider includes:
• Corporate Structure & Background;
• Business Model;
• Financial Condition;
• Operational Effectiveness and;
• Reputation & Relevant Experience.
2. Due Diligence
4. Potential due diligence “red flags”:
A red flag is anything that you believe to be a warning sign. Red flags can come in many forms, from intentional deceit to lack of knowledge. A red flag does not mean that you do not deal with the facility partner. They simply mean that you need to investigate further to ensure that you have a good comfort level with the facility partner. The following are examples of red flags that you may experience during due diligence:
• We like this salesperson better;• Latest and the greatest;• Unreasonable financial;• This is my best friend or the brother of a board member;• Failing to answer your RFP questions;• Very one sided agreements;• First to use their product or service;• Unbelievably good is probably just that and;• The proposed agreement does not make sense to you.
This list is not intended to be all inclusive. It should give you some ideas about what a warning sign or red flag might be.
The 4 Pillars of Effective Facility Partnership Management
Effective Facility
Partnership ManagementR
isk
Ass
ess
me
nt
&
Pla
nn
ing
1
Du
e D
ilige
nce
2
Co
ntr
act
Man
age
me
nt
3R
isk
Me
asu
rem
en
t,
Mo
nit
ori
ng,
& C
on
tro
l4
3. Contract Management
3. Contract Management
Contracts govern most aspects of partnership with facility partners and therefore present myriad due diligence and other facility partnership management issues.
Contract Management should include:
1. The facility manager’s review of existing contracts;
2. How to draft a contract with a facility partner and;
3. What terms should be included in the contract and what those terms mean.
3. Contract Management
1. The facility manager’s review of existing contracts:
The company should have a written contract with every facility partner. Every aspect agreed upon in the partnership both material and non-material, should be documented in the contract.
Existing Contract Review:• Collect and verify that contracts exist for all existing facility partnerships;
• Review for accuracy of current partnership terms, signatures, and update as appropriate with legally binding amendments or restatements;
• Make sure all original contracts are maintained in a safe centralized document storage system for easy reference and;
• Enter into existing contract control system or create a system for tracking terms, termination procedures, etc.
3. Contract Management
2. How to draft a contract with a facility partner:
1. Review of contract by legal counsel;
2. Legal suggest changes for you to negotiate;
3. Negotiate;
4. Get it in Writing;
5. Letters of Intent;
6. Addendums;
7. Terms and Conditions in Another Source;
8. Prohibit assignment, transfer or subcontracting;
9. Potential conflicts of interest;
10. Include RFI or RFP responses as an addendum;
11. Insist on plain easy-to-understand language and;
12. Do not forget your company will be bound by a contract even if it is grossly unfair.
3. Contract Management
3. What terms should be included in the contract:
• Scope; • Responsibilities of Parties (Including Affiliates and Subcontractors); • Compensation, Fees and Expenses; • Term and Termination;• Effect of Termination; • Compliance with Applicable Laws; • Indemnification of the Company; • Limited Liability;• Evidence of Current Insurance Coverage;• Subcontracting and Assignment;• Monitoring;• Warranties, Service Level Agreement;• Property Rights and Ownership;• Audit Rights;• Data Security and Customer Confidentiality;• Business Continuity Planning and Disaster Preparedness;• Customer Complaint and Service Issues;• Dispute Resolution and;• Choice of Governing Law and Choice of Venue Clauses.
The 4 Pillars of Effective Facility Partnership Management
Effective Facility
Partnership ManagementR
isk
Ass
ess
me
nt
&
Pla
nn
ing
1
Du
e D
ilige
nce
2
Co
ntr
act
Man
age
me
nt
3R
isk
Me
asu
rem
en
t,
Mo
nit
ori
ng,
& C
on
tro
l4
4. Risk Measurement, Monitoring, & Control
4. Risk Measurement, Monitoring, & Control
Risk measurement, monitoring, and control are necessary because due diligence is not a process that starts and ends at the time you have chosen your facility partner. The partnership must be actively managed throughout the life of a contract with a facility partner to be successful. This requires continuing communication, monitoring, and control of the product or service provided and measuring the success of the partnership.
1. Facility partnership risk management, monitoring, and control.
4. Risk Measurement, Monitoring, & Control
1. Facility partnership risk-management, monitoring, and control:
Policies/Procedures:• Develop policies/procedures that outline expectations and limitations of facility partnerships;
Risk Measurement and Monitoring:• Set up a program to measure/monitor risk of facility partnerships and report findings to management;• Measure facility partnership performance in terms of profitability, benefit and service delivery;• Set up internal controls sufficient to assist in the measurement and monitoring of facility partnership risk;• Remember, a company is always responsible for continued safety and soundness of outsourced functions;• Create an oversight program to monitor each facility partner’s internal controls, condition, and performance and;• Assign responsibility for oversight to personnel with appropriate expertise to monitor and manage each facility partnership.
4. Risk Measurement, Monitoring, & Control
1. Facility partnership risk-management, monitoring, and control:
Control Systems and Reporting:• Implement ongoing internal controls over facility partners to mitigate risks;• Adequate resources to ensure an effective facility partnership management program is in place;• Review the facility partner’s license(s) or registration(s) at least annually;• Evaluate the facility partner's financial condition at least annually;• Monitor the adequacy of the facility partner's insurance coverage;• Review audit reports or other reports of the facility partner for corrective actions;• Monitor for compliance with applicable laws, rules, and regulations;• Review the facility partner's business continuity planning and testing at least annually;• Assess the effect of any changes in key facility partner personnel involved in the partnership; • Review performance in the context of contractual requirements and performance standards;• Adequacy of any training provided to employees of the company and the facility partner;• Review customer complaints & resolutions and;• Meet regularly with representatives of the facility partner to discuss performance and operational issues.
Q&A
