Technology & Performance
- eSettlements
- sPro
Harry Nowell
Manager
Technology and Performance
Session 3: 10 a.m. – 10:40 a.m.
Session 4: 10:50 a.m. to 11:30 a.m.
Topic | Speaker
Welcome • Quick note on taxable goods | Harry Nowell, Procurement
eSettlements (electronic invoicing) | Juanita Mayberry, Accounts Payable
sPro | Juanita Mayberry, Accounts Payable; Lisa Pointer, Procurement
Supplier Performance | Pat Sherman, Procurement
Questions and Answers | All Speakers
Taxable goods
• Jan. 1, 2014 BCBSM will be required to pay sales/use tax
• BCBSM and BCN will require separate purchase orders
• Invoices will need to reflect 6% Michigan sales tax
• Invoices for goods received in 2013 must meet deadline
• BCN tax status does not change
Juanita Mayberry
Accounts Payable
eSettlements
• What is eSettlements?
• Who should be set up on eSettlements?
• Who can you contact for further information?
Please review the Procurement website for additional information
• Discussion of:
Required password updates every 30 days
sPro payments
• Why doesn’t my invoice number appear on the remittance detail?
• What period am I paying for?
• How do I get the detail for my payment?
Supplier instructions for obtaining payment detail can be found on the Procurement Website.
Lisa Pointer
PeopleSoft Services Procurement “Total Resource Management”
PeopleSoft Services Procurement allows suppliers to effectively manage the entire process from candidate submittals through payment details. The system provides visibility into the entire process through automation and tracking capabilities.
PEOPLESOFT SERVICE PROCUREMENT “sPro”
sPro — staying on the tracks
PeopleSoft Services Procurement allows contract administrators to effectively manage the entire procurement process from request through payment. The system provides visibility into the entire process through automation and tracking capabilities.
BUSINESS RULES FOR CONTINGENT LABOR SUPPLIERS
BCBSM/BCN
Supplier contingent labor business rules
BCBSM and BCN have several active contingent labor programs. The introduction of a common technical platform (PeopleSoft Services Procurement or “sPro”) in 2011 brought value to the program through the implementation and reinforcement of standard business rules at an enterprise level. More specifically, consistent handling of key business scenarios by applying repeatable rules reduces risk to BCBSM and suppliers while increasing program efficiency.
Contract administrator business rules
Always start with the PeopleSoft system. If you have system inquiries, start with procurement or IT Service coordinators.
IT/Non-IT Contingent Labor Classifications
BOTH SUPPLIER AND CONTRACT ADMINISTRATOR
Job Family | Description | IT or Non-IT | Comment
BUMED | BU Medical | Non-IT | Bargaining Unit, Single resource, No SOW
BUTMP | BU Temporary | Non-IT | Bargaining Unit, Single resource, No SOW
NBUMED | NBU Medical | Non-IT | Non-Bargaining Unit, Single resource, No SOW
NBUTMP | NBU Temporary | Non-IT | Non-Bargaining Unit, Single resource, No SOW
NONITS | Non-IT Consulting SOW/No SOW | Non-IT | Non-Bargaining Unit, Single resource, SOW or No SOW *
MLNIT | Non-IT Multi-resource requisition | Non-IT | Non-Bargaining Unit, Multiple resources, SOW or No SOW *
ITCNTG | IT Leased Employees (RMO ONLY) | IT | Single resource, Staff augmentation level, No SOW
ITPRFS | IT Consulting Professional Services | IT | Professional Services, Non-consultative*
ITCONS | IT Consulting SOW/No SOW Required | IT | Single resource, Consultant level, SOW/No SOW *
MLIT | IT Multi-resource requisition | IT | Multiple resources, SOW or No SOW *
Choosing a Job Family in sPro
• Contact Corporate Procurement to validate these job families before submitting the requisition or if you have questions
• See attached rates and job descriptions
CONTRACT ADMINISTRATOR
STEPS FOR CREATING A REQUISITION
SUPPLIER VIEW OF REQUIREMENTS
Market rate – Southeast Michigan market-driven bill rates for a fully qualified resource capable of performing at an average level compared to peers.
Maximum rate – The maximum bill rate BCBSM will accept for this role. Resources at or near maximum are proven high performers with skills/experience above their peers.
SUPPLIER SUBMITTALS /BID FACTORS
EXISTING-Vs-NEW
Note: Per established business rules, submissions are limited as follows:
• Two resumes per supplier per sPro request on IT requests
• Four resumes per supplier per sPro request on non-IT requests
ONBOARDING RESOURCES
Always start with a valid work order
Escort all resources into BCBSM/BCN for all interviews
Escort the resource into BCBSM/BCN on the first day and badging
Review PeopleSoft Time entry with the resources
IT Resources – MSP
NON-IT Resources – PeopleSoft “sPro”
NON-IT when instructed: both sPro and MSP
Review all other BCBSM/BCN code of conduct rules
OFFBOARDING RESOURCES
BOTH SUPPLIERS AND CONTRACT ADMINISTRATORS
Always start and end with Procurement
SUPPLIER SCORECARDS
KNOW YOUR SCORE
BCBSM will monitor supplier’s performance of its services and responsibilities under this agreement. BCBSM’s engagement manager will provide supplier with feedback on supplier’s performance. Feedback will be based on, but not limited to, the key performance categories.
Pat Sherman
Manager
Why BCBSM established
Vendor Management Center Of Excellence
Enterprise risk
The risk of suppliers not meeting performance metrics, and not adhering to regulatory and accreditation standards, introduces major risks into the Blues enterprise. Risks can be:
– Operational
– Financial exposure
– Reputational damage
– Loss of market share
Solution
Establish a Vendor Management Center of Excellence within Corporate Procurement, to ensure BCBSM as a company utilizes standardized best practices to deliver the following value:
– Keep administrative costs down
– Governance and compliance
– Vendor performance management
– Control and mitigate risks
Governance and oversight
Annual VM assessments…
Are you performing?
Are you delivering value?
Are you protecting us from risks?
Key players in managing supplier relationships and performance
Corporate Procurement
Business leaders
Office of the General Counsel
Data and Information Security
Compliance Regulatory Accreditation Corporate Audit Finance Risk Management
Preferred suppliers…
Top reasons you are a preferred supplier
Meet regulatory/accreditation standards
Contractibility
Deliver value and mitigate risks
Provide competitive pricing
Perform to contract terms & conditions
Committed to continuous improvement
Financially viable
Preferred Suppliers
Questions and answer cards
Governmental & Regulatory Compliance
- Debar checks
Mike Bryson
Manager
Government and Regulatory Compliance
Session 1: 10 a.m. – 10:40 a.m.
Session 2: 10:50 a.m. to 11:30 a.m.
Topic | Speaker
Welcome | Mike Bryson, Corporate Procurement
Government and Regulatory Compliance • Debar checks | Christine Pfeiffer, OGC; Ralph Serrico, Corporate Procurement
Information Security | Damon Stokes, Manager, Information Security and Governance
Christine Pfeiffer
Attorney
Office of the General Counsel
Ralph Serrico
The “New Normal”
• The “New Normal” — governmental regulation and compliance
• Who is affected and are you one of these groups?
Debar checks – an overview
• Debar checks
What is a debar check?
Why do we do them?
Different types of debar checks (OIG, SAM, etc.)
Who is required to do them (BCBSM, suppliers, etc.)?
OIG process (example - monthly)
Step 1
SAM process (monthly)
Additional info regarding the debar process
• SAM/EPLS/GSA debarment attestations
Website for SAM debarment: www.sam.gov
• OIG attestations for exclusions
OIG (Office of Inspector General) attestations
http://exclusions.oig.hhs.gov/
• Examples of how to do an OIG attestation
http://www.youtube.com/watch?v=K-ISehoQkzo
Damon Stokes
Manager
Information security
From the cleaning and support staff that could potentially be exposed to member data; to customer service representatives who have direct access to privileged information; to the engineering teams that export customer files.
Good data security requires a holistic effort with all employees, contractors and suppliers.
A single PHI record has 50 times the street value of a Social Security number.*
* CIO Magazine, December 2012
A culture of security
• Information Security is more than securing “data”
• Effective security comes from a combination of efforts:
Data security
Physical security
Employee engagement in security
Ongoing training on security
Ongoing assessment of security
Executive leadership commitment to security
Effective information security requires that you build and
Threats are everywhere, all the time
Biggest security threats of 2013
1. Social engineering
2. Advanced persistent threats
3. Insider threats
4. Bring-your-own-device
5. Cloud security
6. HTML5
7. Botnets
8. Precision targeted malware
*Forbes Magazine - 12/05/2012
How we partner with suppliers to secure BCBSM customer data
• Vendor Risk Management Program
Consists of a security assessment questionnaire
If Protected Health Information, called PHI, is being accessed or handled, an on-site assessment is performed
Procurement's role is to facilitate all assessment activities (questionnaire and on-site)
Identified issues are ‘risk rated’ and placed in an enterprise tracking system
The contract administrator/business relationship manager works with the supplier to remediate issues/risks.
• Critical risks must be closed prior to accessing BCBSM customer PHI/data
About the vendor security assessment
• A due diligence process prior to a supplier connecting to BCBSM PHI data.
• Identify risks to BCBSM and PHI data.
• Critical risks found during the assessment must be remediated prior to doing business with a supplier.
• The remaining risk levels/ratings (high, medium, low) have timeframes associated with their remediation efforts.
• The contract administrator/business relationship manager does not have the final authority to proceed if a critical risk exists: the decision is made by the Corporate Compliance Committee.
Vendor security assessment: new & improved
Top assessment findings
Lack of written policies and procedures
Not having an understanding of the importance of the Office of the Inspector General exclusionary list
Incomplete access logging that results in not being able to fulfill an ‘accounting of disclosures’ request
Suppliers not having a formal vendor risk management process to verify that their contractors are protecting information that is shared with them
Lack of controls/procedures that prevent access creep for employees
Insufficient procedures for destruction of PHI when it is
Vendor risk management stats (Since 2011)
• 173 on-site visits completed
• 81 questionnaire-only assessments completed
• 254 vendor risk reports finalized
• 1008 closed risks: 81 Critical, 370 High, 393 Medium, 164 Low
Risk Level | Risk Description
Critical | PHI is deemed to be exposed or has led to a previous unmitigated/un-remediated exposure. Requires immediate resolution. Remediation in 30 – 60 days.
High | PHI has the potential to be exposed or the vendor is found to be out of compliance with HIPAA/HITECH or with an internal BCBSM contractual standard (VISPRD/BAA). Requires quick resolution. Remediation in 60 – 90 days.
Medium | Could lead or has led to a service interruption affecting BCBSM. Prioritized according to BCBSM business criticality. Remediation in 90 – 120 days*.
Low | Could lead to degradation in operational capability or performance. These risks should be addressed as a good business practice.
Vendor risk management stats (2013)
48
• 53 on-site visits completed
• 15 questionnaire-only assessments completed
• 68 vendor risk reports finalized**
• 102 open risks: 2 Critical, 36 High, 36 Medium, 28 Low
• 93 closed risks: 6 Critical, 40 High, 45 Medium, 2 Low
Risk Level | Risk Description
Critical | PHI is deemed to be exposed or has led to a previous unmitigated/un-remediated exposure. Requires immediate resolution. Remediation in 30 – 60 days.
High | PHI has the potential to be exposed or the vendor is found to be out of compliance with HIPAA/HITECH or with an internal BCBSM contractual standard (VISPRD/BAA). Requires quick resolution. Remediation in 60 – 90 days.
Medium | Could lead or has led to a service interruption affecting BCBSM. Prioritized according to BCBSM business criticality. Remediation in 90 – 120 days*.
Low | Could lead to degradation in operational capability or performance. These risks should be addressed as a good business practice.
** Not all questionnaire-only reviews require a formal report
How we partner with you
Both Corporate Procurement and the contract administrator have key roles in the security assessment process.
Procurement: provide vendor security assessment questionnaire
Procurement: facilitate on-site assessment
Contract administrator: provide updates from the supplier on
What we need from suppliers
• Be open to the BCBSM Vendor Risk Management Program: vendor security assessment questionnaire and on-site assessment.
• Developing a strong information security program takes time. Start on the path today and continue to measure your progress.
• Collaboration is key and will benefit both of us. BCBSM is here for you as an information resource to help you.
Excelling in how you secure BCBSM information will give you a competitive advantage!