Scope and Purpose
Scope of Policy
This Vendor Management Policy sets forth expectations governing LEE Engineering’s arrangements with third-party vendors and service providers and prospective vendors and service providers that may either perform functions on LEE Engineering’s behalf or provide products and services to the Company or the Company’s customers in support of the Company’s activities. Vendors may perform a variety of functions, including, among other things, technology and software services, document and disclosure preparation, appraisals and valuation, outsourced compliance functions such as auditing and compliance monitoring services.
Itis the goal of LEE Engineering’s management to ensure compliance with this policy with respect to every vendor relationship. However, LEE Engineering’s management recognize that certain existing contracts may not comply with all aspects of this policy. It is management’s responsibility to continuously seek opportunities to renegotiate changes (e.g., at contract renewal, etc.) to existing vendor contracts in order to achieve full compliance with this policy.
Purpose of Policy It is the purpose of this Policy to ensure that LEE Engineering realizes the benefits of its relationships with vendors while at the same time maintaining a successful framework for managing and mitigating the risks inherent in the relationship sufficient to ensure compliance with applicable law and to meet supervisory expectations.
This Policy sets forth and describes the key aspects of the vendor management oversight activities of LEE Engineering through the life of the relationship, and the obligations of individuals within LEE Engineering to ensure entity-wide compliance with this Policy.
Roles and Responsibilities
LEE Engineering’s Management
The Company’s Management is responsible for overseeing LEE Engineering’s program and process for managing vendors and ensuring sufficient resources and staff is devoted to the Vendor Management Process. The management are ultimately responsible for identifying and controlling risks arising from vendor relationships to the same extent as if the services were handled within LEE Engineering. The management shall review this policy on an annual basis.
The Management may delegate day-to-day oversight of third-party arrangements and their associated risks to an employee or employees with subject matter experience to serve as a relationship manager for the third-party relationship. This delegation does not diminish accountability by the Management for all third-party relationships.
Relationship Manager
The business owner responsible for managing the third-party relationship acts as the Business Relation Manager for that relationship. Among other responsibilities, the BRM must understand the risks associated with the third-party relationship and maintain effective oversight and control over the vendor, advise business managers on existing vendor
The Business Relationship Manager assist in the creation of the vendor contract. The BRM must ensure that adequate due diligence is conducted on the vendor prior to execution of the contract and must continue to provide effective oversight of the contractual relationship to control these risks. Where material concerns regarding the vendor’s performance arise, the BRM is expected immediately to report those concerns to the appropriate parties, including senior management, compliance, or legal counsel. The BRM manages LEE Engineering’s relationships with vendors in accordance with the Vendor Management Program and Procedures.
Employees
All LEE Engineering employees are responsible for responsibly interacting with vendors and following the requirements of this Policy. Pre-Engagement Requirements Before entering into a third-party arrangement, the BRM must evaluate LEE Engineering’s need for the service or product, the benefits to LEE Engineering of outsourcing the function rather than building the capability in-house, and the ability to effectively manage the risks related to the relationship. Before LEE Engineering begins a relationship with a vendor for products or services, it must:
- Assess the Company’s needs, exposure and control capabilities;
- Engage in due diligence to identify, evaluate, and select a third-party as a vendor; and
- Enter into a written contract.
LEE Engineering should also consider at this time whether it is necessary to develop and implement additional formal policies, procedures, and/or controls to effectively oversee and monitor the third-party’s activities, financial condition, internal controls, performance, quality of service, and support.
Initial Risk Assessment
LEE Engineering ‘s management shall perform a risk assessment in accordance with the Vendor Management Program and Procedures. The depth and scope of the risk assessment should mirror the complexity of risk involved in entering into the third- party vendor arrangement. Once the assessment of risks is complete, the Management must document the analysis so that appropriate senior management can review the assessment.
Due Diligence Review
The Management must ensure adequate due diligence of the vendor is conducted before entering into a contract or arrangement with the vendor. The extensiveness of the due diligence process is determined by the vendor’s risk category.
Before entering into an arrangement with a vendor identified in the highest risk category, LEE Engineering should make certain that such vendor has an effective internal or external audit function in place. During the term of the arrangement, the vendor must implement and maintain internal controls, policies, and procedures, including those for data security and contingency capabilities, and other operational controls that are analogous to those that LEE Engineering would perform if it performed the activity internally.
Vendor Contract
All vendor relationships must be supported by a written contract that has been approved by senior management and, for more significant contracts, legal counsel.
The Management should review contract terms for all third-party arrangements insufficient detail as required by the service performed and the level of risk. For significant or higher risk-ranked relationships, legal counsel should review the contract and incorporate such terms and conditions as required to meet the contents of the Policy. Written contracts should clearly specify all relevant expectations, rights, responsibilities, and liabilities of each party.
LEE Engineering must notify vendors that the products or services it provides to or on behalf of the Company are subject to regulatory oversight and audit by using a contract provision or other appropriate method. Consequently, LEE Engineering should consider including a provision in the contract that allows LEE Engineering to terminate upon reasonable notice and without penalty in the event that the regulator formally objects to the particular third-party relationship or otherwise recommends termination.
Before entering into any relationship, LEE Engineering (and where appropriate, legal counsel) will review each third-party contract for appropriate contract terms and compliance with this Policy and any other appropriate criteria or procedure. To facilitate review by legal counsel where necessary, LEE Engineering’s senior management, officers, and/or employees must contact legal counsel in a timely manner and initiate legal counsel’s participation in contract formation and negotiation. Unless otherwise agreed, the Management is required to provide any follow-up forms, information, and issue resolution with the third-party in order to successfully negotiate the contract.
Once a negotiated contract has been fully executed by the Company, LEE Engineering must maintain a copy of the fully executed contract and where possible and appropriate, provide a copy to legal counsel.
Vendor Preferences Vendors should be selected based solely on objective evaluation. The early involvement of the Management, as appropriate, ensures the use of appropriate selection criteria. Employees must not make any agreement with a vendor which places, or appears to place, the vendor in a position of advantage or disadvantage as to other third-party providers participating in the vendor selection process.
Termination of Vendor Contracts Any proposal for early termination of a vendor contract must be forwarded to senior management, and where necessary and appropriate, to a legal counsel, for review.
LEE Engineering has a zero-tolerance policy for fraud or fraudulent activity. If the Company identifies potential instances of fraud, misrepresentation or the receipt of undesirable business, it will research the specific situation and take appropriate action, potentially including termination of the vendor relationship. Senior management and/or legal counsel must be notified prior to any employee undertaking an investigation and any investigation of reported behaviour must be conducted under the attorney-client privilege.
Ongoing Oversight of Vendors
Ongoing Oversight On an ongoing basis, LEE Engineering will review the operational and financial performance of vendors to ensure that the vendor meets and can continue to meet the terms and conditions of the third-party arrangement. The risk rating of the vendor aids in determining the necessary frequency and scope of the Company’s ongoing monitoring and assessment of a vendor’s activities and performance. The frequency and scope of the monitoring and assessments may be adjusted by LEE Engineering based upon the results of prior reviews of the vendor.
Ata minimum, the ongoing review should include monitoring the vendor’s legal and regulatory compliance, contract compliance, appropriate information safe guard compliance, and the quality of its services and support. For vendors that are risk rated in the highest risk category, the review should be extended to include monitoring of the vendor’s financial condition, its controls, its regulatory compliance, and its disaster recovery readiness. Ongoing oversight can include the following techniques, among others: onsite reviews, review of reports prepared by the vendor, periodic meetings or calls with the vendor, periodic transactional testing, and/or establishment of scorecards or other monitoring systems.
All contracts must be reviewed by LEE Engineering on a periodic basis and the Company should consider renegotiation if service levels do not meet expectations. As necessary and where appropriate, LEE Engineering will provide its employees with additional assistance or training to have the necessary background to perform oversight functions.
LEE Engineering must document its oversight program and maintain adequate reports and records to enable regulatory examiners to effectively and fully review the activities performed by high-risk third parties. Results of oversight activities should be periodically reported to the Heads or a designated committee.
Regulatory Requirements and Dealings with Vendors
Recordkeeping and Documentation
LEE Engineering must make available to the appropriate regulators, or require the vendor to make available, all books and records related to the vendor arrangement.
In addition, LEE Engineering must maintain records comprising documents, files and other material or property of all third-party business transactions. This requirement includes records provided by vendors.
LEE Engineering must notify vendors, as appropriate, of its obligations to make records associated with the arrangement available to the appropriate regulators by using a contract provision or other appropriate method.
Arrangements with Affiliates and Subsidiaries
- be substantially the same, or at least as favourable, to LEE Engineering as those prevailing at the time for comparable transactions with a non-affiliated third-party;
- evidence an arms-length transaction; and
- provide for payments and compensation based on market rates.
Confidential Information
A confidentiality agreement form must be executed with any vendor prior to sharing information with respect to prices for products or services, disclosing strategies, or any other proprietary and confidential information.
Employees are expected to refrain from disclosing to third parties, or other Company employees without a need to know, the confidential or proprietary information of any vendor. This obligation for confidentiality may extend beyond the term of a relationship with the vendor, after an employee moves to another position, and/or upon termination of employment with LEE Engineering.
Corporate Assets Employees must not:
- provide to the vendor any asset of LEE Engineering, including proprietary information, data, services, or equipment;
- provide unrestricted or unaccompanied access to secured areas; nor
- make any commitment to a vendor, unless expressly agreed to by the parties in writing or authorized by senior management with the authority to approve such activity.
No Company employee, regardless of his or her position, can solicit gifts, entertainment, or favours from a Company vendor, either directly or indirectly, and no employee can accept anything of that nature beyond an ordinary social amenity or one involving normal company sales promotion, advertising, or publicity. Under no circumstance can gifts be accepted if the vendor is presently involved in contract negotiations.
Conflicts of Interest
It is important in all dealings with vendors to avoid any and all perceptions of impropriety. A Company employee cannot be involved in a request for proposal, contract negotiation, purchase requisition or purchase order with a vendor in which the LEE Engineering employee either has a personal relationship, including immediate and extended family, financial interest in the vendor, or are relationship with an employee of the vendor.
Former employees (including retirees or those separated for any reason) who occupied positions prior to separation in which they could influence purchasing decisions cannot be received as a representative of a vendor by LEE Engineering for a period of two (2) years following their separation.
Any exceptions to the requirements set forth in this section must be approved by senior management.