We leverage a Vendor Request form, that must be completed for any vendor activity to be authorized- new, or existing vendors. That form is auto sent to the heads of TPRM and Procurement and then a SVM manager is assigned to conduct the risk assessment (original or update the current). That outcome drives what due diligence is required for onboarding, or what additional items need to be updated based on the new or modified services.
The VRF is only accessible by our RC managers and above who are authorized to request services and changes to services, and has to be submitted prior to any contracting.
------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Cenlar FSB
------------------------------
Original Message:
Sent: 04-22-2022 09:43 AM
From: Anonymous Member
Subject: Procurement / TPRM
This message was posted by a user wishing to remain anonymous
Thank you for that feedback, Jenn. When you think about an entry point to onboard a third party, where is that at your org? Is the third party sourced prior to the RA being completed or is the RA the starting point for you processes?
Original Message:
Sent: 04-22-2022 07:31 AM
From: Jennifer Wilkinson
Subject: Procurement / TPRM
Hi Hilary!
At our shop, TPRM, VM and procurement work closely and verify the risk assessment for all new engagements that are deemed material. It allows transparency throughout the engagement and allows for better credible challenge especially for new vendor engagements as they are fleshed out. The line of business is responsible to provide the initial response, but then the RA is reviewed to ensure that responses are solid as part of the initial onboarding, and then through the ongoing monitoring cadence for each material vendor.
I hope you have a wonderful weekend!!
------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Cenlar FSB
jwilkinson@cenlar.com
Original Message:
Sent: 04-21-2022 09:37 AM
From: Hilary Jewhurst
Subject: Procurement / TPRM
I am curious if your procurement organization is doing any risk assessments for the third parties they engage. It is essential to understand and assess the risks associated with any product or service provided to your organization or its customers. Because your procurement team selectively works with specific third-party types. I would suggest collaborating with them to understand parameters that define their scope of work vs. yours and the process they apply when considering a new vendor. For the best risk management outcomes, I would strongly suggest that the two teams confirm that the same risk criteria are evaluated regardless of the product or service type and that they use the same inherent risk questions ( if not the same questionnaire) in both departments. That approach will allow you to direct your users to either Procurement or Third-Party Risk depending on the product and service type. And you won't need to worry about gaps in the risk assessment process.
I hope that answer is helpful, but I would love to hear from other members.
Original Message:
Sent: 04-13-2022 03:56 PM
From: Anonymous Member
Subject: Procurement / TPRM
This message was posted by a user wishing to remain anonymous
For those with a centralized procurement organization that does not support all third party types what does your third party onboarding process look like? How do you determine when to start with procurement/sourcing versus when to start with inherent risk questionnaire?