This message was posted by a user wishing to remain anonymous
We have been informally following the OCC guidance (although we are FDIC regulated) in maturing our TPRM program so the change in guidance is not going to impact the kinds of vendors we track so much as it will expand, in some instances, the scope of the review. One example is that we are currently tightening up our contract management, review and tracking processes in anticipation of some of the changes we feel will likely be adopted.
Our TPRM program falls under our broader risk umbrella, separate from the business units (BU) who own the relationships. The BU is responsible for the vendor selection and initial procurement processes (obtaining and checking references, scoping, etc.), contracting and contract management, although we have added requirements for contract approval by legal and/or TPRM for critical relationships, foreign-based third parties and certain dollar amounts. We also store the contracts in a central database and provide reporting on certain key dates for contracts to ensure renewals, etc., are not missed at the first line.
The BU also completes the assessment of operational criticality and data confidentiality risk that we use to determine the appropriate due diligence to require and the frequency of any subsequent reviews (annual, semi-annual, not reviewed again).
One way you might be able to limit the volume of handling by TPRM is to identify certain kinds of relationships that are outside the TPRM scope and managed by another area or by the BU, like joint ventures, partnerships, Fintech, etc. We have also explicitly scoped out of TPRM certain vendor types such as subscriptions, associations, federal, state and local governments, merchant payment processors (we have scoped those to a specific BU), etc. You could also allow the BU to handle certain risk-level relationships directly and have TPRM handle the higher-risk relationships, as those would require increased expertise, review, etc.
To respond to another question in this conversation, operational criticality and data confidentiality risk are determined based, in part, on the following criteria:
Is the time to replace the vendor greater than 5 business days, and are there limited alternatives (only 1-2) to their service?
- Yes
- No

How important to operations are the services or technology provided or hosted by the vendor?
- Mission critical to operations: could be down less than 5 business days
- Important to operations but not mission critical: could be down 5-10 business days
- Incidental to operations: could be down for a longer period, such as 2 weeks

Does the vendor access, store, transmit or process NPPI (non-public personal information) or regulatory protected information?
- Yes
- No

If "yes" to the above, answer the following questions. If "no" to the above, the worksheet is complete.

Data Type: Can the data be reasonably used to perpetrate identity theft? For example, records that contain NPPI, such as a person's name associated with an SSN, credit card number, or financial account number, carry more risk than records that only include a person's name and address.
- Yes
- No

Volume: Select the volume of regulatory protected information
- High
- Moderate
- Low
Original Message:
Sent: 10-06-2021 04:08 PM
From: Anonymous Member
Subject: Proposed Interagency Guidance and Staff in Vendor Management
This message was posted by a user wishing to remain anonymous
I am hoping for some feedback on an issue here with management buy-in or alternate solutions. The Vendor Management team for our credit union is a singular person. We currently do not review all relationships, such as maintenance contractors, commodity services, catering, etc. In preparation for the new guidance we proposed to have another staff member added to the Vendor Management team (even a .5 FTE) to help, as our relationships to be reviewed will go up over 100%. Right now we are getting some resistance, and Sr. Leadership wants me to consider having the vendor owner handle these low-risk items. Of course this raises concerns, as the responsibility for third-party relationships falls under our VM Program.
Does anyone have suggestions?
Do your vendor owners handle their own vendors without a vendor management rep assisting in the 2nd line of defense? How is this working for you? What obstacles are you encountering?
How are other FIs preparing for the regulations when it comes to vendor vetting?
I don't expect a lot of heavy lifting for the due diligence as it is risk based, but the volume is what I am concerned with.
Thank you