Policy, Program, and Procedures

Welcome to the Policy, Program, and Procedures Community. Here you will find the latest discussions and resources that can help you in this area. This community focuses on creating a policy, program, and procedures; best practices; ideas; tips; guidance; how to implement; and more. Note: You will need to Sign In to join in the discussions and access resources. 

About Third-Party Risk Policy, Program, and Procedures: Successful vendor risk management requires a fully documented set of practices. Regulators and examiners expect you to have three written documents: a policy, a program, and procedures. These documents must be updated at least annually, or more frequently as guidance changes or significant organizational changes occur. It is also important that the work product matches what the policy and program documentation says.

Latest Discussion Posts

  • Thanks all USAA Classification: Internal

  • Hi, Has anyone hired any consultant to come in to assess your TPRM program? We are looking to expand to include all third parties and mature the program and are interested in an outside assessment to give us direction. Any recommendations would be helpful! ...

  • Thank you! Kelli Shoup | Technology Support Lead/Information Security Specialist The Farmers Bank

  • Good morning, This is a template that I have used as an auditor for the mapping of a SOC 2; in this example, the sub-service organization is Workday. The CUEC tab I map to Company ABC internal controls to the CUECs in Workday's listing of CUECs ...

  • I am interested in this topic as well; we are struggling with the same issue. We are building a "mapping library" as we go, but would be interested in how others are handling this process as well. Thanks, Krysten