Policy, Program, and Procedures

 View Only

Welcome to the Policy, Program, and Procedures Community. Here you will find the latest discussions and resources that can help you in this area. This community focuses on creating a policy, program, and procedures; best practices; ideas; tips; guidance; how to implement; and more. Note: You will need to Sign In to join in the discussions and access resources. 

About Third-Party Risk Policy, Program, and Procedures: Successful vendor risk management requires a fully documented set of practices. Regulators and examiners expect you to have three written documents – a policy, program, and procedures. These documents must be updated at least annually or more frequently as guidance changes or significant organizational changes occur. And, it’s important the work product produced matches what the policy and program documentation says.  

Latest Discussion Posts

  • This is an interesting question where I would love to hear from other members. In my opinion, Insurance for your organization would likely not be critical or have elevated risk, but should still be within TPRM. Consider baseline Monitoring and Due-diligence ... More

  • Hi, The timeframe for determining whether to reclassify a vendor from active to inactive status within a software tool is typically 15 months to 2 years of dormancy (no activity). Reclassifying an active vendor to inactive is different ... More

  • Profile Picture

    Status of Vendor (Active to Inactive)

    This message was posted by a user wishing to remain anonymous What timeframe does your FI/Company follow before marking a vendor as inactive? More

  • Cost / spend does not really drive our criticality rating, but it does inform our DD requirements. For example a critical service with a spend over $250k will need a credit assessment at onboarding. All critical vendors will have a credit assessment ... More

  • Pam makes a good point. Cost and risk are not necessarily linked. While one might argue that there is some correlation between vendor cost and criticality or risk, I think it is more important to assess what the vendor does, what the loss of that vendor ... More