Latest Discussions

  • RE: BC Plan

    I have been asked to write a BCP for a warehouse and distribution food company. Can anyone share an example that they may have (all company names and detailed information redacted, of course)? I am in IT and have written DR plans but not a BCP. I have ...

  • Posted in: Risk Assessments

    I'm curious how other organizations are assessing risks of third-party AI. There are different schools of thought that the AI Model itself isn't the risk, it's the product of what the AI produces/is used for, therefore the risk is not fully assessed ...

  • RE: BC Plan

    I am responsible for not only seeing if our key suppliers have BCPs but assess them. I check for a BC policy (for leadership support) and BCP components (Risk Assessment, BIA, Crisis Management (Incident Response & DRP), Training & Exercise, Plan Maintenance) ...

  • RE: BC Plan

    When I look at DR/BCP plans I look to see if the plan is well documented, regularly updated and tested, and has a BIA that includes RPO/RTO. I also like to see their backup locations for their data, and other important information will also be there that's ...

  • Hi Christi, Question: how often do you assess your non-critical vendors to determine/confirm if they are critical? Answer: We do not reassess vendor criticality unless there is some sort of change in service that would trigger such an event. I ...

  • Hi Anonymous, We have a vendor we use their services for surrounding our board meeting. Based on the service they are providing we did include them in our vendor program as a tech vendor. I think this will depend on how your institution structures your ...

  • Board of Directors Vendor

    This message was posted by a user wishing to remain anonymous. I work for a financial institution and the board of directors would like to engage with a vendor for their use. Would we need to include this vendor in our program?

  • Hi Christi, Thanks for the clarification. I now understand that you don't provide an overall risk rating, but rather assign each risk a separate rating. In that case, I would recommend re-assessing for criticality at least annually. You should ...

  • RE: Company Issued Cell Phones

    This message was posted by a user wishing to remain anonymous. This is as much an HR/Risk/Legal question as it is vendor management. BOD's concern (not expressed in the question) seems to be: ability to contact loan officers with personal devices and ...

  • Christine, Thank you for your response. We have a set frequency for reassessing risk. We do not tier or rate vendors as high, moderate, low - instead we assign a risk rating of high, moderate, or low inherent (and then, residual) risk for 10 separate ...

  • Hi Christi, The frequency of risk re-assessments should align with both the inherent risk level and criticality. Here's the frequency we recommend: Critical and High Risk: At least annually, but reviews may be more frequent if there ...

  • Hi Shelly, Our company went with personal cell phones and was able to obtain an app from our Telephony/IVR provider for our employees to use for customer calls. This way customers would have their "work" number and not their personal cell phone number. ...

  • RE: Company Issued Cell Phones

    This message was posted by a user wishing to remain anonymous. Our company only offers company cell phones to upper management, like VPs and Directors; however, they are situational. For instance, IT management has them because you never know when something ...

  • Shelly: We are going the other way - moving from company provided plan/device to a stipend for employees requiring cellular devices for company use. This provides greater employee flexibility [such as adding a second line to an existing ...

  • Hi all - our BOD is asking for options for company-issued cell phones for our loan officers. I've chatted with our HR to get their thoughts on this, but I am also wondering if anyone else out there offers company-issued cell phones for customer contact? ...

  • BC Plan

    This message was posted by a user wishing to remain anonymous. During the due diligence, what is documented from the business resiliency results, and how do you measure against your own organization's plan? Also, if it appears to be risky, how do you miti ...

  • BSA Model Validation

    This message was posted by a user wishing to remain anonymous. Hi, my midsize community bank is considering switching BSA/AML transaction monitoring vendors. The vendor has not had an independent review of their internal system. I suggested we ...

  • Posted in: Contract Management

    What method is used to formally track exceptions from a third party agreement? We have a playbook on hand to use, but for third party agreements, if there is refusal on a certain clause, how does it get tracked?

  • RE: Exit Plans

    Hey Jennifer, I sent you a contact request and a LinkedIn request. Would you be able to share this blank template for vendor owners? We are looking to beef up our exit plans and are looking for guidance. I am happy to share my email once you see this ...

  • RE: Risk appetite/Risk tolerance level

    This message was posted by a user wishing to remain anonymous. My experience is that the risk management function, with input from the business functional units and senior management, determines the appetite.
